2017.07.27.Operation_Wilted_Tulip
This commit is contained in:
parent
5680725a17
commit
946deb5356
@ -0,0 +1,514 @@
|
||||
Type,Value
|
||||
URL,http://js.jguery.net/main.js
|
||||
URL,http://pht.is.nlb-deploy.edge-dyn.e11.f20.ads-youtube.online/winini.exe
|
||||
URL,http://38.130.75.20/check.html
|
||||
URL,http://update.microsoft-office.solutions/license.doc
|
||||
URL,http://update.microsoft-office.solutions/error.html
|
||||
URL,http://main.windowskernel14.com/spl/update5x.zip
|
||||
URL,http://img.twiter-statics.info/i/658A6D6AE42A658A6D6AE42A/0de9c5c6599fdf5201599ff9b30e0000/6E24E58CFC94/icon.png
|
||||
URL,http://files0.terendmicro.com/
|
||||
URL,http://ssl.pmo.gov.il-dana-naauthurl1-welcome.cgi.primeminister-goverment-techcenter.tech/%D7%A1%D7%A7%D7%A8%20%D7%A9%D7%A0%D7%AA%D7%99.docx
|
||||
URL,http://ea-in-f155.1e100.microsoft-security.host/
|
||||
URL,https://ea-in-f155.1e100.microsoft-security.host/mTQJ
|
||||
URL,http://iba.stage.7338879.i.gtld-servers.services
|
||||
URL,http://doa.stage.7338879.i.gtld-servers.services
|
||||
URL,http://fda.stage.7338879.i.gtld-servers.services
|
||||
URL,http://rqa.stage.7338879.i.gtld-servers.services
|
||||
URL,http://qqa.stage.7338879.i.gtld-servers.services
|
||||
URL,http://api.02ac36110.49318.a.gtld-servers.zone
|
||||
URL,s1w-amazonaws.office-msupdate.solutions
|
||||
URL,a104-93-82-25.mandalasanati.info/iBpa
|
||||
URL,http://fetchnews-agency.news-bbc.press/pictures.html
|
||||
URL,http://fetchnews-agency.news-bbc.press/omnews.doc
|
||||
URL,http://fetchnews-agency.news-bbc.press/en/20170/pictures.doc
|
||||
SSLCertificate,fa3d5d670dc1d153b999c3aec7b1d815cc33c4dc
|
||||
SSLCertificate,b11aa089879cd7d4503285fa8623ec237a317aee
|
||||
SSLCertificate,07317545c8d6fc9beedd3dd695ba79dd3818b941
|
||||
SSLCertificate,3c0ecb46d65dd57c33df5f6547f8fffb3e15722d
|
||||
SSLCertificate,1c43ed17acc07680924f2ec476d281c8c5fd6b4a
|
||||
SSLCertificate,8968f439ef26f3fcded4387a67ea5f56ce24a003
|
||||
IPv4Address,206.221.181.253
|
||||
IPv4Address,66.55.152.164
|
||||
IPv4Address,68.232.180.122
|
||||
IPv4Address,173.244.173.11
|
||||
IPv4Address,173.244.173.12
|
||||
IPv4Address,173.244.173.13
|
||||
IPv4Address,209.190.20.149
|
||||
IPv4Address,209.190.20.59
|
||||
IPv4Address,209.190.20.62
|
||||
IPv4Address,209.51.199.116
|
||||
IPv4Address,38.130.75.20
|
||||
IPv4Address,185.92.73.194
|
||||
IPv4Address,144.168.45.126
|
||||
IPv4Address,198.55.107.164
|
||||
IPv4Address,104.200.128.126
|
||||
IPv4Address,104.200.128.161
|
||||
IPv4Address,104.200.128.173
|
||||
IPv4Address,104.200.128.183
|
||||
IPv4Address,104.200.128.184
|
||||
IPv4Address,104.200.128.185
|
||||
IPv4Address,104.200.128.187
|
||||
IPv4Address,104.200.128.195
|
||||
IPv4Address,104.200.128.196
|
||||
IPv4Address,104.200.128.198
|
||||
IPv4Address,104.200.128.205
|
||||
IPv4Address,104.200.128.206
|
||||
IPv4Address,104.200.128.208
|
||||
IPv4Address,104.200.128.209
|
||||
IPv4Address,104.200.128.48
|
||||
IPv4Address,104.200.128.58
|
||||
IPv4Address,104.200.128.64
|
||||
IPv4Address,104.200.128.71
|
||||
IPv4Address,107.181.160.138
|
||||
IPv4Address,107.181.160.178
|
||||
IPv4Address,107.181.160.194
|
||||
IPv4Address,107.181.160.195
|
||||
IPv4Address,107.181.161.141
|
||||
IPv4Address,107.181.174.21
|
||||
IPv4Address,107.181.174.228
|
||||
IPv4Address,107.181.174.232
|
||||
IPv4Address,107.181.174.241
|
||||
IPv4Address,188.120.224.198
|
||||
IPv4Address,188.120.228.172
|
||||
IPv4Address,188.120.242.93
|
||||
IPv4Address,188.120.243.11
|
||||
IPv4Address,188.120.247.151
|
||||
IPv4Address,62.109.2.52
|
||||
IPv4Address,188.120.232.157
|
||||
IPv4Address,185.118.65.230
|
||||
IPv4Address,185.118.66.114
|
||||
IPv4Address,141.105.67.58
|
||||
IPv4Address,141.105.68.25
|
||||
IPv4Address,141.105.68.26
|
||||
IPv4Address,141.105.68.29
|
||||
IPv4Address,141.105.69.69
|
||||
IPv4Address,141.105.69.70
|
||||
IPv4Address,141.105.69.77
|
||||
IPv4Address,31.192.105.16
|
||||
IPv4Address,31.192.105.17
|
||||
IPv4Address,31.192.105.28
|
||||
IPv4Address,146.0.73.109
|
||||
IPv4Address,146.0.73.110
|
||||
IPv4Address,146.0.73.111
|
||||
IPv4Address,146.0.73.112
|
||||
IPv4Address,146.0.73.114
|
||||
IPv4Address,217.12.201.240
|
||||
IPv4Address,217.12.218.242
|
||||
IPv4Address,5.34.180.252
|
||||
IPv4Address,5.34.181.13
|
||||
IPv4Address,86.105.18.5
|
||||
IPv4Address,93.190.138.137
|
||||
IPv4Address,212.199.61.51
|
||||
IPv4Address,80.179.42.37
|
||||
IPv4Address,80.179.42.44
|
||||
IPv4Address,176.31.18.29
|
||||
IPv4Address,188.165.69.39
|
||||
IPv4Address,51.254.76.54
|
||||
IPv4Address,158.69.150.163
|
||||
IPv4Address,192.99.242.212
|
||||
IPv4Address,198.50.214.62
|
||||
Hash,a60a32f21ac1a2ec33135a650aa8dc71
|
||||
Hash,94ba33696cd6ffd6335948a752ec9c19
|
||||
Hash,bcae706c00e07936fc41ac47d671fc40
|
||||
Hash,1ca03f92f71d5ecb5dbf71b14d48495c
|
||||
Hash,506415ef517b4b1f7679b3664ad399e1
|
||||
Hash,1ca03f92f71d5ecb5dbf71b14d48495c
|
||||
Hash,bd38cab32b3b8b64e5d5d3df36f7c55a
|
||||
Hash,ac29659dc10b2811372c83675ff57d23
|
||||
Hash,41466bbb49dd35f9aa3002e546da65eb
|
||||
Hash,8f6f7416cfdf8d500d6c3dcb33c4f4c9e1cd33998c957fea77fbd50471faec88
|
||||
Hash,02f2c896287bc6a71275e8ebe311630557800081862a56a3c22c143f2f3142bd
|
||||
Hash,2df6fe9812796605d4696773c91ad84c4c315df7df9cf78bee5864822b1074c9
|
||||
Hash,55f513d0d8e1fd41b1417a0eb2afff3a039a9529571196dd7882d1251ab1f9bc
|
||||
Hash,da529e0b81625828d52cd70efba50794
|
||||
Hash,1f9910cafe0e5f39887b2d5ab4df0d10
|
||||
Hash,0feb0b50b99f0b303a5081ffb3c4446d
|
||||
Hash,577577d6df1833629bfd0d612e3dbb05
|
||||
Hash,165f8db9c6e2ca79260b159b4618a496e1ed6730d800798d51d38f07b3653952
|
||||
Hash,1f867be812087722010f12028beeaf376043e5d7
|
||||
Hash,b571c8e0e3768a12794eaf0ce24e6697
|
||||
Hash,e319f3fb40957a5ff13695306dd9de25
|
||||
Hash,acf24620e544f79e55fd8ae6022e040257b60b33cf474c37f2877c39fbf2308a
|
||||
Hash,8c8496390c3ad048f2a0a4031edfcdac819ee840d32951b9a1a9337a2dcbea25
|
||||
Hash,c5a02e984ca3d5ac13cf946d2ba68364
|
||||
Hash,efca6664ad6d29d2df5aaecf99024892
|
||||
Hash,bff115d5fb4fd8a395d158fb18175d1d183c8869d54624c706ee48a1180b2361
|
||||
Hash,afa563221aac89f96c383f9f9f4ef81d82c69419f124a80b7f4a8c437d83ce77
|
||||
Hash,4a3d93c0a74aaabeb801593741587a02
|
||||
Hash,64c9acc611ef47486ea756aca8e1b3b7
|
||||
Hash,fb775e900872e01f65e606b722719594
|
||||
Hash,cf8502b8b67d11fbb0c75ebcf741db15
|
||||
Hash,4999967c94a2fb1fa8122f1eea7a0e02
|
||||
Hash,5fe0e156a308b48fb2f9577ed3e3b09768976fdd99f6b2d2db5658b138676902
|
||||
Hash,37449ddfc120c08e0c0d41561db79e8cbbb97238
|
||||
Hash,4442c48dd314a04ba4df046dfe43c9ea1d229ef8814e4d3195afa9624682d763
|
||||
Hash,7651f0d886e1c1054eb716352468ec6aedab06ed61e1eebd02bca4efbb974fb6
|
||||
Hash,eb01202563dc0a1a3b39852ccda012acfe0b6f4d
|
||||
Hash,7e3c9323be2898d92666df33eb6e73a46c28e8e34630a2bd1db96aeb39586aeb
|
||||
Hash,9e5ab438deb327e26266c27891b3573c302113b8d239abc7f9aaa7eff9c4f7bb
|
||||
Hash,6a19624d80a54c4931490562b94775b74724f200
|
||||
Hash,32860b0184676509241bbaf9233068d472472c3d9c93570fc072e1acea97a1d4
|
||||
Hash,b34721e53599286a1093c90a9dd0b789
|
||||
Hash,7ad65e39b79ad56c02a90dfab8090392ec5ffed10a8e276b86ec9b1f2524ad31
|
||||
Hash,59c448abaa6cd20ce7af33d6c0ae27e4a853d2bd
|
||||
Hash,fb775e900872e01f65e606b722719594
|
||||
Hash,871efc9ecd8a446a7aa06351604a9bf4
|
||||
Hash,cf8502b8b67d11fbb0c75ebcf741db15
|
||||
Hash,a4dd1c225292014e65edb83f2684f2d5
|
||||
Hash,838fb8d181d52e9b9d212b49f4350739
|
||||
Hash,e37418ba399a095066845e7829267efe
|
||||
Hash,1072b82f53fdd9fa944685c7e498eece89b6b4240073f654495ac76e303e65c9
|
||||
Hash,752240cddda5acb5e8d026cef82e2b54
|
||||
Hash,435a93978fa50f55a64c788002da58a5
|
||||
Hash,3de91d07ac762b193d5b67dd5138381a
|
||||
Hash,a4adbea4fcbb242f7eac48ddbf13c814d5eec9220f7dce01b2cc8b56a806cd37
|
||||
Hash,aba7771c42aea8048e4067809c786b0105e9dfaa
|
||||
Hash,b01e955a34da8698fae11bf17e3f79a054449f938257284155aeca9a2d3815dd
|
||||
Hash,3676914af9fd575deb9901a8b625f032
|
||||
Hash,f1607a5b918345f89e3c2887c6dafc05c5832593
|
||||
Hash,341c920ec47efa4fd1bfcd1859a7fb98945f9d85
|
||||
Hash,8b702ba2b2bd65c3ad47117515f0669c
|
||||
Hash,6ea02f1f13cc39d953e5a3ebcdcfd882
|
||||
Hash,8f77a9cc2ad32af6fb1865fdff82ad89
|
||||
Hash,62f8f45c5f10647af0040f965a3ea96d
|
||||
Hash,d9aa197ca2f01a66df248c7a8b582c40
|
||||
Hash,217b1c2760bcf4838f5e3efb980064d7
|
||||
Hash,cfb4be91d8546203ae602c0284126408
|
||||
Hash,16a711a8fa5a40ee787e41c2c65faf9a78b195307ac069c5e13ba18bce243d01
|
||||
Hash,5e65373a7c6abca7e3f75ce74c6e8143
|
||||
Hash,d3b9da7c8c54f7f1ea6433ac34b120a1
|
||||
Hash,32261fe44c368724593fbf65d47fc826
|
||||
Hash,d2c117d18cb05140373713859803a0d6
|
||||
Hash,113ca319e85778b62145019359380a08
|
||||
Hash,4999967c94a2fb1fa8122f1eea7a0e02
|
||||
Hash,9846b07bf7265161573392d24543940e
|
||||
Hash,bf23ce4ae7d5c774b1fa6becd6864b3b
|
||||
Hash,720203904c9eaf45ff767425a8c518cd
|
||||
Hash,62652f074924bb961d74099bc7b95731
|
||||
Hash,1fba1876c88203a2ae6a59ce0b5da2a1
|
||||
Hash,cf8502b8b67d11fbb0c75ebcf741db15
|
||||
Hash,fb775e900872e01f65e606b722719594
|
||||
Hash,73f14f320facbdd29ae6f0628fa6f198dc86ba3428b3eddbfc39cf36224cebb9
|
||||
Hash,3d2885edf1f70ce4eb1e9519f47a669f
|
||||
Filename,config.exe
|
||||
Filename,Strike.doc
|
||||
Filename,malware.doc
|
||||
Filename,PDFOPENER_CONSOLE.exe
|
||||
Filename,Ma_1.tmp
|
||||
Filename,Wextract
|
||||
Filename,The%20United%20Nations%20Counter.doc.docx
|
||||
Filename,netsrvs.exe
|
||||
Filename,Date.dotm
|
||||
Filename,ssl.docx
|
||||
Filename,o040t.exe
|
||||
Filename,m8f7s.exe
|
||||
Filename,d5tjo.exe
|
||||
Filename,LogManager.tmp
|
||||
Filename,edg1CF5.tmp
|
||||
Filename,ntuser.swp
|
||||
Filename,svchost64.swp
|
||||
Filename,ntuser.dat.swp
|
||||
Filename,455aa96e-804g-4bcf-bcf8-f400b3a9cfe9.PackageExtraction
|
||||
Filename,Svchost32.swp
|
||||
Filename,Svchost64.swp
|
||||
Filename,update5x.dll
|
||||
Filename,22092014_ver621.dll
|
||||
Filename,netsrv.exe
|
||||
Filename,netsrva.exe
|
||||
Filename,netsrvd.exe
|
||||
Filename,netsrvs.exe
|
||||
Filename,vminst.tmp
|
||||
Filename,tdtess.exe
|
||||
Filename,test_oracle.xls
|
||||
Filename,ur96r.exe
|
||||
Filename,The North Korean weapons program now testing USA range.docx
|
||||
Filename,F123321.exe
|
||||
Filename,ISIS terrorizes jewish people.docx
|
||||
Domain,wethearservice.com
|
||||
Domain,mywindows24.in
|
||||
Domain,microsoft-office.solutions
|
||||
Domain,code.jguery.net
|
||||
Domain,1m100.tech
|
||||
Domain,cloudflare-statics.com
|
||||
Domain,cachevideo.com
|
||||
Domain,winfeedback.net
|
||||
Domain,terendmicro.com
|
||||
Domain,alkamaihd.com
|
||||
Domain,msv-updates.gsvr-static.co
|
||||
Domain,fbstatic-a.space
|
||||
Domain,broadcast-microsoft.tech
|
||||
Domain,sharepoint-microsoft.co
|
||||
Domain,newsfeeds-microsoft.press
|
||||
Domain,owa-microsoft.online
|
||||
Domain,digicert.online
|
||||
Domain,cloudflare-analyse.com
|
||||
Domain,israelnewsagency.link
|
||||
Domain,akamaitechnology.tech
|
||||
Domain,winupdate64.org
|
||||
Domain,ads-youtube.net
|
||||
Domain,cortana-search.com
|
||||
Domain,nsserver.host
|
||||
Domain,nameserver.win
|
||||
Domain,symcd.xyz
|
||||
Domain,fdgdsg.xyz
|
||||
Domain,dnsserv.host
|
||||
Domain,winupdate64.com
|
||||
Domain,ssl-gstatic.online
|
||||
Domain,updatedrivers.org
|
||||
Domain,alkamaihd.net
|
||||
Domain,update.microsoft-office.solutions
|
||||
Domain,javaupdate.co
|
||||
Domain,outlook360.org
|
||||
Domain,winupdate64.net
|
||||
Domain,trendmicro.tech
|
||||
Domain,qoldenlines.net
|
||||
Domain,windefender.org
|
||||
Domain,1e100.tech
|
||||
Domain,chromeupdates.online
|
||||
Domain,ads-youtube.online
|
||||
Domain,akamaitechnology.com
|
||||
Domain,cloudmicrosoft.net
|
||||
Domain,js.jguery.online
|
||||
Domain,azurewebsites.tech
|
||||
Domain,elasticbeanstalk.tech
|
||||
Domain,jguery.online
|
||||
Domain,microsoft-security.host
|
||||
Domain,microsoft-ds.com
|
||||
Domain,jguery.net
|
||||
Domain,primeminister-goverment-techcenter.tech
|
||||
Domain,officeapps-live.com
|
||||
Domain,microsoft-tool.com
|
||||
Domain,cissco.net
|
||||
Domain,js.jguery.net
|
||||
Domain,f-tqn.com
|
||||
Domain,javaupdator.com
|
||||
Domain,officeapps-live.net
|
||||
Domain,ipresolver.org
|
||||
Domain,intelchip.org
|
||||
Domain,outlook360.net
|
||||
Domain,windowkernel.com
|
||||
Domain,wheatherserviceapi.info
|
||||
Domain,windowslayer.in
|
||||
Domain,sdlc-esd-oracle.online
|
||||
Domain,mpmicrosoft.com
|
||||
Domain,officeapps-live.org
|
||||
Domain,cachevideo.online
|
||||
Domain,win-update.com
|
||||
Domain,labs-cloudfront.com
|
||||
Domain,windowskernel14.com
|
||||
Domain,fbstatic-akamaihd.com
|
||||
Domain,mcafee-analyzer.com
|
||||
Domain,cloud-analyzer.com
|
||||
Domain,fb-statics.com
|
||||
Domain,ynet.link
|
||||
Domain,twiter-statics.info
|
||||
Domain,diagnose.microsoft-office.solutions
|
||||
Domain,mswordupdate17.com
|
||||
Domain,gsvr-static.co
|
||||
Domain,news-bbc.press
|
||||
Domain,mandalasanati.info
|
||||
Domain,office-msupdate.solutions
|
||||
Domain,windows-updates.solutions
|
||||
Domain,akamai-net.network
|
||||
Domain,azureedge-net.services
|
||||
Domain,doucbleclick.tech
|
||||
Domain,windows-updates.services
|
||||
Domain,windows-updates.network
|
||||
Domain,cloudfront.site
|
||||
Domain,netcdn-cachefly.network
|
||||
Domain,akamaized.online
|
||||
Domain,cdninstagram.center
|
||||
Domain,googlusercontent.center
|
||||
DNSName,ea-in-f354.1e100.ads-youtube.net
|
||||
DNSName,ns1.ynet.link
|
||||
DNSName,ns2.ynet.link
|
||||
DNSName,static.dyn-usr.g-blc-se.d45.a63.akamai.be-5-0-ibr01-lts-ntwk-msn.alkamaihd.com
|
||||
DNSName,pht.is.nlb-deploy.edge-dyn.e11.f20.ads-youtube.online
|
||||
DNSName,ns1.winfeedback.net
|
||||
DNSName,ns2.winfeedback.net
|
||||
DNSName,msupdate.diagnose.microsoft-office.solutions
|
||||
DNSName,www.alkamaihd.net
|
||||
DNSName,c20.jdk.cdn-external-ie.1e100.alkamaihd.net
|
||||
DNSName,ns2.img.twiter-statics.info
|
||||
DNSName,api.img.twiter-statics.info
|
||||
DNSName,ns1.img.twiter-statics.info
|
||||
DNSName,ns1.officeapps-live.net
|
||||
DNSName,ns1.wheatherserviceapi.info
|
||||
DNSName,ns2.microsoft-tool.com
|
||||
DNSName,ns2.f-tqn.com
|
||||
DNSName,carl.ns.cloudflare.com.sdlc-esd-oracle.online
|
||||
DNSName,ns1.cortana-search.com
|
||||
DNSName,40.dc.c0ad.ip4.dyn.gsvr-static.co
|
||||
DNSName,40.dc.c2ad.ip4.dyn.gsvr-static.co
|
||||
DNSName,ns2.winupdate64.org
|
||||
DNSName,ns1.f-tqn.com
|
||||
DNSName,ns2.cortana-search.com
|
||||
DNSName,ns1.symcd.xyz
|
||||
DNSName,ns2.symcd.xyz
|
||||
DNSName,ns1.winupdate64.org
|
||||
DNSName,ns1.microsoft-tool.com
|
||||
DNSName,ns2.officeapps-live.com
|
||||
DNSName,ns1.israelnewsagency.link
|
||||
DNSName,ns2.israelnewsagency.link
|
||||
DNSName,ns1.cissco.net
|
||||
DNSName,ns2.cissco.net
|
||||
DNSName,ns1.cachevideo.online
|
||||
DNSName,ns2.cachevideo.online
|
||||
DNSName,www.static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
|
||||
DNSName,static.dyn-usr.g-blc-se.d45.a63.akamai.www.alkamaihd.com
|
||||
DNSName,dhb.stage.12735072.40.dc.c0ad.ip4.sta.gsvr-static.co
|
||||
DNSName,main.windowskernel14.com
|
||||
DNSName,www.winupdate64.net
|
||||
DNSName,ae13-0-hk2-96cbe-1a-ntwk-msn.static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
|
||||
DNSName,be-5-0-ibr01-lts-ntwk-msn.static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
|
||||
DNSName,static.dyn-usr.g-blc-se.d45.a63.akamai.static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
|
||||
DNSName,cyb.stage.12735072.40.dc.c0ad.ip4.sta.gsvr-static.co
|
||||
DNSName,ns1.winupdate64.com
|
||||
DNSName,ns1.twiter-statics.info
|
||||
DNSName,40.dc.c0ad.ip4.dyn.gsvr-static.co
|
||||
DNSName,update.microsoft-office.solutions
|
||||
DNSName,wk-in-f104.1e100.n.microsoft.qoldenlines.net
|
||||
DNSName,ns1.fb-statics.com
|
||||
DNSName,ns2.fb-statics.com
|
||||
DNSName,is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology
|
||||
DNSName,img.gmailtagmanager.com
|
||||
DNSName,wk-in-f104.1c100.n.microsoft-security.host
|
||||
DNSName,msnbot-sd7-46-cdn.microsoft-security.host
|
||||
DNSName,msnbot-sd7-46-img.microsoft-security.host
|
||||
DNSName,ns2.winupdate64.com
|
||||
DNSName,msnbot-sd7-46-194.microsoft-security.host
|
||||
DNSName,ea-in-f155.1e100.microsoft-security.host
|
||||
DNSName,msnbot-207-46-194.microsoft-security.host
|
||||
DNSName,img.twiter-statics.info
|
||||
DNSName,msnbot-sd7-46-cdn.microsoft-security.host
|
||||
DNSName,ns2.wheatherserviceapi.info
|
||||
DNSName,ns1.windowkernel.com
|
||||
DNSName,ns2.windowkernel.com
|
||||
DNSName,ns2.fbstatic-a.space
|
||||
DNSName,ns1.fbstatic-a.space
|
||||
DNSName,api.TwitEr-Statics.info
|
||||
DNSName,ns2.mcafee-analyzer.com
|
||||
DNSName,21666.mpmicrosoft.com
|
||||
DNSName,22830.officeapps-live.org
|
||||
DNSName,15236.mcafee-analyzer.com
|
||||
DNSName,ns2.static.dyn-usr.gsrv02.ssl-gstatic.online
|
||||
DNSName,ns1.mcafee-analyzer.com
|
||||
DNSName,ns1.fbstatic-akamaihd.com
|
||||
DNSName,ns1.static.dyn-usr.gsrv01.ssl-gstatic.online
|
||||
DNSName,ns2.officeapps-live.org
|
||||
DNSName,wk-in-f104.1e100.n.microsoft-security.host
|
||||
DNSName,ns1.mpmicrosoft.com
|
||||
DNSName,www.microsoft-security.host
|
||||
DNSName,ns2.fbstatic-akamaihd.com
|
||||
DNSName,ns1.cachevideo.online
|
||||
DNSName,wk-in-f100.1e100.n.microsoft-security.host
|
||||
DNSName,ns1.officeapps-live.org
|
||||
DNSName,ns2.mpmicrosoft.com
|
||||
DNSName,ns02.nsserver.host
|
||||
DNSName,ns2.cachevideo.online
|
||||
DNSName,be-5-0-ibr01-lts-ntwk-msn.alkamaihd.com
|
||||
DNSName,static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
|
||||
DNSName,www.alkamaihd.com
|
||||
DNSName,ae13-0-hk2-96cbe-1a-ntwk-msn.alkamaihd.com
|
||||
DNSName,ns2.microsoft-ds.com
|
||||
DNSName,adcenter.microsoft-ds.com
|
||||
DNSName,ns1.microsoft-ds.com
|
||||
DNSName,ns1.mswordupdate17.com
|
||||
DNSName,ns2.mswordupdate17.com
|
||||
DNSName,c.mswordupdate17.com
|
||||
DNSName,ns1.cloudflare-analyse.com
|
||||
DNSName,static.dyn-usr.f-loginme.c19.a23.akamaitechnology.com
|
||||
DNSName,ns2.cloudflare-analyse.com
|
||||
DNSName,ns1.cloud-analyzer.com
|
||||
DNSName,ns2.cloud-analyzer.com
|
||||
DNSName,ns01.nsserver.host
|
||||
DNSName,ns1.fb-statics.com
|
||||
DNSName,ns02.dnsserv.host
|
||||
DNSName,15236.cachevideo.online
|
||||
DNSName,ns2.fb-statics.com
|
||||
DNSName,ns2.twiter-statics.info
|
||||
DNSName,ea-in-f113.1e100.microsoft-security.host
|
||||
DNSName,static.dyn-usr.f-login-me.c19.a.akamaitechnology.tech
|
||||
DNSName,ea-in-f155.1e100.microsoft-security.host
|
||||
DNSName,float.2963.bm-imp.akamaitechnology.tech
|
||||
DNSName,ns1.mcafee-analyzer.com
|
||||
DNSName,ns2.mcafee-analyzer.com
|
||||
DNSName,ns1.mpmicrosoft.com
|
||||
DNSName,ns2.mpmicrosoft.com
|
||||
DNSName,jpsrv-java-jdkec1.javaupdate.co
|
||||
DNSName,microsoft-active.directory_update-change-policy.primeminister-goverment-techcenter.tech
|
||||
DNSName,jpsrv-java-jdkec3.javaupdate.co
|
||||
DNSName,nameserver02.javaupdate.co
|
||||
DNSName,jpsrv-java-jdkec2.javaupdate.co
|
||||
DNSName,static.dyn-usr.f-login-me.c19.a23.akamaitechnology.com
|
||||
DNSName,static.dyn-usr.g-blc-se.d45.a63.alkamaihd.net
|
||||
DNSName,ssl.pmo.gov.il-dana-naauthurl1-welcome.cgi.primeminister-goverment-techcenter.tech
|
||||
DNSName,ns1.static.dyn-usr.gsrv01.ssl- gstatic.online
|
||||
DNSName,ns2.static.dyn-usr.gsrv02.ssl- gstatic.online
|
||||
DNSName,static.primeminister-goverment-techcenter.tech
|
||||
DNSName,ns1.outlook360.org
|
||||
DNSName,d45.a63.alkamaihd.net
|
||||
DNSName,ns1.officeapps-live.org
|
||||
DNSName,ns2.outlook360.org
|
||||
DNSName,ns2.officeapps-live.org
|
||||
DNSName,ns2.win-update.com
|
||||
DNSName,aaa.stage.14043411.email.sharepoint-microsoft.co
|
||||
DNSName,ns1.updatedrivers.org
|
||||
DNSName,a17-h16.g11.iad17.as.pht-external.c15.qoldenlines.net
|
||||
DNSName,ns1.windefender.org
|
||||
DNSName,is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology.com
|
||||
DNSName,ns2.windefender.org
|
||||
DNSName,ns1.win-update.com
|
||||
DNSName,ns2.updatedrivers.org
|
||||
DNSName,ns1.mpmicrosoft.com
|
||||
DNSName,ns1.officeapps-live.org
|
||||
DNSName,ns2.officeapps-live.org
|
||||
DNSName,ns2.ipresolver.org
|
||||
DNSName,ns1.ipresolver.org
|
||||
DNSName,www.is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology.com
|
||||
DNSName,11716.cachevideo.com
|
||||
DNSName,ns1.intelchip.org
|
||||
DNSName,ns2.cachevideo.com
|
||||
DNSName,7737.cloudflare-statics.com
|
||||
DNSName,7052.cloudflare-statics.com
|
||||
DNSName,7737.digicert.online
|
||||
DNSName,ns1.cloudflare-statics.com
|
||||
DNSName,24984.cachevideo.com
|
||||
DNSName,ns1.digicert.online
|
||||
DNSName,ns2.digicert.online
|
||||
DNSName,24984.digicert.online
|
||||
DNSName,ns1.fbstatic-akamaihd.com
|
||||
DNSName,ns2.fbstatic-akamaihd.com
|
||||
DNSName,ns1.javaupdator.com
|
||||
DNSName,ns2.outlook360.net
|
||||
DNSName,ns01.nameserver.win
|
||||
DNSName,ns2.javaupdator.com
|
||||
DNSName,ns2.intelchip.org
|
||||
DNSName,TATIC.DYN-USR.GSRV01.SSL-GSTATIC.ONLINe
|
||||
DNSName,STATIC.DYN-USR.GSRV01.SSL-GSTATIC.online
|
||||
DNSName,ns1.labs-cloudfront.com
|
||||
DNSName,ns2.labs-cloudfront.com
|
||||
DNSName,www.broadcast-microsoft.tech
|
||||
DNSName,www.newsfeeds-microsoft.press
|
||||
DNSName,www.owa-microsoft.online
|
||||
DNSName,static.c20.jdk.cdn-external-ie.1e100.tech
|
||||
DNSName,ns1.cloud-analyzer.com
|
||||
DNSName,ns2.cloud-analyzer.com
|
||||
DNSName,ns2.cloudflare-statics.com
|
||||
DNSName,ns1.cachevideo.com
|
||||
DNSName,ns1.outlook360.net
|
||||
DNSName,3012.digicert.online
|
||||
DNSName,24984.cloudflare-statics.com
|
||||
DNSName,7737.cachevideo.com
|
||||
DNSName,hda.stage.12735072.40.dc.c0ad.ip4.sta.gsvr-static.co
|
||||
DNSName,msdn.winupdate64.net
|
||||
DNSName,kja.stage.12735072.40.dc.c0ad.ip4.sta.gsvr-static.co
|
||||
Detection name,BKDR_COBEACON.A
|
||||
Detection name,TROJ_POWPICK.A
|
||||
Detection name,HKTL_PASSDUMP
|
||||
Detection name,TROJ_SODREVR.A
|
||||
Detection name,TROJ_POWSHELL.C
|
||||
Detection name,BKDR_CONBEA.A
|
||||
Detection name,TSPY64_REKOTIB.A
|
||||
Detection name,HKTL_DIRZIP
|
||||
Detection name,TROJ_WAPPOME.A
|
|
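Review bot: The Hash column mixes MD5, SHA-1 and SHA-256 digests with no algorithm indication, and several rows repeat (`Hash,1ca03f92f71d5ecb5dbf71b14d48495c` twice, `Hash,fb775e900872e01f65e606b722719594` and `Hash,cf8502b8b67d11fbb0c75ebcf741db15` three times each, `Hash,4999967c94a2fb1fa8122f1eea7a0e02` twice, `Filename,netsrvs.exe` twice), so a feed importer will double-count and cannot route values to the right lookup. A few DNSName rows look like extraction damage rather than indicators: `ssl- gstatic.online` carries a stray space in two rows, `TATIC.DYN-USR.GSRV01.SSL-GSTATIC.ONLINe` is truncated, and `is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology` lacks its TLD. Two URL rows (`s1w-amazonaws.office-msupdate.solutions`, `a104-93-82-25.mandalasanati.info/iBpa`) have no scheme and will fail strict URL parsing. Deduplicating, splitting Hash into MD5/SHA1/SHA256 types (or adding an algorithm column) and normalising the damaged rows would make the file directly ingestable; the file header for this section is not on the page, so its path cannot be confirmed from here.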
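--- a/2017/2017.07.27.Operation_Wilted_Tulip/yara-apt_wilted_tulip.txt
+++ b/2017/2017.07.27.Operation_Wilted_Tulip/yara-apt_wilted_tulip.txt
@@ -0,0 +1,142 @@
+/*
+Yara Rule Set
+Author: Florian Roth
+Date: 2017-07-23
+Identifier: Operation Wilted Tulip
+Reference: http://www.clearskysec.com/tulip
+*/
+
+import "pe"
+
+/* Rule Set ----------------------------------------------------------------- */
+
+
+rule WiltedTulip_tdtess {
+meta:
+description = "Detects malicious service used in Operation Wilted Tulip"
+author = "Florian Roth"
+reference = "http://www.clearskysec.com/tulip"
+date = "2017-07-23"
+hash1 = "3fd28b9d1f26bd0cee16a167184c9f4a22fd829454fd89349f2962548f70dc34"
+strings:
+$x1 = "d2lubG9naW4k" fullword wide /* base64 encoded string 'winlogin$' */
+$x2 = "C:\\Users\\admin\\Documents\\visual studio 2015\\Projects\\Export\\TDTESS_ShortOne\\WinService Template\\" ascii
+
+$s1 = "\\WinService Template\\obj\\x64\\x64\\winlogin" ascii
+$s2 = "winlogin.exe" fullword wide
+condition:
+( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($x*) or 2 of them ) )
+}
+
+rule WiltedTulip_matryoshka_Injector {
+meta:
+description = "Detects hack tool used in Operation Wilted Tulip"
+author = "Florian Roth"
+reference = "http://www.clearskysec.com/tulip"
+date = "2017-07-23"
+hash1 = "c41e97b3b22a3f0264f10af2e71e3db44e53c6633d0d690ac4d2f8f5005708ed"
+hash2 = "b93b5d6716a4f8eee450d9f374d0294d1800784bc99c6934246570e4baffe509"
+strings:
+$s1 = "Injector.dll" fullword ascii
+$s2 = "ReflectiveLoader" fullword ascii
+condition:
+( uint16(0) == 0x5a4d and filesize < 1000KB and all of them ) or
+(
+pe.exports("__dec") and
+pe.exports("_check") and
+pe.exports("_dec") and
+pe.exports("start") and
+pe.exports("test")
+)
+}
+
+rule WiltedTulip_Zpp {
+meta:
+description = "Detects hack tool used in Operation Wilted Tulip"
+author = "Florian Roth"
+reference = "http://www.clearskysec.com/tulip"
+date = "2017-07-23"
+hash1 = "10ec585dc1304436821a11e35473c0710e844ba18727b302c6bd7f8ebac574bb"
+hash2 = "7d046a3ed15035ea197235980a72d133863c372cc27545af652e1b2389c23918"
+hash3 = "6d6816e0b9c24e904bc7c5fea5951d53465c478cc159ab900d975baf8a0921cf"
+strings:
+$x1 = "[ERROR] Error Main -i -s -d -gt -lt -mb" fullword wide
+$x2 = "[ERROR] Error Main -i(with.) -s -d -gt -lt -mb -o -e" fullword wide
+
+$s1 = "LT Time invalid" fullword wide
+$s2 = "doCompressInNetWorkDirectory" fullword ascii
+$s3 = "files remaining ,total file save = " fullword wide
+$s4 = "$ec996350-79a4-477b-87ae-2d5b9dbe20fd" fullword ascii
+$s5 = "Destinition Directory Not Found" fullword wide
+$s6 = "\\obj\\Release\\ZPP.pdb" fullword ascii
+condition:
+uint16(0) == 0x5a4d and filesize < 30KB and ( 1 of ($x*) or 3 of them )
+}
+
+rule WiltedTulip_Netsrv_netsrvs {
+meta:
+description = "Detects sample from Operation Wilted Tulip"
+author = "Florian Roth"
+reference = "http://www.clearskysec.com/tulip"
+date = "2017-07-23"
+hash1 = "a062cb4364125427b54375d51e9e9afb0baeb09b05a600937f70c9d6d365f4e5"
+hash2 = "afa563221aac89f96c383f9f9f4ef81d82c69419f124a80b7f4a8c437d83ce77"
+hash3 = "acf24620e544f79e55fd8ae6022e040257b60b33cf474c37f2877c39fbf2308a"
+hash4 = "bff115d5fb4fd8a395d158fb18175d1d183c8869d54624c706ee48a1180b2361"
+hash5 = "07ab795eeb16421a50c36257e6e703188a0fef9ed87647e588d0cd2fcf56fe43"
+strings:
+$s1 = "Process %d Created" fullword ascii
+$s2 = "%s\\system32\\rundll32.exe" fullword wide
+$s3 = "%s\\SysWOW64\\rundll32.exe" fullword wide
+
+$c1 = "slbhttps" fullword ascii
+$c2 = "/slbhttps" fullword wide
+$c3 = "/slbdnsk1" fullword wide
+$c4 = "netsrv" fullword wide
+$c5 = "/slbhttps" fullword wide
+condition:
+( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) and 1 of ($c*) ) )
+}
+
+rule WiltedTulip_ReflectiveLoader {
+meta:
+description = "Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip"
+author = "Florian Roth"
+reference = "http://www.clearskysec.com/tulip"
+date = "2017-07-23"
+hash1 = "1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904"
+hash2 = "1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a"
+hash3 = "a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f"
+hash4 = "cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0"
+hash5 = "eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89"
+strings:
+$x1 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
+$x2 = "%d is an x86 process (can't inject x64 content)" fullword ascii
+$x3 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
+$x4 = "Failed to impersonate token from %d (%u)" fullword ascii
+$x5 = "Failed to impersonate logged on user %d (%u)" fullword ascii
+$x6 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" fullword ascii
+condition:
+( uint16(0) == 0x5a4d and filesize < 600KB and 1 of them ) or
+( 2 of them ) or
+pe.exports("_ReflectiveLoader@4")
+}
+
+rule WiltedTulip_Matryoshka_RAT {
+meta:
+description = "Detects Matryoshka RAT used in Operation Wilted Tulip"
+author = "Florian Roth"
+reference = "http://www.clearskysec.com/tulip"
+date = "2017-07-23"
+hash1 = "6f208473df0d31987a4999eeea04d24b069fdb6a8245150aa91dfdc063cd64ab"
+hash2 = "6cc1f4ecd28b833c978c8e21a20a002459b4a6c21a4fbaad637111aa9d5b1a32"
+strings:
+$s1 = "%S:\\Users\\public" fullword wide
+$s2 = "ntuser.dat.swp" fullword wide
+$s3 = "Job Save / Load Config" fullword wide
+$s4 = ".?AVPSCL_CLASS_JOB_SAVE_CONFIG@@" fullword ascii
+$s5 = "winupdate64.com" fullword ascii
+$s6 = "Job Save KeyLogger" fullword wide
+condition:
+( uint16(0) == 0x5a4d and filesize < 1000KB and 3 of them )
+}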
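Review bot: In rule WiltedTulip_Netsrv_netsrvs, `$c5 = "/slbhttps" fullword wide` is byte-for-byte identical to `$c2`, so it adds no coverage to `1 of ($c*)` and only costs a second scan for the same pattern; drop `$c5` or give it a distinct indicator. In WiltedTulip_ReflectiveLoader the third alternative, `pe.exports("_ReflectiveLoader@4")`, matches any DLL exporting that symbol independently of the $x strings and the size guard, which is broader than the campaign-specific description suggests and will also flag unrelated reflective-DLL tooling during triage. If the generic match is intended, say so in meta, e.g. `description = "Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip; the export check alone is generic, not campaign-specific"`; otherwise combine the export with `1 of ($x*)`. The four hash-only meta rules also lack a `license` or `score` field, which is optional but helps consumers rank the generic rule below the string-backed ones.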