
= Machete -- Indicators of Compromise

For a technical analysis of Machete, check the white paper available on
https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf[WeLiveSecurity].

A high level summary is also available as a blog post
https://www.welivesecurity.com/2019/08/01/sharpening-machete-cyberespionage/[here].

The https://www.misp-project.org[MISP] event is available in
link:misp-machete-event.json[`misp-machete-event.json`].

== Sample hashes

=== GoogleUpdate.exe


=== Chrome.exe


=== GoogleCrash.exe


=== RAR/7z SFX: config + malicious components

ESET detection names vary for these samples, depending on the malicious components they hold inside.


=== 7z SFX: decoy + downloader


=== RAR SFX: URL config + downloader


=== Downloader


=== RAR/7z SFX: decoy + payload (no downloader)


=== \_hashlbi.pyw


=== \_bsdbd.pyw


=== \_clypes.pyw


=== \_elementree.pyw


=== \_mssi.pyw


=== \_multiproccessing.pyw


== Domain names


== Server IPs
