Last active
September 14, 2018 13:49
-
-
Save nicdev/fb64d89cb3a29cbec630953ca4037238 to your computer and use it in GitHub Desktop.
[RFI] GET /collections
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ | |
| { | |
| "id": "public", | |
| "title": "XFE Public Collections", | |
| "can_read": true, | |
| "can_write": false, | |
| "media_types": [ | |
| "application/vnd.oasis.stix+json; version=2.0" | |
| ] | |
| }, | |
| { | |
| "id": "7ac6c457-8fac-afa0-de50-b72e7bf8f8c4", | |
| "title": "Botnet Command and Control Servers", | |
| "description": "Botnet C&C Servers,\n\n,Here are some ,IPs, and ,URLs, of known Botnet C&C servers. Connections to those servers are a good ,indicator for a malware infection,.,\n\n,Feel free to contribute and extend the list. ,\n\n,(,Pro-Tip:, hover with your mouse over an IP or URL to see a short summary in a popover for it),\n\n,C&C IPs,\n\n,217.147.169.242,\n\n,91.200.14.139,\n\n,217.23.5.57,\n\n,5.254.98.54,\n\n,5.61.39.14,\n\n,50.17.189.198,\n\n,50.21.187.135,\n\n,50.22.86.10,\n\n,50.23.98.194,\n\n,50.62.235.1,\n\n,50.62.31.207,\n\n,50.63.56.47,\n\n,50.87.146.115,\n\n,50.87.151.146,\n\n,50.87.153.96,\n\n,50.87.18.127,\n\n,50.87.72.219,\n\n,50.97.234.2,\n\n,52.10.128.168,\n\n,52.207.234.89,\n\n,54.209.159.227,\n\n,54.218.45.67,\n\n,54.228.191.94,\n\n,54.236.134.245,\n\n,54.239.172.114,\n\n,54.248.126.242,\n\n,54.72.9.51,\n\n,58.215.169.42,\n\n,58.215.240.96,\n\n,58.55.127.16,\n\n,59.32.213.195,\n\n,60.250.76.52,\n\n,61.139.126.15,\n\n,61.147.75.89,\n\n,61.158.145.141,\n\n,61.178.85.177,\n\n,61.19.251.27,\n\n,61.57.227.5,\n\n,41.207.222.252,\n\n,101.0.89.3,\n\n,101.200.81.187,\n\n,103.19.89.118,\n\n,103.230.84.239,\n\n,103.241.0.100,\n\n,103.26.128.84,\n\n,103.4.52.150,\n\n,103.7.59.135,\n\n,107.191.46.4,\n\n,109.127.8.242,\n\n,109.229.210.250,\n\n,109.229.36.65,\n\n,113.29.230.24,\n\n,116.193.77.118,\n\n,120.25.63.2,\n\n,120.31.134.133,\n\n,120.63.157.195,\n\n,123.30.129.179,\n\n,124.110.195.160,\n\n,128.210.157.251,\n\n,149.202.242.81,\n\n,151.80.52.45,\n\n,151.80.52.47,\n\n,151.97.190.239,\n\n,157.7.170.62,\n\n,160.97.52.229,\n\n,162.223.94.56,\n\n,177.4.23.159,\n\n,180.182.234.200,\n\n,185.25.117.49,\n\n,185.25.119.84,\n\n,185.35.138.22,\n\n,185.62.188.51,\n\n,185.99.133.163,\n\n,186.64.120.104,\n\n,187.174.252.247,\n\n,188.219.154.228,\n\n,188.226.141.142,\n\n,188.241.140.212,\n\n,188.241.140.222,\n\n,188.241.140.224,\n\n,188.247.135.53,\n\n,188.247.135.58,\n\n,188.247.135.74,\n\n,188.247.135.99,\n\n,190.123.35.140,\n\n,190.123.35.141,\n\n,190.128.29.1,\n\n,190.15.192.25,\n\n,192.64.11.244,\n\n,192.99.148.26,\n\n,192.99.19.4,\n\n,193.107.17.145,\n\n,193.107.17.55,\n\n,193.107.17.56,\n\n,193.107.19.24,\n\n,193.107.19.244,\n\n,193.146.210.69,\n\n,193.189.117.56,\n\n,193.201.227.142,\n\n,194.109.64.131,\n\n,194.58.103.199,\n\n,194.58.56.45,\n\n,195.20.40.123,\n\n,195.20.41.233,\n\n,195.20.42.1,\n\n,195.20.44.100,\n\n,195.20.44.109,\n\n,195.20.46.116,\n\n,198.245.202.92,\n\n,199.187.129.193,\n\n,199.201.121.185,\n\n,199.7.234.100,\n\n,2.50.11.28,\n\n,201.149.83.183,\n\n,202.144.144.195,\n\n,202.191.62.226,\n\n,202.29.22.38,\n\n,202.29.230.198,\n\n,202.67.13.107,\n\n,202.9.36.111,\n\n,203.170.193.23,\n\n,209.164.84.70,\n\n,210.211.108.215,\n\n,210.4.76.221,\n\n,212.44.64.202,\n\n,213.147.67.20,\n\n,216.176.100.240,\n\n,216.215.112.149,\n\n,217.12