Suspicious IP Addresses Avoided by Malware Samples
Modern malware samples implement a lot of anti-debugging and anti-analysis techniques. The idea is to slow down the malware analyst's job or, more simply, to bypass security solutions like sandboxes. These days, I see more and more malware samples written in Python that have these built-in capabilities. One of them is the detection of “suspicious” IP addresses.
The last one I found has the SHA256 9d4d651095f9e03a0321def2dc47252ed22334664218f3df9e2f3dbbf99cdc1b with a VT score of 8/57[1].
Here is a common code snippet:
def check_ip(): blacklisted = { ... } while True: try: ip = urllib.request.urlopen('https://checkip.amazonaws.com').read().decode().strip() if ip in blacklisted: exit_program('Blacklisted IP Detected') return except: pass
The malware will query the public IP address of the host where it is running and, if it is present on the “blacklisted” list, it will exit… But what are these IP addresses? I had a look at them and here is the list:
IP Address |
PTR Record |
AS Name |
AS Country |
Attacks (ISC) |
Count (ISC) |
20[.]99[.]160[.]173 |
NXDOMAIN |
MICROSOFT-CORP-MSN-AS-BLOCK |
US |
0 |
0 |
23[.]128[.]248[.]46 |
tor-exit46[.]stormycloud[.]org |
DATAIDEAS-LLC |
US |
0 |
0 |
34[.]105[.]0[.]27 |
27[.]0[.]105[.]34[.]bc[.]googleusercontent[.]com |
GOOGLE-CLOUD-PLATFORM |
US |
0 |
0 |
34[.]105[.]183[.]68 |
68[.]183[.]105[.]34[.]bc[.]googleusercontent[.]com |
GOOGLE-CLOUD-PLATFORM |
US |
21 |
32 |
34[.]105[.]72[.]241 |
241[.]72[.]105[.]34[.]bc[.]googleusercontent[.]com |
GOOGLE-CLOUD-PLATFORM |
US |
0 |
0 |
34[.]138[.]96[.]23 |
23[.]96[.]138[.]34[.]bc[.]googleusercontent[.]com |
GOOGLE-CLOUD-PLATFORM |
US |
0 |
0 |
34[.]141[.]146[.]114 |
114[.]146[.]141[.]34[.]bc[.]googleusercontent[.]com |
GOOGLE-CLOUD-PLATFORM |
US |
19 |
28 |
34[.]141[.]245[.]25 |
25[.]245[.]141[.]34[.]bc[.]googleusercontent[.]com |
GOOGLE-CLOUD-PLATFORM |
US |
35 |
51 |
34[.]142[.]74[.]220 |
220[.]74[.]142[.]34[.]bc[.]googleusercontent[.]com |
|
US |
0 |
0 |
34[.]145[.]195[.]58 |
58[.]195[.]145[.]34[.]bc[.]googleusercontent[.]com |
GOOGLE-CLOUD-PLATFORM |
US |
0 |
0 |
34[.]145[.]89[.]174 |
174[.]89[.]145[.]34[.]bc[.]googleusercontent[.]com |
|
US |
0 |
0 |
34[.]253[.]248[.]228 |
ec2-34-253-248-228[.]eu-west-1[.]compute[.]amazonaws[.]com |
AMAZON-02 |
US |
0 |
0 |
34[.]83[.]46[.]130 |
130[.]46[.]83[.]34[.]bc[.]googleusercontent[.]com[ |
GOOGLE-CLOUD-PLATFORM |
US |
0 |
0 |
34[.]85[.]243[.]241 |
241[.]243[.]85[.]34[.]bc[.]googleusercontent[.]com |
GOOGLE-CLOUD-PLATFORM |
US |
0 |
0 |
34[.]85[.]253[.]170 |
170[.]253[.]85[.]34[.]bc[.]googleusercontent[.]com |
GOOGLE-CLOUD-PLATFORM |
US |
0 |
0 |
35[.]192[.]93[.]107 |
107[.]93[.]192[.]35[.]bc[.]googleusercontent[.]com |
|
US |
0 |
0 |
35[.]199[.]6[.]13 |
13[.]6[.]199[.]35[.]bc[.]googleusercontent[.]com |
