2019.03.13.DMSniff_POS_Malware
This commit is contained in:
parent
f6bb8f0eaf
commit
e765355b6f
BIN
2019/2019.03.13.DMSniff_POS_Malware/DMSniff_POS_Malware.pdf
Normal file
@ -0,0 +1,167 @@
|
||||
0x40143cL %u.%u.%u
|
||||
0x401474L c:\
|
||||
0x4014abL -%X.
|
||||
0x4014feL .
|
||||
0x40154bL SOFTWARE\Microsoft\Windows\CurrentVersion
|
||||
0x40155bL ProductId
|
||||
0x4015b8L SOFTWARE\Microsoft\Windows NT\CurrentVersion
|
||||
0x4015c8L ProductId
|
||||
0x401678L _%X%X
|
||||
0x401870L wsock32.dll
|
||||
0x40188bL wsock32.dll
|
||||
0x4018a2L __WSAFDIsSet
|
||||
0x4018b7L WSAStartup
|
||||
0x4018ccL send
|
||||
0x4018e1L socket
|
||||
0x4018f6L gethostbyname
|
||||
0x40190bL connect
|
||||
0x401920L closesocket
|
||||
0x401935L select
|
||||
0x40194aL recv
|
||||
0x401ae0L SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
||||
0x401af7L csrss
|
||||
0x401b48L %s "%s"
|
||||
0x401cbcL .com
|
||||
0x401ce9L .org
|
||||
0x401d13L .net
|
||||
0x401d39L .ru
|
||||
0x401d53L .in
|
||||
0x40208bL %X%X
|
||||
0x402184L Name
|
||||
0x402194L Description
|
||||
0x402204L Model
|
||||
0x402214L Size
|
||||
0x402259L SKU
|
||||
0x402269L Model
|
||||
0x40229bL %s-%s-%s-%s
|
||||
0x4022f0L \csrss.exe
|
||||
0x402360L \csrss.exe
|
||||
0x4023abL \csrss.exe
|
||||
0x402a23L \dmsnf.cfg
|
||||
0x402c2fL GET /index.php HTTP/1.1
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 10.0; DSNF_%u=%s=)
|
||||
Connection: Keep-Alive
|
||||
Host: %s
|
||||
|
||||
|
||||
|
||||
0x402cb9L <!-
|
||||
0x402df7L +++++++++++++++++++++++++++7ac103214023
|
||||
0x402e0eL --%s
|
||||
Content-Disposition: form-data; name="userfile[]"; filename="dmp"
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
|
||||
|
||||
0x402e2cL POST /indexu.php HTTP/1.1
|
||||
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
|
||||
Accept-Language: en-US
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; DSNF_%u=%s=)
|
||||
Content-Type: multipart/form-data; boundary=%s
|
||||
Host: %s
|
||||
Content-Length: %u
|
||||
Connection: Keep-Alive
|
||||
Cache-Control: no-cache
|
||||
|
||||
|
||||
|
||||
0x402f7bL
|
||||
--%s--
|
||||
|
||||
|
||||
0x403018L <!-OK->
|
||||
0x40309cL LocalFree
|
||||
0x4030b1L GetCurrentProcessId
|
||||
0x4030c6L Module32First
|
||||
0x4030dbL GetTickCount
|
||||
0x4030f0L GetFileSize
|
||||
0x403105L WriteFile
|
||||
0x40311aL Process32First
|
||||
0x40312fL LoadLibraryA
|
||||
0x403144L DeleteFileA
|
||||
0x403159L GetWindowsDirectoryA
|
||||
0x40316eL OpenProcess
|
||||
0x403183L ReadProcessMemory
|
||||
0x403198L CreateProcessA
|
||||
0x4031adL CreateFileA
|
||||
0x4031c2L LocalAlloc
|
||||
0x4031d7L Process32Next
|
||||
0x4031ecL CloseHandle
|
||||
0x403201L CopyFileA
|
||||
0x403216L CreateToolhelp32Snapshot
|
||||
0x40322bL GetModuleHandleA
|
||||
0x403240L SetFilePointer
|
||||
0x403255L ReadFile
|
||||
0x40326aL VirtualQueryEx
|
||||
0x403292L #KHALMNPR.EXE#LBTWiz.exe#ati2evxx.exe#atiesrxx.exe#atieclxx.exe#TrueSuiteService.exe#TrueService.exe#ibmpmsvc.exe#RtHDVCpl.exe#tpfnf6r.exe#LVOSDSVC.exe#TPOSDSVC.exe#TPONSCR.exe#TpScrex.exe#TPHKSVC.exe#tpnumlkd.exe#tpnumlk.exe#ctfmon.exe#msiexec.exe#wdfmgr.exe#wscntfy.exe#SynTPHelper.exe#SynTPEnh.exe#smss.exe#csrss.exe#winlogon.exe#spoolsv.exe#taskmgr.exe#wininit.exe#nvvsvc.exe#btwdins.exe#GoogleUpdate.exe#lsass.exe#LogonUI.exe#hkcmd.exe#wuauclt.exe#igfxpers.exe#igfxsrvc.exe#igfxext.exe#jusched.exe#patch.exe#rthdcpl.exe#mobsync.exe#MsMpEng.exe#msseces.exe#sidebar.exe#internat.exe#WmiPrvSE.exe#SLsvc.exe#kadxmain.exe#SkyTel.exe#realsched.exe#reader_sl.exe#nvxdsync.exe#nvsvc32.exe#ntrtscan.exe#ETDService.exe#HeciServer.exe#ETDCtrl.exe#ETDCtrlHelper.exe#
|
||||
0x40330bL VMware
|
||||
0x403332L audio
|
||||
0x403359L Apple
|
||||
0x403380L License
|
||||
0x4033a7L FontCache
|
||||
0x4033ceL Touch
|
||||
0x4033f5L icon
|
||||
0x40341cL torrent
|
||||
0x403443L Phone
|
||||
0x40346aL Tray
|
||||
0x403491L Icon
|
||||
0x4034b8L FlashPlayer
|
||||
0x4034dfL movie
|
||||
0x403506L vmware
|
||||
0x40352dL tray
|
||||
0x403554L video
|
||||
0x40357bL Torrent
|
||||
0x4035a2L sound
|
||||
0x4035c9L Skype
|
||||
0x403611L #
|
||||
0x403683L 32\Dwm.exe
|
||||
0x4036aaL 32\TpShocks.exe
|
||||
0x4036d1L \pwrmgrv\
|
||||
0x4036f8L \Audio
|
||||
0x40371fL \Video
|
||||
0x403746L \Movie
|
||||
0x40376dL Audio\
|
||||
0x403794L Video\
|
||||
0x4037bbL Movie\
|
||||
0x4037e2L \Apple
|
||||
0x403809L \iPod\
|
||||
0x403830L \DVD
|
||||
0x403857L \QuickTime\
|
||||
0x40387eL \Foxit Software\
|
||||
0x4038a5L \K-Lite C
|
||||
0x4038ccL Games\
|
||||
0x4038f3L Player\
|
||||
0x40391aL \Windows Defender\
|
||||
0x403941L \DAEMON Tools
|
||||
0x403968L \Synaptics\
|
||||
0x40398fL \Roxio\
|
||||
0x4039b6L \Adobe\
|
||||
0x4039ddL \Lenovo\
|
||||
0x403a00L \ThinkPad\
|
||||
0x403bbeL
|
||||
|
||||
=====[
|
||||
0x403be4L ]=(
|
||||
0x403c0eL )=====
|
||||
|
||||
|
||||
|
||||
0x403d1dL advapi32.dll
|
||||
0x403d38L advapi32.dll
|
||||
0x403d4fL RegCloseKey
|
||||
0x403d64L RegSetValueExA
|
||||
0x403d79L LookupPrivilegeValueA
|
||||
0x403d8eL RegCreateKeyExA
|
||||
0x403da3L OpenProcessToken
|
||||
0x403db8L AdjustTokenPrivileges
|
||||
0x403dfcL kernel32.dll
|
||||
0x403e11L GetProcAddress
|
||||
0x403e2cL CreateThread
|
||||
0x403e87L \dmp.tmp
|
||||
0x403ea7L SeDebugPrivilege
|
||||
0x401db7L ROOT\CIMV2
|
||||
0x401e47L WQL
|
||||
0x402174L SELECT * FROM Win32_Processor
|
||||
0x4021c9L SELECT * FROM Win32_ComputerSystemProduct
|
||||
0x4021f4L SELECT * FROM Win32_DiskDrive
|
||||
0x402249L SELECT * FROM Win32_BaseBoard
|
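Review bot: The strings listing carries no header saying what it is or which sample it was extracted from, so the address-prefixed entries (from `0x40143cL %u.%u.%u` onward) cannot be tied back to any of the hashes in the companion IoC file. A first line such as `# Strings with virtual addresses, extracted from sample <SHA256 of sample>` would make the file self-describing for anyone building detections from it. The hunk header shows the file as newly added in full, so there is no existing header elsewhere in it.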
@ -0,0 +1,54 @@
|
||||
#Domains
|
||||
albdfhln.com
|
||||
snbhdfln.com
|
||||
enbdfhln.com
|
||||
ksbfdlch.com
|
||||
kobdflnh.com
|
||||
alcgkown.com
|
||||
encgkown.com
|
||||
ksckgweo.com
|
||||
sndvjpqt.com
|
||||
sneomuwn.com
|
||||
rxemuown.com
|
||||
alfpmrnq.org
|
||||
algspvqt.org
|
||||
alhvrytw.org
|
||||
aliyuown.org
|
||||
koiyuwno.org
|
||||
aljnwpyo.org
|
||||
alkpmrnq.net
|
||||
snkrpmnq.net
|
||||
enkpmrnq.net
|
||||
allqntpr.net
|
||||
kolqnprt.net
|
||||
almspvqt.net
|
||||
alntqwrv.net
|
||||
alovrytw.net
|
||||
alvpnsor.in
|
||||
alwqntpr.in
|
||||
almspvru.net
|
||||
enmspvru.net
|
||||
alovsmtx.net
|
||||
|
||||
#IPs
|
||||
169.239.128.110
|
||||
95.213.246.242
|
||||
190.115.18.241
|
||||
185.144.83.85
|
||||
209.99.40.222
|
||||
5.45.86.234
|
||||
208.91.197.91
|
||||
37.1.202.157
|
||||
208.100.26.251
|
||||
185.82.203.225
|
||||
54.37.205.28
|
||||
146.185.239.17
|
||||
|
||||
#Samples:
|
||||
b8ec727d4f97edaaa8ddeeac3673a1aed94ee95aacde5f93e66fc0db30c3dec8
|
||||
770113543f9c189d306ea2984482ee445c9c4723a6e415cf7614b0a448f38b66
|
||||
f33aaa2360e89fc9015cb14d9441b87f169a5ca0451aa9d9adfd440946212668
|
||||
|
||||
#Rules:
|
||||
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"FlashPoint DMSniff UserAgent"; flow:established,to_server; content:"DSNF_"; http_user_agent; classtype:trojan-activity; sid:9000030; rev:1; metadata:author Jason Reaves;)
|
||||
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"FlashPoint DMSniff Checkin Response"; flow:established,to_client; content:"200"; http_stat_code; content:"<title>Error</title>"; content:"<!-"; within: 20; content:"->This Account Has Been Suspended"; http_server_body; classtype:trojan-activity; sid:9000031; rev:1; metadata:author Jason Reaves;)
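Review bot: The `#Samples:` section lists three hashes without naming the algorithm; their 64-hex-character length suggests SHA-256, and the header should state it, e.g. `#Samples (SHA256):`. The two `alert http` lines under `#Rules:` appear to be Suricata-style signatures (they use the `http_user_agent` and `http_server_body` buffers), so labelling the section with the intended engine, e.g. `#Rules (Suricata):`, would spare anyone loading them a guess. Keeping the domain, IP, hash and rule sections each under an explicit header like this also makes the file easier to parse by type.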
|
@ -24,6 +24,7 @@ Please fire issue to me if any lost APT/Malware events/campaigns.
|
||||
* [MITRE Att&CK: Group](https://attack.mitre.org/groups/)
|
||||
|
||||
## 2019
|
||||
* Mar 13 - [[FlashPoint] ‘DMSniff’ POS Malware Actively Leveraged to Target Small-, Medium-Sized Businesses](https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/) | [Local](../../blob/master/2019/2019.03.13.DMSniff_POS_Malware)
|
||||
* Mar 13 - [[CheckPoint] Operation Sheep: Pilfer-Analytics SDK in Action](https://research.checkpoint.com/operation-sheep-pilfer-analytics-sdk-in-action/) | [Local](../../blob/master/2019/2019.03.13.Operation_Sheep)
|
||||
* Mar 12 - [[Pala Alto Network] Operation Comando: How to Run a Cheap and Effective Credit Card Business](https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/) | [Local](../../blob/master/2019/2019.03.12.Operation_Comando)
|
||||
* Mar 11 - [[ESET] Gaming industry still in the scope of attackers in Asia](https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/) | [Local](../../blob/master/2019/2019.03.11.Gaming-Industry.Asia)
|
||||
|