From 5d0fa82692dc1cc27a0250a5798f9ad809e2a1bf Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 16 Feb 2021 14:02:02 +0100
Subject: [PATCH] Fenrir with Sandworm Centreon IOCs and Strings
---
 c2-iocs.txt | 125 +---------------------------------------
 fenrir.sh | 4 +-
 filename-iocs.txt | 7 +++
 hash-iocs.txt | 99 +-----------------------------------
 string-iocs.txt | 12 +++--
 5 files changed, 19 insertions(+), 228 deletions(-)
diff --git a/c2-iocs.txt b/c2-iocs.txt
index f04bc21..fc6693a 100644
--- a/c2-iocs.txt
+++ b/c2-iocs.txt
@@ -1,125 +1,2 @@
-201.191.202.34
-216.58.192.68
-185.11.146.191
-185.11.146.151
-185.62.190.62
-185.62.190.82
-185.62.190.156
-185.62.190.222
-185.62.190.253
-188.209.49.163
-188.209.52.195
-188.209.49.131
-188.209.49.165
-185.130.5.165
-185.130.5.174
-185.130.5.200
-185.130.5.205
-185.130.5.246
-80.82.64.177
-80.82.78.12
-89.248.168.29
-89.248.172.201
-94.102.53.144
-89.248.162.167
-89.248.162.171
-89.248.166.131
-89.248.168.39
-89.248.172.166
-89.248.172.173
-94.102.49.197
-94.102.63.136
-46.165.251.153
-178.162.199.88
-178.162.205.4
-178.162.205.29
-178.162.205.30
-178.162.211.200
-178.162.211.211
-178.162.211.213
-178.162.211.214
-178.162.211.215
-178.162.211.216
-178.162.211.217
-149.202.153.56
-173.208.196.202
-188.0.236.27
-188.209.52.228
-192.210.220.3
-198.23.238.215
-198.23.238.251
-208.67.1.130
-208.67.1.33
-208.69.31.11
-5.152.206.162
-5.196.8.171
-89.248.162.167
-115.239.248.62
-117.27.158.104
-117.27.158.71
-117.27.158.78
-117.27.158.91
-122.225.103.118
-122.225.103.122
-122.225.103.125
-122.225.103.97
-122.225.109.102
-122.225.109.103
-122.225.109.108
-122.225.109.109
-122.225.109.114
-122.225.109.121
-122.225.109.125
-122.225.109.202
-122.225.109.214
-122.225.109.220
-122.225.109.99
-218.2.0.121
-218.2.0.132
-218.2.0.133
-218.2.0.137
-221.235.188.210
-222.186.34.121
-222.186.58.70
-60.169.77.228
-61.174.50.172
-61.174.50.177
-61.174.50.184
-61.174.50.216
-61.174.51.214
-61.174.51.226
-61.174.51.229
-61.174.51.230
-61.174.51.233
-61.174.51.235
-61.174.50.184
-122.225.103.118
-218.2.0.132
-122.225.103.125
-122.225.109.99
-122.225.103.97
-122.225.103.122
-61.174.51.226
-117.27.158.71
-61.174.51.233
-122.225.109.108
-122.225.109.109
-61.174.50.177
-61.174.51.214
-117.27.158.104
-61.174.50.172
-222.186.34.121
-117.27.158.91
-222.186.58.70
-61.174.51.229
-122.225.109.214
-61.174.50.216
-117.27.158.78
-221.235.188.210
-122.225.109.121
-167.114.153.55
-94.237.37.28
-82.118.242.171
-31.220.61.251
-128.199.199.187
+176.31.225.204
 # END
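Review bot: The only indicator that survives this rewrite, `+176.31.225.204`, carries no source reference or date, so a later maintainer cannot tell which report it came from or when it should be retired; C2 IP addresses are reassigned far faster than file hashes, so this context matters most here. The file already contains a `#` line (the `# END` sentinel), so a comment such as `# Sandworm / Centreon campaign C2, added 2021-02, see source report` placed above the address would preserve it. Whether fenrir.sh skips `#` lines when loading this file is not visible in this diff; confirm that before relying on it.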
diff --git a/fenrir.sh b/fenrir.sh
index 6e9e054..9dee705 100755
--- a/fenrir.sh
+++ b/fenrir.sh
@@ -27,8 +27,8 @@ SYSLOG_FACILITY=local4
 DO_C2_CHECK=1
 
 # Exclusions
-MAX_FILE_SIZE=2000 # max file size to check in kilobyte, default 2 MB
-CHECK_ONLY_RELEVANT_EXTENSIONS=1
+MAX_FILE_SIZE=8000 # max file size to check in kilobyte, default 2 MB
+CHECK_ONLY_RELEVANT_EXTENSIONS=1 # ELF binaries get always checked
 declare -a RELEVANT_EXTENSIONS=('exe' 'jsp' 'dll' 'txt' 'js' 'vbs' 'bat' 'tmp' 'dat' 'sys' 'php' 'jspx' 'pl' 'war' 'sh' 'asp' 'aspx' 'jspx'); # use lower-case
 # files in these directories will be checked with string grep
 # regradless of their size and extension
diff --git a/filename-iocs.txt b/filename-iocs.txt
index ee4e7b9..a42265b 100644
--- a/filename-iocs.txt
+++ b/filename-iocs.txt
@@ -1,2 +1,9 @@
 demo/evil.jsp
 # END - DO NOT REMOVE
+/tmp/.applocktx
+/tmp/.applock$
+/usr/local/centreon/www/search.php
+/usr/share/centreon/www/search.php
+/usr/share/centreon/www/modules/Discovery/include/DB−Drop.php
+/usr/share/centreon/www/htmlHeader.php
+/configtx\.json
\ No newline at end of file
diff --git a/hash-iocs.txt b/hash-iocs.txt
index 414f7af..1117b1f 100644
--- a/hash-iocs.txt
+++ b/hash-iocs.txt
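Review bot: The trailing comment on the new `MAX_FILE_SIZE=8000` line still says `default 2 MB`, which now contradicts the value it annotates; change it to `MAX_FILE_SIZE=8000 # max file size to check in kilobyte, default 8 MB`. The added `# ELF binaries get always checked` reads better as `# ELF binaries are always checked, regardless of extension`, and if that exemption is implemented elsewhere in fenrir.sh it is worth naming where, since that logic is outside this hunk. Raising the cap fourfold means more files are hashed and grepped on every run, so expect longer scans on large hosts — reasonable for a targeted sweep, but worth a word in the commit message.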
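Review bot: The seven new paths are appended after `# END - DO NOT REMOVE`, and the hunk ends with `\ No newline at end of file`, so `/configtx\.json` is now an unterminated final line — exactly the situation the sentinel exists to prevent, because a `while read` loop (which the sentinel's wording suggests fenrir.sh uses) drops a last line that has no newline. Move the additions above the sentinel and keep it, newline-terminated, as the last line. `DB−Drop.php` also appears to contain U+2212 (Unicode minus) rather than an ASCII hyphen, likely a copy-paste artifact from the source report, which would never match an on-disk `DB-Drop.php`; retype it as `/usr/share/centreon/www/modules/Discovery/include/DB-Drop.php`. Finally the entries mix plain paths with regex-style tokens (`$` in `/tmp/.applock$`, `\.` in `/configtx\.json`, unescaped `.` elsewhere); how fenrir.sh matches filename IOCs is not visible here, so confirm how those characters are interpreted and use one convention.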
@@ -1,98 +1,3 @@
-329cd07f4dd67947ff10d8a6550ff779;Demo file - evil.jsp
-
-866f94f30d9865995494a0f7228329c26149eef2960500b2177c736c5c846035;Equation APT
-8447dabffd37eb7fcb1bc1d6c6f1d164;Htran Chinese APT Tunneling Tool Sample
-
-5d853a8de18d844a9ab269f3d51e5072;Five Eyes QUERTY Malware20120.dll.bin
-cc8b737edb3f11c9c5dba57035c63103;Five Eyes QUERTY Malware20120.xml
-67ac8dc6589a07d950bd12f534dc9789;Five Eyes QUERTY Malware20120_cmdDef.xml
-40451f20371329b992fb1b85c754d062;Five Eyes QUERTY Malware20121.dll.bin
-ff0afae5c68c5177ed0a3d6339810cae;Five Eyes QUERTY Malware20121.xml
-1bc8f4df4551c6efbbb1fe9f965dca49;Five Eyes QUERTY Malware20121_cmdDef.xml
-0ed11a73694999bc45d18b4189f41ac2;Five Eyes QUERTY Malware20123.sys.bin
-066b6253afc3ad0efe9a15cead4ef7d8;Five Eyes QUERTY Malware20123.xml
-790d1b448e97985deb710a94eb927c27;Five Eyes QUERTY Malware20123_cmdDef.xml
-
-ad61e8daeeba43e442514b177a1b41ad4b7c6727;Skeleton Key Malware
-5083b17ccc50dd0557dfc544f84e2ab55d6acd92;Skeleton Key Malware
-66da7ed621149975f6e643b4f9886cfd;Symantec Report http://goo.gl/9Tmq2e msuta64.dll
-bf45086e6334f647fda33576e2a05826;Symantec Report http://goo.gl/9Tmq2e ole64.dll
-a487f1668390df0f4951b7292bae6ecf;Symantec Report http://goo.gl/9Tmq2e HookDC.dll
-8ba4df29b0593be172ff5678d8a05bb3;Symantec Report http://goo.gl/9Tmq2e HookDC.dll
-f01026e1107b722435126c53b2af47a9;Symantc Report http://goo.gl/9Tmq2e HookDC.dll
-747cc5ce7f2d062ebec6219384b57e8c;Symantec Report http://goo.gl/9Tmq2e ole.dll
-600b604784594e3339776c6563aa45a1;Symantec Report http://goo.gl/9Tmq2e jqs.exe (Backdoor.Winnti dropper)
-48377c1c4cfedebe35733e9c3675f9be;Symantec Report http://goo.gl/9Tmq2e tmp8296.tmp (Backdoor.Winnti variant)
-
-20831e820af5f41353b5afab659f2ad42ec6df5d9692448872f3ed8bbb40ab92;Regin Malware Sample
-225e9596de85ca7b1025d6e444f6a01aa6507feef213f4d2e20da9e7d5d8e430;Regin Malware Sample
-392f32241cd3448c7a435935f2ff0d2cdc609dda81dd4946b1c977d25134e96e;Regin Malware Sample
-40c46bcab9acc0d6d235491c01a66d4c6f35d884c19c6f410901af6d1e33513b;Regin Malware Sample
-4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be;Regin Malware Sample
-4e39bc95e35323ab586d740725a1c8cbcde01fe453f7c4cac7cced9a26e42cc9;Regin Malware Sample
-5001793790939009355ba841610412e0f8d60ef5461f2ea272ccf4fd4c83b823;Regin Malware Sample
-5c81cf8262f9a8b0e100d2a220f7119e54edfc10c4fb906ab7848a015cd12d90;Regin Malware Sample
-7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7;Regin Malware Sample
-7d38eb24cf5644e090e45d5efa923aff0e69a600fb0ab627e8929bb485243926;Regin Malware Sample
-8098938987e2f29e3ee416b71b932651f6430d15d885f2e1056d41163ae57c13;Regin Malware Sample
-8389b0d3fb28a5f525742ca2bf80a81cf264c806f99ef684052439d6856bc7e7;Regin Malware Sample
-8d7be9ed64811ea7986d788a75cbc4ca166702c6ff68c33873270d7c6597f5db;Regin Malware Sample
-9cd5127ef31da0e8a4e36292f2af5a9ec1de3b294da367d7c05786fe2d5de44f;Regin Malware Sample
-9ddbe7e77cb5616025b92814d68adfc9c3e076dddbe29de6eb73701a172c3379;Regin Malware Sample
-a0d82c3730bc41e267711480c8009883d1412b68977ab175421eabc34e4ef355;Regin Malware Sample
-a0e3c52a2c99c39b70155a9115a6c74ea79f8a68111190faa45a8fd1e50f8880;Regin Malware Sample
-a6603f27c42648a857b8a1cbf301ed4f0877be75627f6bbe99c0bfd9dc4adb35;Regin Malware Sample
-a7493fac96345a989b1a03772444075754a2ef11daa22a7600466adc1f69a669;Regin Malware Sample
-a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe;Regin Malware Sample
-a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe;Regin Malware Sample
-b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047;Regin Malware Sample
-b755ed82c908d92043d4ec3723611c6c5a7c162e78ac8065eb77993447368fce;Regin Malware Sample
-c0cf8e008fbfa0cb2c61d968057b4a077d62f64d7320769982d28107db370513;Regin Malware Sample
-cca1850725f278587845cd19cbdf3dceb6f65790d11df950f17c5ff6beb18601;Regin Malware Sample
-df77132b5c192bd8d2d26b1ebb19853cf03b01d38afd5d382ce77e0d7219c18c;Regin Malware Sample
-e1ba03a10a40aab909b2ba58dcdfd378b4d264f1f4a554b669797bbb8c8ac902;Regin Malware Sample
-e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935;Regin Malware Sample
-ecd7de3387b64b7dab9a7fb52e8aa65cb7ec9193f8eac6a7d79407a6a932ef69;Regin Malware Sample
-f1d903251db466d35533c28e3c032b7212aa43c8d64ddf8c5521b43031e69e1e;Regin Malware Sample
-f89549fc84a8d0f8617841c6aa4bb1678ea2b6081c1f7f74ab1aebd4db4176e4;Regin Malware Sample
-fd92fd7d0f925ccc0b4cbb6b402e8b99b64fa6a4636d985d78e5507bd4cfecef;Regin Malware Sample
-fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129;Regin Malware Sample
-
-9bec941bec02c7fbe037a97db8c89f18;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
-6ce69e4bec14511703a8957e90ded1fa;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
-1c05164fede51bf947f1e78cba811063;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
-5129c26818ef712bde318dff970eba8d;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
-bdce0ed65f005a11d8e9a6747a3ad08c;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
-e04ad0ec258cbbf94910a677f4ea54f0;Symantec Waterbug Attack http://goo.gl/9Tlk90 mspd32.exe - Used in access privilege elevation attacks and the dumping of SAM through the DLL found in its resource section
-928d0ef4c17f0be21f2ec5cc96182e0c;Symantec Waterbug Attack http://goo.gl/9Tlk90 mspd32.exe - Used in access privilege elevation attacks and the dumping of SAM through the DLL found in its resource section
-d686ce4ed3c46c3476acf1be0a1324e6;Symantec Waterbug Attack http://goo.gl/9Tlk90 typecli.exe
-22fb51ce6e0bc8b52e9e3810ca9dc2e1;Symantec Waterbug Attack http://goo.gl/9Tlk90 msc32.exe
-df06bde546862336ed75d8da55e7b1cc;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-a85616aec82078233ea25199c5668036;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-b7d80000100f2cb50a37a8a5f21b185f;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-552a8e8d60731022dcb5a89fd4f313ec;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-a1ecf883627a207ed79d0fd103534576;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-560f47c8c50598760914310c6411d3b1;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-b28cbcd6998091f903c06a0a46a0fd8d;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-b0952e130f6f8ad207998000a42531de;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-c04190dc190b6002f064e3d13ac22212;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-959ed9d60a8f645fd46b7c7a9b62870c;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-305801a809b7d9136ab483682e26d52d;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-e5a9fc45ab11dd0845508d122a6c8c8c;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-bf0e4d46a51f27493cbe47e1cfb1b2ea;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetsrv.exe gather information
-22149a1ee21e6d60758fe58b34f04952;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetsrv.exe gather information
-f156ff2a1694f479a079f6777f0c5af0;Symantec Waterbug Attack http://goo.gl/9Tlk90 pxinsi64.exe 64-bit driver possibly used by vboxdev_win32.dll
-eb40189cde69d60ca6f9a3f0531dbc5e;Symantec Waterbug Attack http://goo.gl/9Tlk90 mswme32.exe Collects files with extensions (.*library, *.inf, *.exe, .*dll, .*dot), Encrypts with Trojan.Turla XOR key
-56f423c7a7fef041f3039319f2055509;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetserv.exe
-22149a1ee21e6d60758fe58b34f04952;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetserv.exe
-eb40189cde69d60ca6f9a3f0531dbc5e;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnet32.exe
-20c9df1e5f426f9eb7461cd99d406904;Symantec Waterbug Attack http://goo.gl/9Tlk90 rpcsrv.exe RPC server using ncacn_np identifier and binds to \\pipe\ hello, Can be used as a proxy
-ed3509b103dc485221c85d865fafafac;Symantec Waterbug Attack http://goo.gl/9Tlk90 charmap32.exe Executes msinfo32.exe /nfo and direct output to winview.nfo
-09886f7c1725fe5b86b28dd79bc7a4d1;Symantec Waterbug Attack http://goo.gl/9Tlk90 mqsvc32.exe Capable of sending exfiltrated data through email using MAPI32.dll
-fb56ce4b853a94ae3f64367c02ec7e31;Symantec Waterbug Attack http://goo.gl/9Tlk90 msrss.exe Registers as a service “svcmgr” with display name ‘Windows Svcmgr’
-fb56ce4b853a94ae3f64367c02ec7e31;Symantec Waterbug Attack http://goo.gl/9Tlk90 dc1.exe
-fb56ce4b853a94ae3f64367c02ec7e31;Symantec Waterbug Attack http://goo.gl/9Tlk90 svcmgr.exe
-98992c12e58745854a885f9630124d3e;Symantec Waterbug Attack http://goo.gl/9Tlk90 msx32.exe Used to encrypt file (supplied as argument on command line) using common Trojan.Turla XOR key, Output written to [FILE NAME].XOR
-
-c709e0963ad64f87d9c7a05ddd2eb7c5;APT28 IOT script https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/
+84837778682450cdca43d1397afd2310;PAS Webshell
+92ef0aaf5f622b1253e5763f11a08857;Exaramel Malware
 # END - DO NOT REMOVE
diff --git a/string-iocs.txt b/string-iocs.txt
index f4c9287..b91fcbb 100644
--- a/string-iocs.txt
+++ b/string-iocs.txt
@@ -1,6 +1,8 @@
-eval request(
-bash -i >/dev/tcp/
-chmod +x /tmp/
-() { :; };
-packed with the UPX executable packer
+/tmp/.applock
+.substr(md5(strrev(
+Archive created by P.A.S.
+socket(SOCKET, PF_INET, SOCK_STREAM,$tcp) or die print
+SQL Dump created by P.A.S.
+odhyrfjcnfkdtslt
+configtx.json
 # END - DO NOT REMOVE - contents passed to grep - double escape square brackets
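Review bot: The two new entries `84837778682450cdca43d1397afd2310;PAS Webshell` and `92ef0aaf5f622b1253e5763f11a08857;Exaramel Malware` carry only an MD5 and a family name, whereas the entries they replace cite their source report (Symantec and MSRC URLs) in the description column; add the report reference so a hit can be triaged and the sample re-verified. The file format already accepts SHA-1 and SHA-256 entries, as the removed Skeleton Key and Regin lines show, so listing the SHA-256 of the same two samples alongside the MD5 costs nothing and avoids depending on a hash that is cheap to collide. A description such as `PAS Webshell (Sandworm / Centreon campaign, see source report)` is presumably what an operator sees on a match, so it is the cheapest place to put that context.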
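Review bot: The sentinel states these strings are passed to grep, and the new entry `socket(SOCKET, PF_INET, SOCK_STREAM,$tcp) or die print` contains `(`, `)` and `$`: under basic grep syntax they are literal, but if fenrir.sh invokes grep with `-E` or `-P` (not visible here) the parentheses become a group and the line silently stops matching the Perl source it targets, so confirm the mode and escape as `socket\(SOCKET, PF_INET, SOCK_STREAM,$tcp\) or die print` if needed, just as the sentinel already advises for brackets. `odhyrfjcnfkdtslt` is an opaque token with nothing in the file explaining why it is an indicator; if `#` lines are skipped on load like the sentinel, a comment above each group naming the family it belongs to (`# P.A.S. webshell strings`, `# Exaramel backdoor strings`) would document it for the next maintainer. Note also that dropping the five generic strings (`bash -i >/dev/tcp/`, `() { :; };`, the UPX marker) turns this file into a campaign-specific list, so users who relied on the broad coverage need to keep the previous version.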