.202.85,\n\n,222.29.197.232,\n\n,23.113.113.105,\n\n,23.94.5.119,\n\n,23.96.196.120,\n\n,24.148.217.188,\n\n,24.172.94.180,\n\n,24.204.49.244,\n\n,27.131.149.102,\n\n,27.254.55.11,\n\n,31.131.139.42,\n\n,31.131.251.33,\n\n,31.134.100.179,\n\n,31.134.73.151,\n\n,31.14.134.47,\n\n,31.222.155.254,\n\n,31.23.128.204,\n\n,31.23.80.184,\n\n,31.28.103.254,\n\n,31.41.44.45,\n\n,31.42.172.36,\n\n,31.7.63.146,\n\n,37.123.99.188,\n\n,37.128.132.96,\n\n,37.139.30.95,\n\n,37.140.195.177,\n\n,37.143.11.189,\n\n,37.229.126.164,\n\n,37.46.131.153,\n\n,37.46.135.204,\n\n,37.48.125.119,\n\n,37.57.177.15,\n\n,37.58.112.101,\n\n,37.59.61.29,\n\n,37.99.146.27,\n\n,38.64.199.113,\n\n,38.64.199.33,\n\n,41.144.68.21,\n\n,41.189.45.166,\n\n,41.189.52.14,\n\n,41.189.53.94,\n\n,41.202.71.27,\n\n,41.202.78.237,\n\n,41.202.90.185,\n\n,41.207.11.79,\n\n,41.207.2.186,\n\n,41.207.203.238,\n\n,41.207.220.170,\n\n,41.207.220.57,\n\n,41.207.24.201,\n\n,41.207.64.49,\n\n,41.38.18.230,\n\n,41.66.35.238,\n\n,41.66.39.42,\n\n,41.79.173.47,\n\n,41.86.46.245,\n\n,42.117.2.85,\n\n,45.124.65.51,\n\n,45.127.92.179,\n\n,45.46.51.81,\n\n,45.55.136.31,\n\n,46.151.52.191,\n\n,46.151.52.61,\n\n,46.16.200.133,\n\n,46.161.2.60,\n\n,46.161.40.102,\n\n,46.161.40.106,\n\n,46.165.222.231,\n\n,46.19.136.211,\n\n,46.22.128.133,\n\n,46.22.134.78,\n\n,46.31.43.57,\n\n,46.33.54.45,\n\n,46.4.150.111,\n\n,46.4.203.213,\n\n,5.100.249.215,\n\n,5.135.28.113,\n\n,5.139.154.42,\n\n,5.152.199.70,\n\n,5.152.201.19,\n\n,5.172.193.101,\n\n,5.187.0.137,\n\n,5.187.193.224,\n\n,5.187.4.183,\n\n,5.196.249.163,\n\n,5.206.225.104,\n\n,5.9.253.173,\n\n,5.9.82.18,\n\n,50.62.233.1,\n\n,52.39.53.151,\n\n,58.195.1.4,\n\n,59.157.4.2,\n\n,60.13.186.5,\n\n,60.241.184.209,\n\n,60.249.31.231,\n\n,61.14.209.167,\n\n,61.47.43.241,\n\n,62.76.191.108,\n\n,63.249.152.74,\n\n,63.250.54.134,\n\n,64.127.71.73,\n\n,64.182.215.68,\n\n,64.182.6.61,\n\n,64.76.19.244,\n\n,64.76.19.251,\n\n,64.85.233.8,\n\n,69.118.144.195,\n\n,69.144.171.44,\n\n,69.15.194.26,\n\n,69.23.87.56,\n\n,72.167.245.34,\n\n,72.230.82.80,\n\n,72.41.18.212,\n\n,73.72.208.195,\n\n,74.119.194.18,\n\n,74.62.209.104,\n\n,78.138.104.167,\n\n,78.46.222.241,\n\n,80.65.93.241,\n\n,81.177.180.101,\n\n,82.196.3.245,\n\n,83.15.254.242,\n\n,83.212.117.233,\n\n,83.69.233.121,\n\n,87.236.210.110,\n\n,87.236.210.124,\n\n,87.237.198.245,\n\n,87.246.143.242,\n\n,87.254.167.37,\n\n,89.40.181.101,\n\n,90.80.231.36,\n\n,91.108.176.118,\n\n,91.121.240.111,\n\n,91.121.240.97,\n\n,91.195.12.143,\n\n,91.201.155.96,\n\n,91.224.141.11,\n\n,91.236.213.74,\n\n,91.236.75.11,\n\n,92.53.119.248,\n\n,92.53.124.62,\n\n,93.171.205.12,\n\n,94.103.36.55,\n\n,95.211.153.134,\n\n,98.126.6.83,\n\n,98.131.185.136, ,\n\n,192.42.119.41,\n\n, ,\n\n,Emotet C2 ,\n\n,212.83.166.45,\n\n,173.230.136.67,\n\n,173.224.218.25,\n\n,104.227.137.34,\n\n,137.74.254.64,\n\n,188.165.220.214,\n\n,85.143.221.180,\n\n,119.82.27.246,\n\n,194.88.246.7,\n\n,206.214.220.79,\n\n,104.236.2.253,\n\n,62.39.95.185,\n\n,C&C URLs,\n\n,optiker-michelmann.de/eoewdksna, (,81.169.145.155, reverse lookup: ,w9b.rzone.de,),\n\n,securitywebservices.com/WrQBcRn4E3.js, (zeus webinject),\n\n,www.super8service.de/zf0yx, (,81.169.145.164, reverse lookup: ,wa4.rzone.de,).Zeus,\n\n,1st.technology,\n\n,arvision.com.co,\n\n,atmape.ru,\n\n,bestdove.in.ua,\n\n,brausincsystem.pro,\n\n,championbft.com,\n\n,danislenefc.info,\n\n,dau43vt5wtrd.tk,\n\n,emaillifecoaching.com.au,\n\n,everbless.biz,\n\n,gorainbowzone.tk,\n\n,hotelavalon.org,\n\n,hui-ain-apparel.tk,\n\n,ice.ip64.net,\n\n,jacobkrumnow.com,\n\n,kesikelyaf.com,\n\n,lion.web2.0campus.net,\n\n,machine.cu.ma,\n\n,maminoleinc.tk,\n\n,muazymaur.tk,\n\n,mxstat230.com,\n\n,nasscomminc.tk,\n\n,ns511849.ip-192-99-19.net,\n\n,ns513726.ip-192-99-148.net,\n\n,ozowarac.com,\n\n,panel.vargakragard.se,\n\n,petroyeda.com,\n\n,platinum-casino.ru,\n\n,projects.globaltronics.net,\n\n,prtscrentercn.info,\n\n,prtscrinsertcn.net,\n\n,sanyai-love.rmu.ac.th,\n\n,securetestingnetwotk.com,\n\n,server.bovine-mena.com,\n\n,servmill.com,\n\n,ssl.sinergycosmetics.com,\n\n,sslsam.com,\n\n,sus.nieuwmoer.info,\n\n,telefonfiyatlari.org,\n\n,toolsathomes.com,\n\n,update.odeen.eu,\n\n,update.rifugiopontese.it,\n\n,valdmir.noriysha.ru,\n\n,vodahelp.sytes.net,\n\n,www.9mode-clothing-manufacturer.com,\n\n,www.antibasic.ga,\n\n,www.nikey.cn,\n\n,www.riverwalktrader.co.za,\n\n,www.witkey.com,\n\n,sabitovaroza.website,\n\n,External Blacklists:,\n\n,http://rules.emergingthreats.net/open/suricata/rules/botcc.rules,\n", | |
| "can_read": true, | |
| "can_write": true, | |
| "media_types": [ | |
| "application/vnd.oasis.stix+json; version=2.0" | |
| ] | |
| }, | |
| { | |
| "id": "cbb0ba41-28f8-3a23-918e-0db08d8148cd", | |
| "title": "The Urpage Connection to Bahamut, Confucius and Patchwork", | |
| "description": "Threat Type\nMalware\nOverview\nTrend Micro published an article on a threat actor dubbed “Urpage” and possible connections to other cyber criminals known as Confucius, Patchwork, and Bahamut. The article elaborated on tactics, techniques, and procedures (TTPs) shared across these cyber groups. One key attack vector for Urpage is the targeting of InPage (a word processor for Urdu and Arabic languages). Although, this TTP sets them apart, additional components such as the use of the Delphi backdoor, shows a common factor with Confucius, Patchwork, and the use of Bahamut-like malware. The article highlights the existing connection between Bahamut and Urpage by the way numerous malicious Android applications match Bahamut’s code with command and control (C&C) properties belonging to the Urpage infrastructure. In addition to Confucius and Urpage sharing the same Delphi file stealer, a connection is present in the properties set in two malicious RTF files that exploit different flaws but download a similar script. Patchwork also shares similarities with Urpage in terms of the usage of the Delphi backdoor. The bond is more transparent given that the application code (Android applications) C&C matches the registration pattern of Patchwork, as well as an infrastructure close to an old Patchwork domain. For further details on similarities and IOCs, refer to Trend Micro’s article.\nIndicators of Compromise\nCVEs\n CVE-2017-8750 \n CVE-2017-12824 \n CVE-2017-11882 \n CVE-2017-0199 \n** For additional IOCs, refer to the attachments section.