Amun not downloading captures #9

Open
ayisal opened this issue Apr 12, 2018 · 16 comments

Comments


ayisal commented Apr 12, 2018

I am running the Amun honeypot on MHN, and it has been recording attacks and logging normally. However, there are no files in the Malware folder: it has failed to download binaries and shellcodes. Please, how do I resolve this issue?
Thank you in anticipation.

zeroq (Owner) commented Apr 14, 2018

Can you check your log files, e.g. download.log, for errors?

ayisal (Author) commented Apr 16, 2018

Thank you for your response.
All log files that have to do with downloads are empty.

zeroq (Owner) commented Apr 16, 2018

OK, does the shellcode manager correctly extract download URLs or similar? And is the submit-md5 module enabled?

ayisal (Author) commented Apr 17, 2018

How do I check if the submit-md5 module is enabled?
This is the content of my shellcode manager log; I am not sure what it means.

2018-04-17 09:00:15,629 INFO [shellcode_manager] (109.75.195.157) no match, writing hexdump (cce914602eb9703e346414f7c11d3b37 :2526785) - MS17010 (EternalBlue)
2018-04-17 09:00:15,720 INFO [shellcode_manager] (109.75.195.157) no match, writing hexdump (8da422a2b59e817b5a03b2324e1e5124 :2637533) - MS17010 (EternalBlue)
2018-04-17 09:00:16,228 INFO [shellcode_manager] (109.75.195.157) no match, writing hexdump (b0996cfb41f7564a97991282c48ded7a :2587524) - MS17010 (EternalBlue)
2018-04-17 09:00:16,282 INFO [shellcode_manager] (109.75.195.157) no match, writing hexdump (9b9f34a4fc78051ce0c31111c58282f2 :2699945) - MS17010 (EternalBlue)
2018-04-17 09:00:43,413 INFO [shellcode_manager] (109.75.195.157) no match, writing hexdump (724c761079e6c4245b7734c6ddabbbc0 :2496936) - MS17010 (EternalBlue)
2018-04-17 09:00:43,512 INFO [shellcode_manager] (109.75.195.157) no match, writing hexdump (abd7d32070a3897b423f717214529bb1 :2607148) - MS17010 (EternalBlue)
2018-04-17 09:02:44,464 INFO [shellcode_manager] (109.75.195.157) no match, writing hexdump (f2e023510af1426aa06fdc76b1d45baf :2558665) - MS17010 (EternalBlue)
2018-04-17 09:02:44,568 INFO [shellcode_manager] (109.75.195.157) no match, writing hexdump (6510529fe1f54ddc54a2391d43073a21 :2670584) - MS17010 (EternalBlue)

ayisal (Author) commented Apr 17, 2018

I found this in the download log this morning; I am not sure what it is. In addition, there is one .bin file in the .../Malware/md5 directory.

2018-04-17 09:17:28,446 INFO [http_download] Unknown Response: 404 (http://localhost:80/aaaaaaa)
2018-04-17 09:17:28,446 INFO [http_download] Unknown Header: 404 (['HTTP/1.1 404 Not Found', 'Server: Apache/1.3.29 (Unix) PHP/4.3.4', 'Content-Length: 292', 'Content-Language: de', 'Content-Type: text/html', 'Connection: close'])
2018-04-17 09:17:28,446 INFO [http_download] Unknown Content: 404 (['\r\n\r\n<title>400 Bad Request</title>\r\n\r\nBad Request\r\nYour browser sent a request that this server could not understand.\r\n\r\n\r\nApache/1.3.29 Server at Port 80\r\n\r\n\r\n'])
2018-04-17 09:17:28,446 INFO [http_download] different size 294 :: 292 (localhost:80 - GET /aaaaaaa HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Accept: /
Host: localhost
Connection: close)

zeroq (Owner) commented Apr 22, 2018

Sorry for the late reply. Looks like one download was working (the .bin file). Can you check what file type it is? But that means the submit-md5 module (in amun.conf) is enabled. From the other log it looks like the EternalBlue exploit is using an unrecognized shellcode. Could you check your "hexdumps" folder and maybe provide me with some of the dumps? That way I could try to update the shellcode manager.
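To make the checks walked through in this thread repeatable, here is an added example (not part of Amun and not code from this issue) that scans log lines in the two formats quoted above and reports why no sample landed in the Malware folder: shellcode the manager could not match (so no download URL was extracted and the download modules never had anything to fetch), HTTP downloads that failed, and responses whose sizes disagree. The line layouts are copied from the thread; the regexes, function names and the sample lines below (with made-up hashes) are my own assumptions, not Amun's API or its exact log grammar.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the shellcode_manager and http_download
# entries quoted in this issue. Hashes and sizes are made up for the example.
SAMPLE_LOG = """\
2018-04-17 09:00:15,629 INFO [shellcode_manager] (109.75.195.157) no match, writing hexdump (00112233445566778899aabbccddeeff :2526785) - MS17010 (EternalBlue)
2018-04-17 09:00:15,720 INFO [shellcode_manager] (109.75.195.157) no match, writing hexdump (ffeeddccbbaa99887766554433221100 :2637533) - MS17010 (EternalBlue)
2018-04-17 09:17:28,446 INFO [http_download] Unknown Response: 404 (http://localhost:80/aaaaaaa)
2018-04-17 09:17:28,446 INFO [http_download] different size 294 :: 292 (localhost:80 - GET /aaaaaaa HTTP/1.0 ...)
"""

# Patterns assumed from the quoted lines; adjust if your Amun version logs differently.
NO_MATCH = re.compile(
    r"\[shellcode_manager\] \((?P<ip>[^)]+)\) no match, writing hexdump "
    r"\((?P<md5>[0-9a-f]{32}) :(?P<size>\d+)\) - (?P<exploit>.+)$")
HTTP_STATUS = re.compile(
    r"\[http_download\] Unknown Response: (?P<status>\d{3}) \((?P<url>[^)]+)\)")
SIZE_MISMATCH = re.compile(
    r"\[http_download\] different size (?P<x>\d+) :: (?P<y>\d+)")


def triage(log_text):
    """Bucket every recognised line; unrecognised lines are ignored."""
    report = {"unrecognized": Counter(), "sources": Counter(),
              "hexdumps": [], "failed_http": [], "size_mismatches": []}
    for line in log_text.splitlines():
        m = NO_MATCH.search(line)
        if m:
            # Shellcode the manager could not decode: it was written to hexdumps/
            # instead of yielding a download URL.
            report["unrecognized"][m.group("exploit")] += 1
            report["sources"][m.group("ip")] += 1
            report["hexdumps"].append((m.group("md5"), int(m.group("size"))))
            continue
        m = HTTP_STATUS.search(line)
        if m:
            # A URL was extracted and fetched, but the server answered with a non-200.
            report["failed_http"].append((int(m.group("status")), m.group("url")))
            continue
        m = SIZE_MISMATCH.search(line)
        if m:
            # The two sizes Amun compares disagreed (the log does not say which is which).
            report["size_mismatches"].append((int(m.group("x")), int(m.group("y"))))
    return report


def findings(report):
    """Turn the counts into the questions the thread asks, one string each."""
    out = []
    for exploit, n in report["unrecognized"].most_common():
        out.append("%d unrecognised shellcode(s) for %s: no download URL was extracted, "
                   "so the download modules never ran; the hexdumps are the input for "
                   "a new decoder" % (n, exploit))
    for status, url in report["failed_http"]:
        out.append("download of %s failed with HTTP %d: the URL was extracted but the "
                   "host did not serve it" % (url, status))
    for x, y in report["size_mismatches"]:
        out.append("size mismatch %d :: %d: the two lengths Amun compared disagree; "
                   "check the response body against its Content-Length" % (x, y))
    return out


if __name__ == "__main__":
    for f in findings(triage(SAMPLE_LOG)):
        print("-", f)
```

Run it against the real files with `triage(open("/opt/amun/logs/shellcode_manager.log").read() + open("/opt/amun/logs/download.log").read())` (paths assumed); an output with only "unrecognised shellcode" findings and nothing under the HTTP or size buckets is the situation described in this issue.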

ayisal (Author) commented Apr 25, 2018

I still have one file in the ...Malware/md5 directory, and it's a .bin file.
I have attached copies of some dumps from the hexdumps folder.
Thank you.

ayisal (Author) commented May 16, 2018

Hello, please, I am still awaiting your response.
Thanks in anticipation.

zeroq (Owner) commented May 25, 2018

Sorry, I do not see the attached dumps.

ayisal (Author) commented May 28, 2018

file:///opt/amun/hexdumps/ARC-d209defdc51ab21d710c9a42bafc2589-1900.hex
file:///opt/amun/hexdumps/ARC-d209defdc51ab21d710c9a42bafc2589-raw-1900.hex
file:///opt/amun/hexdumps/IIS-cf8de08c57cbb02d81d82308734b8ba8-443.hex
file:///opt/amun/hexdumps/SMB-b49cc2c1600fdfbc9ab11cc847a867ed-445.hex
file:///opt/amun/hexdumps/SMB-b67a265cbd35a6c6cf2d947880b080e4-raw-445.hex
file:///opt/amun/hexdumps/MS17010-6f87200dcb961a07cf328cfb033c3241-raw-445.hex
file:///opt/amun/hexdumps/MS17010-1042fdac47642b0ee399590899ffa3bb-445.hex

zeroq (Owner) commented Jun 5, 2018

Hi, can you provide some of the hexdump logs starting with either SMB or MS17010? The ones you provided refer to data received via port 1900 and 443.


ertza commented Jun 7, 2018

Hi @zeroq, I'm facing similar issues, i.e. no malware samples and plenty of hexdumps. I have uploaded some of those hexdumps, of MS17010 as you required.
You can view them at https://github.com/ertzaaafzal/Amun-Hexdumps/

ayisal (Author) commented Jun 8, 2018

I have finally uploaded the files correctly. Please find them here: https://github.com/ayisal/Amun_Hexdump
Thank you in anticipation.

zeroq (Owner) commented Jun 10, 2018

Hi, thanks both of you. The MS17010 dumps seem to contain the base64-encoded chunks of shellcode as used by WannaCry. However, my shellcode decoding functions cannot handle this yet. I need some time to understand how this works.


ertza commented Jun 10, 2018

Hi, I haven't had a chance myself to look at these samples, but usually WannaCry's shellcode travels XOR-encrypted, so do look in that direction too; it might help. Cheers.
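zeroq's observation that the MS17010 dumps carry base64-encoded chunks of shellcode, and ertza's note that WannaCry's shellcode usually travels XOR-encrypted, suggest the two-step triage below: reassemble and decode the chunks, then try every single-byte XOR key and keep the one that exposes familiar PE or URL markers. This is an added example, not Amun's shellcode manager and not a description of how WannaCry actually encodes its payload; the chunk handling, the marker list and the sample payload (built inline with a made-up key) are all constructed for the demonstration.

```python
import base64

# Byte sequences a decoded Windows payload is likely to contain. These are generic
# heuristics chosen for this example, not a signature for any specific malware.
MARKERS = (b"MZ", b"This program cannot be run in DOS mode", b"http://", b".exe")


def join_base64_chunks(chunks):
    """Concatenate base64 chunks as they were sent and decode the whole blob.
    Whitespace is stripped per chunk and '=' padding is restored on the total,
    because inner chunks are usually emitted without padding."""
    raw = b"".join(c.strip() for c in chunks)
    raw += b"=" * (-len(raw) % 4)
    return base64.b64decode(raw)


def xor_single(data, key):
    """XOR every byte with a one-byte key; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def marker_score(candidate):
    """Higher when more marker bytes appear; an 'MZ' at offset 0 earns a bonus."""
    score = sum(candidate.count(m) * len(m) for m in MARKERS)
    if candidate.startswith(b"MZ"):
        score += 50
    return score


def brute_force_single_xor(blob):
    """Try all 256 keys (0 included, i.e. 'not XOR-encoded at all') and return
    (key, plaintext, score). A score of 0 means no key produced any marker, so a
    multi-byte key or a different scheme should be suspected instead."""
    best_key, best_score = 0, -1
    for key in range(256):
        s = marker_score(xor_single(blob, key))
        if s > best_score:
            best_key, best_score = key, s
    return best_key, xor_single(blob, best_key), best_score


def decode_chunks(chunks):
    """Full pipeline: base64 chunks -> blob -> best single-byte XOR guess."""
    return brute_force_single_xor(join_base64_chunks(chunks))


# --- constructed sample, not a real capture -------------------------------
# A fake PE-like payload, XORed with a made-up key, base64-encoded, split into
# 76-byte chunks with the trailing padding dropped (as inner chunks would be).
SAMPLE_PLAINTEXT = (b"MZ" + b"\x90" * 62
                    + b"This program cannot be run in DOS mode.\r\n$"
                    + b"\x00" * 16 + b"http://example.invalid/payload.exe\x00")
SAMPLE_KEY = 0x5A
_encoded = base64.b64encode(xor_single(SAMPLE_PLAINTEXT, SAMPLE_KEY)).rstrip(b"=")
SAMPLE_CHUNKS = [_encoded[i:i + 76] for i in range(0, len(_encoded), 76)]


def demo():
    """Decode the constructed sample; returns (key, plaintext, score)."""
    return decode_chunks(SAMPLE_CHUNKS)


if __name__ == "__main__":
    key, plain, score = demo()
    print("key=0x%02x score=%d head=%r" % (key, score, plain[:48]))
```

Feed it the base64 chunks pulled out of an MS17010 hexdump (how those chunks are delimited in Amun's hexdump format is not shown in this thread, so extracting them is left to the reader). Because key 0 is tried as well, a payload that was only base64-encoded is handled too; when the best score is 0, the assumption of a single-byte XOR is what should be questioned next, not the decoder.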
