So, about this final talk of the day: I think he submitted this as a CFP and it landed right on the dot, right when all this crap was happening. When I saw this talk, I talked to the previous speaker, Eric, who runs the honeypots, and we said, we've got to talk to this guy. Did you talk to Eric at all? Did you see the honeypot? The honeypot has been a part of our village, and we said, we've got to bring this guy in. And without much ado, he's going to talk about a very, very relevant issue. Anyone doing policy here, by any chance, anyone non-technical or doing policy? This will be a pretty good talk, especially for you. It's a good indoctrination in why the cybersecurity problem is so bad. And it is my pleasure to introduce Tan Kien-chong.

Thanks, Ming. Thank you very much. Can you guys hear me at the back, at the front? It should be fine, right? Okay. Hey, everyone. My name is Kien-chong; you can call me Kien. Thank you very much for having me here today to share a few interesting stories about my 15 days of SMB honeypot. I run honeypots; I'm a honeypot hobbyist, definitely. And I ran this honeypot during the WannaCry ransomware time. Initially, I just expected that I might catch tons of WannaCry ransomware, but unexpectedly and interestingly, I found that there were lots of uninvited guests that tried to talk to my honeypot, tried to crash the party, crawling into the honeypot and laying their eggs inside it. So for the next 40 minutes, I'm going to share with you what I have in my honeypot. I'm going to empty out all my pockets and share the payloads themselves with you. And then, yeah, here we go.
So I'm going to share with you only three things in this session. The first will be, let's explore WannaCry ransomware together in brief, from a network perspective. The second: I'm going to share my design of the honeypot itself, and then we will see the so-called wonderful interactions between the honeypot and the WannaCry ransomware. And for the third, we're going to see what happened to my honeypot after I pushed it to the internet. Last but not least, I will definitely share some of the photos that I have of my honeypot itself, so please don't let me go if I don't share them with you.

Just a quick introduction about myself. I'm from Malaysia, I'm a honeypot hobbyist, and I'm part of the Honeynet Project as well. During my free time, I try to develop honeypots, deploy honeypots, and then see what I can get from the internet. I'm involved in some of the so-called open source network honeypots, for example the Dionaea honeypot and the Garten honeypot. Three years back, we found there was a challenge about how we could deploy a honeypot on a Raspberry Pi, those credit-card-sized machines. Christopher Lake from the Honeynet Project Singapore chapter and I started a project called HoneyPie: everyone can download the image, burn it onto an SD card, boot it on the Raspberry Pi, and boom, you've got a honeypot set up. That's it. It's much easier to set up a honeypot within 15 minutes with this Raspberry Pi. So this is the HoneyPie project. Also during my free time, I'm involved in the Hack In The Box conference, HITB. This coming August we'll have one HITB conference in Singapore, so feel free to join us if you're in town. And I'm also part of the Capture the Flag team for Hack In The Box.
A few of us have set up the game for the Hack In The Box conference for the past few years. I would say this is always one of the exciting experiences, because people trying to solve the challenges will definitely try to get access to your scoreboard.

Well, this is one of the most scary and one of the most exciting screens you could have had back in May 2017. I would say that if you had that on your screen, it could potentially mean that, oh shit, shit happened: you may have gotten infected with WannaCry somewhere. But I know some very smart-ass dudes who put this on their screen, and when some guy walks over and says, hey man, you got infected with WannaCry, he just replies, hey dude, just relax, this is just a screensaver, no worries. I heard this story, yeah, seriously. Personally I would say there's good and bad about the WannaCry ransomware attack. The bad thing, definitely, is that it disrupted a lot of operations. For example, I heard that some car manufacturing companies had to shut down their entire production line because of the WannaCry ransomware attack. And let me share this story. During the WannaCry ransomware outbreak, I was in an Uber ride, and I had a good conversation with the driver, a 60-year-old retiree. We chit-chatted and he asked me, hey Kien, what do you do for a living? I told him that I'm in the IT industry. But the next question he asked me really amazed and surprised me the most. He asked me, hey Kien (I mean, he's a 60-year-old retiree), have you heard about the WannaCry ransomware attack? Is WannaCry going to infect my iPhone?
I would say good and bad: the good thing is the WannaCry ransomware attack created a lot of security awareness for us as well as for lots of non-IT people. He was definitely concerned about his iPhone because he uses his iPhone for his living; if his phone got infected, I think his rides would be in trouble. So let's dive in. Let's simply explore together how WannaCry works from a network perspective. Just a brief one. Personally, I love to simplify stuff: I love to simplify complicated concepts into simple concepts, simple ideas. So let's explore this WannaCry attack life cycle in brief. I love to simplify it into just three simple phases. The first one is scanning: WannaCry will try to scan the targeted hosts. After that, it moves on to the second phase, the so-called exploitation phase. And the third is delivering the payload itself. In the scanning phase, it checks whether the targeted host is patched or not. The second thing it checks is whether the DoublePulsar backdoor is installed. Then it moves on to the second phase, the exploitation phase, which goes with the EternalBlue exploit. Upon the success of the exploitation, it will install DoublePulsar into it. These are the very simple first two steps: scanning, then exploitation. And the third one is, definitely, WannaCry will happily deliver the payload to the compromised host. So this is just a very brief one about the three simplest steps. Let's take a look from the network perspective. I'm going to show a few screenshots of WannaCry from the network packet capture perspective. So let's see.
In the initial phase, WannaCry will check whether the system is patched or not, whether the system is vulnerable to the MS17-010 vulnerability. It does this with one simple request, an SMB named pipe Trans request with the file ID equal to zero. A normal Windows 7, or a clean installation of a Windows 7 machine, will reply with a Trans response, the one highlighted in blue, and then it will continue with the error message STATUS_INSUFF_SERVER_RESOURCES. By looking at that, WannaCry makes a second check. This check is to check whether DoublePulsar is installed on the machine. And this check is interesting; I mean, it caught my eye when I first tried to analyze and understand how these things work. The check is done through a Trans2 request with a multiplex ID equal to 65, which is highlighted in gray. A normal, clean machine will come back with a response called a Trans2 response, SESSION_SETUP, with multiplex ID equal to 65. Request 65, response 65. So in this case, WannaCry understands that, well, this machine is not infected, it's not patched, it doesn't have DoublePulsar installed. So what it will do is go to the next, the second phase, which is the exploitation. This is how EternalBlue looks from a network perspective. It's just a long, I would say very long, quite long, Base64-encoded string. I mean, we can try to decode and try to understand that, but upon the success of the EternalBlue exploitation, it will install DoublePulsar. So right now we have completed the initial phase, the scanning, and the second phase, the exploitation. And here we go: WannaCry will try to make a final check.
It will check whether the DoublePulsar backdoor installed nicely on the compromised host. The check is pretty simple, the same old trick, using the Trans2 request with the multiplex ID equal to 65. We have seen it before, but surprisingly the response that comes back is a Trans2 response with multiplex ID equal to 81. So let's see: 65, 65. That is the original request and response if the machine is not infected by DoublePulsar. But if the machine is infected with DoublePulsar, the request multiplex ID will be 65 and the response will be 81. Let's see, 65, 81. The difference is 16, and 16 is equivalent to the hex value 0x10. By looking at this particular difference in the multiplex ID, WannaCry understands that, well, this machine has DoublePulsar installed successfully. So DoublePulsar will start to perform the so-called payload delivery: I have the payload, you are my targeted host, you just eat it. It sends all the payloads to the compromised host. And if the payload gets executed on the host, the first thing the payload will do is perform a DNS resolution of this very long random-string domain. I think a lot of us will be very familiar with this. This is the so-called kill switch domain that we have for the WannaCry ransomware. I would say that this is the design flaw of the WannaCry ransomware itself. When the WannaCry ransomware payload gets executed, the first thing is: if it fails to resolve this particular domain, it will start to perform encryption on the disk, trying to lock the PC itself. But the catch is this domain is not as easy as it seems; it's just random, something that came out of someone or some sandbox stuff.
So no matter how WannaCry tried to resolve this domain, it would not get any resolution back. There was no IP address that matched this domain initially. So, props to the 22-year-old, young, very brilliant British researcher. He said, let me try to register this domain; I'm going to own this domain. So in this case, any attempt at this DNS resolution will come back with the IP address. Boom. Thanks to this act, definitely, he slowed down the whole WannaCry ransomware outbreak around the whole world. I mean, this is a very good trick, definitely, to try to stop the entire so-called operation itself. So right now, let's look back at the entire life cycle. We have completed the initial phase, the exploitation phase and the payload phase. So right now everyone here is a WannaCry expert. So as a honeypot researcher, back in May 2017, I noticed that the security industry faced a very big challenge: how can we collect, or how can we download, all the WannaCry payloads, as many as possible, as easily as possible? This was one of the very big challenges we encountered back in May, two months back. So I took a look at this attack life cycle, and I found a pretty interesting behavior of the WannaCry ransomware. Again, I love to simplify complicated ideas into simpler ideas. I found that we can simplify these five simple steps into just three steps. So let's see. WannaCry started to talk to me. He said, hey Kien, are you patched with the patches? Then I respond to him: no, I'm not patched.
I'm vulnerable to this vulnerability. Then WannaCry sends me a second request: are you installed with DoublePulsar? And I respond, hey man, I'm infected with DoublePulsar. And I noticed that WannaCry will not proceed with the exploitation phase, and it will not proceed with the installation of a new DoublePulsar. What it will do is just happily deliver the payload to me. So right now, I have the payload. In this case, we simplify these five steps into three steps. When I discovered this behavior, I had a thought: let's try to implement the whole thing in the honeypot and see what we get. The honeypot I chose is the Dionaea honeypot. Dionaea, this particular name, I always misspell, which is D-I-O-N-A-E-A. When I type it, I think I have fat fingers: D-I-O-N-A-N-A, D-I-O-N-N-N-N-A. But no, this is a very easy to remember name, the Dionaea honeypot, which is equivalent to this particular weird-shaped plant here. So right now, I think everyone is a WannaCry expert and everyone is a Dionaea expert, right? The most powerful feature of the Dionaea honeypot is its capability for network emulation. A bit of a story about the Dionaea honeypot: it was developed back in the Conficker era, back in 2008 or 2009. But it has proven to be very useful after seven or eight years, up to right now. The Dionaea honeypot is capable of supporting a lot of protocols. Mainly it will be the SMB protocol, HTTP, FTP, TFTP, the SQL protocol as well, and also VoIP, SIP.
Two years back, I started to implement the IoT protocols, UPnP and MQTT, into it. So two months ago, with that simplified idea we had, I tried to implement the entire idea inside the honeypot itself. What I did is, I turned the Dionaea honeypot into a Windows 7 machine that is infected with the DoublePulsar backdoor. This is the core idea of the entire honeypot. So right now, the Dionaea honeypot is able to speak the DoublePulsar language. It can interpret, it can understand how DoublePulsar works. For example, about the commands: an external host tries to talk to my DoublePulsar and sends a first command called ping. I ping you, and DoublePulsar responds: hey, I'm here. Then it sends a second request, which is the execute request. With this request, the Dionaea honeypot understands that, well, these guys are going to send a payload to me. And there is a very interesting command; maybe a lot of people are not aware of this particular DoublePulsar command: that's the kill command, with which we can kill the DoublePulsar backdoor. So during the design of the honeypot, a couple of friends and I sat down and caught up over a beer, and we had the thought: why not? We just create an internet scanner, scan the whole internet, find any machines with the DoublePulsar backdoor, and send the kill command to the DoublePulsar backdoor. Are we going to kill all the DoublePulsar-infected machines in the world? Are we going to stop the entire WannaCry outbreak, besides that kill switch domain? We had this kind of thought: why not just create a scanner, zoom, scan the whole internet, and after a day, we get everything done.
But the problem is, it doesn't solve the fundamental question, which is the security patches on the Windows machines themselves. So even being able to kill DoublePulsar doesn't make sense; the infections will still come back. So let's focus on the interesting stuff. Right now, the Dionaea honeypot can speak the DoublePulsar language, and we start seeing the payloads coming into the honeypot. The egg is coming. But the problem is, there's another big challenge: the payload itself is encrypted, so we're not able to parse it. Definitely, thanks to zerosum0x0 for his very detailed analysis of how DoublePulsar works, we understand that this encryption is just a simple four-byte key with some algorithm. In fact, this encryption key is provided by the compromised host: the infected host provides the XOR key to WannaCry, WannaCry uses it to encrypt the payload and sends it to the compromised host. So in this case, I would say, let's have our honeypot provide this key to WannaCry; WannaCry takes it and encrypts, we get it, we decrypt. This is the idea behind the scenes. And this key is embedded in this particular SMB Trans2 response, the one squared in red, in the signature field. So right now we have the DoublePulsar backdoor, we have the encryption and decryption. Here we go. This is the beautiful payload that we have in our honeypot. In the payload itself there are a few PE files, PE headers; you have a couple, I think two or three, three or four PE headers inside the payload. This exactly matches the WannaCry behavior, which is that WannaCry embeds its resources, its EXE, in the resource section of the PE itself.
Then we saw that there is some additional code prepended in front of the first PE file. What we do is just strip it off. Now we have the clean binary. So let me show you: this is one of the very beautiful interactions between my honeypot and the WannaCry ransomware. This is how they talk to each other, how they flirt with each other. WannaCry starts to lay eggs, pushing all the eggs into my honeypot. We have the payload. We start to decrypt the payload with the four-byte key that we sent them. After that we find the PE headers and remove the code prepended before the PE headers. Boom. We have those clean payloads in our pocket. This is how it works.

At the same time, in May, we know that Windows was vulnerable to the WannaCry ransomware. But for Linux machines, the same thing: they had the so-called SambaCry vulnerability. This vulnerability is pretty interesting: for example, let's say we're able to find one SMB server, and on that SMB server there's a writable folder. We can put our binary into it. By uploading the binary that we have into the writable folder, we can do some tricks to get it executed. So this is one of the wonderful wormable vulnerabilities. Anyone can just create a worm, scan the whole internet, and pop as many shells as possible. Metasploit came out with one very interesting module, is_known_pipename, which is pretty stable. So for me again, as a honeypot hobbyist, I love to turn my honeypot into an SMB server with a writable shared folder.
Then Dionaea will be happy to receive all the payloads, all the eggs coming from around the world. So I tried to implement these things in Dionaea. So the Dionaea honeypot can be a Windows SMB machine, or it can be another so-called Samba server. Oh, I was told that I need to put cat photos in my slides because this will get everyone high. Oh, no, no, no, it'll get everyone excited. All right. Right now we have our honeypot design, so we push it to the internet and let's see what we're going to get. Oh, another one. So if later we manage to meet up, let's catch up over beer if you're interested in honeypots, SMB honeypots; and if you're running some honeypots, I'd love to hear about your ideas, definitely.

So let's see, I'm going to empty out all my pockets. I'm going to share with you what I've seen for the past few months, especially during the 15 days of the hot, so-called golden age of the WannaCry outbreak. So here we go. What happened to my honeypot? I've been running a honeypot for quite some time. But just a disclaimer: I know, I understand that a lot of security companies or national CERTs run a lot of honeypots and have a lot of IP space to play with. Maybe you have a few thousand honeypots deployed around your country, or around the world, trying to understand what the internet is up to. But for me, I only have one honeypot in my room. I promise, I promise, I'm going to show you my photo later. So I only have one honeypot, just for personal use, a personal learning experience. And I realized from this graph that from January to May, from time to time, I was still seeing Conficker talking to my honeypot after so many years.
But interestingly, during mid-May, there were a lot of incoming connections to my room. On a daily basis there could be around 200, and out of 240 of them, some would try to lay their eggs inside my honeypot, which we are going to take a look at. Here we go. I'd love to share with you the gold mine that I have in my honeypot. This is just a brief one: whatever is in the screenshot is just four days of my collection, from May 27 to May 30. You can see the MD5 of the binary itself, the timestamp when the binary started to drop into our honeypot, and also the file size. By looking at this very short list, we can see there are patterns in the file size. I'll give you five seconds. One, two, three, four, five. Okay. The pattern is, there's always a 5.1 MB file. If you take a closer look, there's always a 5.1 MB file. My purpose was very simple: I just would like to have WannaCry, I just would like to talk to WannaCry, I just would like to flirt with WannaCry. But, interestingly and unexpectedly, there were lots of uninvited guests: very small files, big files, very small files of just a few bytes. You see, there are some 8-byte files in my honeypot. So what the hell is that? I have no idea. I just wanted WannaCry. Why did you come into my honeypot? So let's take a look at just a few categories of what I have in my pocket. Those are definitely the 5.1 MB files. And then we'll explore some of the 70 KB and 83 KB files, and also the very small, tiny files, 4 bytes, or even a 400-byte file. The difference in file size is too significant: 5 MB and 8 bytes. What the hell?
So during May and June, and even two days ago, I was still seeing a lot of 5.1 MB files in my honeypot. I believe right now I have, I think, a gigabyte of collected WannaCry files. Well, for all these 5.1 MB files, I just ran a simple strings on them, and then we know that this is the kill switch domain. So I made a very rough assumption: I assume all the 5.1 MB files are WannaCry files. So let's ignore them; we won't talk about WannaCry right now. Let's see what else I have in the honeypot. On the 25th of May, this particular small file, an 83 KB file: I did a simple analysis, and it tries to call this particular domain and download a secondary file, 25001.exe. I just made a simple query on VirusTotal, and I understand that this guy is just a DDoSer. It's the Windows version of the BillGates botnet. So this botnet is in my honeypot. I would say that every party will have a DDoSer, definitely. Three days afterwards, I think, another file, a 70 KB file, dropped into my honeypot, and when I analyzed it, it connected to a secondary domain to download a secondary payload. I executed this 345.exe and realized that the file drops six or seven batch files, VBS files and EXE files onto the machine. So let's take a quick look at what the batch file, the BAT file, or the EXE file does. The batch file just performs two simple tasks. First, when it gets executed on the machine, it enables the firewall service on the machine, and then it plugs two simple firewall rules into the firewall to block any incoming connections to port 445 or 139. These simple actions mean that this batch file tries to claim ownership of the host itself.
So, this is my machine right now. I won't allow anyone else to connect to the same machine. I want this machine. This is mine. The next thing it executes is the VBS file, which has the stratum protocol inside. You know that this is a so-called Bitcoin miner. So, I claim the machine, this is mine, I'm going to mine Bitcoin with this machine. Again, I would say every party will have a Bitcoin miner right now. On the same day, May 22, another interesting thing happened to my honeypot. I think two files, two eggs, two presents or gifts, dropped into the honeypot at the same time. These files are pretty small: an 8-byte file and a 476-byte file. When I first looked at these file sizes, I was so excited, because I knew that this was likely the SambaCry attack. So I got a SambaCry first pwn in my honeypot. I also understand that this vulnerability was released on the 24th of May, and Metasploit released their first proof of concept on the 26th of May. But my honeypot received these special guests on the 28th of May. So I believe that a lot of people were trying to act very fast, trying to get a lot of shells, to pwn as many of the SMB servers in the world as possible, if those servers were not patched. So let's see what we have in these 8-byte and 476-byte files. Just looking at the simple payload, the content of these files exactly matches how SambaCry works. The attacker, he or she, definitely has to test whether the folder is writable. So in this case he writes an 8-byte file of random characters into my honeypot. Now he understands that, oh well, this folder is writable. Then he starts to deliver this ELF, a so-called ELF file, to me. Just a simple hexdump: the bytes highlighted in red are /bin/sh. I mean, this is a shell, definitely.
So what we have explored: WannaCry, a DDoSer, a Bitcoin miner, and SambaCry. What else? I have two months to go. After another two days, on May 30, another very small file dropped into the honeypot. Looking at the hexdump, I understand that there's an IP address inside at the bottom, and in the middle there's a random string. By purely looking at the hexdump, I understand that this is likely the Metasploit HTTP reverse shell. How it works is, if this payload gets executed, it will send an HTTP request with a URI of http:// followed by the IP address and that random string. I would say, welcome to my honeypot. So this is the last one I'm going to share today. On May 30 I saw this 39 KB small file dropped into my honeypot. When I executed it, it tried to download a file called MAT.exe. This happened on May 30, but on the 5th of June I saw the same file again. So I tried to grab the secondary payload, MAT.exe, from the external host, but I realized that the MD5 is different: somewhere in the backend, definitely, they changed their payload, because after a few days an AV could pick it up, so they tried to get a new binary into their backend. Out of curiosity, I just shopped around in the backend. That's what I saw. This backend is just a simple HFS, an HTTP file server. This file server is pretty commonly used in Asia. For the MAT.exe, back on May 30, this file was uploaded to the HFS on the 25th of May, and within a five-day duration this guy got downloaded 988 times. I believe it could be some security researchers, just like me, very curious, writing a wget or a curl and downloading it 900 times, who knows? So on June 5, I tried to explore the same backend, and I realized that this binary was newly uploaded to the backend on the 2nd of June, and within three days this binary was downloaded 6,500 times.
Again, I believe it could be some security researcher who wrote a curl and forgot to close his loop, so it downloaded 6,500 times and then he did a Ctrl-C, okay, kill. But I would rather believe that 6,500 hosts have been infected with this Trojan Bitcoin miner and are mining Bitcoin for him. So I always shop around whenever I have a chance, with any URL that I get from my honeypot. From time to time I see some pretty similar HFS files with 21,000 download hits on some particular binary. And, shopping time: we see some SWF files inside the backend as well. I just took a quick look at this SWF, movie.swf; I think it's related to the Hacking Team exploit back in 2015, I think CVE-2015-5119 or something. So we have explored different categories of the gold mine that I have: from the WannaCry 5.1 MB files, to a DDoSer, to a Bitcoin miner, to SambaCry, a very small file, the Metasploit reverse shell, and also this kind of binary that has been downloaded 6,500 times.

As promised, I'm going to show you some photos of my honeypot, so please let me go. That is what I have at home, which is just a Raspberry Pi with the Dionaea honeypot on it. But it's pretty bad; I don't recommend everyone play with it like this, because you might spoil the pins and then have to buy another new Raspberry Pi. So I decided to buy a case for it, and instead of one, I have three. Actually these are the blinking lights in my room: this is daytime, this is nighttime. This is daytime, this is nighttime. Ha ha. Definitely, I strongly encourage everyone to set up your own honeypot. The first GitHub link is my development link, but I would highly recommend everyone go for the DinoTools fork. PhiBo is maintaining it; he has put a lot of effort into maintaining Dionaea right now. Previously, back in the Conficker era, setting up Dionaea could take one
hour, with luck. But right now setting up the Dionaea honeypot is very easy, three to five minutes, on an Ubuntu machine. I would really highly recommend everyone use the DinoTools fork. And if you would like to set up a honeypot on a Raspberry Pi, go for the HoneyPie image. This is a good one, a compilation of a lot of honeypot tools: get an SD card, burn it, boot it up, and you have a honeypot just like in my picture. Personally, I would say that playing with honeypots is a very exciting experience. Initially I expected just WannaCry ransomware, but the most awesome part is always that you expect the unexpected. In this case we have seen a lot of uninvited guests crashing the party, laying their eggs, delivering their payloads to us. I'm definitely happy to receive all the payloads, capture them one by one, and analyze what happened over the internet, how people adapt to the different vulnerabilities, how they react, and how they pwn as many shells as possible through internet mass scanning. So that's what I have for today for everyone about the WannaCry ransomware. Thank you very much. Any questions? I can help to share, or any ideas?

[Inaudible question] Oh, this is a good question. Let me try to repeat the question. Once I have those binaries, that gold mine, those eggs: are all those eggs still inside the honeypot itself, the Pi itself, or do we transfer them elsewhere? For my personal practice, because back then, in the golden age of the WannaCry ransomware, I almost logged into my honeypot hourly, or on a daily basis, and tried to see what I had in my honeypot. I copy out the whole binary just for backup purposes, because a small power failure, or a couple of power failures,
may corrupt the SD card, so it's always good to back up the binaries, because those binaries are the eggs that we have.

[Inaudible question] You mean, in my Raspberry Pi honeypot picture? I just used my Samsung. No, no, I understand: so the question is what software I used to generate that particular graph. Inside Dionaea's util functions there are a few scripts; you can just run a command to query the SQLite database, and then you can generate such beautiful graphs, even separated by protocol: SMB, HTTP, or any protocol. Thank you very much. I think that's what I have.
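The three honeypot-side steps the speaker describes, as an added worked example (this is not the speaker's code, not Dionaea's code, and not WannaCry's or DoublePulsar's): answering the Trans2 SESSION_SETUP probe with multiplex ID + 0x10 so the scanner believes DoublePulsar is already installed, XOR-decrypting the delivered payload with the four-byte key the honeypot handed out, and carving the embedded PE images out of the decrypted blob while stripping the code prepended in front of the first one. It assumes the four advertised bytes are used directly as the repeating XOR key; the derivation DoublePulsar really applies to the bytes in the SMB signature field (the "some algorithm" the speaker credits zerosum0x0 for working out) is not reproduced here. The function names, the key value and the sample payload are all constructed for the example.

```python
"""Honeypot-side helpers for the DoublePulsar/WannaCry exchange described in
the talk. Constructed example, not Dionaea's code."""
import struct
from typing import List

# Multiplex ID (MID) values from the talk: the scanner probes with MID 65;
# a clean host echoes 65, a DoublePulsar-infected host answers MID + 0x10 = 81.
DOUBLEPULSAR_MID_DELTA = 0x10
PROBE_MID = 65


def doublepulsar_response_mid(request_mid: int) -> int:
    """MID the honeypot puts in its Trans2 response so it looks infected."""
    return (request_mid + DOUBLEPULSAR_MID_DELTA) & 0xFFFF


def looks_infected(request_mid: int, response_mid: int) -> bool:
    """Scanner-side view of the same check (what WannaCry does)."""
    return ((response_mid - request_mid) & 0xFFFF) == DOUBLEPULSAR_MID_DELTA


def xor4(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating 4-byte key; the same call encrypts and decrypts.
    Assumption: the advertised bytes are the key itself (no derivation)."""
    assert len(key) == 4
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def carve_pe_offsets(blob: bytes) -> List[int]:
    """Offsets of every PE image in blob: an 'MZ' header whose e_lfanew
    (DOS header offset 0x3C) points at a 'PE\\0\\0' signature in the blob."""
    offsets = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if e_lfanew >= 0x40 and blob[sig:sig + 4] == b"PE\0\0":
                offsets.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return offsets


def strip_prepended_code(blob: bytes) -> bytes:
    """Drop whatever precedes the first real PE header (the code the talk
    says is prepended in front of the first PE file)."""
    offs = carve_pe_offsets(blob)
    if not offs:
        raise ValueError("no PE header found")
    return blob[offs[0]:]


def recover_clean_binary(wire: bytes, key: bytes) -> bytes:
    """Full honeypot pipeline: decrypt, then strip the prepended stub."""
    return strip_prepended_code(xor4(wire, key))


def fake_pe(name: bytes, body_len: int) -> bytes:
    """Minimal, structurally valid PE header (MZ + e_lfanew + 'PE\\0\\0') for
    exercising the carver. Constructed test data, not a runnable executable."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: NT header follows the DOS header
    nt = b"PE\0\0" + name.ljust(16, b"\0")
    return bytes(dos) + nt + b"\x90" * body_len


# Constructed sample exchange (hypothetical key and payload layout):
HONEYPOT_KEY = b"\x13\x37\xc0\xde"             # 4 bytes the honeypot advertises
STUB = b"\xe8\x00\x00\x00\x00\x5b" * 4        # 24-byte stand-in for the prepended code
PLAIN_PAYLOAD = STUB + fake_pe(b"dropper", 64) + fake_pe(b"resource", 32)
WIRE_PAYLOAD = xor4(PLAIN_PAYLOAD, HONEYPOT_KEY)   # what the scanner would deliver

if __name__ == "__main__":
    print("probe MID", PROBE_MID, "-> reply MID", doublepulsar_response_mid(PROBE_MID))
    clean = recover_clean_binary(WIRE_PAYLOAD, HONEYPOT_KEY)
    print("PE images at offsets", carve_pe_offsets(clean), "in", len(clean), "bytes")
```

The carver deliberately requires a consistent e_lfanew pointing at `PE\0\0` rather than trusting any `MZ` pair, because XOR-decrypted shellcode and padding routinely contain those two bytes by chance; a stray match would otherwise make the stripping step cut the real binary short.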