2017.07.27.Operation_Wilted_Tulip

Ziv Chang 2017-10-25 18:25:31 +08:00
parent 5680725a17
commit 946deb5356
2 changed files with 656 additions and 0 deletions

@ -0,0 +1,514 @@
Type,Value
URL,http://js.jguery.net/main.js
URL,http://pht.is.nlb-deploy.edge-dyn.e11.f20.ads-youtube.online/winini.exe
URL,http://38.130.75.20/check.html
URL,http://update.microsoft-office.solutions/license.doc
URL,http://update.microsoft-office.solutions/error.html
URL,http://main.windowskernel14.com/spl/update5x.zip
URL,http://img.twiter-statics.info/i/658A6D6AE42A658A6D6AE42A/0de9c5c6599fdf5201599ff9b30e0000/6E24E58CFC94/icon.png
URL,http://files0.terendmicro.com/
URL,http://ssl.pmo.gov.il-dana-naauthurl1-welcome.cgi.primeminister-goverment-techcenter.tech/%D7%A1%D7%A7%D7%A8%20%D7%A9%D7%A0%D7%AA%D7%99.docx
URL,http://ea-in-f155.1e100.microsoft-security.host/
URL,https://ea-in-f155.1e100.microsoft-security.host/mTQJ
URL,http://iba.stage.7338879.i.gtld-servers.services
URL,http://doa.stage.7338879.i.gtld-servers.services
URL,http://fda.stage.7338879.i.gtld-servers.services
URL,http://rqa.stage.7338879.i.gtld-servers.services
URL,http://qqa.stage.7338879.i.gtld-servers.services
URL,http://api.02ac36110.49318.a.gtld-servers.zone
URL,s1w-amazonaws.office-msupdate.solutions
URL,a104-93-82-25.mandalasanati.info/iBpa
URL,http://fetchnews-agency.news-bbc.press/pictures.html
URL,http://fetchnews-agency.news-bbc.press/omnews.doc
URL,http://fetchnews-agency.news-bbc.press/en/20170/pictures.doc
SSLCertificate,fa3d5d670dc1d153b999c3aec7b1d815cc33c4dc
SSLCertificate,b11aa089879cd7d4503285fa8623ec237a317aee
SSLCertificate,07317545c8d6fc9beedd3dd695ba79dd3818b941
SSLCertificate,3c0ecb46d65dd57c33df5f6547f8fffb3e15722d
SSLCertificate,1c43ed17acc07680924f2ec476d281c8c5fd6b4a
SSLCertificate,8968f439ef26f3fcded4387a67ea5f56ce24a003
IPv4Address,206.221.181.253
IPv4Address,66.55.152.164
IPv4Address,68.232.180.122
IPv4Address,173.244.173.11
IPv4Address,173.244.173.12
IPv4Address,173.244.173.13
IPv4Address,209.190.20.149
IPv4Address,209.190.20.59
IPv4Address,209.190.20.62
IPv4Address,209.51.199.116
IPv4Address,38.130.75.20
IPv4Address,185.92.73.194
IPv4Address,144.168.45.126
IPv4Address,198.55.107.164
IPv4Address,104.200.128.126
IPv4Address,104.200.128.161
IPv4Address,104.200.128.173
IPv4Address,104.200.128.183
IPv4Address,104.200.128.184
IPv4Address,104.200.128.185
IPv4Address,104.200.128.187
IPv4Address,104.200.128.195
IPv4Address,104.200.128.196
IPv4Address,104.200.128.198
IPv4Address,104.200.128.205
IPv4Address,104.200.128.206
IPv4Address,104.200.128.208
IPv4Address,104.200.128.209
IPv4Address,104.200.128.48
IPv4Address,104.200.128.58
IPv4Address,104.200.128.64
IPv4Address,104.200.128.71
IPv4Address,107.181.160.138
IPv4Address,107.181.160.178
IPv4Address,107.181.160.194
IPv4Address,107.181.160.195
IPv4Address,107.181.161.141
IPv4Address,107.181.174.21
IPv4Address,107.181.174.228
IPv4Address,107.181.174.232
IPv4Address,107.181.174.241
IPv4Address,188.120.224.198
IPv4Address,188.120.228.172
IPv4Address,188.120.242.93
IPv4Address,188.120.243.11
IPv4Address,188.120.247.151
IPv4Address,62.109.2.52
IPv4Address,188.120.232.157
IPv4Address,185.118.65.230
IPv4Address,185.118.66.114
IPv4Address,141.105.67.58
IPv4Address,141.105.68.25
IPv4Address,141.105.68.26
IPv4Address,141.105.68.29
IPv4Address,141.105.69.69
IPv4Address,141.105.69.70
IPv4Address,141.105.69.77
IPv4Address,31.192.105.16
IPv4Address,31.192.105.17
IPv4Address,31.192.105.28
IPv4Address,146.0.73.109
IPv4Address,146.0.73.110
IPv4Address,146.0.73.111
IPv4Address,146.0.73.112
IPv4Address,146.0.73.114
IPv4Address,217.12.201.240
IPv4Address,217.12.218.242
IPv4Address,5.34.180.252
IPv4Address,5.34.181.13
IPv4Address,86.105.18.5
IPv4Address,93.190.138.137
IPv4Address,212.199.61.51
IPv4Address,80.179.42.37
IPv4Address,80.179.42.44
IPv4Address,176.31.18.29
IPv4Address,188.165.69.39
IPv4Address,51.254.76.54
IPv4Address,158.69.150.163
IPv4Address,192.99.242.212
IPv4Address,198.50.214.62
Hash,a60a32f21ac1a2ec33135a650aa8dc71
Hash,94ba33696cd6ffd6335948a752ec9c19
Hash,bcae706c00e07936fc41ac47d671fc40
Hash,1ca03f92f71d5ecb5dbf71b14d48495c
Hash,506415ef517b4b1f7679b3664ad399e1
Hash,1ca03f92f71d5ecb5dbf71b14d48495c
Hash,bd38cab32b3b8b64e5d5d3df36f7c55a
Hash,ac29659dc10b2811372c83675ff57d23
Hash,41466bbb49dd35f9aa3002e546da65eb
Hash,8f6f7416cfdf8d500d6c3dcb33c4f4c9e1cd33998c957fea77fbd50471faec88
Hash,02f2c896287bc6a71275e8ebe311630557800081862a56a3c22c143f2f3142bd
Hash,2df6fe9812796605d4696773c91ad84c4c315df7df9cf78bee5864822b1074c9
Hash,55f513d0d8e1fd41b1417a0eb2afff3a039a9529571196dd7882d1251ab1f9bc
Hash,da529e0b81625828d52cd70efba50794
Hash,1f9910cafe0e5f39887b2d5ab4df0d10
Hash,0feb0b50b99f0b303a5081ffb3c4446d
Hash,577577d6df1833629bfd0d612e3dbb05
Hash,165f8db9c6e2ca79260b159b4618a496e1ed6730d800798d51d38f07b3653952
Hash,1f867be812087722010f12028beeaf376043e5d7
Hash,b571c8e0e3768a12794eaf0ce24e6697
Hash,e319f3fb40957a5ff13695306dd9de25
Hash,acf24620e544f79e55fd8ae6022e040257b60b33cf474c37f2877c39fbf2308a
Hash,8c8496390c3ad048f2a0a4031edfcdac819ee840d32951b9a1a9337a2dcbea25
Hash,c5a02e984ca3d5ac13cf946d2ba68364
Hash,efca6664ad6d29d2df5aaecf99024892
Hash,bff115d5fb4fd8a395d158fb18175d1d183c8869d54624c706ee48a1180b2361
Hash,afa563221aac89f96c383f9f9f4ef81d82c69419f124a80b7f4a8c437d83ce77
Hash,4a3d93c0a74aaabeb801593741587a02
Hash,64c9acc611ef47486ea756aca8e1b3b7
Hash,fb775e900872e01f65e606b722719594
Hash,cf8502b8b67d11fbb0c75ebcf741db15
Hash,4999967c94a2fb1fa8122f1eea7a0e02
Hash,5fe0e156a308b48fb2f9577ed3e3b09768976fdd99f6b2d2db5658b138676902
Hash,37449ddfc120c08e0c0d41561db79e8cbbb97238
Hash,4442c48dd314a04ba4df046dfe43c9ea1d229ef8814e4d3195afa9624682d763
Hash,7651f0d886e1c1054eb716352468ec6aedab06ed61e1eebd02bca4efbb974fb6
Hash,eb01202563dc0a1a3b39852ccda012acfe0b6f4d
Hash,7e3c9323be2898d92666df33eb6e73a46c28e8e34630a2bd1db96aeb39586aeb
Hash,9e5ab438deb327e26266c27891b3573c302113b8d239abc7f9aaa7eff9c4f7bb
Hash,6a19624d80a54c4931490562b94775b74724f200
Hash,32860b0184676509241bbaf9233068d472472c3d9c93570fc072e1acea97a1d4
Hash,b34721e53599286a1093c90a9dd0b789
Hash,7ad65e39b79ad56c02a90dfab8090392ec5ffed10a8e276b86ec9b1f2524ad31
Hash,59c448abaa6cd20ce7af33d6c0ae27e4a853d2bd
Hash,fb775e900872e01f65e606b722719594
Hash,871efc9ecd8a446a7aa06351604a9bf4
Hash,cf8502b8b67d11fbb0c75ebcf741db15
Hash,a4dd1c225292014e65edb83f2684f2d5
Hash,838fb8d181d52e9b9d212b49f4350739
Hash,e37418ba399a095066845e7829267efe
Hash,1072b82f53fdd9fa944685c7e498eece89b6b4240073f654495ac76e303e65c9
Hash,752240cddda5acb5e8d026cef82e2b54
Hash,435a93978fa50f55a64c788002da58a5
Hash,3de91d07ac762b193d5b67dd5138381a
Hash,a4adbea4fcbb242f7eac48ddbf13c814d5eec9220f7dce01b2cc8b56a806cd37
Hash,aba7771c42aea8048e4067809c786b0105e9dfaa
Hash,b01e955a34da8698fae11bf17e3f79a054449f938257284155aeca9a2d3815dd
Hash,3676914af9fd575deb9901a8b625f032
Hash,f1607a5b918345f89e3c2887c6dafc05c5832593
Hash,341c920ec47efa4fd1bfcd1859a7fb98945f9d85
Hash,8b702ba2b2bd65c3ad47117515f0669c
Hash,6ea02f1f13cc39d953e5a3ebcdcfd882
Hash,8f77a9cc2ad32af6fb1865fdff82ad89
Hash,62f8f45c5f10647af0040f965a3ea96d
Hash,d9aa197ca2f01a66df248c7a8b582c40
Hash,217b1c2760bcf4838f5e3efb980064d7
Hash,cfb4be91d8546203ae602c0284126408
Hash,16a711a8fa5a40ee787e41c2c65faf9a78b195307ac069c5e13ba18bce243d01
Hash,5e65373a7c6abca7e3f75ce74c6e8143
Hash,d3b9da7c8c54f7f1ea6433ac34b120a1
Hash,32261fe44c368724593fbf65d47fc826
Hash,d2c117d18cb05140373713859803a0d6
Hash,113ca319e85778b62145019359380a08
Hash,4999967c94a2fb1fa8122f1eea7a0e02
Hash,9846b07bf7265161573392d24543940e
Hash,bf23ce4ae7d5c774b1fa6becd6864b3b
Hash,720203904c9eaf45ff767425a8c518cd
Hash,62652f074924bb961d74099bc7b95731
Hash,1fba1876c88203a2ae6a59ce0b5da2a1
Hash,cf8502b8b67d11fbb0c75ebcf741db15
Hash,fb775e900872e01f65e606b722719594
Hash,73f14f320facbdd29ae6f0628fa6f198dc86ba3428b3eddbfc39cf36224cebb9
Hash,3d2885edf1f70ce4eb1e9519f47a669f
Filename,config.exe
Filename,Strike.doc
Filename,malware.doc
Filename,PDFOPENER_CONSOLE.exe
Filename,Ma_1.tmp
Filename,Wextract
Filename,The%20United%20Nations%20Counter.doc.docx
Filename,netsrvs.exe
Filename,Date.dotm
Filename,ssl.docx
Filename,o040t.exe
Filename,m8f7s.exe
Filename,d5tjo.exe
Filename,LogManager.tmp
Filename,edg1CF5.tmp
Filename,ntuser.swp
Filename,svchost64.swp
Filename,ntuser.dat.swp
Filename,455aa96e-804g-4bcf-bcf8-f400b3a9cfe9.PackageExtraction
Filename,Svchost32.swp
Filename,Svchost64.swp
Filename,update5x.dll
Filename,22092014_ver621.dll     
Filename,netsrv.exe
Filename,netsrva.exe
Filename,netsrvd.exe
Filename,netsrvs.exe
Filename,vminst.tmp
Filename,tdtess.exe
Filename,test_oracle.xls
Filename,ur96r.exe
Filename,The North Korean weapons program now testing USA range.docx
Filename,F123321.exe
Filename,ISIS terrorizes jewish people.docx
Domain,wethearservice.com
Domain,mywindows24.in
Domain,microsoft-office.solutions
Domain,code.jguery.net
Domain,1m100.tech
Domain,cloudflare-statics.com
Domain,cachevideo.com
Domain,winfeedback.net
Domain,terendmicro.com
Domain,alkamaihd.com
Domain,msv-updates.gsvr-static.co
Domain,fbstatic-a.space
Domain,broadcast-microsoft.tech
Domain,sharepoint-microsoft.co
Domain,newsfeeds-microsoft.press
Domain,owa-microsoft.online
Domain,digicert.online
Domain,cloudflare-analyse.com
Domain,israelnewsagency.link
Domain,akamaitechnology.tech
Domain,winupdate64.org
Domain,ads-youtube.net
Domain,cortana-search.com
Domain,nsserver.host
Domain,nameserver.win
Domain,symcd.xyz
Domain,fdgdsg.xyz
Domain,dnsserv.host
Domain,winupdate64.com
Domain,ssl-gstatic.online
Domain,updatedrivers.org
Domain,alkamaihd.net
Domain,update.microsoft-office.solutions
Domain,javaupdate.co
Domain,outlook360.org
Domain,winupdate64.net
Domain,trendmicro.tech
Domain,qoldenlines.net
Domain,windefender.org
Domain,1e100.tech
Domain,chromeupdates.online
Domain,ads-youtube.online
Domain,akamaitechnology.com
Domain,cloudmicrosoft.net
Domain,js.jguery.online
Domain,azurewebsites.tech
Domain,elasticbeanstalk.tech
Domain,jguery.online
Domain,microsoft-security.host
Domain,microsoft-ds.com
Domain,jguery.net
Domain,primeminister-goverment-techcenter.tech
Domain,officeapps-live.com
Domain,microsoft-tool.com
Domain,cissco.net
Domain,js.jguery.net
Domain,f-tqn.com
Domain,javaupdator.com
Domain,officeapps-live.net
Domain,ipresolver.org
Domain,intelchip.org
Domain,outlook360.net
Domain,windowkernel.com
Domain,wheatherserviceapi.info
Domain,windowslayer.in
Domain,sdlc-esd-oracle.online
Domain,mpmicrosoft.com
Domain,officeapps-live.org
Domain,cachevideo.online
Domain,win-update.com
Domain,labs-cloudfront.com
Domain,windowskernel14.com
Domain,fbstatic-akamaihd.com
Domain,mcafee-analyzer.com
Domain,cloud-analyzer.com
Domain,fb-statics.com
Domain,ynet.link
Domain,twiter-statics.info
Domain,diagnose.microsoft-office.solutions
Domain,mswordupdate17.com
Domain,gsvr-static.co
Domain,news-bbc.press
Domain,mandalasanati.info
Domain,office-msupdate.solutions
Domain,windows-updates.solutions
Domain,akamai-net.network
Domain,azureedge-net.services
Domain,doucbleclick.tech
Domain,windows-updates.services
Domain,windows-updates.network
Domain,cloudfront.site
Domain,netcdn-cachefly.network
Domain,akamaized.online
Domain,cdninstagram.center
Domain,googlusercontent.center
DNSName,ea-in-f354.1e100.ads-youtube.net
DNSName,ns1.ynet.link
DNSName,ns2.ynet.link
DNSName,static.dyn-usr.g-blc-se.d45.a63.akamai.be-5-0-ibr01-lts-ntwk-msn.alkamaihd.com
DNSName,pht.is.nlb-deploy.edge-dyn.e11.f20.ads-youtube.online
DNSName,ns1.winfeedback.net
DNSName,ns2.winfeedback.net
DNSName,msupdate.diagnose.microsoft-office.solutions
DNSName,www.alkamaihd.net
DNSName,c20.jdk.cdn-external-ie.1e100.alkamaihd.net
DNSName,ns2.img.twiter-statics.info
DNSName,api.img.twiter-statics.info
DNSName,ns1.img.twiter-statics.info
DNSName,ns1.officeapps-live.net
DNSName,ns1.wheatherserviceapi.info
DNSName,ns2.microsoft-tool.com
DNSName,ns2.f-tqn.com
DNSName,carl.ns.cloudflare.com.sdlc-esd-oracle.online
DNSName,ns1.cortana-search.com
DNSName,40.dc.c0ad.ip4.dyn.gsvr-static.co
DNSName,40.dc.c2ad.ip4.dyn.gsvr-static.co
DNSName,ns2.winupdate64.org
DNSName,ns1.f-tqn.com
DNSName,ns2.cortana-search.com
DNSName,ns1.symcd.xyz
DNSName,ns2.symcd.xyz
DNSName,ns1.winupdate64.org
DNSName,ns1.microsoft-tool.com
DNSName,ns2.officeapps-live.com
DNSName,ns1.israelnewsagency.link
DNSName,ns2.israelnewsagency.link
DNSName,ns1.cissco.net
DNSName,ns2.cissco.net
DNSName,ns1.cachevideo.online
DNSName,ns2.cachevideo.online
DNSName,www.static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
DNSName,static.dyn-usr.g-blc-se.d45.a63.akamai.www.alkamaihd.com
DNSName,dhb.stage.12735072.40.dc.c0ad.ip4.sta.gsvr-static.co
DNSName,main.windowskernel14.com
DNSName,www.winupdate64.net
DNSName,ae13-0-hk2-96cbe-1a-ntwk-msn.static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
DNSName,be-5-0-ibr01-lts-ntwk-msn.static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
DNSName,static.dyn-usr.g-blc-se.d45.a63.akamai.static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
DNSName,cyb.stage.12735072.40.dc.c0ad.ip4.sta.gsvr-static.co
DNSName,ns1.winupdate64.com
DNSName,ns1.twiter-statics.info
DNSName,40.dc.c0ad.ip4.dyn.gsvr-static.co
DNSName,update.microsoft-office.solutions
DNSName,wk-in-f104.1e100.n.microsoft.qoldenlines.net
DNSName,ns1.fb-statics.com
DNSName,ns2.fb-statics.com
DNSName,is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology
DNSName,img.gmailtagmanager.com
DNSName,wk-in-f104.1c100.n.microsoft-security.host
DNSName,msnbot-sd7-46-cdn.microsoft-security.host
DNSName,msnbot-sd7-46-img.microsoft-security.host
DNSName,ns2.winupdate64.com
DNSName,msnbot-sd7-46-194.microsoft-security.host
DNSName,ea-in-f155.1e100.microsoft-security.host
DNSName,msnbot-207-46-194.microsoft-security.host
DNSName,img.twiter-statics.info
DNSName,msnbot-sd7-46-cdn.microsoft-security.host
DNSName,ns2.wheatherserviceapi.info
DNSName,ns1.windowkernel.com
DNSName,ns2.windowkernel.com
DNSName,ns2.fbstatic-a.space
DNSName,ns1.fbstatic-a.space
DNSName,api.TwitEr-Statics.info
DNSName,ns2.mcafee-analyzer.com
DNSName,21666.mpmicrosoft.com
DNSName,22830.officeapps-live.org
DNSName,15236.mcafee-analyzer.com
DNSName,ns2.static.dyn-usr.gsrv02.ssl-gstatic.online
DNSName,ns1.mcafee-analyzer.com
DNSName,ns1.fbstatic-akamaihd.com
DNSName,ns1.static.dyn-usr.gsrv01.ssl-gstatic.online
DNSName,ns2.officeapps-live.org
DNSName,wk-in-f104.1e100.n.microsoft-security.host
DNSName,ns1.mpmicrosoft.com
DNSName,www.microsoft-security.host
DNSName,ns2.fbstatic-akamaihd.com
DNSName,ns1.cachevideo.online
DNSName,wk-in-f100.1e100.n.microsoft-security.host
DNSName,ns1.officeapps-live.org
DNSName,ns2.mpmicrosoft.com
DNSName,ns02.nsserver.host
DNSName,ns2.cachevideo.online
DNSName,be-5-0-ibr01-lts-ntwk-msn.alkamaihd.com
DNSName,static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
DNSName,www.alkamaihd.com
DNSName,ae13-0-hk2-96cbe-1a-ntwk-msn.alkamaihd.com
DNSName,ns2.microsoft-ds.com
DNSName,adcenter.microsoft-ds.com
DNSName,ns1.microsoft-ds.com
DNSName,ns1.mswordupdate17.com
DNSName,ns2.mswordupdate17.com
DNSName,c.mswordupdate17.com
DNSName,ns1.cloudflare-analyse.com
DNSName,static.dyn-usr.f-loginme.c19.a23.akamaitechnology.com
DNSName,ns2.cloudflare-analyse.com
DNSName,ns1.cloud-analyzer.com
DNSName,ns2.cloud-analyzer.com
DNSName,ns01.nsserver.host
DNSName,ns1.fb-statics.com
DNSName,ns02.dnsserv.host
DNSName,15236.cachevideo.online
DNSName,ns2.fb-statics.com
DNSName,ns2.twiter-statics.info
DNSName,ea-in-f113.1e100.microsoft-security.host
DNSName,static.dyn-usr.f-login-me.c19.a.akamaitechnology.tech
DNSName,ea-in-f155.1e100.microsoft-security.host
DNSName,float.2963.bm-imp.akamaitechnology.tech
DNSName,ns1.mcafee-analyzer.com
DNSName,ns2.mcafee-analyzer.com
DNSName,ns1.mpmicrosoft.com
DNSName,ns2.mpmicrosoft.com
DNSName,jpsrv-java-jdkec1.javaupdate.co
DNSName,microsoft-active.directory_update-change-policy.primeminister-goverment-techcenter.tech
DNSName,jpsrv-java-jdkec3.javaupdate.co
DNSName,nameserver02.javaupdate.co
DNSName,jpsrv-java-jdkec2.javaupdate.co
DNSName,static.dyn-usr.f-login-me.c19.a23.akamaitechnology.com
DNSName,static.dyn-usr.g-blc-se.d45.a63.alkamaihd.net
DNSName,ssl.pmo.gov.il-dana-naauthurl1-welcome.cgi.primeminister-goverment-techcenter.tech
DNSName,ns1.static.dyn-usr.gsrv01.ssl- gstatic.online
DNSName,ns2.static.dyn-usr.gsrv02.ssl- gstatic.online
DNSName,static.primeminister-goverment-techcenter.tech
DNSName,ns1.outlook360.org
DNSName,d45.a63.alkamaihd.net
DNSName,ns1.officeapps-live.org
DNSName,ns2.outlook360.org
DNSName,ns2.officeapps-live.org
DNSName,ns2.win-update.com
DNSName,aaa.stage.14043411.email.sharepoint-microsoft.co
DNSName,ns1.updatedrivers.org
DNSName,a17-h16.g11.iad17.as.pht-external.c15.qoldenlines.net
DNSName,ns1.windefender.org
DNSName,is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology.com
DNSName,ns2.windefender.org
DNSName,ns1.win-update.com
DNSName,ns2.updatedrivers.org
DNSName,ns1.mpmicrosoft.com
DNSName,ns1.officeapps-live.org
DNSName,ns2.officeapps-live.org
DNSName,ns2.ipresolver.org
DNSName,ns1.ipresolver.org
DNSName,www.is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology.com
DNSName,11716.cachevideo.com
DNSName,ns1.intelchip.org
DNSName,ns2.cachevideo.com
DNSName,7737.cloudflare-statics.com
DNSName,7052.cloudflare-statics.com
DNSName,7737.digicert.online
DNSName,ns1.cloudflare-statics.com
DNSName,24984.cachevideo.com
DNSName,ns1.digicert.online
DNSName,ns2.digicert.online
DNSName,24984.digicert.online
DNSName,ns1.fbstatic-akamaihd.com
DNSName,ns2.fbstatic-akamaihd.com
DNSName,ns1.javaupdator.com
DNSName,ns2.outlook360.net
DNSName,ns01.nameserver.win
DNSName,ns2.javaupdator.com
DNSName,ns2.intelchip.org
DNSName,TATIC.DYN-USR.GSRV01.SSL-GSTATIC.ONLINe
DNSName,STATIC.DYN-USR.GSRV01.SSL-GSTATIC.online
DNSName,ns1.labs-cloudfront.com
DNSName,ns2.labs-cloudfront.com
DNSName,www.broadcast-microsoft.tech
DNSName,www.newsfeeds-microsoft.press
DNSName,www.owa-microsoft.online
DNSName,static.c20.jdk.cdn-external-ie.1e100.tech
DNSName,ns1.cloud-analyzer.com
DNSName,ns2.cloud-analyzer.com
DNSName,ns2.cloudflare-statics.com
DNSName,ns1.cachevideo.com
DNSName,ns1.outlook360.net
DNSName,3012.digicert.online
DNSName,24984.cloudflare-statics.com
DNSName,7737.cachevideo.com
DNSName,hda.stage.12735072.40.dc.c0ad.ip4.sta.gsvr-static.co
DNSName,msdn.winupdate64.net
DNSName,kja.stage.12735072.40.dc.c0ad.ip4.sta.gsvr-static.co
Detection name,BKDR_COBEACON.A
Detection name,TROJ_POWPICK.A
Detection name,HKTL_PASSDUMP
Detection name,TROJ_SODREVR.A
Detection name,TROJ_POWSHELL.C
Detection name,BKDR_CONBEA.A
Detection name,TSPY64_REKOTIB.A
Detection name,HKTL_DIRZIP
Detection name,TROJ_WAPPOME.A
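Review bot: Several DNSName rows in this hunk are malformed and will never match when the file is loaded into a blocklist or DNS-log search: `ns1.static.dyn-usr.gsrv01.ssl- gstatic.online` and `ns2.static.dyn-usr.gsrv02.ssl- gstatic.online` contain an embedded space (the intact forms appear a few rows earlier), `is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology` has lost its TLD (the `.com` form is listed later), and `TATIC.DYN-USR.GSRV01.SSL-GSTATIC.ONLINe` looks like a truncated, mixed-case copy of the row that follows it. Indicators should be lowercased and trimmed before commit, since most consumers compare these strings exactly: `22092014_ver621.dll` carries trailing whitespace, and `api.TwitEr-Statics.info` / `Svchost64.swp` duplicate earlier rows only by case. The single `Hash` type mixes 32-, 40- and 64-hex digests (presumably MD5, SHA-1 and SHA-256) under one label and repeats some values three times (e.g. `fb775e900872e01f65e606b722719594`, `cf8502b8b67d11fbb0c75ebcf741db15`), so tagging the algorithm in the type column and de-duplicating would let importers avoid guessing by length. Two `URL` rows, `s1w-amazonaws.office-msupdate.solutions` and `a104-93-82-25.mandalasanati.info/iBpa`, have no scheme and may be rejected by URL-typed ingestion; either prefix them or retype them as DNSName.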
1 Type Value
2 URL http://js.jguery.net/main.js
3 URL http://pht.is.nlb-deploy.edge-dyn.e11.f20.ads-youtube.online/winini.exe
4 URL http://38.130.75.20/check.html
5 URL http://update.microsoft-office.solutions/license.doc
6 URL http://update.microsoft-office.solutions/error.html
7 URL http://main.windowskernel14.com/spl/update5x.zip
8 URL http://img.twiter-statics.info/i/658A6D6AE42A658A6D6AE42A/0de9c5c6599fdf5201599ff9b30e0000/6E24E58CFC94/icon.png
9 URL http://files0.terendmicro.com/
10 URL http://ssl.pmo.gov.il-dana-naauthurl1-welcome.cgi.primeminister-goverment-techcenter.tech/%D7%A1%D7%A7%D7%A8%20%D7%A9%D7%A0%D7%AA%D7%99.docx
11 URL http://ea-in-f155.1e100.microsoft-security.host/
12 URL https://ea-in-f155.1e100.microsoft-security.host/mTQJ
13 URL http://iba.stage.7338879.i.gtld-servers.services
14 URL http://doa.stage.7338879.i.gtld-servers.services
15 URL http://fda.stage.7338879.i.gtld-servers.services
16 URL http://rqa.stage.7338879.i.gtld-servers.services
17 URL http://qqa.stage.7338879.i.gtld-servers.services
18 URL http://api.02ac36110.49318.a.gtld-servers.zone
19 URL s1w-amazonaws.office-msupdate.solutions
20 URL a104-93-82-25.mandalasanati.info/iBpa
21 URL http://fetchnews-agency.news-bbc.press/pictures.html
22 URL http://fetchnews-agency.news-bbc.press/omnews.doc
23 URL http://fetchnews-agency.news-bbc.press/en/20170/pictures.doc
24 SSLCertificate fa3d5d670dc1d153b999c3aec7b1d815cc33c4dc
25 SSLCertificate b11aa089879cd7d4503285fa8623ec237a317aee
26 SSLCertificate 07317545c8d6fc9beedd3dd695ba79dd3818b941
27 SSLCertificate 3c0ecb46d65dd57c33df5f6547f8fffb3e15722d
28 SSLCertificate 1c43ed17acc07680924f2ec476d281c8c5fd6b4a
29 SSLCertificate 8968f439ef26f3fcded4387a67ea5f56ce24a003
30 IPv4Address 206.221.181.253
31 IPv4Address 66.55.152.164
32 IPv4Address 68.232.180.122
33 IPv4Address 173.244.173.11
34 IPv4Address 173.244.173.12
35 IPv4Address 173.244.173.13
36 IPv4Address 209.190.20.149
37 IPv4Address 209.190.20.59
38 IPv4Address 209.190.20.62
39 IPv4Address 209.51.199.116
40 IPv4Address 38.130.75.20
41 IPv4Address 185.92.73.194
42 IPv4Address 144.168.45.126
43 IPv4Address 198.55.107.164
44 IPv4Address 104.200.128.126
45 IPv4Address 104.200.128.161
46 IPv4Address 104.200.128.173
47 IPv4Address 104.200.128.183
48 IPv4Address 104.200.128.184
49 IPv4Address 104.200.128.185
50 IPv4Address 104.200.128.187
51 IPv4Address 104.200.128.195
52 IPv4Address 104.200.128.196
53 IPv4Address 104.200.128.198
54 IPv4Address 104.200.128.205
55 IPv4Address 104.200.128.206
56 IPv4Address 104.200.128.208
57 IPv4Address 104.200.128.209
58 IPv4Address 104.200.128.48
59 IPv4Address 104.200.128.58
60 IPv4Address 104.200.128.64
61 IPv4Address 104.200.128.71
62 IPv4Address 107.181.160.138
63 IPv4Address 107.181.160.178
64 IPv4Address 107.181.160.194
65 IPv4Address 107.181.160.195
66 IPv4Address 107.181.161.141
67 IPv4Address 107.181.174.21
68 IPv4Address 107.181.174.228
69 IPv4Address 107.181.174.232
70 IPv4Address 107.181.174.241
71 IPv4Address 188.120.224.198
72 IPv4Address 188.120.228.172
73 IPv4Address 188.120.242.93
74 IPv4Address 188.120.243.11
75 IPv4Address 188.120.247.151
76 IPv4Address 62.109.2.52
77 IPv4Address 188.120.232.157
78 IPv4Address 185.118.65.230
79 IPv4Address 185.118.66.114
80 IPv4Address 141.105.67.58
81 IPv4Address 141.105.68.25
82 IPv4Address 141.105.68.26
83 IPv4Address 141.105.68.29
84 IPv4Address 141.105.69.69
85 IPv4Address 141.105.69.70
86 IPv4Address 141.105.69.77
87 IPv4Address 31.192.105.16
88 IPv4Address 31.192.105.17
89 IPv4Address 31.192.105.28
90 IPv4Address 146.0.73.109
91 IPv4Address 146.0.73.110
92 IPv4Address 146.0.73.111
93 IPv4Address 146.0.73.112
94 IPv4Address 146.0.73.114
95 IPv4Address 217.12.201.240
96 IPv4Address 217.12.218.242
97 IPv4Address 5.34.180.252
98 IPv4Address 5.34.181.13
99 IPv4Address 86.105.18.5
100 IPv4Address 93.190.138.137
101 IPv4Address 212.199.61.51
102 IPv4Address 80.179.42.37
103 IPv4Address 80.179.42.44
104 IPv4Address 176.31.18.29
105 IPv4Address 188.165.69.39
106 IPv4Address 51.254.76.54
107 IPv4Address 158.69.150.163
108 IPv4Address 192.99.242.212
109 IPv4Address 198.50.214.62
110 Hash a60a32f21ac1a2ec33135a650aa8dc71
111 Hash 94ba33696cd6ffd6335948a752ec9c19
112 Hash bcae706c00e07936fc41ac47d671fc40
113 Hash 1ca03f92f71d5ecb5dbf71b14d48495c
114 Hash 506415ef517b4b1f7679b3664ad399e1
115 Hash 1ca03f92f71d5ecb5dbf71b14d48495c
116 Hash bd38cab32b3b8b64e5d5d3df36f7c55a
117 Hash ac29659dc10b2811372c83675ff57d23
118 Hash 41466bbb49dd35f9aa3002e546da65eb
119 Hash 8f6f7416cfdf8d500d6c3dcb33c4f4c9e1cd33998c957fea77fbd50471faec88
120 Hash 02f2c896287bc6a71275e8ebe311630557800081862a56a3c22c143f2f3142bd
121 Hash 2df6fe9812796605d4696773c91ad84c4c315df7df9cf78bee5864822b1074c9
122 Hash 55f513d0d8e1fd41b1417a0eb2afff3a039a9529571196dd7882d1251ab1f9bc
123 Hash da529e0b81625828d52cd70efba50794
124 Hash 1f9910cafe0e5f39887b2d5ab4df0d10
125 Hash 0feb0b50b99f0b303a5081ffb3c4446d
126 Hash 577577d6df1833629bfd0d612e3dbb05
127 Hash 165f8db9c6e2ca79260b159b4618a496e1ed6730d800798d51d38f07b3653952
128 Hash 1f867be812087722010f12028beeaf376043e5d7
129 Hash b571c8e0e3768a12794eaf0ce24e6697
130 Hash e319f3fb40957a5ff13695306dd9de25
131 Hash acf24620e544f79e55fd8ae6022e040257b60b33cf474c37f2877c39fbf2308a
132 Hash 8c8496390c3ad048f2a0a4031edfcdac819ee840d32951b9a1a9337a2dcbea25
133 Hash c5a02e984ca3d5ac13cf946d2ba68364
134 Hash efca6664ad6d29d2df5aaecf99024892
135 Hash bff115d5fb4fd8a395d158fb18175d1d183c8869d54624c706ee48a1180b2361
136 Hash afa563221aac89f96c383f9f9f4ef81d82c69419f124a80b7f4a8c437d83ce77
137 Hash 4a3d93c0a74aaabeb801593741587a02
138 Hash 64c9acc611ef47486ea756aca8e1b3b7
139 Hash fb775e900872e01f65e606b722719594
140 Hash cf8502b8b67d11fbb0c75ebcf741db15
141 Hash 4999967c94a2fb1fa8122f1eea7a0e02
142 Hash 5fe0e156a308b48fb2f9577ed3e3b09768976fdd99f6b2d2db5658b138676902
143 Hash 37449ddfc120c08e0c0d41561db79e8cbbb97238
144 Hash 4442c48dd314a04ba4df046dfe43c9ea1d229ef8814e4d3195afa9624682d763
145 Hash 7651f0d886e1c1054eb716352468ec6aedab06ed61e1eebd02bca4efbb974fb6
146 Hash eb01202563dc0a1a3b39852ccda012acfe0b6f4d
147 Hash 7e3c9323be2898d92666df33eb6e73a46c28e8e34630a2bd1db96aeb39586aeb
148 Hash 9e5ab438deb327e26266c27891b3573c302113b8d239abc7f9aaa7eff9c4f7bb
149 Hash 6a19624d80a54c4931490562b94775b74724f200
150 Hash 32860b0184676509241bbaf9233068d472472c3d9c93570fc072e1acea97a1d4
151 Hash b34721e53599286a1093c90a9dd0b789
152 Hash 7ad65e39b79ad56c02a90dfab8090392ec5ffed10a8e276b86ec9b1f2524ad31
153 Hash 59c448abaa6cd20ce7af33d6c0ae27e4a853d2bd
154 Hash fb775e900872e01f65e606b722719594
155 Hash 871efc9ecd8a446a7aa06351604a9bf4
156 Hash cf8502b8b67d11fbb0c75ebcf741db15
157 Hash a4dd1c225292014e65edb83f2684f2d5
158 Hash 838fb8d181d52e9b9d212b49f4350739
159 Hash e37418ba399a095066845e7829267efe
160 Hash 1072b82f53fdd9fa944685c7e498eece89b6b4240073f654495ac76e303e65c9
161 Hash 752240cddda5acb5e8d026cef82e2b54
162 Hash 435a93978fa50f55a64c788002da58a5
163 Hash 3de91d07ac762b193d5b67dd5138381a
164 Hash a4adbea4fcbb242f7eac48ddbf13c814d5eec9220f7dce01b2cc8b56a806cd37
165 Hash aba7771c42aea8048e4067809c786b0105e9dfaa
166 Hash b01e955a34da8698fae11bf17e3f79a054449f938257284155aeca9a2d3815dd
167 Hash 3676914af9fd575deb9901a8b625f032
168 Hash f1607a5b918345f89e3c2887c6dafc05c5832593
169 Hash 341c920ec47efa4fd1bfcd1859a7fb98945f9d85
170 Hash 8b702ba2b2bd65c3ad47117515f0669c
171 Hash 6ea02f1f13cc39d953e5a3ebcdcfd882
172 Hash 8f77a9cc2ad32af6fb1865fdff82ad89
173 Hash 62f8f45c5f10647af0040f965a3ea96d
174 Hash d9aa197ca2f01a66df248c7a8b582c40
175 Hash 217b1c2760bcf4838f5e3efb980064d7
176 Hash cfb4be91d8546203ae602c0284126408
177 Hash 16a711a8fa5a40ee787e41c2c65faf9a78b195307ac069c5e13ba18bce243d01
178 Hash 5e65373a7c6abca7e3f75ce74c6e8143
179 Hash d3b9da7c8c54f7f1ea6433ac34b120a1
180 Hash 32261fe44c368724593fbf65d47fc826
181 Hash d2c117d18cb05140373713859803a0d6
182 Hash 113ca319e85778b62145019359380a08
183 Hash 4999967c94a2fb1fa8122f1eea7a0e02
184 Hash 9846b07bf7265161573392d24543940e
185 Hash bf23ce4ae7d5c774b1fa6becd6864b3b
186 Hash 720203904c9eaf45ff767425a8c518cd
187 Hash 62652f074924bb961d74099bc7b95731
188 Hash 1fba1876c88203a2ae6a59ce0b5da2a1
189 Hash cf8502b8b67d11fbb0c75ebcf741db15
190 Hash fb775e900872e01f65e606b722719594
191 Hash 73f14f320facbdd29ae6f0628fa6f198dc86ba3428b3eddbfc39cf36224cebb9
192 Hash 3d2885edf1f70ce4eb1e9519f47a669f
193 Filename config.exe
194 Filename Strike.doc
195 Filename malware.doc
196 Filename PDFOPENER_CONSOLE.exe
197 Filename Ma_1.tmp
198 Filename Wextract
199 Filename The%20United%20Nations%20Counter.doc.docx
200 Filename netsrvs.exe
201 Filename Date.dotm
202 Filename ssl.docx
203 Filename o040t.exe
204 Filename m8f7s.exe
205 Filename d5tjo.exe
206 Filename LogManager.tmp
207 Filename edg1CF5.tmp
208 Filename ntuser.swp
209 Filename svchost64.swp
210 Filename ntuser.dat.swp
211 Filename 455aa96e-804g-4bcf-bcf8-f400b3a9cfe9.PackageExtraction
212 Filename Svchost32.swp
213 Filename Svchost64.swp
214 Filename update5x.dll
215 Filename 22092014_ver621.dll
216 Filename netsrv.exe
217 Filename netsrva.exe
218 Filename netsrvd.exe
219 Filename netsrvs.exe
220 Filename vminst.tmp
221 Filename tdtess.exe
222 Filename test_oracle.xls
223 Filename ur96r.exe
224 Filename The North Korean weapons program now testing USA range.docx
225 Filename F123321.exe
226 Filename ISIS terrorizes jewish people.docx
227 Domain wethearservice.com
228 Domain mywindows24.in
229 Domain microsoft-office.solutions
230 Domain code.jguery.net
231 Domain 1m100.tech
232 Domain cloudflare-statics.com
233 Domain cachevideo.com
234 Domain winfeedback.net
235 Domain terendmicro.com
236 Domain alkamaihd.com
237 Domain msv-updates.gsvr-static.co
238 Domain fbstatic-a.space
239 Domain broadcast-microsoft.tech
240 Domain sharepoint-microsoft.co
241 Domain newsfeeds-microsoft.press
242 Domain owa-microsoft.online
243 Domain digicert.online
244 Domain cloudflare-analyse.com
245 Domain israelnewsagency.link
246 Domain akamaitechnology.tech
247 Domain winupdate64.org
248 Domain ads-youtube.net
249 Domain cortana-search.com
250 Domain nsserver.host
251 Domain nameserver.win
252 Domain symcd.xyz
253 Domain fdgdsg.xyz
254 Domain dnsserv.host
255 Domain winupdate64.com
256 Domain ssl-gstatic.online
257 Domain updatedrivers.org
258 Domain alkamaihd.net
259 Domain update.microsoft-office.solutions
260 Domain javaupdate.co
261 Domain outlook360.org
262 Domain winupdate64.net
263 Domain trendmicro.tech
264 Domain qoldenlines.net
265 Domain windefender.org
266 Domain 1e100.tech
267 Domain chromeupdates.online
268 Domain ads-youtube.online
269 Domain akamaitechnology.com
270 Domain cloudmicrosoft.net
271 Domain js.jguery.online
272 Domain azurewebsites.tech
273 Domain elasticbeanstalk.tech
274 Domain jguery.online
275 Domain microsoft-security.host
276 Domain microsoft-ds.com
277 Domain jguery.net
278 Domain primeminister-goverment-techcenter.tech
279 Domain officeapps-live.com
280 Domain microsoft-tool.com
281 Domain cissco.net
282 Domain js.jguery.net
283 Domain f-tqn.com
284 Domain javaupdator.com
285 Domain officeapps-live.net
286 Domain ipresolver.org
287 Domain intelchip.org
288 Domain outlook360.net
289 Domain windowkernel.com
290 Domain wheatherserviceapi.info
291 Domain windowslayer.in
292 Domain sdlc-esd-oracle.online
293 Domain mpmicrosoft.com
294 Domain officeapps-live.org
295 Domain cachevideo.online
296 Domain win-update.com
297 Domain labs-cloudfront.com
298 Domain windowskernel14.com
299 Domain fbstatic-akamaihd.com
300 Domain mcafee-analyzer.com
301 Domain cloud-analyzer.com
302 Domain fb-statics.com
303 Domain ynet.link
304 Domain twiter-statics.info
305 Domain diagnose.microsoft-office.solutions
306 Domain mswordupdate17.com
307 Domain gsvr-static.co
308 Domain news-bbc.press
309 Domain mandalasanati.info
310 Domain office-msupdate.solutions
311 Domain windows-updates.solutions
312 Domain akamai-net.network
313 Domain azureedge-net.services
314 Domain doucbleclick.tech
315 Domain windows-updates.services
316 Domain windows-updates.network
317 Domain cloudfront.site
318 Domain netcdn-cachefly.network
319 Domain akamaized.online
320 Domain cdninstagram.center
321 Domain googlusercontent.center
322 DNSName ea-in-f354.1e100.ads-youtube.net
323 DNSName ns1.ynet.link
324 DNSName ns2.ynet.link
325 DNSName static.dyn-usr.g-blc-se.d45.a63.akamai.be-5-0-ibr01-lts-ntwk-msn.alkamaihd.com
326 DNSName pht.is.nlb-deploy.edge-dyn.e11.f20.ads-youtube.online
327 DNSName ns1.winfeedback.net
328 DNSName ns2.winfeedback.net
329 DNSName msupdate.diagnose.microsoft-office.solutions
330 DNSName www.alkamaihd.net
331 DNSName c20.jdk.cdn-external-ie.1e100.alkamaihd.net
332 DNSName ns2.img.twiter-statics.info
333 DNSName api.img.twiter-statics.info
334 DNSName ns1.img.twiter-statics.info
335 DNSName ns1.officeapps-live.net
336 DNSName ns1.wheatherserviceapi.info
337 DNSName ns2.microsoft-tool.com
338 DNSName ns2.f-tqn.com
339 DNSName carl.ns.cloudflare.com.sdlc-esd-oracle.online
340 DNSName ns1.cortana-search.com
341 DNSName 40.dc.c0ad.ip4.dyn.gsvr-static.co
342 DNSName 40.dc.c2ad.ip4.dyn.gsvr-static.co
343 DNSName ns2.winupdate64.org
344 DNSName ns1.f-tqn.com
345 DNSName ns2.cortana-search.com
346 DNSName ns1.symcd.xyz
347 DNSName ns2.symcd.xyz
348 DNSName ns1.winupdate64.org
349 DNSName ns1.microsoft-tool.com
350 DNSName ns2.officeapps-live.com
351 DNSName ns1.israelnewsagency.link
352 DNSName ns2.israelnewsagency.link
353 DNSName ns1.cissco.net
354 DNSName ns2.cissco.net
355 DNSName ns1.cachevideo.online
356 DNSName ns2.cachevideo.online
357 DNSName www.static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
358 DNSName static.dyn-usr.g-blc-se.d45.a63.akamai.www.alkamaihd.com
359 DNSName dhb.stage.12735072.40.dc.c0ad.ip4.sta.gsvr-static.co
360 DNSName main.windowskernel14.com
361 DNSName www.winupdate64.net
362 DNSName ae13-0-hk2-96cbe-1a-ntwk-msn.static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
363 DNSName be-5-0-ibr01-lts-ntwk-msn.static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
364 DNSName static.dyn-usr.g-blc-se.d45.a63.akamai.static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
365 DNSName cyb.stage.12735072.40.dc.c0ad.ip4.sta.gsvr-static.co
366 DNSName ns1.winupdate64.com
367 DNSName ns1.twiter-statics.info
368 DNSName 40.dc.c0ad.ip4.dyn.gsvr-static.co
369 DNSName update.microsoft-office.solutions
370 DNSName wk-in-f104.1e100.n.microsoft.qoldenlines.net
371 DNSName ns1.fb-statics.com
372 DNSName ns2.fb-statics.com
373 DNSName is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology
374 DNSName img.gmailtagmanager.com
375 DNSName wk-in-f104.1c100.n.microsoft-security.host
376 DNSName msnbot-sd7-46-cdn.microsoft-security.host
377 DNSName msnbot-sd7-46-img.microsoft-security.host
378 DNSName ns2.winupdate64.com
379 DNSName msnbot-sd7-46-194.microsoft-security.host
380 DNSName ea-in-f155.1e100.microsoft-security.host
381 DNSName msnbot-207-46-194.microsoft-security.host
382 DNSName img.twiter-statics.info
383 DNSName msnbot-sd7-46-cdn.microsoft-security.host
384 DNSName ns2.wheatherserviceapi.info
385 DNSName ns1.windowkernel.com
386 DNSName ns2.windowkernel.com
387 DNSName ns2.fbstatic-a.space
388 DNSName ns1.fbstatic-a.space
389 DNSName api.TwitEr-Statics.info
390 DNSName ns2.mcafee-analyzer.com
391 DNSName 21666.mpmicrosoft.com
392 DNSName 22830.officeapps-live.org
393 DNSName 15236.mcafee-analyzer.com
394 DNSName ns2.static.dyn-usr.gsrv02.ssl-gstatic.online
395 DNSName ns1.mcafee-analyzer.com
396 DNSName ns1.fbstatic-akamaihd.com
397 DNSName ns1.static.dyn-usr.gsrv01.ssl-gstatic.online
398 DNSName ns2.officeapps-live.org
399 DNSName wk-in-f104.1e100.n.microsoft-security.host
400 DNSName ns1.mpmicrosoft.com
401 DNSName www.microsoft-security.host
402 DNSName ns2.fbstatic-akamaihd.com
403 DNSName ns1.cachevideo.online
404 DNSName wk-in-f100.1e100.n.microsoft-security.host
405 DNSName ns1.officeapps-live.org
406 DNSName ns2.mpmicrosoft.com
407 DNSName ns02.nsserver.host
408 DNSName ns2.cachevideo.online
409 DNSName be-5-0-ibr01-lts-ntwk-msn.alkamaihd.com
410 DNSName static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
411 DNSName www.alkamaihd.com
412 DNSName ae13-0-hk2-96cbe-1a-ntwk-msn.alkamaihd.com
413 DNSName ns2.microsoft-ds.com
414 DNSName adcenter.microsoft-ds.com
415 DNSName ns1.microsoft-ds.com
416 DNSName ns1.mswordupdate17.com
417 DNSName ns2.mswordupdate17.com
418 DNSName c.mswordupdate17.com
419 DNSName ns1.cloudflare-analyse.com
420 DNSName static.dyn-usr.f-loginme.c19.a23.akamaitechnology.com
421 DNSName ns2.cloudflare-analyse.com
422 DNSName ns1.cloud-analyzer.com
423 DNSName ns2.cloud-analyzer.com
424 DNSName ns01.nsserver.host
425 DNSName ns1.fb-statics.com
426 DNSName ns02.dnsserv.host
427 DNSName 15236.cachevideo.online
428 DNSName ns2.fb-statics.com
429 DNSName ns2.twiter-statics.info
430 DNSName ea-in-f113.1e100.microsoft-security.host
431 DNSName static.dyn-usr.f-login-me.c19.a.akamaitechnology.tech
432 DNSName ea-in-f155.1e100.microsoft-security.host
433 DNSName float.2963.bm-imp.akamaitechnology.tech
434 DNSName ns1.mcafee-analyzer.com
435 DNSName ns2.mcafee-analyzer.com
436 DNSName ns1.mpmicrosoft.com
437 DNSName ns2.mpmicrosoft.com
438 DNSName jpsrv-java-jdkec1.javaupdate.co
439 DNSName microsoft-active.directory_update-change-policy.primeminister-goverment-techcenter.tech
440 DNSName jpsrv-java-jdkec3.javaupdate.co
441 DNSName nameserver02.javaupdate.co
442 DNSName jpsrv-java-jdkec2.javaupdate.co
443 DNSName static.dyn-usr.f-login-me.c19.a23.akamaitechnology.com
444 DNSName static.dyn-usr.g-blc-se.d45.a63.alkamaihd.net
445 DNSName ssl.pmo.gov.il-dana-naauthurl1-welcome.cgi.primeminister-goverment-techcenter.tech
446 DNSName ns1.static.dyn-usr.gsrv01.ssl- gstatic.online
447 DNSName ns2.static.dyn-usr.gsrv02.ssl- gstatic.online
448 DNSName static.primeminister-goverment-techcenter.tech
449 DNSName ns1.outlook360.org
450 DNSName d45.a63.alkamaihd.net
451 DNSName ns1.officeapps-live.org
452 DNSName ns2.outlook360.org
453 DNSName ns2.officeapps-live.org
454 DNSName ns2.win-update.com
455 DNSName aaa.stage.14043411.email.sharepoint-microsoft.co
456 DNSName ns1.updatedrivers.org
457 DNSName a17-h16.g11.iad17.as.pht-external.c15.qoldenlines.net
458 DNSName ns1.windefender.org
459 DNSName is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology.com
460 DNSName ns2.windefender.org
461 DNSName ns1.win-update.com
462 DNSName ns2.updatedrivers.org
463 DNSName ns1.mpmicrosoft.com
464 DNSName ns1.officeapps-live.org
465 DNSName ns2.officeapps-live.org
466 DNSName ns2.ipresolver.org
467 DNSName ns1.ipresolver.org
468 DNSName www.is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology.com
469 DNSName 11716.cachevideo.com
470 DNSName ns1.intelchip.org
471 DNSName ns2.cachevideo.com
472 DNSName 7737.cloudflare-statics.com
473 DNSName 7052.cloudflare-statics.com
474 DNSName 7737.digicert.online
475 DNSName ns1.cloudflare-statics.com
476 DNSName 24984.cachevideo.com
477 DNSName ns1.digicert.online
478 DNSName ns2.digicert.online
479 DNSName 24984.digicert.online
480 DNSName ns1.fbstatic-akamaihd.com
481 DNSName ns2.fbstatic-akamaihd.com
482 DNSName ns1.javaupdator.com
483 DNSName ns2.outlook360.net
484 DNSName ns01.nameserver.win
485 DNSName ns2.javaupdator.com
486 DNSName ns2.intelchip.org
487 DNSName TATIC.DYN-USR.GSRV01.SSL-GSTATIC.ONLINe
488 DNSName STATIC.DYN-USR.GSRV01.SSL-GSTATIC.online
489 DNSName ns1.labs-cloudfront.com
490 DNSName ns2.labs-cloudfront.com
491 DNSName www.broadcast-microsoft.tech
492 DNSName www.newsfeeds-microsoft.press
493 DNSName www.owa-microsoft.online
494 DNSName static.c20.jdk.cdn-external-ie.1e100.tech
495 DNSName ns1.cloud-analyzer.com
496 DNSName ns2.cloud-analyzer.com
497 DNSName ns2.cloudflare-statics.com
498 DNSName ns1.cachevideo.com
499 DNSName ns1.outlook360.net
500 DNSName 3012.digicert.online
501 DNSName 24984.cloudflare-statics.com
502 DNSName 7737.cachevideo.com
503 DNSName hda.stage.12735072.40.dc.c0ad.ip4.sta.gsvr-static.co
504 DNSName msdn.winupdate64.net
505 DNSName kja.stage.12735072.40.dc.c0ad.ip4.sta.gsvr-static.co
506 Detection name BKDR_COBEACON.A
507 Detection name TROJ_POWPICK.A
508 Detection name HKTL_PASSDUMP
509 Detection name TROJ_SODREVR.A
510 Detection name TROJ_POWSHELL.C
511 Detection name BKDR_CONBEA.A
512 Detection name TSPY64_REKOTIB.A
513 Detection name HKTL_DIRZIP
514 Detection name TROJ_WAPPOME.A

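--- /dev/null
+++ b/<yara-file-path-not-shown-on-page>
@@ -0,0 +1,142 @@
+/*
+Yara Rule Set
+Author: Florian Roth
+Date: 2017-07-23
+Identifier: Operation Wilted Tulip
+Reference: http://www.clearskysec.com/tulip
+*/
+import "pe"
+/* Rule Set ----------------------------------------------------------------- */
+rule WiltedTulip_tdtess {
+meta:
+description = "Detects malicious service used in Operation Wilted Tulip"
+author = "Florian Roth"
+reference = "http://www.clearskysec.com/tulip"
+date = "2017-07-23"
+hash1 = "3fd28b9d1f26bd0cee16a167184c9f4a22fd829454fd89349f2962548f70dc34"
+strings:
+$x1 = "d2lubG9naW4k" fullword wide /* base64 encoded string 'winlogin$' */
+$x2 = "C:\\Users\\admin\\Documents\\visual studio 2015\\Projects\\Export\\TDTESS_ShortOne\\WinService Template\\" ascii
+$s1 = "\\WinService Template\\obj\\x64\\x64\\winlogin" ascii
+$s2 = "winlogin.exe" fullword wide
+condition:
+( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($x*) or 2 of them ) )
+}
+rule WiltedTulip_matryoshka_Injector {
+meta:
+description = "Detects hack tool used in Operation Wilted Tulip"
+author = "Florian Roth"
+reference = "http://www.clearskysec.com/tulip"
+date = "2017-07-23"
+hash1 = "c41e97b3b22a3f0264f10af2e71e3db44e53c6633d0d690ac4d2f8f5005708ed"
+hash2 = "b93b5d6716a4f8eee450d9f374d0294d1800784bc99c6934246570e4baffe509"
+strings:
+$s1 = "Injector.dll" fullword ascii
+$s2 = "ReflectiveLoader" fullword ascii
+condition:
+( uint16(0) == 0x5a4d and filesize < 1000KB and all of them ) or
+(
+pe.exports("__dec") and
+pe.exports("_check") and
+pe.exports("_dec") and
+pe.exports("start") and
+pe.exports("test")
+)
+}
+rule WiltedTulip_Zpp {
+meta:
+description = "Detects hack tool used in Operation Wilted Tulip"
+author = "Florian Roth"
+reference = "http://www.clearskysec.com/tulip"
+date = "2017-07-23"
+hash1 = "10ec585dc1304436821a11e35473c0710e844ba18727b302c6bd7f8ebac574bb"
+hash2 = "7d046a3ed15035ea197235980a72d133863c372cc27545af652e1b2389c23918"
+hash3 = "6d6816e0b9c24e904bc7c5fea5951d53465c478cc159ab900d975baf8a0921cf"
+strings:
+$x1 = "[ERROR] Error Main -i -s -d -gt -lt -mb" fullword wide
+$x2 = "[ERROR] Error Main -i(with.) -s -d -gt -lt -mb -o -e" fullword wide
+$s1 = "LT Time invalid" fullword wide
+$s2 = "doCompressInNetWorkDirectory" fullword ascii
+$s3 = "files remaining ,total file save = " fullword wide
+$s4 = "$ec996350-79a4-477b-87ae-2d5b9dbe20fd" fullword ascii
+$s5 = "Destinition Directory Not Found" fullword wide
+$s6 = "\\obj\\Release\\ZPP.pdb" fullword ascii
+condition:
+uint16(0) == 0x5a4d and filesize < 30KB and ( 1 of ($x*) or 3 of them )
+}
+rule WiltedTulip_Netsrv_netsrvs {
+meta:
+description = "Detects sample from Operation Wilted Tulip"
+author = "Florian Roth"
+reference = "http://www.clearskysec.com/tulip"
+date = "2017-07-23"
+hash1 = "a062cb4364125427b54375d51e9e9afb0baeb09b05a600937f70c9d6d365f4e5"
+hash2 = "afa563221aac89f96c383f9f9f4ef81d82c69419f124a80b7f4a8c437d83ce77"
+hash3 = "acf24620e544f79e55fd8ae6022e040257b60b33cf474c37f2877c39fbf2308a"
+hash4 = "bff115d5fb4fd8a395d158fb18175d1d183c8869d54624c706ee48a1180b2361"
+hash5 = "07ab795eeb16421a50c36257e6e703188a0fef9ed87647e588d0cd2fcf56fe43"
+strings:
+$s1 = "Process %d Created" fullword ascii
+$s2 = "%s\\system32\\rundll32.exe" fullword wide
+$s3 = "%s\\SysWOW64\\rundll32.exe" fullword wide
+$c1 = "slbhttps" fullword ascii
+$c2 = "/slbhttps" fullword wide
+$c3 = "/slbdnsk1" fullword wide
+$c4 = "netsrv" fullword wide
+$c5 = "/slbhttps" fullword wide
+condition:
+( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) and 1 of ($c*) ) )
+}
+rule WiltedTulip_ReflectiveLoader {
+meta:
+description = "Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip"
+author = "Florian Roth"
+reference = "http://www.clearskysec.com/tulip"
+date = "2017-07-23"
+hash1 = "1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904"
+hash2 = "1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a"
+hash3 = "a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f"
+hash4 = "cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0"
+hash5 = "eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89"
+strings:
+$x1 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
+$x2 = "%d is an x86 process (can't inject x64 content)" fullword ascii
+$x3 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
+$x4 = "Failed to impersonate token from %d (%u)" fullword ascii
+$x5 = "Failed to impersonate logged on user %d (%u)" fullword ascii
+$x6 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" fullword ascii
+condition:
+( uint16(0) == 0x5a4d and filesize < 600KB and 1 of them ) or
+( 2 of them ) or
+pe.exports("_ReflectiveLoader@4")
+}
+rule WiltedTulip_Matryoshka_RAT {
+meta:
+description = "Detects Matryoshka RAT used in Operation Wilted Tulip"
+author = "Florian Roth"
+reference = "http://www.clearskysec.com/tulip"
+date = "2017-07-23"
+hash1 = "6f208473df0d31987a4999eeea04d24b069fdb6a8245150aa91dfdc063cd64ab"
+hash2 = "6cc1f4ecd28b833c978c8e21a20a002459b4a6c21a4fbaad637111aa9d5b1a32"
+strings:
+$s1 = "%S:\\Users\\public" fullword wide
+$s2 = "ntuser.dat.swp" fullword wide
+$s3 = "Job Save / Load Config" fullword wide
+$s4 = ".?AVPSCL_CLASS_JOB_SAVE_CONFIG@@" fullword ascii
+$s5 = "winupdate64.com" fullword ascii
+$s6 = "Job Save KeyLogger" fullword wide
+condition:
+( uint16(0) == 0x5a4d and filesize < 1000KB and 3 of them )
+}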
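Review bot: In WiltedTulip_Netsrv_netsrvs the string `$c5 = "/slbhttps" fullword wide` is byte-for-byte the same as `$c2`, so the rule carries a redundant pattern; with `1 of ($c*)` it does not change what matches today, but if the threshold is ever raised the duplicate would satisfy two counts with the same bytes. Drop `$c5`, or replace it with the distinct variant the author presumably intended. In WiltedTulip_ReflectiveLoader the `( 2 of them )` alternative is not gated by the MZ check or the size bound, so it also fires on non-PE content that merely contains two of these strings (memory dumps, documents or reports quoting them); if that is deliberate for in-memory scanning, a comment such as `/* '2 of them' left ungated on purpose: intended for process-memory scans */` next to that line would keep a later maintainer from "fixing" it.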