From 946deb535677d9318709bdec06785608719cd984 Mon Sep 17 00:00:00 2001
From: Ziv Chang
Date: Wed, 25 Oct 2017 18:25:31 +0800
Subject: [PATCH] 2017.07.27.Operation_Wilted_Tulip

---
.../indicators-wilted_tulip.csv | 514 ++++++++++++++++++
.../yara-apt_wilted_tulip.txt | 142 +++++
2 files changed, 656 insertions(+)
create mode 100644 2017/2017.07.27.Operation_Wilted_Tulip/indicators-wilted_tulip.csv
create mode 100644 2017/2017.07.27.Operation_Wilted_Tulip/yara-apt_wilted_tulip.txt

diff --git a/2017/2017.07.27.Operation_Wilted_Tulip/indicators-wilted_tulip.csv b/2017/2017.07.27.Operation_Wilted_Tulip/indicators-wilted_tulip.csv
new file mode 100644
index 0000000..e5fdb52
--- /dev/null
+++ b/2017/2017.07.27.Operation_Wilted_Tulip/indicators-wilted_tulip.csv
@@ -0,0 +1,514 @@
+Type,Value
+URL,http://js.jguery.net/main.js
+URL,http://pht.is.nlb-deploy.edge-dyn.e11.f20.ads-youtube.online/winini.exe
+URL,http://38.130.75.20/check.html
+URL,http://update.microsoft-office.solutions/license.doc
+URL,http://update.microsoft-office.solutions/error.html
+URL,http://main.windowskernel14.com/spl/update5x.zip
+URL,http://img.twiter-statics.info/i/658A6D6AE42A658A6D6AE42A/0de9c5c6599fdf5201599ff9b30e0000/6E24E58CFC94/icon.png
+URL,http://files0.terendmicro.com/
+URL,http://ssl.pmo.gov.il-dana-naauthurl1-welcome.cgi.primeminister-goverment-techcenter.tech/%D7%A1%D7%A7%D7%A8%20%D7%A9%D7%A0%D7%AA%D7%99.docx
+URL,http://ea-in-f155.1e100.microsoft-security.host/
+URL,https://ea-in-f155.1e100.microsoft-security.host/mTQJ
+URL,http://iba.stage.7338879.i.gtld-servers.services
+URL,http://doa.stage.7338879.i.gtld-servers.services
+URL,http://fda.stage.7338879.i.gtld-servers.services
+URL,http://rqa.stage.7338879.i.gtld-servers.services
+URL,http://qqa.stage.7338879.i.gtld-servers.services
+URL,http://api.02ac36110.49318.a.gtld-servers.zone
+URL,s1w-amazonaws.office-msupdate.solutions
+URL,a104-93-82-25.mandalasanati.info/iBpa
+URL,http://fetchnews-agency.news-bbc.press/pictures.html
+URL,http://fetchnews-agency.news-bbc.press/omnews.doc
+URL,http://fetchnews-agency.news-bbc.press/en/20170/pictures.doc
+SSLCertificate,fa3d5d670dc1d153b999c3aec7b1d815cc33c4dc
+SSLCertificate,b11aa089879cd7d4503285fa8623ec237a317aee
+SSLCertificate,07317545c8d6fc9beedd3dd695ba79dd3818b941
+SSLCertificate,3c0ecb46d65dd57c33df5f6547f8fffb3e15722d
+SSLCertificate,1c43ed17acc07680924f2ec476d281c8c5fd6b4a
+SSLCertificate,8968f439ef26f3fcded4387a67ea5f56ce24a003
+IPv4Address,206.221.181.253
+IPv4Address,66.55.152.164
+IPv4Address,68.232.180.122
+IPv4Address,173.244.173.11
+IPv4Address,173.244.173.12
+IPv4Address,173.244.173.13
+IPv4Address,209.190.20.149
+IPv4Address,209.190.20.59
+IPv4Address,209.190.20.62
+IPv4Address,209.51.199.116
+IPv4Address,38.130.75.20
+IPv4Address,185.92.73.194
+IPv4Address,144.168.45.126
+IPv4Address,198.55.107.164
+IPv4Address,104.200.128.126
+IPv4Address,104.200.128.161
+IPv4Address,104.200.128.173
+IPv4Address,104.200.128.183
+IPv4Address,104.200.128.184
+IPv4Address,104.200.128.185
+IPv4Address,104.200.128.187
+IPv4Address,104.200.128.195
+IPv4Address,104.200.128.196
+IPv4Address,104.200.128.198
+IPv4Address,104.200.128.205
+IPv4Address,104.200.128.206
+IPv4Address,104.200.128.208
+IPv4Address,104.200.128.209
+IPv4Address,104.200.128.48
+IPv4Address,104.200.128.58
+IPv4Address,104.200.128.64
+IPv4Address,104.200.128.71
+IPv4Address,107.181.160.138
+IPv4Address,107.181.160.178
+IPv4Address,107.181.160.194
+IPv4Address,107.181.160.195
+IPv4Address,107.181.161.141
+IPv4Address,107.181.174.21
+IPv4Address,107.181.174.228
+IPv4Address,107.181.174.232
+IPv4Address,107.181.174.241
+IPv4Address,188.120.224.198
+IPv4Address,188.120.228.172
+IPv4Address,188.120.242.93
+IPv4Address,188.120.243.11
+IPv4Address,188.120.247.151
+IPv4Address,62.109.2.52
+IPv4Address,188.120.232.157
+IPv4Address,185.118.65.230
+IPv4Address,185.118.66.114
+IPv4Address,141.105.67.58
+IPv4Address,141.105.68.25
+IPv4Address,141.105.68.26
+IPv4Address,141.105.68.29
+IPv4Address,141.105.69.69
+IPv4Address,141.105.69.70
+IPv4Address,141.105.69.77
+IPv4Address,31.192.105.16
+IPv4Address,31.192.105.17
+IPv4Address,31.192.105.28
+IPv4Address,146.0.73.109
+IPv4Address,146.0.73.110
+IPv4Address,146.0.73.111
+IPv4Address,146.0.73.112
+IPv4Address,146.0.73.114
+IPv4Address,217.12.201.240
+IPv4Address,217.12.218.242
+IPv4Address,5.34.180.252
+IPv4Address,5.34.181.13
+IPv4Address,86.105.18.5
+IPv4Address,93.190.138.137
+IPv4Address,212.199.61.51
+IPv4Address,80.179.42.37
+IPv4Address,80.179.42.44
+IPv4Address,176.31.18.29
+IPv4Address,188.165.69.39
+IPv4Address,51.254.76.54
+IPv4Address,158.69.150.163
+IPv4Address,192.99.242.212
+IPv4Address,198.50.214.62
+Hash,a60a32f21ac1a2ec33135a650aa8dc71
+Hash,94ba33696cd6ffd6335948a752ec9c19
+Hash,bcae706c00e07936fc41ac47d671fc40
+Hash,1ca03f92f71d5ecb5dbf71b14d48495c
+Hash,506415ef517b4b1f7679b3664ad399e1
+Hash,1ca03f92f71d5ecb5dbf71b14d48495c
+Hash,bd38cab32b3b8b64e5d5d3df36f7c55a
+Hash,ac29659dc10b2811372c83675ff57d23
+Hash,41466bbb49dd35f9aa3002e546da65eb
+Hash,8f6f7416cfdf8d500d6c3dcb33c4f4c9e1cd33998c957fea77fbd50471faec88
+Hash,02f2c896287bc6a71275e8ebe311630557800081862a56a3c22c143f2f3142bd
+Hash,2df6fe9812796605d4696773c91ad84c4c315df7df9cf78bee5864822b1074c9
+Hash,55f513d0d8e1fd41b1417a0eb2afff3a039a9529571196dd7882d1251ab1f9bc
+Hash,da529e0b81625828d52cd70efba50794
+Hash,1f9910cafe0e5f39887b2d5ab4df0d10
+Hash,0feb0b50b99f0b303a5081ffb3c4446d
+Hash,577577d6df1833629bfd0d612e3dbb05
+Hash,165f8db9c6e2ca79260b159b4618a496e1ed6730d800798d51d38f07b3653952
+Hash,1f867be812087722010f12028beeaf376043e5d7
+Hash,b571c8e0e3768a12794eaf0ce24e6697
+Hash,e319f3fb40957a5ff13695306dd9de25
+Hash,acf24620e544f79e55fd8ae6022e040257b60b33cf474c37f2877c39fbf2308a
+Hash,8c8496390c3ad048f2a0a4031edfcdac819ee840d32951b9a1a9337a2dcbea25
+Hash,c5a02e984ca3d5ac13cf946d2ba68364
+Hash,efca6664ad6d29d2df5aaecf99024892
+Hash,bff115d5fb4fd8a395d158fb18175d1d183c8869d54624c706ee48a1180b2361
+Hash,afa563221aac89f96c383f9f9f4ef81d82c69419f124a80b7f4a8c437d83ce77
+Hash,4a3d93c0a74aaabeb801593741587a02
+Hash,64c9acc611ef47486ea756aca8e1b3b7
+Hash,fb775e900872e01f65e606b722719594
+Hash,cf8502b8b67d11fbb0c75ebcf741db15
+Hash,4999967c94a2fb1fa8122f1eea7a0e02
+Hash,5fe0e156a308b48fb2f9577ed3e3b09768976fdd99f6b2d2db5658b138676902
+Hash,37449ddfc120c08e0c0d41561db79e8cbbb97238
+Hash,4442c48dd314a04ba4df046dfe43c9ea1d229ef8814e4d3195afa9624682d763
+Hash,7651f0d886e1c1054eb716352468ec6aedab06ed61e1eebd02bca4efbb974fb6
+Hash,eb01202563dc0a1a3b39852ccda012acfe0b6f4d
+Hash,7e3c9323be2898d92666df33eb6e73a46c28e8e34630a2bd1db96aeb39586aeb
+Hash,9e5ab438deb327e26266c27891b3573c302113b8d239abc7f9aaa7eff9c4f7bb
+Hash,6a19624d80a54c4931490562b94775b74724f200
+Hash,32860b0184676509241bbaf9233068d472472c3d9c93570fc072e1acea97a1d4
+Hash,b34721e53599286a1093c90a9dd0b789
+Hash,7ad65e39b79ad56c02a90dfab8090392ec5ffed10a8e276b86ec9b1f2524ad31
+Hash,59c448abaa6cd20ce7af33d6c0ae27e4a853d2bd
+Hash,fb775e900872e01f65e606b722719594
+Hash,871efc9ecd8a446a7aa06351604a9bf4
+Hash,cf8502b8b67d11fbb0c75ebcf741db15
+Hash,a4dd1c225292014e65edb83f2684f2d5
+Hash,838fb8d181d52e9b9d212b49f4350739
+Hash,e37418ba399a095066845e7829267efe
+Hash,1072b82f53fdd9fa944685c7e498eece89b6b4240073f654495ac76e303e65c9
+Hash,752240cddda5acb5e8d026cef82e2b54
+Hash,435a93978fa50f55a64c788002da58a5
+Hash,3de91d07ac762b193d5b67dd5138381a
+Hash,a4adbea4fcbb242f7eac48ddbf13c814d5eec9220f7dce01b2cc8b56a806cd37
+Hash,aba7771c42aea8048e4067809c786b0105e9dfaa
+Hash,b01e955a34da8698fae11bf17e3f79a054449f938257284155aeca9a2d3815dd
+Hash,3676914af9fd575deb9901a8b625f032
+Hash,f1607a5b918345f89e3c2887c6dafc05c5832593
+Hash,341c920ec47efa4fd1bfcd1859a7fb98945f9d85
+Hash,8b702ba2b2bd65c3ad47117515f0669c
+Hash,6ea02f1f13cc39d953e5a3ebcdcfd882
+Hash,8f77a9cc2ad32af6fb1865fdff82ad89
+Hash,62f8f45c5f10647af0040f965a3ea96d
+Hash,d9aa197ca2f01a66df248c7a8b582c40
+Hash,217b1c2760bcf4838f5e3efb980064d7
+Hash,cfb4be91d8546203ae602c0284126408
+Hash,16a711a8fa5a40ee787e41c2c65faf9a78b195307ac069c5e13ba18bce243d01
+Hash,5e65373a7c6abca7e3f75ce74c6e8143
+Hash,d3b9da7c8c54f7f1ea6433ac34b120a1
+Hash,32261fe44c368724593fbf65d47fc826
+Hash,d2c117d18cb05140373713859803a0d6
+Hash,113ca319e85778b62145019359380a08
+Hash,4999967c94a2fb1fa8122f1eea7a0e02
+Hash,9846b07bf7265161573392d24543940e
+Hash,bf23ce4ae7d5c774b1fa6becd6864b3b
+Hash,720203904c9eaf45ff767425a8c518cd
+Hash,62652f074924bb961d74099bc7b95731
+Hash,1fba1876c88203a2ae6a59ce0b5da2a1
+Hash,cf8502b8b67d11fbb0c75ebcf741db15
+Hash,fb775e900872e01f65e606b722719594
+Hash,73f14f320facbdd29ae6f0628fa6f198dc86ba3428b3eddbfc39cf36224cebb9
+Hash,3d2885edf1f70ce4eb1e9519f47a669f
+Filename,config.exe
+Filename,Strike.doc
+Filename,malware.doc
+Filename,PDFOPENER_CONSOLE.exe
+Filename,Ma_1.tmp
+Filename,Wextract
+Filename,The%20United%20Nations%20Counter.doc.docx
+Filename,netsrvs.exe
+Filename,Date.dotm
+Filename,ssl.docx
+Filename,o040t.exe
+Filename,m8f7s.exe
+Filename,d5tjo.exe
+Filename,LogManager.tmp
+Filename,edg1CF5.tmp
+Filename,ntuser.swp
+Filename,svchost64.swp
+Filename,ntuser.dat.swp
+Filename,455aa96e-804g-4bcf-bcf8-f400b3a9cfe9.PackageExtraction
+Filename,Svchost32.swp
+Filename,Svchost64.swp
+Filename,update5x.dll
+Filename,22092014_ver621.dll     
+Filename,netsrv.exe
+Filename,netsrva.exe
+Filename,netsrvd.exe
+Filename,netsrvs.exe
+Filename,vminst.tmp
+Filename,tdtess.exe
+Filename,test_oracle.xls
+Filename,ur96r.exe
+Filename,The North Korean weapons program now testing USA range.docx
+Filename,F123321.exe
+Filename,ISIS terrorizes jewish people.docx
+Domain,wethearservice.com
+Domain,mywindows24.in
+Domain,microsoft-office.solutions
+Domain,code.jguery.net
+Domain,1m100.tech
+Domain,cloudflare-statics.com
+Domain,cachevideo.com
+Domain,winfeedback.net
+Domain,terendmicro.com
+Domain,alkamaihd.com
+Domain,msv-updates.gsvr-static.co
+Domain,fbstatic-a.space
+Domain,broadcast-microsoft.tech
+Domain,sharepoint-microsoft.co
+Domain,newsfeeds-microsoft.press
+Domain,owa-microsoft.online
+Domain,digicert.online
+Domain,cloudflare-analyse.com
+Domain,israelnewsagency.link
+Domain,akamaitechnology.tech
+Domain,winupdate64.org
+Domain,ads-youtube.net
+Domain,cortana-search.com
+Domain,nsserver.host
+Domain,nameserver.win
+Domain,symcd.xyz
+Domain,fdgdsg.xyz
+Domain,dnsserv.host
+Domain,winupdate64.com
+Domain,ssl-gstatic.online
+Domain,updatedrivers.org
+Domain,alkamaihd.net
+Domain,update.microsoft-office.solutions
+Domain,javaupdate.co
+Domain,outlook360.org
+Domain,winupdate64.net
+Domain,trendmicro.tech
+Domain,qoldenlines.net
+Domain,windefender.org
+Domain,1e100.tech
+Domain,chromeupdates.online
+Domain,ads-youtube.online
+Domain,akamaitechnology.com
+Domain,cloudmicrosoft.net
+Domain,js.jguery.online
+Domain,azurewebsites.tech
+Domain,elasticbeanstalk.tech
+Domain,jguery.online
+Domain,microsoft-security.host
+Domain,microsoft-ds.com
+Domain,jguery.net
+Domain,primeminister-goverment-techcenter.tech
+Domain,officeapps-live.com
+Domain,microsoft-tool.com
+Domain,cissco.net
+Domain,js.jguery.net
+Domain,f-tqn.com
+Domain,javaupdator.com
+Domain,officeapps-live.net
+Domain,ipresolver.org
+Domain,intelchip.org
+Domain,outlook360.net
+Domain,windowkernel.com
+Domain,wheatherserviceapi.info
+Domain,windowslayer.in
+Domain,sdlc-esd-oracle.online
+Domain,mpmicrosoft.com
+Domain,officeapps-live.org
+Domain,cachevideo.online
+Domain,win-update.com
+Domain,labs-cloudfront.com
+Domain,windowskernel14.com
+Domain,fbstatic-akamaihd.com
+Domain,mcafee-analyzer.com
+Domain,cloud-analyzer.com
+Domain,fb-statics.com
+Domain,ynet.link
+Domain,twiter-statics.info
+Domain,diagnose.microsoft-office.solutions
+Domain,mswordupdate17.com
+Domain,gsvr-static.co
+Domain,news-bbc.press
+Domain,mandalasanati.info
+Domain,office-msupdate.solutions
+Domain,windows-updates.solutions
+Domain,akamai-net.network
+Domain,azureedge-net.services
+Domain,doucbleclick.tech
+Domain,windows-updates.services
+Domain,windows-updates.network
+Domain,cloudfront.site
+Domain,netcdn-cachefly.network
+Domain,akamaized.online
+Domain,cdninstagram.center
+Domain,googlusercontent.center
+DNSName,ea-in-f354.1e100.ads-youtube.net
+DNSName,ns1.ynet.link
+DNSName,ns2.ynet.link
+DNSName,static.dyn-usr.g-blc-se.d45.a63.akamai.be-5-0-ibr01-lts-ntwk-msn.alkamaihd.com
+DNSName,pht.is.nlb-deploy.edge-dyn.e11.f20.ads-youtube.online
+DNSName,ns1.winfeedback.net
+DNSName,ns2.winfeedback.net
+DNSName,msupdate.diagnose.microsoft-office.solutions
+DNSName,www.alkamaihd.net
+DNSName,c20.jdk.cdn-external-ie.1e100.alkamaihd.net
+DNSName,ns2.img.twiter-statics.info
+DNSName,api.img.twiter-statics.info
+DNSName,ns1.img.twiter-statics.info
+DNSName,ns1.officeapps-live.net
+DNSName,ns1.wheatherserviceapi.info
+DNSName,ns2.microsoft-tool.com
+DNSName,ns2.f-tqn.com
+DNSName,carl.ns.cloudflare.com.sdlc-esd-oracle.online
+DNSName,ns1.cortana-search.com
+DNSName,40.dc.c0ad.ip4.dyn.gsvr-static.co
+DNSName,40.dc.c2ad.ip4.dyn.gsvr-static.co
+DNSName,ns2.winupdate64.org
+DNSName,ns1.f-tqn.com
+DNSName,ns2.cortana-search.com
+DNSName,ns1.symcd.xyz
+DNSName,ns2.symcd.xyz
+DNSName,ns1.winupdate64.org
+DNSName,ns1.microsoft-tool.com
+DNSName,ns2.officeapps-live.com
+DNSName,ns1.israelnewsagency.link
+DNSName,ns2.israelnewsagency.link
+DNSName,ns1.cissco.net
+DNSName,ns2.cissco.net
+DNSName,ns1.cachevideo.online
+DNSName,ns2.cachevideo.online
+DNSName,www.static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
+DNSName,static.dyn-usr.g-blc-se.d45.a63.akamai.www.alkamaihd.com
+DNSName,dhb.stage.12735072.40.dc.c0ad.ip4.sta.gsvr-static.co
+DNSName,main.windowskernel14.com
+DNSName,www.winupdate64.net
+DNSName,ae13-0-hk2-96cbe-1a-ntwk-msn.static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
+DNSName,be-5-0-ibr01-lts-ntwk-msn.static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
+DNSName,static.dyn-usr.g-blc-se.d45.a63.akamai.static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
+DNSName,cyb.stage.12735072.40.dc.c0ad.ip4.sta.gsvr-static.co
+DNSName,ns1.winupdate64.com
+DNSName,ns1.twiter-statics.info
+DNSName,40.dc.c0ad.ip4.dyn.gsvr-static.co
+DNSName,update.microsoft-office.solutions
+DNSName,wk-in-f104.1e100.n.microsoft.qoldenlines.net
+DNSName,ns1.fb-statics.com
+DNSName,ns2.fb-statics.com
+DNSName,is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology
+DNSName,img.gmailtagmanager.com
+DNSName,wk-in-f104.1c100.n.microsoft-security.host
+DNSName,msnbot-sd7-46-cdn.microsoft-security.host
+DNSName,msnbot-sd7-46-img.microsoft-security.host
+DNSName,ns2.winupdate64.com
+DNSName,msnbot-sd7-46-194.microsoft-security.host
+DNSName,ea-in-f155.1e100.microsoft-security.host
+DNSName,msnbot-207-46-194.microsoft-security.host
+DNSName,img.twiter-statics.info
+DNSName,msnbot-sd7-46-cdn.microsoft-security.host
+DNSName,ns2.wheatherserviceapi.info
+DNSName,ns1.windowkernel.com
+DNSName,ns2.windowkernel.com
+DNSName,ns2.fbstatic-a.space
+DNSName,ns1.fbstatic-a.space
+DNSName,api.TwitEr-Statics.info
+DNSName,ns2.mcafee-analyzer.com
+DNSName,21666.mpmicrosoft.com
+DNSName,22830.officeapps-live.org
+DNSName,15236.mcafee-analyzer.com
+DNSName,ns2.static.dyn-usr.gsrv02.ssl-gstatic.online
+DNSName,ns1.mcafee-analyzer.com
+DNSName,ns1.fbstatic-akamaihd.com
+DNSName,ns1.static.dyn-usr.gsrv01.ssl-gstatic.online
+DNSName,ns2.officeapps-live.org
+DNSName,wk-in-f104.1e100.n.microsoft-security.host
+DNSName,ns1.mpmicrosoft.com
+DNSName,www.microsoft-security.host
+DNSName,ns2.fbstatic-akamaihd.com
+DNSName,ns1.cachevideo.online
+DNSName,wk-in-f100.1e100.n.microsoft-security.host
+DNSName,ns1.officeapps-live.org
+DNSName,ns2.mpmicrosoft.com
+DNSName,ns02.nsserver.host
+DNSName,ns2.cachevideo.online
+DNSName,be-5-0-ibr01-lts-ntwk-msn.alkamaihd.com
+DNSName,static.dyn-usr.g-blc-se.d45.a63.akamai.alkamaihd.com
+DNSName,www.alkamaihd.com
+DNSName,ae13-0-hk2-96cbe-1a-ntwk-msn.alkamaihd.com
+DNSName,ns2.microsoft-ds.com
+DNSName,adcenter.microsoft-ds.com
+DNSName,ns1.microsoft-ds.com
+DNSName,ns1.mswordupdate17.com
+DNSName,ns2.mswordupdate17.com
+DNSName,c.mswordupdate17.com
+DNSName,ns1.cloudflare-analyse.com
+DNSName,static.dyn-usr.f-loginme.c19.a23.akamaitechnology.com
+DNSName,ns2.cloudflare-analyse.com
+DNSName,ns1.cloud-analyzer.com
+DNSName,ns2.cloud-analyzer.com
+DNSName,ns01.nsserver.host
+DNSName,ns1.fb-statics.com
+DNSName,ns02.dnsserv.host
+DNSName,15236.cachevideo.online
+DNSName,ns2.fb-statics.com
+DNSName,ns2.twiter-statics.info
+DNSName,ea-in-f113.1e100.microsoft-security.host
+DNSName,static.dyn-usr.f-login-me.c19.a.akamaitechnology.tech
+DNSName,ea-in-f155.1e100.microsoft-security.host
+DNSName,float.2963.bm-imp.akamaitechnology.tech
+DNSName,ns1.mcafee-analyzer.com
+DNSName,ns2.mcafee-analyzer.com
+DNSName,ns1.mpmicrosoft.com
+DNSName,ns2.mpmicrosoft.com
+DNSName,jpsrv-java-jdkec1.javaupdate.co
+DNSName,microsoft-active.directory_update-change-policy.primeminister-goverment-techcenter.tech
+DNSName,jpsrv-java-jdkec3.javaupdate.co
+DNSName,nameserver02.javaupdate.co
+DNSName,jpsrv-java-jdkec2.javaupdate.co
+DNSName,static.dyn-usr.f-login-me.c19.a23.akamaitechnology.com
+DNSName,static.dyn-usr.g-blc-se.d45.a63.alkamaihd.net
+DNSName,ssl.pmo.gov.il-dana-naauthurl1-welcome.cgi.primeminister-goverment-techcenter.tech
+DNSName,ns1.static.dyn-usr.gsrv01.ssl- gstatic.online
+DNSName,ns2.static.dyn-usr.gsrv02.ssl- gstatic.online
+DNSName,static.primeminister-goverment-techcenter.tech
+DNSName,ns1.outlook360.org
+DNSName,d45.a63.alkamaihd.net
+DNSName,ns1.officeapps-live.org
+DNSName,ns2.outlook360.org
+DNSName,ns2.officeapps-live.org
+DNSName,ns2.win-update.com
+DNSName,aaa.stage.14043411.email.sharepoint-microsoft.co
+DNSName,ns1.updatedrivers.org
+DNSName,a17-h16.g11.iad17.as.pht-external.c15.qoldenlines.net
+DNSName,ns1.windefender.org
+DNSName,is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology.com
+DNSName,ns2.windefender.org
+DNSName,ns1.win-update.com
+DNSName,ns2.updatedrivers.org
+DNSName,ns1.mpmicrosoft.com
+DNSName,ns1.officeapps-live.org
+DNSName,ns2.officeapps-live.org
+DNSName,ns2.ipresolver.org
+DNSName,ns1.ipresolver.org
+DNSName,www.is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology.com
+DNSName,11716.cachevideo.com
+DNSName,ns1.intelchip.org
+DNSName,ns2.cachevideo.com
+DNSName,7737.cloudflare-statics.com
+DNSName,7052.cloudflare-statics.com
+DNSName,7737.digicert.online
+DNSName,ns1.cloudflare-statics.com
+DNSName,24984.cachevideo.com
+DNSName,ns1.digicert.online
+DNSName,ns2.digicert.online
+DNSName,24984.digicert.online
+DNSName,ns1.fbstatic-akamaihd.com
+DNSName,ns2.fbstatic-akamaihd.com
+DNSName,ns1.javaupdator.com
+DNSName,ns2.outlook360.net
+DNSName,ns01.nameserver.win
+DNSName,ns2.javaupdator.com
+DNSName,ns2.intelchip.org
+DNSName,TATIC.DYN-USR.GSRV01.SSL-GSTATIC.ONLINe
+DNSName,STATIC.DYN-USR.GSRV01.SSL-GSTATIC.online
+DNSName,ns1.labs-cloudfront.com
+DNSName,ns2.labs-cloudfront.com
+DNSName,www.broadcast-microsoft.tech
+DNSName,www.newsfeeds-microsoft.press
+DNSName,www.owa-microsoft.online
+DNSName,static.c20.jdk.cdn-external-ie.1e100.tech
+DNSName,ns1.cloud-analyzer.com
+DNSName,ns2.cloud-analyzer.com
+DNSName,ns2.cloudflare-statics.com
+DNSName,ns1.cachevideo.com
+DNSName,ns1.outlook360.net
+DNSName,3012.digicert.online
+DNSName,24984.cloudflare-statics.com
+DNSName,7737.cachevideo.com
+DNSName,hda.stage.12735072.40.dc.c0ad.ip4.sta.gsvr-static.co
+DNSName,msdn.winupdate64.net
+DNSName,kja.stage.12735072.40.dc.c0ad.ip4.sta.gsvr-static.co
+Detection name,BKDR_COBEACON.A
+Detection name,TROJ_POWPICK.A
+Detection name,HKTL_PASSDUMP
+Detection name,TROJ_SODREVR.A
+Detection name,TROJ_POWSHELL.C
+Detection name,BKDR_CONBEA.A
+Detection name,TSPY64_REKOTIB.A
+Detection name,HKTL_DIRZIP
+Detection name,TROJ_WAPPOME.A
diff --git a/2017/2017.07.27.Operation_Wilted_Tulip/yara-apt_wilted_tulip.txt b/2017/2017.07.27.Operation_Wilted_Tulip/yara-apt_wilted_tulip.txt
new file mode 100644
index 0000000..2c271a3
--- /dev/null
+++ b/2017/2017.07.27.Operation_Wilted_Tulip/yara-apt_wilted_tulip.txt
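Review bot: The `Hash` rows mix MD5, SHA-1 and SHA-256 digests under a single type with no algorithm column, so anyone loading this list has to sniff the digest length to know which field to match on; splitting the type (`Hash-MD5`/`Hash-SHA1`/`Hash-SHA256`) or adding an algorithm column would make the file usable as-is. Several values are repeated verbatim (`Hash,cf8502b8b67d11fbb0c75ebcf741db15` three times, `Hash,fb775e900872e01f65e606b722719594` three times, `Hash,1ca03f92f71d5ecb5dbf71b14d48495c`, `Filename,netsrvs.exe`, `DNSName,ns1.mpmicrosoft.com` and a number of other `ns1`/`ns2` names twice) and should be de-duplicated before import. A few rows look like transcription damage rather than observed indicators: `ns1.static.dyn-usr.gsrv01.ssl- gstatic.online` and its `ns2` sibling carry an embedded space, `TATIC.DYN-USR.GSRV01.SSL-GSTATIC.ONLINe` is truncated and mixed-case next to the correctly spelled entry that follows it, `is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology` has no TLD, `22092014_ver621.dll` carries trailing whitespace, and two `URL` rows (`s1w-amazonaws.office-msupdate.solutions`, `a104-93-82-25.mandalasanati.info/iBpa`) have no scheme. Normalising case and whitespace and checking those rows against the source report would avoid silent non-matches when the list is fed into a blocklist or SIEM lookup.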
@@ -0,0 +1,142 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2017-07-23
+ Identifier: Operation Wilted Tulip
+ Reference: http://www.clearskysec.com/tulip
+*/
+
+import "pe"
+
+/* Rule Set ----------------------------------------------------------------- */
+
+
+rule WiltedTulip_tdtess {
+ meta:
+ description = "Detects malicious service used in Operation Wilted Tulip"
+ author = "Florian Roth"
+ reference = "http://www.clearskysec.com/tulip"
+ date = "2017-07-23"
+ hash1 = "3fd28b9d1f26bd0cee16a167184c9f4a22fd829454fd89349f2962548f70dc34"
+ strings:
+ $x1 = "d2lubG9naW4k" fullword wide /* base64 encoded string 'winlogin$' */
+ $x2 = "C:\\Users\\admin\\Documents\\visual studio 2015\\Projects\\Export\\TDTESS_ShortOne\\WinService Template\\" ascii
+
+ $s1 = "\\WinService Template\\obj\\x64\\x64\\winlogin" ascii
+ $s2 = "winlogin.exe" fullword wide
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($x*) or 2 of them ) )
+}
+
+rule WiltedTulip_matryoshka_Injector {
+ meta:
+ description = "Detects hack tool used in Operation Wilted Tulip"
+ author = "Florian Roth"
+ reference = "http://www.clearskysec.com/tulip"
+ date = "2017-07-23"
+ hash1 = "c41e97b3b22a3f0264f10af2e71e3db44e53c6633d0d690ac4d2f8f5005708ed"
+ hash2 = "b93b5d6716a4f8eee450d9f374d0294d1800784bc99c6934246570e4baffe509"
+ strings:
+ $s1 = "Injector.dll" fullword ascii
+ $s2 = "ReflectiveLoader" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them ) or
+ (
+ pe.exports("__dec") and
+ pe.exports("_check") and
+ pe.exports("_dec") and
+ pe.exports("start") and
+ pe.exports("test")
+ )
+}
+
+rule WiltedTulip_Zpp {
+ meta:
+ description = "Detects hack tool used in Operation Wilted Tulip"
+ author = "Florian Roth"
+ reference = "http://www.clearskysec.com/tulip"
+ date = "2017-07-23"
+ hash1 = "10ec585dc1304436821a11e35473c0710e844ba18727b302c6bd7f8ebac574bb"
+ hash2 = "7d046a3ed15035ea197235980a72d133863c372cc27545af652e1b2389c23918"
+ hash3 = "6d6816e0b9c24e904bc7c5fea5951d53465c478cc159ab900d975baf8a0921cf"
+ strings:
+ $x1 = "[ERROR] Error Main -i -s -d -gt -lt -mb" fullword wide
+ $x2 = "[ERROR] Error Main -i(with.) -s -d -gt -lt -mb -o -e" fullword wide
+
+ $s1 = "LT Time invalid" fullword wide
+ $s2 = "doCompressInNetWorkDirectory" fullword ascii
+ $s3 = "files remaining ,total file save = " fullword wide
+ $s4 = "$ec996350-79a4-477b-87ae-2d5b9dbe20fd" fullword ascii
+ $s5 = "Destinition Directory Not Found" fullword wide
+ $s6 = "\\obj\\Release\\ZPP.pdb" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 30KB and ( 1 of ($x*) or 3 of them )
+}
+
+rule WiltedTulip_Netsrv_netsrvs {
+ meta:
+ description = "Detects sample from Operation Wilted Tulip"
+ author = "Florian Roth"
+ reference = "http://www.clearskysec.com/tulip"
+ date = "2017-07-23"
+ hash1 = "a062cb4364125427b54375d51e9e9afb0baeb09b05a600937f70c9d6d365f4e5"
+ hash2 = "afa563221aac89f96c383f9f9f4ef81d82c69419f124a80b7f4a8c437d83ce77"
+ hash3 = "acf24620e544f79e55fd8ae6022e040257b60b33cf474c37f2877c39fbf2308a"
+ hash4 = "bff115d5fb4fd8a395d158fb18175d1d183c8869d54624c706ee48a1180b2361"
+ hash5 = "07ab795eeb16421a50c36257e6e703188a0fef9ed87647e588d0cd2fcf56fe43"
+ strings:
+ $s1 = "Process %d Created" fullword ascii
+ $s2 = "%s\\system32\\rundll32.exe" fullword wide
+ $s3 = "%s\\SysWOW64\\rundll32.exe" fullword wide
+
+ $c1 = "slbhttps" fullword ascii
+ $c2 = "/slbhttps" fullword wide
+ $c3 = "/slbdnsk1" fullword wide
+ $c4 = "netsrv" fullword wide
+ $c5 = "/slbhttps" fullword wide
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) and 1 of ($c*) ) )
+}
+
+rule WiltedTulip_ReflectiveLoader {
+ meta:
+ description = "Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip"
+ author = "Florian Roth"
+ reference = "http://www.clearskysec.com/tulip"
+ date = "2017-07-23"
+ hash1 = "1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904"
+ hash2 = "1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a"
+ hash3 = "a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f"
+ hash4 = "cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0"
+ hash5 = "eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89"
+ strings:
+ $x1 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
+ $x2 = "%d is an x86 process (can't inject x64 content)" fullword ascii
+ $x3 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
+ $x4 = "Failed to impersonate token from %d (%u)" fullword ascii
+ $x5 = "Failed to impersonate logged on user %d (%u)" fullword ascii
+ $x6 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 600KB and 1 of them ) or
+ ( 2 of them ) or
+ pe.exports("_ReflectiveLoader@4")
+}
+
+rule WiltedTulip_Matryoshka_RAT {
+ meta:
+ description = "Detects Matryoshka RAT used in Operation Wilted Tulip"
+ author = "Florian Roth"
+ reference = "http://www.clearskysec.com/tulip"
+ date = "2017-07-23"
+ hash1 = "6f208473df0d31987a4999eeea04d24b069fdb6a8245150aa91dfdc063cd64ab"
+ hash2 = "6cc1f4ecd28b833c978c8e21a20a002459b4a6c21a4fbaad637111aa9d5b1a32"
+ strings:
+ $s1 = "%S:\\Users\\public" fullword wide
+ $s2 = "ntuser.dat.swp" fullword wide
+ $s3 = "Job Save / Load Config" fullword wide
+ $s4 = ".?AVPSCL_CLASS_JOB_SAVE_CONFIG@@" fullword ascii
+ $s5 = "winupdate64.com" fullword ascii
+ $s6 = "Job Save KeyLogger" fullword wide
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 1000KB and 3 of them )
+}
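Review bot: In `WiltedTulip_ReflectiveLoader` the `( 2 of them )` branch of the condition is gated by neither the `uint16(0) == 0x5a4d` check nor a filesize bound, and `$x2`, `$x4` and `$x5` are plain ASCII sentences that appear verbatim in this very rule file and in any report, ticket or log line that quotes them, so as written the rule should also fire on those text files; gating the branch as `( uint16(0) == 0x5a4d and 2 of them ) or` keeps the looser match for executables without that false-positive surface. In `WiltedTulip_Netsrv_netsrvs`, `$c5` is byte-for-byte the same definition as `$c2` (`"/slbhttps" fullword wide`), so it adds nothing to `1 of ($c*)` and should be dropped or replaced with a distinct marker. The `.txt` extension also hides the file from tooling that collects rule sets by a `.yar`/`.yara` glob, which is worth a rename.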