├── README.md
├── Rules
│   ├── email_contents.yar
│   ├── magic.yar
│   ├── spyeye.yar
│   └── zeus.yar
├── YO this is BAD ! FW- Voice Message.eml
├── clarityData
├── create_db.py
├── display_db.py
├── makePath.py
├── shredder.py
├── yara_headers.yar
└── yara_include.yar

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# PM_Shredder

A python script to rip / shred emails apart with Yara.

## Contents

* shredder.py - shreds the email
* yara_include.yar - Full set of Yara rules (if attachment exists)
* yara_headers.yar - Slimmed down set of Yara rules to run (if no attachment exists)
* email_contents.yar - Rules around contents of an email (header IPs, body text, domains, etc)
* magic.yar - Magic byte rules
* exe.yar - Rules around exe's and such

## Usage

```
cat email.eml | ./shredder.py
```

## Setup

### Dependencies
* [Yara](http://plusvic.github.io/yara/)
* [Yara Python](http://plusvic.github.io/yara/)
* [SSDEEP python](https://pypi.python.org/pypi/ssdeep)

Example rule:
```
rule example_rule
{
    strings:
        $a1 = "46.165.252.13"
        $a2 = "@peypal.com" nocase
    condition:
        any of them
}
```

Schema:
```
key = randomly generated UUID at runtime
CREATE TABLE email_meta(key varchar, date varchar, e_to varchar, e_from varchar, e_subject varchar, attachment varchar, reporting_mechanism varchar, email varchar);
CREATE TABLE hash_db(key varchar, md5 varchar, sha256 varchar, ssdeep varchar);
CREATE TABLE urls(key varchar, url varchar, cleaned_url varchar);
CREATE TABLE yara_hits(key varchar, hit varchar);
```

Reasoning for splitting them out like this:

Without a shared key there is no easy way to get from one piece of information back to the email it came from.
Example: What user received this email with this link?
By using this schema, any aspect of an email (a URL, a hash, a Yara hit) leads back to the original email through its key (the email id).

## Installation

### Install System Packages
```
su root
yum update
yum groupinstall "Development tools"
yum install zlib-devel bzip2-devel openssl-devel ncurses-devel
```

### Alternative Install of Python 2.7
```
cd /opt
wget http://www.python.org/ftp/python/2.7.3/Python-2.7.3.tar.bz2
tar xf Python-2.7.3.tar.bz2
cd Python-2.7.3
./configure --prefix=/usr/local
make && make altinstall
```

### Install Yara
```
wget https://github.com/plusvic/yara/archive/2.1.0.tar.gz
tar xf 2.1.0.tar.gz        # unpacks into yara-2.1.0/
cd yara-2.1.0
chmod +x build.sh
./build.sh
sudo make install
```

### Yara python
```
yum install python-devel
cd yara-python              # the bindings live inside the yara-2.1.0 source tree
python setup.py build
sudo python setup.py install
# repeat for the alternative Python 2.7 build, if you installed one
python2.7 setup.py build
sudo python2.7 setup.py install
```

### Ssdeep Python Installation (CentOS):
```
su
yum install python-setuptools
easy_install cython
easy_install ssdeep
```

### Verify Installation

Run `python` from the command line, and type `import yara`. If you get an error that looks like this:
```
ImportError: libyara.so.0: cannot open shared object file: No such file or directory
```

the dynamic linker cannot find the library that `make install` put under `/usr/local/lib`. Run the following (CentOS); the redirection has to happen as root, which `sudo echo ... >>` on its own does not do, hence `tee`:
```
$ echo "/usr/local/lib" | sudo tee -a /etc/ld.so.conf
$ sudo ldconfig
```

Postfix stdin:

Check out this post here: http://stackoverflow.com/questions/8312001/python-postfix-stdin

It is only one line in your `/etc/aliases` file: `emailname: "|/path/to/script.py"`. Run `newaliases` afterwards so Postfix picks up the new alias.

## Contributing

1. Fork it ( https://github.com/x41x41x90/pm_shredder )
2. Create your feature branch (`git checkout -b my-new-feature`)
3. Commit your changes (`git commit -am 'Add some feature'`)
4. Push to the branch (`git push origin my-new-feature`)
5. Create a new Pull Request

--------------------------------------------------------------------------------
/Rules/email_contents.yar:
--------------------------------------------------------------------------------
rule PM_Paypal_Spam
{
    strings:
        $a1 = "46.165.252.13"
        $a2 = "@peypal.com" nocase
    condition:
        any of them
}

rule PM_Voicemail_Spam
{
    strings:
        $a1 = "nepal-himalaya-trekking.de" nocase
        $a2 = ".de/archive/" nocase
        $a3 = "stopp-waldbahn.de" nocase
        $a4 = "icteraangeboden.nl" nocase
        $a5 = ".nl/message/" nocase

        $b1 = "Subject: Voice Message" nocase
        $b2 = "Thread-Topic: Voice Message" nocase

    condition:
        any of ($a*) or all of ($b*)
}

--------------------------------------------------------------------------------
/Rules/magic.yar:
--------------------------------------------------------------------------------
// https://code.google.com/p/malwarecookbook/source/browse/trunk/3/6/magic.yara?r=5

private rule office_magic_bytes
{
    strings:
        $magic = { D0 CF 11 E0 A1 B1 1A E1 00 00 00 }
    condition:
        $magic
}

private rule chm_file
{
    strings:
        $magic = { 49 54 53 46 03 00 00 00 60 00 00 00 01 00 00 00 }
    condition:
        $magic
}

private rule excel_document
{
    strings:
        $rootentry = { 52 00 6f 00 6f 00 74 00 20 00 45 00 6e 00 74 00 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
        $workbook = "Workbook" wide nocase
        $msexcel = "Microsoft Excel" nocase

    condition:
        all of them
}

private rule word_document
{
    strings:
        $rootentry = { 52 00 6f 00 6f 00 74 00 20 00 45 00 6e 00 74 00 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
        $worddoc = "WordDocument" wide
        $msworddoc = "MSWordDoc" nocase

    condition:
        $rootentry and ($worddoc or $msworddoc)
}

private rule powerpoint_document
{
    strings:
        $pptdoc = "PowerPoint Document" wide nocase
        $rootentry = { 52 00 6f 00 6f 00 74 00 20 00 45 00 6e 00 74 00 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }

    condition:
        all of them
}

private rule pdf_document
{
    strings:
        $a = "%PDF-"
    condition:
        $a at 0
}

private rule mz_executable // from YARA user's manual
{
    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550
}

private rule zip_file
{
    strings:
        $magic = { 50 4b 03 04 }
        $magic2 = { 50 4b 05 06 }
        $magic3 = { 50 4b 07 08 }
    condition:
        ($magic at 0) or ($magic2 at 0) or ($magic3 at 0)
}

--------------------------------------------------------------------------------
/Rules/spyeye.yar:
--------------------------------------------------------------------------------
rule spyeye_tracker {
    strings:
        $d0 = "beisentse.net"
        $d1 = "beromder56.com"
        $d2 = "detadomain.su"
        $d3 = "doemguing.net"
        $d4 = "futuretelefonica.com"
        $d5 = "gate.eyeonarte.it"
        $d6 = "helen33nasanorth.com"
        $d7 = "sebortemesd5.com"
        $d8 = "stendtlong.net"
        $d9 = "yawclovm.net"
        $d10 = "188.190.126.173"
        $d11 = "188.190.126.175"
        $d12 = "188.190.126.176"
        $d13 = "193.106.31.12"
        $d14 = "193.107.17.62"
        $d15 = "194.44.157.130"
        $d16 = "46.166.143.56"
        $d17 = "91.213.217.36"
        $d18 = "91.220.62.112"
        $d19 = "91.220.62.190"
        $d20 = "93.171.202.70"
        $d21 = "94.63.149.51"
    condition:
        any of them
}

--------------------------------------------------------------------------------
/Rules/zeus.yar:
--------------------------------------------------------------------------------
rule zeus_tracker {
    strings:
        // $d0 through $d796: ZeuS tracker domains and IP addresses (the indicator list itself is not reproduced here)
    condition:
        any of them
}

--------------------------------------------------------------------------------
FW- Voice Message.eml:
--------------------------------------------------------------------------------
Received: from MAILR012.mail.lan ([10.110.18.56]) by HUB024.mail.lan
 ([10.110.17.24]) with mapi; Tue, 17 Dec 2013 16:07:23 -0500
From: Semloh Kcolrehs
To: ronnie tokazowski
Content-Class: urn:content-classes:message
Date: Tue, 17 Dec 2013 16:07:20 -0500
Subject: YO this is BAD ! FW: Voice Message
Thread-Topic: YO this is BAD ! FW: Voice Message
Thread-Index: Ac77a+Yjx6v5SRk6Q0mZ8PaCmHs8cQ==
Message-ID: <899DD367B712194CBDBBF8E459E94EF2CC167A38E8@MAILR012.mail.lan>
Accept-Language: en-US
Content-Language: en-US
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-MS-Exchange-Organization-AuthSource: HUB024.mail.lan
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative;
 boundary="_000_899DD367B712194CBDBBF8E459E94EF2CC167A38E8MAILR012maill_"
MIME-Version: 1.0

--_000_899DD367B712194CBDBBF8E459E94EF2CC167A38E8MAILR012maill_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Do NOT Click the links!

From: WhatsApp [mailto:team@bocabio.com]
Sent: Tuesday, December 17, 2013 9:13 AM
To: phishme feedback
Subject: Voice Message

WhatsApp

You have a new Voice Message!

Message Details:

Time of Call: Dec-15 2013 11:11: 11
Lenth of Call: 11sec

111

Play

*If you cannot play, move message to the "Inbox" folder.

2013 WhatsApp Inc

--_000_899DD367B712194CBDBBF8E459E94EF2CC167A38E8MAILR012maill_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

--_000_899DD367B712194CBDBBF8E459E94EF2CC167A38E8MAILR012maill_--
--------------------------------------------------------------------------------
/clarityData:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/x41x41x90/pm_shredder/7fa83b2250a434bfe153a67eb52e015558e9409a/clarityData
--------------------------------------------------------------------------------
/create_db.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
import sqlite3, os

# Schema (also listed in the README):
# CREATE TABLE email_meta(key varchar, date varchar, e_to varchar, e_from varchar, e_subject varchar, attachment varchar, reporting_mechanism varchar, email varchar);
# CREATE TABLE hash_db(key varchar, md5 varchar, sha256 varchar, ssdeep varchar);
# CREATE TABLE urls(key varchar, url varchar, cleaned_url varchar);
# CREATE TABLE yara_hits(key varchar, hit varchar);

# Only build the database on the first run; the CREATE TABLE statements would fail on an existing file.
if not os.path.isfile("clarityData"):
    conn = sqlite3.connect('clarityData')
    c = conn.cursor()
    c.execute("""CREATE TABLE email_meta(key varchar, date varchar, e_to varchar, e_from varchar, e_subject varchar, attachment varchar, reporting_mechanism varchar, email varchar)""")
    c.execute("""CREATE TABLE hash_db(key varchar, md5 varchar, sha256 varchar, ssdeep varchar)""")
    c.execute("""CREATE TABLE urls(key varchar, url varchar, cleaned_url varchar)""")
    c.execute("""CREATE TABLE yara_hits(key varchar, hit varchar)""")
    conn.commit()
    conn.close()
--------------------------------------------------------------------------------
/display_db.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
import sqlite3, sys
conn = sqlite3.connect("clarityData")
c = conn.cursor()

# Every row is printed with its key wrapped in "bla" so the key can be followed back to the email
# (the HTML markup that wrapped the key is not preserved in this copy of the file).

if len(sys.argv) == 1:
    # Overview mode: dump every table
    c.execute("select * from yara_hits")
    temp = c.fetchall()
    print ""
    print "### Emails with Yara hits ###"
    for each in temp:
        bla = "" + str(each[0]) + ""
        print str(each).replace(str(each[0]), bla) + ""
    print ""

    c.execute("select * from urls")
    temp = c.fetchall()
    print ""
    print "### Links in Emails ###"
    for each in temp:
        bla = "" + str(each[0]) + ""
        print str(each).replace(".", "[d]").replace(str(each[0]), bla) + "" # defang the dots
    print ""

    c.execute("select * from hash_db")
    temp = c.fetchall()
    print "### Hashes ###"
    for each in temp:
        bla = "" + str(each[0]) + ""
        print str(each).replace(str(each[0]), bla) + ""
    print ""

    c.execute("select * from email_meta")
    temp = c.fetchall()
    print ""
    print "### Email ###"
    for each in temp:
        bla = "" + str(each[0]) + ""
        print str(each).replace(str(each[0]), bla) + ""
    print ""
else:
    # Pivot mode: everything recorded under one email key (parameterized, the key comes from the command line)
    key = str(sys.argv[1])
    print "### Data pivot ###"
    c.execute("select * from yara_hits where key = ?", (key,))
    temp = c.fetchall()
    print "### Yara hits ###"
    for each in temp:
        bla = "" + str(each[0]) + ""
        print str(each).replace(str(each[0]), bla) + ""
    c.execute("select * from email_meta where key = ?", (key,))
    temp = c.fetchall()
    print "### email meta ###"
    for each in temp:
        bla = "" + str(each[0]) + ""
        print str(each).replace(str(each[0]), bla) + ""
    c.execute("select * from hash_db where key = ?", (key,))
    temp = c.fetchall()
    print "### hashes ###"
    for each in temp:
        bla = "" + str(each[0]) + ""
        print str(each).replace(str(each[0]), bla) + ""
    c.execute("select * from urls where key = ?", (key,))
    temp = c.fetchall()
    print "### urls ###"
    for each in temp:
        bla = "" + str(each[0]) + ""
        print str(each).replace(str(each[0]), bla) + ""
    # The raw email is written by shredder.py to emails/<key>
    try:
        a = open("emails/" + key, "rb").read()
    except IOError:
        a = "(no saved email for this key)"
    print ""
    print "### FULL EMAIL ###"
    print ""
    print a
--------------------------------------------------------------------------------
/makePath.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
import os
# Creates the two-level directory tree clarity/00/00 .. clarity/ff/ff (65536 directories).
i = 0
j = 0
while i <= 255:
    while j <= 255:
        x = "%02x" % i # two hex digits, zero padded
        y = "%02x" % j
        path = os.path.join("clarity", x, y)
        if not os.path.isdir(path):
            os.makedirs(path) # same effect as "mkdir -p", without shelling out
        j += 1
    j = 0
    i += 1
--------------------------------------------------------------------------------
/shredder.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
'''
LICENSING
This code is licensed under the Creative Commons Attribution-NonCommercial 2.5 Generic licensing.
You can read more about the licensing here: http://creativecommons.org/licenses/by-nc/2.5/

File: shredder.py
Implementation: Used as "cat email.eml | ./shredder.py"
Functions: "shred" an email into each part using the email lib, scanning each part, and
manipulating them.
- Rips links out of ALL email pieces
- "Cleans" links to be fed into a SIEM tool
- Runs Yara on each piece of the email.
- Performs a check and runs the attachment set of rules vs. the non-attachment set of rules
  * IMPORTANT! In previous testing, this leads to ~50% overall faster processing
- Pulls out email meta data (think NSA)
- Can get back to the original email for each piece
Extra dependencies: Yara, Yara-python, ssdeep (to keep it sleek and sexy, not dependency hell)
'''

vtApi = "0xdead1337b33f" # Virustotal API key (placeholder value, set your own)

import sys, email, uuid, hashlib, base64, json, time # basic functions. sys == args, email == basic email processing, uuid == random tracking key, hashlib == sha256 + MD5 support, base64 == for finicky base64 blobs, json == json, time == time
import quopri # This is used for emails that have funky formatted text, such as =20 for a space. THIS IS NEEDED AND IMPORTANT, or things break / don't get all the way processed!!!
import yara # This is for using the Yara engine. Important, as none of this would be possible without it.
import re # regex for links
import ssdeep # for fuzzy hashes
import sqlite3 # for database
import urllib, urllib2 # For Virustotal
import os
my_uuid = str(uuid.uuid4()) # Creates the unique key at runtime. This is used for tracking back to the email

awesome_s_check = 1
outFile = "outFile.csv"

conn = sqlite3.connect("clarityData") # name of DB
my_db = conn.cursor()

# For debugging. If it's ./shredder.py asdfasdfasdfagagasdf, debugging is set and output will commence.
vtCheck = 0
if len(sys.argv) > 1:
    debug = 1
else:
    debug = 0

# If the attachment name comes back as "attachment.zip", with quotes, it must be cleaned.
def clean_attachment_name(att):
    if att.find("\"") == -1:
        return att # nothing quoted to strip
    att = att[att.find("\"")+1:]
    att = att[:att.find("\"")]
    return att

# If email addresses come back like Name <user@example.com>, the <>'s must be cleaned, as this is not DB friendly / SIEM friendly
def clean_addresses(names):
    i = 0
    for each in names:
        if each.find("<") != -1 and each.find(">") != -1: # a bare address has nothing to strip
            each = each[each.find("<")+1:]
            each = each[:each.find(">")]
        names[i] = each
        i += 1
    return names

# This is for grabbing the message= meta data field from the Yara rule.
# *** IMPORTANT !!!
def mycallback(data):
    #if data["matches"] == True:
    #    user_message.append(data["meta"]["message"])
    return yara.CALLBACK_CONTINUE # the constant has to be returned to the engine, not just evaluated

# This is for pulling out all links from an email. This can be extended to include ftp[s] as well, but
# should be good as-is. I suck at regex, so if you have a more efficient way to do this...let me know.
def extract_my_links(data):
    links = re.findall(r'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+', data)
    return links

# Cleans URLs down to the host. It's best to blast them all here at the end than having it in the regex routine. Again...killed servers.
# Reasoning: can be fed through SIEM / Splunk / custom API instead of http://foo.bar.evil.com/bleh.exe, and can just
# look for foo.bar.evil.com .
def clean_url(url):
    url = url.replace("http://", "").replace("https://", "")
    if url.find("/") != -1:
        return url[:url.find("/")] # Cleans it down to the host name
    else:
        return url

def virustotalApi(hashes):
    if vtCheck == 1:
        temp = ", ".join(hashes)
        url = "https://www.virustotal.com/vtapi/v2/file/rescan"
        parameters = {"resource": temp, "apikey": vtApi}
        data = urllib.urlencode(parameters)
        req = urllib2.Request(url, data)
        response = urllib2.urlopen(req)
        return response.read()
    else:
        return ""

'''
Need a big comment field for this one. =D

This is the routine that does the magic. First, the email needs to be decoded with quopri (further down)
then fed to email walk. Once walking, the pieces of the email will be fed into an array (awesome_sauce), and kept there.
Once there, it's then possible to call Yara to scan each part. For example, if an email contains an attachment
plus the body of text, the array would essentially contain 3 parts: the headers, the
next part could be the body, and the third part would be the binary data of the attachment.

For the headers + body, this is where the slim Yara ruleset comes into play. When scanned, we're just looking for known
bad IP addresses or links to domains that we know are bad. Scanning with the whole full ruleset adds un-needed overhead.

For the attachment, the base64 blob is decoded, and saved into the array. It's important to maintain the binary
data, as this can be used to find evilness with binary / malware-based Yara rules.

'''

def parse_the_email(my_email):
    msg = email.message_from_string(my_email)
    for part in msg.walk():
        awesome_sauce.append(part.get_payload(decode=True)) # Saves each piece into memory in the awesome_sauce array
        if part["to"] != None: my_to.append(part["to"])
        if part["bcc"] != None: my_to.append(part["bcc"])
        if part["cc"] != None: my_to.append(part["cc"])
        if part["from"] != None: my_from.append(part["from"])
        if part["subject"] != None: my_subject.append(part["subject"])
        if part["date"] != None: my_date.append(part["date"])
        if part["content-disposition"] != None: my_attachments.append(clean_attachment_name(part["content-disposition"])) # grab attachment names

    #if awesome_s_check == 1: print awesome_sauce
    for each in list(awesome_sauce): # iterate over a copy, because decoded blobs are appended to the array below
        try: # skip None types (multipart containers) and blobs that will not decode

            # BEGIN FINICKY CODE SNIPPET #
            # This section is for base64 that isn't correctly ended / some other jankiness went on
            if each.find(" ") == -1 and len(each) != 0:
                each = each.replace("\r", "").replace("\n", "") # for those finicky base64 blobs
                #each +="="
                eq_count = each.count("=")
                true_b64 = len(each) % 4

                if true_b64 != 0:
                    each = each.replace("=", "")
                    each += (4 - (len(each) % 4)) * "=" # math to calculate how long the padding *should* be for the base64 blob
                awesome_sauce.append(base64.b64decode(each))
        except Exception:
            pass

    #if awesome_s_check == 1: print base64.b64decode(awesome_sauce[4].replace("\r", "").replace("\n", "") + "=")

    if debug == 1: print "[D] Email Array Length: " + str(len(awesome_sauce))
    temp = my_email.lower() # lowercase email
    if temp.find("attachment") != -1: # Because attachment can be Attachment, attachment, ATTACHMENT, or some other thing to break analysis
        if debug == 1: print "[D] I has attachments"
        rules = yara.compile("yara_include.yar", includes=True) # Full Yara rule set
    else:
        rules = yara.compile("yara_headers.yar", includes=True) # Why scan with the "attachment" set if there are no attachments? Again, +50% performance benefit from doing this check. +)
        if debug == 1: print "[D] No attachment"

    for each in awesome_sauce: # for each part in the email...
        if each != None:
            matches = rules.match(data=each, callback=mycallback) # if it's not None, check for Yara matches
            tMd5 = hashlib.md5(each).hexdigest()
            tSha256 = hashlib.sha256(each).hexdigest()
            tSsdeep = ssdeep.hash(each)
            # gotta hash 'em all gotta hash 'em all...
            md5_hashes.append(tMd5)
            sha256_hashes.append(tSha256)
            ssdeep_hashes.append(tSsdeep)

            # parameterized insert: values are bound, never spliced into the SQL string
            my_db.execute("INSERT INTO hash_db VALUES (?, ?, ?, ?)", (my_uuid, tMd5, tSha256, tSsdeep))

            # and pull out / clean all links
            temp = extract_my_links(each)
            for zing in temp:
                my_links.append(zing)
            for blue in matches:
                #print each
                yara_hit.append(blue) # makes it cleaner for pushing hits on the back end

awesome_sauce = [] # decoded payloads
my_to = [] # To: field
my_from = [] # From: field
my_subject = [] # Do I really need to keep going...?
my_date = []
my_attachments = []
user_message = [] # Pulled from Yara meta message= field

md5_hashes = []
sha256_hashes = []
ssdeep_hashes = []

my_links = [] # Regex'ed links from email
cleaned_links = [] # parsed / cleaned domains, for SIEMs and other fun stuff
yara_hit = [] # duh

my_email = quopri.decodestring(sys.stdin.read()) # reads email from stdin

parse_the_email(my_email) # Does the magic, calls def parse_the_email(email)

yara_hit = list(set(yara_hit)) # sort / uniq them all. Better to do this now than on the backend with un-needed duplication
user_message = list(set(user_message)) # Sorts / uniq's user messages. See above comment
md5_hashes = list(set(md5_hashes))

cur_stats = ""
my_to = clean_addresses(my_to)
my_from = clean_addresses(my_from)
my_links = list(set(my_links)) # removes duplication

#print len(yara_hit)
for blue in yara_hit:
    my_db.execute("INSERT INTO yara_hits VALUES (?, ?)", (my_uuid, str(blue)))

# Every link is cleaned and stored; the pivot URLs are only printed in debug mode.
for each in my_links:
    cUrl = clean_url(each)
    if debug == 1:
        print "Pivotable: " + "http://www.dshield.org/ipinfo.html?ip=" + cUrl
        print "Pivotable: " + "https://www.robtex.com/dns/" + cUrl + ".html"
        print "Pivotable: " + "https://www.robtex.com/ip/" + cUrl + ".html"
        print "Pivotable: " + "http://network-tools.com/default.asp?prog=express&host=" + cUrl
    cleaned_links.append(cUrl)
    try:
        my_db.execute("INSERT INTO urls VALUES (?, ?, ?)", (my_uuid, each.replace("<", "").replace(">", ""), cUrl))
    except sqlite3.Error:
        print "ERRORS ON " + my_uuid + " " + cUrl

#cleaned_links = list(set(cleaned_links)) # removes duplication

# This prints everything out, to show what the final output would look like. Here would be a good time
# to throw it all into the DB

if debug == 1:
    print str(user_message).replace("[", "").replace("'", "").replace("]", "") + "\n\nTo: " + str(my_to) + \
        "\nFrom: " + str(my_from) + "\nSubject: " + str(my_subject) + "\nDate: " + str(my_date) + \
        "\nAttachments: " + str(my_attachments) + "\nDetection Signatures: " + str(yara_hit) + \
        "\nReporting Mechanism: " + str(cur_stats) + "\nEmail ID: " + str(my_uuid) + \
        "\nMD5 hashes: " + str(md5_hashes) + "\nSha256 Hashes: " + str(sha256_hashes) + \
        "\nSSDeep: " + str(ssdeep_hashes) + "\nLinks: " + str(my_links).replace(".", "[d]") + \
        "\nCleaned Links: " + str(cleaned_links).replace(".", "[d]")
# CREATE TABLE email_meta(key varchar, date varchar, e_to varchar, e_from varchar, e_subject varchar, attachment varchar, reporting_mechanism varchar, email varchar);

# "entireEmailHere" is a placeholder; the raw email itself is written to emails/<uuid> below
my_db.execute("INSERT INTO email_meta VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
              (my_uuid, str(my_date), str(my_to), str(my_from), str(my_subject), str(my_attachments), str(cur_stats), "entireEmailHere"))
vtResults = virustotalApi(sha256_hashes)
print vtResults

# To save the email
if not os.path.isdir("emails"):
    os.makedirs("emails")
open("emails/" + my_uuid, "wb").write(my_email)

#cef_my_hash(data, c_from, c_to, c_key, c_subject, c_attachments, c_reporting):

# Check for similarities with emails already in the DB. Each field is looked up with a bound
# LIKE parameter, so a subject or link chosen by the sender cannot change the query itself.
incr = 0
for each in my_to:
    if my_db.execute('select * from email_meta where e_to like ? and key != ?', ("%" + each + "%", my_uuid)).fetchall():
        print "THERES AN EMAIL MATCHING RECIPIENT"
        incr += 1

for each in my_from:
    if my_db.execute('select * from email_meta where e_from like ? and key != ?', ("%" + each + "%", my_uuid)).fetchall():
        print "THERES AN EMAIL MATCHING SENDER"
        incr += 1

for each in my_subject:
    if my_db.execute('select * from email_meta where e_subject like ? and key != ?', ("%" + each + "%", my_uuid)).fetchall():
        print "THERES AN EMAIL MATCHING SUBJECT"
        incr += 1

for each in my_attachments:
    if my_db.execute('select * from email_meta where attachment like ? and key != ?', ("%" + each + "%", my_uuid)).fetchall():
        print "THERES AN EMAIL MATCHING ATTACHMENT"
        incr += 1

for each in yara_hit:
    if my_db.execute('select * from yara_hits where hit like ? and key != ?', ("%" + str(each) + "%", my_uuid)).fetchall():
        print "THERES AN EMAIL MATCHING YARA HIT"
        incr += 1

for each in cleaned_links:
    if my_db.execute('select * from urls where cleaned_url like ? and key != ?', ("%" + str(each) + "%", my_uuid)).fetchall():
        print "THERES A LINK MATCH IN THE HIT"
        incr += 1

if incr >= 2:
    print "Clustering! We have a match!"
conn.commit()
conn.close()

# To, From, Subject, Date, Attachments, Detection Signatures, Reporting Mechanism, Email ID, MD5 Hashes, URLs, Clean URLs, SHA256 Hashes, SSDeep
# writes out the .csv file. Mostly for debugging here
open(outFile, "a").write("\"" + str(my_to) + "\",\"" + str(my_from) + "\",\"" + str(my_subject) + "\",\"" + str(my_date) + "\",\"" + str(my_attachments) + "\",\"" + str(yara_hit) + "\",\"" + str(cur_stats) + "\",\"" + str(my_uuid) + "\",\"" + str(md5_hashes) + "\",\"" + str(my_links).replace(".", "[d]") + "\",\"" + str(cleaned_links).replace(".", "[d]") + "\",\"" + str(sha256_hashes) + "\",\"" + str(ssdeep_hashes) + "\"\n")
--------------------------------------------------------------------------------
/yara_headers.yar:
--------------------------------------------------------------------------------
include "Rules/email_contents.yar"
include "Rules/zeus.yar"
include "Rules/spyeye.yar"
--------------------------------------------------------------------------------
/yara_include.yar:
--------------------------------------------------------------------------------
include "Rules/magic.yar"
include "Rules/email_contents.yar"
include "Rules/zeus.yar"
include "Rules/spyeye.yar"
--------------------------------------------------------------------------------
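The base64 re-padding in parse_the_email and the "Check for similarities" clustering at the end of shredder.py, reworked as an added stand-alone example (not code from the pm_shredder project): it builds the README schema in an in-memory SQLite database, stores and matches with bound parameters, escapes LIKE wildcards that arrive in attacker-chosen email fields, and goes one step beyond the script by rejecting blobs whose length is 4n+1, which no padding can repair. All sample values are constructed; the function and variable names are mine.

```python
import base64
import binascii
import sqlite3
import uuid

# The four tables from the README / create_db.py
SCHEMA = """
CREATE TABLE email_meta(key varchar, date varchar, e_to varchar, e_from varchar,
    e_subject varchar, attachment varchar, reporting_mechanism varchar, email varchar);
CREATE TABLE hash_db(key varchar, md5 varchar, sha256 varchar, ssdeep varchar);
CREATE TABLE urls(key varchar, url varchar, cleaned_url varchar);
CREATE TABLE yara_hits(key varchar, hit varchar);
"""


def repair_base64(blob):
    """Strip CR/LF and re-pad a base64 blob whose padding is wrong or missing
    (the 'finicky' fix-up in parse_the_email). Returns the decoded bytes, or
    None when the blob cannot be base64 at all."""
    text = blob.replace(b"\r", b"").replace(b"\n", b"")
    if not text or b" " in text:        # shredder.py skips anything containing a space
        return None
    if len(text) % 4:
        text = text.replace(b"=", b"")
        if len(text) % 4 == 1:          # 4n+1 characters: no amount of '=' fixes this
            return None
        text += b"=" * (4 - len(text) % 4)
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def clean_url(url):
    """Reduce a link to its host, as clean_url in shredder.py does for SIEM feeds."""
    return url.replace("http://", "").replace("https://", "").split("/", 1)[0]


def like_pattern(value):
    """Escape LIKE wildcards so a sender-chosen subject cannot widen the match."""
    value = value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return "%" + value + "%"


def store_email(conn, key, meta, links, hits):
    c = conn.cursor()
    c.execute("INSERT INTO email_meta VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
              (key, meta["date"], meta["to"], meta["from"], meta["subject"],
               meta["attachment"], "", "entireEmailHere"))
    c.executemany("INSERT INTO urls VALUES (?, ?, ?)", [(key, u, clean_url(u)) for u in links])
    c.executemany("INSERT INTO yara_hits VALUES (?, ?)", [(key, h) for h in hits])
    conn.commit()


def cluster_score(conn, key, meta, links, hits):
    """Count attributes of the new email already seen on other emails;
    shredder.py prints 'Clustering!' at a score of two or more."""
    checks = [("email_meta", "e_to", meta["to"]), ("email_meta", "e_from", meta["from"]),
              ("email_meta", "e_subject", meta["subject"])]
    checks += [("urls", "cleaned_url", clean_url(u)) for u in links]
    checks += [("yara_hits", "hit", h) for h in hits]
    score = 0
    for table, column, value in checks:     # table/column come from the fixed list above
        if not value:                       # an empty field would match every row
            continue
        sql = "SELECT 1 FROM %s WHERE %s LIKE ? ESCAPE '\\' AND key != ?" % (table, column)
        if conn.execute(sql, (like_pattern(value), key)).fetchone():
            score += 1
    return score


def demo():
    """Constructed sample: a second email sharing sender, subject and link host."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    first = {"date": "Tue, 17 Dec 2013 16:07:20 -0500", "to": "feedback@example.com",
             "from": "team@sender.example", "subject": "Voice Message", "attachment": ""}
    store_email(conn, str(uuid.uuid4()), first, ["http://phish.example/play/111"], ["example_rule"])
    second = dict(first, to="someone.else@example.com")
    return cluster_score(conn, str(uuid.uuid4()), second, ["https://phish.example/x?y=1"], [])
```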