|
US |
0 |
0 |
35[.]229[.]69[.]227 |
227[.]69[.]229[.]35[.]bc[.]googleusercontent[.]com |
|
US |
0 |
0 |
35[.]237[.]47[.]12 |
12[.]47[.]237[.]35[.]bc[.]googleusercontent[.]com |
|
US |
0 |
0 |
64[.]124[.]12[.]162 |
64[.]124[.]12[.]162[.]IDIA-144793-004-ZYO[.]zip[.]zayo[.]com |
ZAYO-6461 |
US |
0 |
0 |
78[.]139[.]8[.]50 |
catv-78-139-8-50[.]catv[.]fixed[.]vodafone[.]hu |
ASN-VODAFONE- |
HU |
0 |
0 |
79[.]104[.]209[.]33 |
NXDOMAIN |
SOVAM-AS |
RU |
0 |
0 |
80[.]211[.]0[.]97 |
host97-0-211-80[.]serverdedicati[.]aruba[.]it |
ARUBA-ASN |
IT |
0 |
0 |
84[.]147[.]54[.]113 |
p54933671[.]dip0[.]t-ipconnect[.]de |
DTAG Internet service provider operations |
DE |
0 |
0 |
84[.]147[.]62[.]12 |
p54933e0c[.]dip0[.]t-ipconnect[.]de |
DTAG Internet service provider operations |
DE |
0 |
0 |
87[.]166[.]50[.]213 |
p57a632d5[.]dip0[.]t-ipconnect[.]de |
DTAG Internet service provider operations |
DE |
0 |
0 |
88[.]132[.]225[.]100 |
host-88-132-225-100[.]kabelszat2002[.]hu |
GAX-KABELSZAT |
HU |
0 |
0 |
88[.]132[.]226[.]203 |
host-88-132-226-203[.]kabelszat2002[.]hu |
GAX-KABELSZAT |
HU |
0 |
0 |
88[.]132[.]227[.]238 |
host-88-132-227-238[.]kabelszat2002[.]hu |
GAX-KABELSZAT |
HU |
0 |
0 |
88[.]132[.]231[.]71 |
host-88-132-231-71[.]kabelszat2002[.]hu |
GAX-KABELSZAT |
HU |
0 |
0 |
88[.]153[.]199[.]169 |
ip-088-153-199-169[.]um27[.]pools[.]vodafone-ip[.]de |
VODANET International IP-Backbone of Vodafone |
DE |
0 |
0 |
92[.]211[.]109[.]160 |
ipservice-092-211-109-160[.]092[.]211[.]pools[.]vodafone-ip[.]de |
VODANET International IP-Backbone of Vodafone |
DE |
0 |
0 |
92[.]211[.]192[.]144 |
ipservice-092-211-192-144[.]092[.]211[.]pools[.]vodafone-ip[.]de |
VODANET International IP-Backbone of Vodafone |
DE |
0 |
0 |
92[.]211[.]52[.]62 |
ipservice-092-211-052-062[.]092[.]211[.]pools[.]vodafone-ip[.]de |
VODANET International IP-Backbone of Vodafone |
DE |
0 |
0 |
92[.]211[.]55[.]199 |
ipservice-092-211-055-199[.]092[.]211[.]pools[.]vodafone-ip[.]de |
VODANET International IP-Backbone of Vodafone |
DE |
0 |
0 |
93[.]216[.]75[.]209 |
p5dd84bd1[.]dip0[.]t-ipconnect[.]de |
DTAG Internet service provider operations |
DE |
0 |
0 |
95[.]25[.]204[.]90 |
95-25-204-90[.]broadband[.]corbina[.]ru |
CORBINA-AS OJSC Vimpelcom |
RU |
0 |
0 |
95[.]25[.]81[.]24 |
95-25-81-24[.]broadband[.]corbina[.]ru |
CORBINA-AS OJSC Vimpelcom |
RU |
0 |
0 |
104[.]18[.]12[.]38 |
NXDOMAIN |
CLOUDFLARENET |
US |
0 |
0 |
109[.]145[.]173[.]169 |
host109-145-173-169[.]range109-145[.]btcentralplus[.]com |
BT-UK-AS BTnet UK Regional network |
GB |
0 |
0 |
109[.]74[.]154[.]90 |
SERVFAIL |
VNET-AS |
SK |
0 |
0 |
109[.]74[.]154[.]91 |
SERVFAIL |
VNET-AS |
SK |
0 |
0 |
109[.]74[.]154[.]92 |
SERVFAIL |
VNET-AS |
SK |
0 |
0 |
178[.]239[.]165[.]70 |
70[.]165[.]239[.]178[.]baremetal[.]zare[.]com |
BANDWIDTH-AS |
