Today I was searching for more samples of BlackPOS, because this malware uses the FTP protocol.
Knowing this, I was interested in crawling more panels, but then I realised something...
Why did I look only for BlackPOS, instead of targeting everything?
So I downloaded a random malware pack found on the internet and sent everything to Cuckoo.
Then I just parsed each of the generated pcaps to pull out some stuff (simple but effective).
Everything automated, of course; it's far too much to do manually, especially on a malware pack.
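To show what that parsing step can look like, here is an added example (my own, not the author's script): a stdlib-only Python walker over a libpcap file that pulls FTP indicators out of each capture, per server it sees: the user names sent, whether a PASS was sent at all (the value is deliberately not kept), the paths the sample touched, and the reply codes the server answered with, so a failed login from a broken build shows up as a 530 with no 230. The pcap bytes are constructed in memory for the example; the addresses, user names, paths and the unreplaced `%ftpuser%` placeholder are invented. Point `extract_ftp_indicators` at the bytes of the pcap Cuckoo writes for an analysis to run it on real data.

```python
import struct
from collections import Counter, defaultdict

# --- Constructed sample data -----------------------------------------------
# A tiny libpcap file built in memory with two FTP control-channel chats.
# Addresses are RFC 5737 documentation ranges; names and paths are invented.

def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def _frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame carrying payload (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # MACs zeroed, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,  # ports, seq, ack
                      5 << 4, 0x18, 65535, 0, 0)         # data offset 5 words, PSH|ACK
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ip + tcp + payload

def build_sample_pcap():
    client, srv_a, srv_b = "192.0.2.10", "198.51.100.7", "203.0.113.5"
    conversation = [
        # (src, dst, sport, dport, payload): a working drop zone
        (srv_a, client, 21, 49152, b"220 Welcome\r\n"),
        (client, srv_a, 49152, 21, b"USER dropzone\r\n"),
        (srv_a, client, 21, 49152, b"331 Password required\r\n"),
        (client, srv_a, 49152, 21, b"PASS hunter2\r\n"),
        (srv_a, client, 21, 49152, b"230 Login successful\r\n"),
        (client, srv_a, 49152, 21, b"CWD /logs\r\n"),
        (srv_a, client, 21, 49152, b"250 OK\r\n"),
        (client, srv_a, 49152, 21, b"STOR keylog_WIN-PC.txt\r\n"),
        (srv_a, client, 21, 49152, b"150 Ok to send data\r\n"),
        # second sample: the builder left its template placeholders unreplaced
        (srv_b, client, 21, 49153, b"220 ProFTPD Server ready\r\n"),
        (client, srv_b, 49153, 21, b"USER %ftpuser%\r\nPASS %ftppass%\r\n"),
        (srv_b, client, 21, 49153, b"530 Login incorrect.\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, (s, d, sp, dp, data) in enumerate(conversation):
        frame = _frame(s, d, sp, dp, data)
        out += struct.pack("<IIII", 1_400_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

# --- Minimal pcap walker ---------------------------------------------------
def iter_tcp_segments(pcap):
    """Yield (src_ip, sport, dst_ip, dport, payload) for every IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(end + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                     # not IPv4 carrying TCP
        tcp_off = 14 + (frame[14] & 0x0F) * 4            # 14 + IHL
        if len(frame) < tcp_off + 20:
            continue
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        yield src, sport, dst, dport, frame[tcp_off + data_off:]

# --- FTP indicator extraction ----------------------------------------------
PATH_COMMANDS = {"CWD", "STOR", "RETR", "DELE", "MKD", "RMD"}

def extract_ftp_indicators(pcap, ftp_port=21):
    """Per FTP server: users, whether a PASS was sent (value not kept),
    paths touched, reply codes returned, and whether a login succeeded."""
    servers = defaultdict(lambda: {"users": set(), "pass_seen": 0,
                                   "paths": set(), "replies": Counter()})
    for src, sport, dst, dport, payload in iter_tcp_segments(pcap):
        if not payload:
            continue
        lines = [l for l in payload.decode("latin-1", "replace").split("\r\n") if l]
        if dport == ftp_port:                            # client -> server commands
            rec = servers[dst]
            for line in lines:
                cmd, _, arg = line.partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    rec["users"].add(arg)
                elif cmd == "PASS":
                    rec["pass_seen"] += 1                # presence only, never the secret
                elif cmd in PATH_COMMANDS:
                    rec["paths"].add(arg)
        elif sport == ftp_port:                          # server -> client replies
            rec = servers[src]
            for line in lines:
                if len(line) >= 3 and line[:3].isdigit():
                    rec["replies"][int(line[:3])] += 1
    return {ip: {"users": sorted(r["users"]), "pass_seen": r["pass_seen"],
                 "paths": sorted(r["paths"]), "replies": dict(r["replies"]),
                 "login_ok": r["replies"][230] > 0}
            for ip, r in servers.items()}

if __name__ == "__main__":
    for server, info in extract_ftp_indicators(build_sample_pcap()).items():
        print(server, info)
```

Running it on the constructed capture reports the first server with a successful login (230) and a `STOR` of a keylog file, and the second with a `%ftpuser%` user name and a 530, which is exactly the "built with wrong data" failure the post shows later. On real Cuckoo output, grouping by server IP and keeping reply codes is what separates live drop zones worth reporting to the hoster from dead or misconfigured ones.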
Here is a small part:
I added signatures manually by browsing the VirusTotal reports, but I got too many results, so I just left 'F*ck this shit' on all of them.
Crawling VirusTotal with the API could also be an option to retrieve results, but I'm lazy.
Looking at random pcaps, I found some that were fun:
Malware using a free hosting service is a bad idea:
Malware built with wrong data (epic failure):
Malware badly coded:
Infecting yourself with Ardamax and enabling all features on it is a bad idea:
Another configuration failure:
FTP's full of sh*t:
You can learn about actors, e.g. from firstname.lastname@example.org, emo boy (I've included him on the FTP list):
I also got some false positives; this one is fun because it's a server used against malware infection: