File paths (entries marked "(random)" have directory and/or file names that appear randomly generated per infection; match those on the parent pattern and the sibling artefacts rather than on the exact string)
|
|
%APPDATA%\Microsoft\Word\MSWord.exe
|
|
%APPDATA%\Axpim\ubfic.exe (random)
|
|
%APPDATA%\Axpim\anfel.js (random)
|
|
%APPDATA%\Nuuw\ilebi.xpi (random)
|
|
%APPDATA%\Nuuw\yqyra.js (random)
|
|
%TEMP%\ntlm.exe
|
|
%TEMP%\msvci.dll
|
|
%TEMP%\msvcp.dll
|
|
%TEMP%\msvck.dll
|
|
%TEMP%\msvct.dll
|
|
%TEMP%\msvci.exe (64bit)
|
|
%TEMP%\msvck60.dll (64bit)
|
|
%TEMP%\msvct60.dll (64bit)
|
|
%APPDATA%\Microsoft\VisualStudio\11.0\dws.exe
|
|
%APPDATA%\Microsoft\VisualStudio\11.0\msi.dll
|
|
%APPDATA%\Microsoft\VisualStudio\11.0\msi.exe
|
|
%APPDATA%\Microsoft\VisualStudio\11.0\msi32.dll
|
|
%APPDATA%\Microsoft\VisualStudio\11.0\msi60.dll
|
|
%APPDATA%\Microsoft\VisualStudio\11.0\msk.dll
|
|
%APPDATA%\Microsoft\VisualStudio\11.0\msk60.dll
|
|
%APPDATA%\Microsoft\VisualStudio\11.0\msp.dll
|
|
%APPDATA%\Microsoft\VisualStudio\11.0\msp60.dll
|
|
%APPDATA%\Microsoft\VisualStudio\11.0\mst.dll
|
|
%APPDATA%\Microsoft\VisualStudio\11.0\mst60.dll
|
|
%APPDATA%\Microsoft\VisualStudio\11.0\msvci60.dll
|
|
%APPDATA%\Axpim\selfdel.bat
|
|
%TEMP%\xmlupd.bat
|
|
Named pipes
|
|
\\.\pipe\bc367
|
|
\\.\pipe\bc31a7
|
|
Registry paths (persistence locations; "->" gives the path stored as the value data, i.e. the binary referenced by that value)
|
|
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchostUpdate
|
|
-> %TEMP%\ntlm.exe
|
|
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Devices
|
|
-> %TEMP%\ntlm.exe
|
|
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchostUpdate
|
|
-> %TEMP%\svchost.exe
|
|
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Devices
|
|
-> %TEMP%\svchost.exe
|
|
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\dwm service
|
|
-> %TEMP%\dwms.exe
|
|
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Devices
|
|
-> %TEMP%\dwms.exe
|
|
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwupdate
|
|
-> %APPDATA%\Microsoft\VisualStudio\11.0\dws.exe
|
|
Scheduled tasks
|
|
update
|
|
Created with: schtasks /create /SC DAILY /ST 12:00 /TN update /F /TR %APPDATA%\Microsoft\VisualStudio\11.0\dws.exe (runs daily at 12:00; /F overwrites any existing task of that name; points at the same dws.exe as the HKLM ...\Run\dwupdate entry above)
|
|
Network activity (URLs contacted; the paths resemble WordPress / phpMyAdmin locations, which suggests compromised legitimate sites rather than attacker-registered infrastructure, but this is not confirmed here — treat the hosts as indicators, not as proof of attacker ownership)
|
|
2014-2015 variants (URLs listed without scheme; match on host + path):
|
|
reckless.dk/wp-includes/class-pomo.php
|
|
reckless.dk/wp-includes/class.wp-db.php
|
|
fishstalk.esy.es/wp-content/plugins/bbpress/includes/common/menu.php
|
|
fishstalk.esy.es/wp-includes/SimplePie/Net/IPv4.php
|
|
77-ufo.com/wp-includes/class-menu.php
|
|
77-ufo.com/pma/db_table.php
|
|
scientific.otzo.com/rss.php
|