\nProtection\nhttps://exchange.xforce.ibmcloud.com/signature/RTF_Office_AutoLink_Exec \nhttps://exchange.xforce.ibmcloud.com/signature/Email_XML_Office_OLE_Remote_Bypass \nhttps://exchange.xforce.ibmcloud.com/signature/XML_Office_OLE_Remote_Bypass \nhttps://exchange.xforce.ibmcloud.com/signature/XML_Office_OLE_Script_Exec \nhttps://exchange.xforce.ibmcloud.com/signature/HTML_Edge_Memory_Corruption_004 \nhttps://exchange.xforce.ibmcloud.com/signature/RTF_OLE_Equation_Exec \nhttps://exchange.xforce.ibmcloud.com/signature/CompoundFile_OLE_Equation_Exec \nRecommendations\nKeep applications and operating systems running at the current released patch level\nEnsure anti-virus software and associated files are up to date\nVerify, through a separate channel, the legitimacy of any unsolicited email attachments - delete without opening if you can't validate\nSearch for existing signs of the indicated IOCs in your environment\nBlock all URL and IP based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices \nReferences\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/\nhttps://documents.trendmicro.com/assets/Appendix-TheUrpageConnectiontoBahamutConfuciusandPatchwork.pdf ", | |
| "can_read": true, | |
| "can_write": false, | |
| "media_types": [ | |
| "application/vnd.oasis.stix+json; version=2.0" | |
| ] | |
| }, | |
| { | |
| "id": "0fa6578f-adc8-aa09-ed22-05adf9fc2423", | |
| "title": "Middle Eastern Government Targeted By OilRig Group", | |
| "description": "Overview\nPalo Alto's Unit 42 researchers have published their latest findings on the group called OilRig. This campaign uses spear phishing to deliver an enticing email lure that contains a variant of the OopsIE Trojan as a payload. This variant of OopsIE includes anti-analysis, including anti-virtual machine techniques, to aid in evading detection. Should the user open the attachment, the Trojan will make a number of WMI (Windows Management Instrumentation) queries to determine if it is running in a virtual machine, stopping further execution if it detects a virtual environment. The system time zone must also conform to a list of acceptable Middle Eastern timezones. The short list of acceptable timezones gives an indication that this is a highly targeted attack. If the malware concludes it is safe to continue, it presents a dialog box to the user, indicating that an error has occurred. Clicking the OK button, the victim essentially gives the malware the go-ahead to infect the system. The malware has the ability to execute commands issued by its command and control (CnC) server, such as, run a command and send the output back to the CnC, download a file to the system, read and upload a file to the CnC, as well as being able to self-destruct. \nIndicators of Compromise\nSHA-256\n 36e66597a3ff808acf9b3ed9bc93a33a027678b1e262707682a2fd1de7731e23 \n 055b7607848777634b2b17a5c51da7949829ff88084c3cb30bcb3e58aae5d8e9 \n 6b240178eedba4ebc9f1c8b56bac02676ce896e609577f4fb64fa977d67c0761 \n 9e8ec04e534db1e714159cc68891be454c2459f179ab1df27d7f89d2b6793b17 \nURLs\n http://www.windowspatch.com/khc \n http://www.windowspatch.com/tahw \nDomains\n defender-update.com \n windowspatch.com \nRecommendations\nKeep applications and operating systems running at the current released patch level\nEnsure anti-virus software and associated files are up to date\nVerify, through a separate channel, the legitimacy of any unsolicited email attachments - delete without opening if you can not validate\nSearch for existing signs of the indicated IOCs in your environment\nBlock all URL and IP based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices\nReference\nhttps://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/ ", | |
