#Author: Abdirahman Mohamed
#Date: March 2021
import whois
import socket
import robtex_python
import requests
import json
import urllib.request
#These domains were extracted by executing malicious Emotet Office documents in a sandbox environment and observing the C2 domains they contacted.
#You can adapt this script to analyze C2 domains used by other malware families by replacing the domains and resources below.
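# Observed C2 domains and, in lockstep, the URI path each one served (resources[k] belongs
# to domains[k]). Running this script sends outbound requests to that infrastructure, so
# it belongs on an isolated analysis host, not an analyst workstation.
domains = [
    'isuzupoznan.pl',
    'kanmoretail.com',
    'colegiorosales.com',
    'harboursidechurch.org',
    'clever12.com',
    'damchi.net',
    'credibleinteriors.in',
    'adserver.arcmediainteractive.com',
    'ads-staging.planqk.com'
]
resources = [
    '/cNz1Rz/',
    '/lKhn5rc/',
    '/nihqiyo',
    '/YNgfxDP/',
    '/EcIF',
    '/hr8J',
    '/nxcPA',
    '/8YJAS1C',
    '/fKHzW',
]

# One template shared by the header and every row keeps the columns aligned. The
# resolved IP is printed as a column because it is an indicator in its own right.
ROW_FORMAT = '{0: <15} {1: <25} {2: <15} {3: <15} {4: <30} {5: <15} {6: <15}'
HEADER = ROW_FORMAT.format('#', 'Domain Name', 'Resource', 'Status Code',
                           'Creation Date', 'Country', 'IP')
SEPARATOR = '-' * len(HEADER)


def _first(value):
    """Return *value*, or its first element when the WHOIS library returned a list.

    python-whois hands back a single value for one record and a list when the
    registry reports several (e.g. multiple creation dates). None passes through
    unchanged; an empty list becomes None.
    """
    if isinstance(value, list):
        return value[0] if value else None
    return value


def _analyze(index, dom, resource):
    """Look up one C2 domain and return its formatted table row.

    Args:
        index: 1-based row number printed in the first column.
        dom: the domain to query.
        resource: the URI path observed on that domain.

    Returns:
        A single line formatted with ROW_FORMAT. Every lookup is best-effort:
        a WHOIS failure, an unresolvable name, or an unreachable/slow server
        shows up as 'n/a' or 'unresolved' in its column instead of aborting
        the whole run, so one dead domain no longer stops the report.
    """
    try:
        record = whois.whois(dom)
        domain_name = _first(record.domain_name)
        creation_date = _first(record.creation_date)
        country = record.country
    except Exception:
        # Boundary around a third-party lookup that raises its own error type as
        # well as socket errors; the row still carries the domain we asked about.
        domain_name, creation_date, country = dom, 'n/a', 'n/a'

    try:
        ip = socket.gethostbyname(dom)
    except socket.gaierror:
        ip = 'unresolved'

    res_url = "http://" + dom + resource
    try:
        # Only the status code is needed: stream=True reads headers without pulling
        # the body (the payload served at this path) into memory, and the timeout
        # keeps a dead or tarpitted host from hanging the run. Redirects are still
        # followed, so the reported code is that of the final response.
        with requests.get(res_url, timeout=10, stream=True) as url_req:
            status = url_req.status_code
    except requests.RequestException:
        status = 'n/a'

    # Everything goes through str(): None and datetime objects do not accept a
    # width spec in str.format, and creation_date is printed as its str() form.
    return ROW_FORMAT.format(index, str(domain_name), resource, str(status),
                             str(creation_date), str(country), ip)


print(SEPARATOR)
print(HEADER)
print(SEPARATOR)
# zip walks the two lists in lockstep; enumerate supplies the 1-based row number,
# so numbering stays contiguous even when a lookup only partially succeeds.
for i, (dom, resource) in enumerate(zip(domains, resources), start=1):
    print(_analyze(i, dom, resource))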