First, fix dots in ES 2.4:
Fix dots in field names
Next install Bro ElasticSearch plugin:
Bro ElasticSearch Plugin
with a couple of caveats: you'll need to cd to bro-2.4.1/aux/plugins/elasticsearch before running ./configure && make && make install, and the default plugin install directory is bro-install-dir/lib/bro/plugins/.
The template below sets every dynamically mapped string field to not_analyzed (values are matched whole instead of being tokenized), maps ts as an epoch_millis date, and maps the source/destination addresses (id.orig_h, id.resp_h) and assigned_ip as the ip field type. The ip and date fields are declared under placeholder types (bro_ts, bro_orig_h, bro_resp_h, bro_assigned_ip); ES 2.x allows only one mapping per field name within an index, so the Bro log types created dynamically pick up the same mapping. Apply it before the first bro-* index is created, or the existing indices keep their old dynamic mappings:
curl -XPUT "http://localhost:9200/_template/bro_template" -d'
{
"template": "bro-*",
"order": 1,
"mappings": {
"_default_": {
"dynamic_templates": [
{
"strings": {
"match_mapping_type": "string",
"mapping": {
"type": "string",
"index": "not_analyzed"
}
}
}
]
},
"bro_ts": {
"properties": {
"ts": {
"type": "date",
"format": "epoch_millis"
}
}
},
"bro_orig_h": {
"properties": {
"id.orig_h": {
"type": "ip"
}
}
},
"bro_resp_h": {
"properties": {
"id.resp_h": {
"type": "ip"
}
}
},
"bro_assigned_ip": {
"properties": {
"assigned_ip": {
"type": "ip"
}
}
}
}
}'
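The same template built from a field list, plus a check that a live index actually got the intended mappings. This is an added example, not code from the post or from the Bro plugin; the sample mapping response is constructed, and the PUT helper assumes a plain HTTP Elasticsearch at the URL you pass it.

```python
"""Added example, not code from the post: build the template above from a field
list, push it, and check an index's live mapping against it."""
import json
import urllib.request

IP_FIELDS = ("id.orig_h", "id.resp_h", "assigned_ip")


def build_bro_template(ip_fields=IP_FIELDS, index_pattern="bro-*"):
    """Same shape as the curl body in the post: not_analyzed strings by default,
    ts as epoch_millis, and each ip field declared under a placeholder type."""
    mappings = {
        "_default_": {"dynamic_templates": [{"strings": {
            "match_mapping_type": "string",
            "mapping": {"type": "string", "index": "not_analyzed"}}}]},
        "bro_ts": {"properties": {"ts": {"type": "date", "format": "epoch_millis"}}},
    }
    for field in ip_fields:
        # "id.orig_h" -> placeholder type "bro_orig_h", as in the post
        mappings["bro_" + field.split(".")[-1]] = {"properties": {field: {"type": "ip"}}}
    return {"template": index_pattern, "order": 1, "mappings": mappings}


def put_template(es_url, name, template):
    """PUT the template (equivalent of the curl command); needs a reachable ES."""
    req = urllib.request.Request(
        f"{es_url.rstrip('/')}/_template/{name}", method="PUT",
        data=json.dumps(template).encode(), headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def flatten_fields(properties, prefix=""):
    """Flatten a mapping's properties into {dotted_name: definition}, whether ES
    stored id.orig_h literally or as an object 'id' with a child 'orig_h'."""
    out = {}
    for name, defn in properties.items():
        full = f"{prefix}{name}"
        if "properties" in defn:
            out.update(flatten_fields(defn["properties"], full + "."))
        else:
            out[full] = defn
    return out


def check_mapping(mapping_response, ip_fields=IP_FIELDS):
    """Given GET /bro-*/_mapping output, report fields whose live mapping does
    not match what the template intended."""
    problems = []
    for index, body in mapping_response.items():
        for doc_type, mapping in body.get("mappings", {}).items():
            for field, defn in flatten_fields(mapping.get("properties", {})).items():
                where = f"{index}/{doc_type}/{field}"
                if field in ip_fields and defn.get("type") != "ip":
                    problems.append(f"{where}: expected ip, got {defn.get('type')}")
                elif field == "ts" and defn.get("type") != "date":
                    problems.append(f"{where}: ts is not a date")
                elif defn.get("type") == "string" and defn.get("index") != "not_analyzed":
                    problems.append(f"{where}: analyzed string")
    return problems


# Constructed sample shaped like GET /bro-*/_mapping from an index created
# before the template was installed: two fields got the wrong dynamic mapping.
SAMPLE_MAPPING = {"bro-201609160000": {"mappings": {"bro_conn": {"properties": {
    "ts": {"type": "date", "format": "epoch_millis"},
    "id.orig_h": {"type": "ip"},
    "id.resp_h": {"type": "string"},
    "proto": {"type": "string", "index": "not_analyzed"},
    "uid": {"type": "string"},
}}}}}

if __name__ == "__main__":
    print(json.dumps(build_bro_template(), indent=1))
    for problem in check_mapping(SAMPLE_MAPPING):
        print("PROBLEM:", problem)
```

Run check_mapping on the JSON from `curl localhost:9200/bro-*/_mapping` after the first Bro logs land; an index that reports "expected ip, got string" was created before the template existed and has to be reindexed, since ES cannot change an existing field's type in place.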
Friday, September 16, 2016
Thursday, September 8, 2016
Maltrail Setup and Systemd Integration
Having run this app for a while now I figured this was long overdue...tested on Ubuntu 14-16:
git clone https://github.com/stamparm/maltrail.git
sudo mv maltrail /opt/
add to /etc/passwd:
maltrail:x:10000:10000::/opt/maltrail:/bin/false
add to /etc/group:
maltrail:x:10000:maltrail
edit your /opt/maltrail/maltrail.conf (interface, creds, etc...)
sudo chown -R maltrail:maltrail /opt/maltrail
create the two files below:
/lib/systemd/system/maltrail-server.service:
[Unit]
Description=Maltrail server
After=network.target
[Service]
User=maltrail
Group=maltrail
WorkingDirectory=/opt/maltrail
ExecStart=/usr/bin/python /opt/maltrail/server.py
Restart=on-failure
[Install]
WantedBy=multi-user.target
/lib/systemd/system/maltrail-sensor.service:
[Unit]
Description=Maltrail sensor
After=network.target
[Service]
WorkingDirectory=/opt/maltrail
ExecStart=/usr/bin/python /opt/maltrail/sensor.py
Restart=on-failure
[Install]
WantedBy=multi-user.target
(no User= on the sensor: sensor.py captures packets on the interface and needs root for that, while server.py only serves the web UI and runs as the unprivileged maltrail user. Note that systemd runs ExecStart= directly, not through a shell, so nohup, & and disown don't belong in it; they would be passed to python as literal arguments.)
then run:
sudo systemctl enable maltrail-server
sudo systemctl enable maltrail-sensor
lastly run:
sudo systemctl start maltrail-server
sudo systemctl start maltrail-sensor
updating:
sudo systemctl stop maltrail-server
sudo systemctl stop maltrail-sensor
cd /opt/maltrail
sudo cp maltrail.conf maltrail.conf.mine
sudo rm maltrail.conf
sudo git pull
copy local changes from maltrail.conf.mine to the new maltrail.conf
sudo chown -R maltrail:maltrail /opt/maltrail
sudo systemctl start maltrail-server
sudo systemctl start maltrail-sensor
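A small generator and linter for the two units, as an added example that is not part of the post or of maltrail. It renders the units the way they are written above and rejects ExecStart= lines that contain shell syntax (the `& disown` mistake). The optional unprivileged sensor variant assumes systemd 229 or newer (for AmbientCapabilities=) and assumes sensor.py needs nothing beyond CAP_NET_RAW/CAP_NET_ADMIN and a writable log directory; that has not been verified against maltrail itself.

```python
"""Added example, not part of the post or of maltrail: render the two unit files
and lint ExecStart= lines. systemd executes ExecStart= itself, not through a
shell, so '&' and 'disown' would be handed to python as literal arguments."""

SHELL_META = set("&|;<>$`()*?")


def execstart_problems(line):
    """Return a list of problems with an 'ExecStart=...' line (empty if clean)."""
    if not line.startswith("ExecStart="):
        return ["not an ExecStart= line"]
    argv = line[len("ExecStart="):].split()
    if not argv:
        return ["empty command"]
    problems = []
    prog = argv[0].lstrip("-@+!:")  # systemd's own prefix characters are fine
    if not prog.startswith("/"):
        problems.append(f"{prog!r} is not an absolute path")
    if prog.endswith("/nohup"):
        problems.append("nohup does nothing useful under systemd; drop it")
    for tok in argv[1:]:
        if SHELL_META & set(tok):
            problems.append(f"{tok!r} would be passed to the program literally")
        if tok in ("disown", "disowm"):
            problems.append(f"{tok!r} is a shell builtin, not an argument")
    return problems


def render_unit(description, script, user=None, capabilities=(), workdir="/opt/maltrail"):
    """Build a unit for <workdir>/<script>. user=None keeps root (the post's
    sensor unit). capabilities (assumption: systemd >= 229) let a non-root
    user keep only what packet capture needs."""
    exec_line = f"ExecStart=/usr/bin/python {workdir}/{script}"
    if execstart_problems(exec_line):
        raise ValueError(execstart_problems(exec_line))
    lines = ["[Unit]", f"Description={description}", "After=network.target", "",
             "[Service]", f"WorkingDirectory={workdir}", exec_line,
             "Restart=on-failure", "RestartSec=5"]
    if user:
        lines += [f"User={user}", f"Group={user}"]
    if capabilities:
        caps = " ".join(capabilities)
        lines += [f"CapabilityBoundingSet={caps}", f"AmbientCapabilities={caps}"]
    lines += ["", "[Install]", "WantedBy=multi-user.target", ""]
    return "\n".join(lines)


def maltrail_units(sensor_user=None):
    """Return {filename: contents} for both units. Pass sensor_user="maltrail"
    to run the sensor unprivileged with CAP_NET_RAW/CAP_NET_ADMIN (assumption:
    that is all sensor.py needs; its log directory must be writable too)."""
    sensor_caps = ("CAP_NET_RAW", "CAP_NET_ADMIN") if sensor_user else ()
    return {
        "maltrail-server.service": render_unit("Maltrail server", "server.py", user="maltrail"),
        "maltrail-sensor.service": render_unit("Maltrail sensor", "sensor.py",
                                               user=sensor_user, capabilities=sensor_caps),
    }


if __name__ == "__main__":
    for name, body in maltrail_units().items():
        print(f"# /lib/systemd/system/{name}\n{body}")
```

Write the rendered files to /lib/systemd/system/, run `systemctl daemon-reload`, then enable and start as above; `systemctl status maltrail-server` should show a single python process with no nohup in front of it.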
Thursday, August 18, 2016
The Sad State of Foxit Reader
The tl;dr is: Foxit Reader tracks your usage and sends it to their servers (in China!!), installs a service that you can't uninstall without uninstalling Foxit Reader, and is not proxy aware. There is currently no way to disable any of the cloud-based functionality or the user tracking. Long version below:
After installation, you can see the Foxit Reader Service installed (left), but no option to uninstall the service (right), whereas previous versions you could:
If you disable the service as shown above, Foxit will give you the below prompt EVERY TIME you open a pdf or start the application:
[image: Foxit Reader sending your IP and MAC address to Foxit's servers]
[image: Logging data sent to Foxit's servers]
The below shows a list of User-Agent strings found in the memory of FoxitConnectedPDFService.exe:
Lastly, the Detected field shows the protections Foxit has put in place on the exe:
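How a list like the one above can be pulled from a process memory dump or the service binary itself: an added example, not code from the post. It scans for User-Agent strings in both 8-bit and UTF-16LE form, since Windows binaries store many of their strings as wide characters. The sample bytes are constructed; the assumption that a UA string starts with "Mozilla/" is configurable.

```python
"""Added example, not from the post: pull User-Agent strings out of a process
memory dump or on-disk binary, checking both ASCII and UTF-16LE encodings."""
import re

# Assumption: a UA string starts with one of these product tokens.
DEFAULT_PREFIXES = ("Mozilla/",)


def _pattern(prefixes):
    alts = "|".join(re.escape(p) for p in prefixes)
    # prefix, a digit, then printable ASCII up to the first control/non-ASCII char
    return re.compile(rf"(?:{alts})\d[\x20-\x7e]{{0,250}}")


def find_user_agents(data, prefixes=DEFAULT_PREFIXES):
    """Return the sorted set of UA strings found in `data` (bytes)."""
    pat = _pattern(prefixes)
    found = set()
    # 8-bit strings: latin-1 maps every byte to one char, so offsets are preserved
    found.update(pat.findall(data.decode("latin-1")))
    # UTF-16LE strings: try both byte alignments, invalid pairs become U+FFFD
    for offset in (0, 1):
        text = data[offset:].decode("utf-16-le", errors="replace")
        found.update(pat.findall(text))
    return sorted(found)


def user_agents_from_file(path, prefixes=DEFAULT_PREFIXES):
    """Convenience wrapper for a dump written by e.g. procdump or a copied exe."""
    with open(path, "rb") as fh:
        return find_user_agents(fh.read(), prefixes)


# Constructed sample: a narrow UA, some filler, then a wide (UTF-16LE) UA.
SAMPLE_MEMORY = (b"\x00junk"
                 + b"Mozilla/5.0 (Windows NT 6.1; WOW64) FoxitReader"
                 + b"\x00\x01more"
                 + "Mozilla/4.0 (compatible; MSIE 7.0)".encode("utf-16-le")
                 + b"\x00\x00\xff")

if __name__ == "__main__":
    for ua in find_user_agents(SAMPLE_MEMORY):
        print(ua)
```

On a real dump the interesting part is what the strings are used for: a service that carries several browser-style User-Agents is usually impersonating a browser in its outbound HTTP, which is worth confirming against the traffic in the captures above.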
Wednesday, June 29, 2016
Boleto Malspam Leads to Symmi
It starts with an email
The pdf button goes to a servint.net link, which in turn goes to dropbox.com
We're left with BOLETO-29-06-2016.PDF.zip, which extracts to BOLETO-29-06-2016.jar. Decompiling the jar we see several interesting bits:
The key and most of the crypto routine were pulled from avajava.com tutorials. After decrypting the embedded files we're left with two 64-bit files and two 32-bit files:
c4cb4fdf6369dd1342d2666171866ce5 is apparently calc.exe (?); the rest are packed with VMProtect. VT links:
https://www.virustotal.com/en/file/2db1aa1eed26fd3805c121ed42af2a35f93af22932462f4919b190b1cf5464dc/analysis/
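The two facts reported about the dropped files (32- vs 64-bit, VMProtect-packed) come straight out of the PE header, so here is an added example, not code from the post, that reads them. It parses the COFF header for the Machine field and lists section names; treating ".vmp*" section names as a VMProtect indicator is an assumption (a packer's default that can be renamed). The sample PE images are constructed in the block and are parseable but not loadable.

```python
"""Added example, not from the post: check whether a PE is 32- or 64-bit and
whether it carries VMProtect's default section names."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
# Assumption: VMProtect's default section names start with ".vmp"; a packed
# file can be renamed, so this is an indicator, not proof.
VMPROTECT_SECTION_PREFIX = b".vmp"


def pe_headers(data):
    """Return (machine, [section names]) from a PE image; ValueError otherwise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        raise ValueError("truncated COFF header")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    first = coff + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsections):
        off = first + i * 40  # IMAGE_SECTION_HEADER is 40 bytes, name is the first 8
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return machine, names


def is_pe(data):
    try:
        pe_headers(data)
        return True
    except ValueError:
        return False


def pe_bitness(data):
    """32, 64, or None for a machine type other than i386/amd64."""
    machine, _ = pe_headers(data)
    return {IMAGE_FILE_MACHINE_I386: 32, IMAGE_FILE_MACHINE_AMD64: 64}.get(machine)


def looks_vmprotected(data):
    _, names = pe_headers(data)
    return any(n.startswith(VMPROTECT_SECTION_PREFIX) for n in names)


def describe(data):
    bits = pe_bitness(data) or "unknown"
    _, names = pe_headers(data)
    packed = "VMProtect section names" if looks_vmprotected(data) else "no packer indicator"
    return f"{bits}-bit PE, sections {[n.decode('latin-1') for n in names]}, {packed}"


def build_minimal_pe(machine, section_names):
    """Constructed test input: MZ stub, PE signature, COFF header with an empty
    optional header and bare section headers. Parseable, not loadable."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, describe(fh.read()))
```

Run it over the four decrypted files; the one that is plain calc.exe should report ordinary section names, and the VMProtect ones should show the .vmp sections alongside a largely empty .text.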
Friday, February 5, 2016
A Concise List of Windows 10 Network Activity on Boot
This is just a list of what Sysmon's network connection events show on boot. The box is Windows 10 Pro with all the security settings set as strict as allowed: a fresh install, updated, no applications installed, and no user interaction. Interestingly, Procmon running on Windows 10 doesn't show any of this activity. The CSV is below; read it from the bottom up (the oldest event is last).
Type,Date,Time,Domain\User,Computer,Process proto dst ip
Information,2/5/2016,12:02:16 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:02:14 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:57 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:45 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:42 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:38 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:35 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:33 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 191.232.139.170
Information,2/5/2016,12:01:04 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 191.232.139.170
Information,2/5/2016,12:00:53 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:00:50 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:00:38 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 134.170.179.87
Information,2/5/2016,12:00:37 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 131.253.61.66
Information,2/5/2016,12:00:36 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 134.170.179.87
Information,2/5/2016,12:00:35 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 131.253.61.66
Information,2/5/2016,12:00:31 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 239.255.255.250
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp 127.0.0.1
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp 239.255.255.250
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 64.4.54.253
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 131.253.40.84
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 23.196.87.75
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.231.200.101
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.231.255.140
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 131.253.40.84
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 131.253.40.84
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.231.200.101
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 23.196.87.75
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.231.255.140
Information,2/5/2016,12:00:29 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\CompatTelRunner.exe tcp 64.4.54.253
Information,2/5/2016,12:00:28 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 107.20.234.199
Information,2/5/2016,12:00:14 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,11:59:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.129.104.158
Information,2/5/2016,11:59:25 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:24 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:24 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:24 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:23 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:23 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:23 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:22 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 65.55.113.11
Information,2/5/2016,11:59:22 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:19 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.129.104.165
Information,2/5/2016,11:59:17 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 65.52.108.252
Information,2/5/2016,11:59:16 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 65.52.108.103
Information,2/5/2016,11:59:13 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.129.104.158
Information,2/5/2016,11:58:57 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,11:58:56 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 111.221.29.222
Information,2/5/2016,11:58:54 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,11:58:52 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.4.54.36
Information,2/5/2016,11:58:50 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.4.54.36
Information,2/5/2016,11:58:50 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.4.54.36
Information,2/5/2016,11:58:29 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 172.226.137.132
Information,2/5/2016,11:58:29 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 172.226.137.132
Information,2/5/2016,11:58:29 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 64.129.104.150
Information,2/5/2016,11:58:28 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 64.129.104.150
Information,2/5/2016,11:58:28 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 172.226.113.163
Information,2/5/2016,11:58:28 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 172.225.172.125
Information,2/5/2016,11:58:28 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 172.226.113.163
Information,2/5/2016,11:58:23 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 198.41.215.184
Information,2/5/2016,11:58:23 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 65.52.108.252
Information,2/5/2016,11:58:22 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 198.41.215.184
Information,2/5/2016,11:58:22 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 72.21.91.8
Information,2/5/2016,11:58:21 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 65.52.108.252
Information,2/5/2016,11:58:20 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 72.21.91.8
Information,2/5/2016,11:58:20 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 65.52.108.103
Information,2/5/2016,11:58:19 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 72.21.91.8
Information,2/5/2016,11:58:18 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 65.52.108.103
Information,2/5/2016,11:58:12 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe tcp 204.79.197.200
Information,2/5/2016,11:58:11 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\SppExtComObj.Exe tcp 10.0.5.34
Information,2/5/2016,11:58:11 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\SppExtComObj.Exe tcp 10.0.5.34
Information,2/5/2016,11:57:56 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 65.55.113.11
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp e000:fc:0:0:0:0:0:0
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp ff02:0:0:0:0:0:1:3
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 65.55.113.11
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp 10.10.0.25
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp a0a:19:0:0:0:0:0:0
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp ff02:0:0:0:0:0:1:2
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 10.0.2.15
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 10.0.2.255
And matching IP to name for a unique list (the e000:fc:0:0:0:0:0:0 and a0a:19:0:0:0:0:0:0 entries are IPv4 addresses rendered in IPv6 form: 224.0.0.252, the LLMNR multicast address, and 10.10.0.25; ff02::1:3 and ff02::1:2 are the IPv6 LLMNR and DHCPv6 multicast groups):
107.20.234.199 version.hybrid.api.here.com
111.221.29.222 tsfe.trafficshaping.dsp.mp.microsoft.com
131.253.40.84 platform.maps.glbdns2.microsoft.com
131.253.61.66 login.live.com.nsatc.net
134.170.179.87 device.auth.xboxlive.com
172.225.172.125 store-images.microsoft.com
172.225.172.182 go.microsoft.com.edgekey.net
172.226.113.163 store-images.s-microsoft.com
172.226.137.132 sci1-1.am.microsoft.com
172.231.200.101 t0.ssl.ak.dynamic.tiles.virtualearth.net
172.231.255.140 t0.ssl.ak.tiles.virtualearth.net
191.232.139.170 tsfe.trafficshaping.dsp.mp.microsoft.com
198.41.215.184 ocsp.msocsp.com
204.79.197.200 tse4.mm.bing.net
23.196.87.75 ssl2.tiles.virtualearth.net.edgekey.net
64.129.104.150 static.btrd.net
64.129.104.158 ctldl.windowsupdate.nsatc.net
64.129.104.165 ctldl.windowsupdate.nsatc.net
64.4.54.253 settings-win.data.microsoft.com
64.4.54.36 licensing.mp.microsoft.com
65.52.108.103 arc.msn.com
65.52.108.252 rpt.msn.com
65.55.113.11 dmd.metaservices.microsoft.com
72.21.91.8 cdn.optimizely.com
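To turn a list like this into something reviewable, the following added example (not code from the post) parses the CSV layout above, undoes the IPv4-as-IPv6 rendering, enriches each destination from the post's IP-to-name table and splits destinations per process into local, first-party and third-party. The embedded CSV lines and name table are copied from the post; the suffix list that decides what counts as Microsoft-operated is an assumption and should be tuned to what you consider acceptable.

```python
"""Added example, not from the post: parse the Sysmon connection list above,
normalise the addresses, and summarise destinations per process."""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# A handful of lines copied from the post's CSV (same layout: the last column
# holds "process proto dst_ip", space separated).
SAMPLE_CSV = r"""Type,Date,Time,Domain\User,Computer,Process proto dst ip
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 23.196.87.75
Information,2/5/2016,12:00:29 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\CompatTelRunner.exe tcp 64.4.54.253
Information,2/5/2016,12:00:28 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 107.20.234.199
Information,2/5/2016,11:58:22 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 72.21.91.8
Information,2/5/2016,11:58:12 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe tcp 204.79.197.200
Information,2/5/2016,11:58:11 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\SppExtComObj.Exe tcp 10.0.5.34
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp e000:fc:0:0:0:0:0:0
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp ff02:0:0:0:0:0:1:3
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 10.0.2.255
"""

# Subset of the post's IP-to-name table.
IP_NAMES = {
    "23.196.87.75": "ssl2.tiles.virtualearth.net.edgekey.net",
    "64.4.54.253": "settings-win.data.microsoft.com",
    "107.20.234.199": "version.hybrid.api.here.com",
    "72.21.91.8": "cdn.optimizely.com",
    "204.79.197.200": "tse4.mm.bing.net",
}

# Assumption: these suffixes are Microsoft-operated hosts, plus the Akamai
# edgekey.net names fronting them in this capture; anything else gets flagged.
FIRST_PARTY_SUFFIXES = (".microsoft.com", ".msn.com", ".live.com", ".bing.net",
                        ".xboxlive.com", ".virtualearth.net", ".msocsp.com",
                        ".nsatc.net", ".edgekey.net")


def normalize_ip(raw):
    """Sysmon printed some IPv4 addresses as eight hex groups with the address
    in the first two (e000:fc:0:0:0:0:0:0 is 224.0.0.252); undo that, and
    canonicalise real IPv6 addresses."""
    if ":" not in raw:
        return raw
    groups = raw.split(":")
    if len(groups) == 8 and all(g == "0" for g in groups[2:]):
        packed = (int(groups[0], 16) << 16) | int(groups[1], 16)
        return str(ipaddress.IPv4Address(packed))
    return str(ipaddress.IPv6Address(raw))


def parse_events(text):
    """Yield (time, process basename, proto, dst_ip) from the CSV."""
    rows = csv.reader(io.StringIO(text))
    next(rows)  # header
    for row in rows:
        if len(row) < 6:
            continue
        proc, proto, ip = row[5].rsplit(None, 2)
        yield row[2], proc.rsplit("\\", 1)[-1], proto, normalize_ip(ip)


def classify(ip):
    """'local' for RFC1918/loopback/link-local/multicast, else by name table."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private or addr.is_loopback or addr.is_multicast or addr.is_link_local:
        return "local"
    name = IP_NAMES.get(ip)
    if name is None:
        return "unknown"
    return "first-party" if name.endswith(FIRST_PARTY_SUFFIXES) else "third-party"


def summarize(text):
    """Return {process: Counter({(proto, ip, class): hits})}."""
    summary = defaultdict(Counter)
    for _, proc, proto, ip in parse_events(text):
        summary[proc][(proto, ip, classify(ip))] += 1
    return summary


def third_party_destinations(text):
    """Sorted hostnames that are neither local nor on the first-party list."""
    return sorted({IP_NAMES[ip] for _, _, _, ip in parse_events(text)
                   if classify(ip) == "third-party"})


if __name__ == "__main__":
    for proc, dests in summarize(SAMPLE_CSV).items():
        for (proto, ip, kind), n in sorted(dests.items()):
            print(f"{proc:24} {proto} {ip:16} {kind:12} x{n} {IP_NAMES.get(ip, '')}")
    print("third-party:", third_party_destinations(SAMPLE_CSV))
```

On the full list this separates the Microsoft telemetry endpoints from the two destinations that are not Microsoft at all (here.com from the Maps app and optimizely.com via backgroundTaskHost.exe), which are the ones worth a firewall rule or a question.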
Friday, November 20, 2015
A comparison of OS phone homes
Wednesday, August 19, 2015
Binnavi install on Windows
Great app... I couldn't find anywhere that talked about what you need to build it, so here goes:
Apache Ant
Apache Maven
Java JDK
PostgreSQL
Install the JDK, create a new Windows environment variable called JAVA_HOME that points to the install directory (e.g. C:\Program Files\Java\jdk1.8.0_60). Extract apache-maven-*.*.*-bin.zip and apache-ant-*.*.*-bin.zip, put them somewhere (I put mine just in "c:\"), and add both bin directories to your PATH (I renamed the folders, so mine look like: C:\apache-maven\bin;C:\apache-ant\bin).
Install PostgreSQL, and with pgAdmin create a new user (I called mine binnavi), then create a new database (I called mine binnavi) with the owner being binnavi.
Get a command prompt/powershell and cd to binnavi-master then build:
mvn dependency:copy-dependencies
ant -f src/main/java/com/google/security/zynamics/build.xml build-binnavi-fat-jar
Then run and point to your PostgreSQL instance:
java -jar target/binnavi-all.jar
Done.