| "can_read": true, | |
| "can_write": false, | |
| "media_types": [ | |
| "application/vnd.oasis.stix+json; version=2.0" | |
| ] | |
| }, | |
| { | |
| "id": "ae8a2e16-d9c3-2c82-1002-b53bd175e40f", | |
| "title": "Cryptomining -Threat Intelligence", | |
| "description": "All IP's and domains associated with crypto-mining ", | |
| "can_read": true, | |
| "can_write": true, | |
| "media_types": [ | |
| "application/vnd.oasis.stix+json; version=2.0" | |
| ] | |
| }, | |
| { | |
| "id": "a2a6346a-56ee-4ad1-bd44-2bab8751d7f2", | |
| "title": "Rocke: The Champion of Monero Miners", | |
| "description": "Threat Type\nThreat Actor, Crypto Mining Malware \nOverview\nTalos released intel on the threat-actor group “Rocke” utilizing crypto mining malware. Rocke is most commonly known for distributing and executing crypto mining malware using a varied toolkit that includes Git repositories, HttpFileServers (HFS), and many different payloads. Talos reports that in Late July of 2018 they detected Rocke continuing a similar campaign attacking vulnerable Apache Struts servers. The result is the uploading and executing of ELF binary based malware intended for the Linux operating system. This malware connects out to the attacker’s command and control with the capability to open a password protected reverse shell to give full command-line access to the attacker. Continued infection includes a XMRig based open-source Monero miner configured to the attackers account rocke@live.cn. \nFor full detailed analysis of the threat-actor group “Rocke” please see the Talos blog post. \nIndicators of Compromise\nATTACKING IPS TARGETING STRUTS:\n 52.167.219.168 : Attacking IP using repo at gitlab\n 120.55.226.24 : Attacking IP using repo at gitee\nATTACKING IP TARGETING WEBLOGIC:\n 27.193.180.224 \nATTACKING IPS TARGETING COLDFUSION:\n 112.226.250.77 \n 27.210.170.197 \n 112.226.74.162 \nDOMAINS\n 3389.space \nURLS\n https://gitee.com/c-999/ss/raw/master/ss/a \n https://gitee.com/c-999/ss/raw/master/ss/config.json \n https://gitee.com/c-999/ss/raw/master/ss/dir.dir \n https://gitee.com/c-999/ss/raw/master/ss/h32 \n https://gitee.com/c-999/ss/raw/master/ss/upd \n https://gitee.com/c-999/ss/raw/master/ss/x86_64 \n https://gitee.com/c-999/ss/raw/master/ss/h64 \n https://gitee.com/c-999/ss/raw/master/ss/x \n https://gitee.com/c-999/ss/raw/master/ss/run \n https://gitee.com/c-999/ss/raw/master/ss/logo.jpg \n https://gitee.com/c-888/ss/raw/master/ss/a \n https://gitee.com/c-888/ss/raw/master/ss/cron.d \n https://gitee.com/c-888/ss/raw/master/ss/dir.dir \n https://gitlab.com/c-18/ss/raw/master/ss/x \n https://gitlab.com/c-18/ss/raw/master/ss/x86_64 \n https://gitlab.com/c-18/ss/raw/master/ss/run \n https://gitee.com/c-888/ss/raw/master/ss/upd \n https://gitlab.com/c-18/ss/raw/master/ss/upd \n https://gitee.com/c-888/ss/raw/master/ss/x \n https://gitlab.com/c-18/ss/raw/master/ss/cron.d \n https://gitee.com/c-888/ss/raw/master/ss/h64 \n https://gitlab.com/c-18/ss/raw/master/ss/a \n https://gitee.com/c-888/ss/raw/master/ss/config.json \n https://gitlab.com/c-18/ss/raw/master/ss/config.json \n https://gitee.com/c-888/ss/raw/master/ss/run \n https://gitlab.com/c-18/ss/raw/master/ss/h32 \n https://gitlab.com/c-18/ss/raw/master/ss/dir.dir \n https://gitee.com/c-888/ss/raw/master/ss/x86_64 \n https://gitee.com/c-888/ss/raw/master/ss/h32 \n https://gitlab.com/c-18/ss/raw/master/ss/h64 \n hxxp://93.174.93.149/.xxxzlol.tar.gz \n https://gitee.com/c-888/ss/raw/master/ss/logo.jpg \n https://gitlab.com/c-18/ss/raw/master/ss/logo.jpg \nHASHES:\nLogo.jpg: ad68ab153623472bbd8220fb19c488ae2884d9b52bc65add5d54b1821b4b743a \na: 6ec8201ef8652f7a9833e216b5ece7ebbf70380ebd367e3385b1c0d4a43972fb \ncron.d: f6a150acfa6ec9d73fdecae27069026ecf2d833eac89976289d6fa15713a84fe \ndir.dir: a20d61c3d4e45413b001340afb4f98533d73e80f3b47daec42435789d12e4027 \nh32: 45ed59d5b27d22567d91a65623d3b7f11726f55b497c383bc2d8d330e5e17161 \nh64: 7fe9d6d8b9390020862ca7dc9e69c1e2b676db5898e4bfad51d66250e9af3eaf \nlogo.jpg (from gitee.com): f1f041c61e3086da8157745ee01c280a8238a379ca5b4cdbb25c5b746e490a9b \nlogo.jpg (from gitlab.com): ad68ab153623472bbd8220fb19c488ae2884d9b52bc65add5d54b1821b4b743a \nrun: 0c358d826c4a32a8c48ce88eb073f505b555fc62bca6015f5270425c58a0d1c5 \nupd: 187d06f1e6020b6787264e2e700c46c463a7818f07db0b051687f3cba65dbe0b \nx (32-bit miner): 6e80a9d843faf27e239b1a767d29c7443972be1ddf5ff5f5f9fc9a2b55a161f5 \nx86_64 (64-bit miner): 2ad07f8d1985f00cd05dafacbe5b6a5b1e87a78f8ae8ecdf91c776651c88a612 \nMore recent campaign:\nIPS\n 123.249.9.149 : Issues get request for 0720.bin \n 118.24.150.172 : Rocke's HFS, also resolves to C2 sydwzl.cn \nDOMAINS:\n sydwzl.cn \n blockbitcoin.com : Reached out to by Install.exe \n dazqc4f140wtl.cloudfront.net : file server\n 3g2upl4pq6kufc4m.tk : file server\n d3goboxon32grk2l.tk : file server\n enjoytopic.tk : file server\n realtimenews.tk : file server\n 8282.space : older C2\nDOMAINS REGISTERED TO ROCKE (NOT ALL ARE NECESSARILY MALICIOUS):\n 5-xun.com \n 88180585.com \n firstomato.com \n jxtiewei.com \n ncyypx.net \nURLS\n http://d20blzxlz9ydha.cloudfront.net/Install.exe \nHASHES\n 55dbdb84c40d9dc8c5aaf83226ca00a3395292cc8f884bdc523a44c2fd431c7b 0720.bin \n 38066751cb6c39691904ffbef86fe3bdfa737e4ba64add4dd90358245fa2b775 3307.bin \n 89b3463664ff13ea77256094844c9cf69d3e408d3daf9ffad3aa18af39bab410 TermsHost.exe \n d341e3a9133e534ca35d5ccc54b8a79f93ff0c917790e7d5f73fedaa480a6b93 a7\n 442e4a8d35f9de21d5cbd9a695a24b9ac8120e548119c7f9f881ee16ad3761e6 bashf\n 7674e0b69d848e0b9ff8b82df8671f9889f33ab1a664f299bcce13744e08954c bashg\n 7051c9af966d1c55a4096e2af2e6670d4fc75e00b2b396921a79549fb16d03d4 lowerv2.sh \n 2f5bf7f1ea7a84828aa70f1140774f3d4ce9985d05a676c8535420232e2af87e pools.txt \n ba29d8a259d33d483833387fad9c7231fbb3beb9f4e0603b204523607c622a03 config.json \n 7c2dbc0d74e01a5e7c13b4a41d3a1f7564c165bd532e4473acea6f46405d0889 r88.sh \n d44e767132d68fdb07c23c848ff8c28efe19d1b7c070161b7bd6c0ccfc858750 rootv2.sh \n 35cb971daafd368b71ad843a4e0b81c80225ec20d7679cfbf78e628ebcada542 Install.exe \n 654ec27ea99c44edc03f1f3971d2a898b9f1441de156832d1507590a47b41190 ZZYO \n F808A42B10CF55603389945A549CE45EDC6A04562196D14F7489AF04688F12BC XbashY\n 725efd0f5310763bc5375e7b72dbb2e883ad90ec32d6177c578a1c04c1b62054 reg9.sct \n d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6 m.png \n ece3cfdb75aaabc570bf38af6f4653f73101c1641ce78a4bb146e62d9ac0cd50 hidden executable in m.png \nRecommendations\nBlock all URL and IP based IOCs at the firewall, IDS, web gateways, routers or other perimeter based devices. \nUse updated anti-virus and ensure your current vendor has coverage for this campaign. \nSearch for existing signs of the indicated IOC's in your environment and websites.\nReference\nhttps://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html ", | |