GB |
1 |
1 |
188[.]105[.]91[.]116 |
dslb-188-105-091-116[.]188[.]105[.]pools[.]vodafone-ip[.]de |
VODANET International IP-Backbone of Vodafone |
DE |
0 |
0 |
188[.]105[.]91[.]143 |
dslb-188-105-091-143[.]188[.]105[.]pools[.]vodafone-ip[.]de |
VODANET International IP-Backbone of Vodafone |
DE |
0 |
0 |
188[.]105[.]91[.]173 |
dslb-188-105-091-173[.]188[.]105[.]pools[.]vodafone-ip[.]de |
VODANET International IP-Backbone of Vodafone |
DE |
0 |
0 |
192[.]211[.]110[.]74 |
NXDOMAIN |
DNIC-ASBLK-00721-00726 |
US |
0 |
0 |
192[.]40[.]57[.]234 |
NXDOMAIN |
PERFORMIVE |
US |
0 |
0 |
192[.]87[.]28[.]103 |
192[.]87[.]28[.]103[.]dyn[.]centr[.]nl |
SURFNET-NL SURFnet, The Netherlands |
NL |
1 |
1 |
193[.]128[.]114[.]45 |
h193-128-114-45[.]ptr[.]roamsite[.]com |
UUNET |
US |
0 |
0 |
193[.]225[.]193[.]201 |
NXDOMAIN |
HBONE-AS KIFU |
HU |
0 |
0 |
194[.]154[.]78[.]160 |
SERVFAIL |
SOVAM-AS |
RU |
0 |
0 |
195[.]181[.]175[.]105 |
unn-195-181-175-105[.]datapacket[.]com |
CDN77 \\^_^ |
GB |
0 |
0 |
195[.]239[.]51[.]3 |
NXDOMAIN |
SOVAM-AS |
RU |
0 |
0 |
195[.]239[.]51[.]59 |
NXDOMAIN |
SOVAM-AS |
RU |
0 |
0 |
195[.]74[.]76[.]222 |
r-222[.]76[.]74[.]195[.]ptr[.]avast[.]com |
AVAST-AS-DC |
CZ |
0 |
0 |
212[.]119[.]227[.]151 |
NXDOMAIN |
SOVAM-AS |
RU |
0 |
0 |
212[.]119[.]227[.]167 |
NXDOMAIN |
SOVAM-AS |
RU |
0 |
0 |
213[.]33[.]142[.]50 |
mail[.]areal-hotel[.]ru |
SOVAM-AS |
RU |
0 |
0 |
Most of these IP addresses belong to major cloud providers. You can also see that some of them have a non-zero number of attacks/counts (results extracted from our AP[2]). Probably most of them are sandboxes or analysis systems deployed by security companies or researchers? I did a quick nmap scan of them and most do not export any port/service.
In the case above, the IP address verification is not performed to detect if the computers is an interesting host to infect or not (classic scenario: when country "x" would like to attack country "y"). In such scenario, the performed tests will rely on big IP pools used by Internet providers, the keyboard mapping, the OS language, etc...
I will keep this list of IP addresses up-to-date amongst my discovered samples and see if there are big changes.
[1] https://www[.]virustotal[.]com/gui/file/9d4d651095f9e03a0321def2dc47252ed22334664218f3df9e2f3dbbf99cdc1b
[2] https://isc.sans.edu/api/
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Reverse-Engineering Malware: Advanced Code Analysis | Singapore | Nov 18th - Nov 22nd 2024 |
Comments
In your experience does a AI monitoring tool could be effective to detect and protect this kind of behaviour?
DQC
Jul 27th 2023
1 year ago
https://www.trellix.com/en-ca/about/newsroom/stories/research/skuld-the-infostealer-that-speaks-golang.html
Dennis K
Jul 27th 2023
1 year ago
newyork167
Jul 29th 2023
1 year ago