| "can_read": true, | |
| "can_write": false, | |
| "media_types": [ | |
| "application/vnd.oasis.stix+json; version=2.0" | |
| ] | |
| }, | |
| { | |
| "id": "78b496f6-5de9-8217-d0be-eb64025e234f", | |
| "title": "LuckyMouse Signs Malicious NDISProxy Driver with Certificate of Chinese IT Company", | |
| "description": "Threat Type\nMalware\nOverview\nKaspersky Lab released a report which highlights a nefarious cyber campaign linked to the threat actor dubbed “LuckyMouse”. This campaign was detected in March 2018 targeting Central Asian government entities surrounding the Shanghai Cooperation Organization. It’s believed that the motive is tied to a regional political agenda. As Kaspersky did not detect any spear phishing or watering hole activity, they believe the malware was injected into the lsass.exe process on already compromised hosts. The report mentioned that the implants were injected by the digitally signed 32-bit and 64-bit network filtering driver NDISProxy. The associated digital certificate belongs to a legitimate Chinese company named LeagSoft who develop information security software and are based in Shenzhen, Guangdong. The malware consists of three modules; 1) a custom C++ installer that decrypts and drops the driver file, 2) a network filtering driver (NDISProxy) that decrypts and injects the Trojan, and 3) a last-stage C++ Trojan acting as a HTTPS server that works together with the driver. Given the use of the NDISProxy tool, Earthworm tunnels, and commands used by the adversary (“-s rssocks -d 103.75.190.28 -e 443”) that creates a tunnel to a known LuckyMouse command and control (C2) server, Kaspersky Lab attributes this activity to the Chinese-speaking actor, LuckyMouse. For further technical details, refer to Kaspersky’s report.\nIndicators of Compromise\nFile Hashes\nDroppers-installers\n 9dc209f66da77858e362e624d0be86b3 \n dacedff98035f80711c61bc47e83b61d \nDrivers\n 8e6d87eadb27b74852bd5a19062e52ed \n d21de00f981bb6b5094f9c3dfa0be533 \n a2eb59414823ae00d53ca05272168006 \n 493167e85e45363d09495d0841c30648 \n ad07b44578fa47e7de0df42a8b7f8d2d \nAuxiliary Earthworm SOCKS tunneler and Scanline network scanner\n 83c5ff660f2900677e537f9500579965 \n 3a97d9b6f17754dcd38ca7fc89caab04 \nDomains and IPs\n 103.75.190.28 \n 213.109.87.58 \nSemaphores\nGlobal\\Door-ndisproxy-mn\nGlobal\\Door-ndisproxy-help\nGlobal\\Door-ndisproxy-notify\nServices\nndisproxy-mn\nndisproxy-help\nndisproxy-notify\nRegistry keys and values\nHKLM\\SOFTWARE\\Classes\\32ndisproxy-mn\nHKLM\\SOFTWARE\\Classes\\64ndisproxy-mn\nHKCR\\ndisproxy-mn\\filterpd-ndisproxy-mn\nHKLM\\SOFTWARE\\Classes\\32ndisproxy-help\nHKLM\\SOFTWARE\\Classes\\64ndisproxy-help\nHKCR\\ndisproxy-mn\\filterpd-ndisproxy-help\nHKLM\\SOFTWARE\\Classes\\32ndisproxy-notify\nHKLM\\SOFTWARE\\Classes\\64ndisproxy-notify\nHKCR\\ndisproxy-mn\\filterpd-ndisproxy-notify\nDriver certificate\nA lot of legitimate LeagSoft products are signed with the following certificate. Please don’t consider all signed files as malicious.\nSubject -- ShenZhen LeagSoft Technology Co.,Ltd.\nSerial number -- 78 62 07 2d dc 75 9e 5f 6a 61 4b e9 b9 3b d5 21\nIssuer -- VeriSign Class 3 Code Signing 2010 CA\nValid to -- 2018-07-19\nRecommendations\nKeep applications and operating systems running at the current released patch level\nEnsure anti-virus software and associated files are up to date\nVerify, through a separate channel, the legitimacy of any unsolicited email attachments - delete without opening if you can't validate\nSearch for existing signs of the indicated IOCs in your environment\nBlock all URL and IP based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices \nReference\nhttps://securelist.com/luckymouse-ndisproxy-driver/87914/ ", | |
| "can_read": true, | |
| "can_write": false, | |
| "media_types": [ | |
| "application/vnd.oasis.stix+json; version=2.0" | |
| ] | |
| }, | |
| { | |
| "id": "f5f4d38b-fdf7-670c-958e-92affffd6e12", | |
| "title": "GandCrab v4 Ransomware", | |
| "description": "GandCrab v4 Ransomware activity \n\nhttps://www.hybrid-analysis.com/sample/97addc3ac19b3c142099bf72f7a41f9106bcd4e2418cceb1979c2e005f282842/5b9a2ea97ca3e133fc6d1153 \n", | |
| "can_read": true, | |
| "can_write": true, | |
| "media_types": [ | |
| "application/vnd.oasis.stix+json; version=2.0" | |
| ] | |
| }, | |
| { | |
| "id": "f895cb30-5fd7-d9f3-0360-03730ac8e77d", | |
| "title": "PyLocky Ransomware", | |
| "description": "Threat Type\nRansomware\nOverview\nSecurity researchers at Trend Micro released details about the ransomware known as PyLocky. From the end of July through August, there was a notable increase in spam emails being sent to distribute this malware. The emails make use of social engineering techniques to entice an unsuspecting user into clicking a malicious URL, beginning the infection process, and ultimately downloading the ransomware itself. Some of the themes observed in the subject line pretend to be legitimate invoices. PyLocky is written in Python and packaged with PyInstaller. As is customary with most ransomware, PyLocky will encrypt a victim's files and demand that a ransom is paid to unlock them. For full technical details, refer to Trend Micro's article. \nIndicators of Compromise\nSHA-256:\n c9c91b11059bd9ac3a0ad169deb513cef38b3d07213a5f916c3698bb4f407ffa \n 1569f6fd28c666241902a19b205ee8223d47cccdd08c92fc35e867c487ebc999 \n e172e4fa621845080893d72ecd0735f9a425a0c7775c7bc95c094ddf73d1f844 \n 2a244721ff221172edb788715d11008f0ab50ad946592f355ba16ce97a23e055 \n 87aadc95a8c9740f14b401bd6d7cc5ce2e2b9beec750f32d1d9c858bc101dffa \nURLs:\n https://centredentairenantes.fr \n https://panicpc.fr/client.php?fac=676171&u=0000EFC90103 \n https://savigneuxcom.securesitefr.com/client.php?fac=001838274191030 \nRecommendations\nKeep applications and operating systems running at the current released patch level\nEnsure anti-virus software and associated files are up to date\nVerify, through a separate channel, the legitimacy of any unsolicited email attachments - delete without opening if you can not validate\nSearch for existing signs of the indicated IOCs in your environment\nBlock all URL and IP based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices\nReference\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/ ", | |
| "can_read": true, | |
| "can_write": false, | |
| "media_types": [ | |
| "application/vnd.oasis.stix+json; version=2.0" | |
| ] | |
| } | |
| ] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment