mirror of
https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections
synced 2024-06-28 09:51:38 +00:00
.. | ||
hashes.txt | ||
ips.txt | ||
README.md | ||
suricata.rules | ||
yara.yar |
Operation Wocao - Indicators of Compromise
This repository contains the indicators of compromise related to the Operation Wocao report.
Operation Wocao (我操, “Wǒ cāo”, used as “shit” or “damn”) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group.
The full report can be found here:
Available IOCs
Filename | Description |
---|---|
ips.txt | The various IPs obversed, either as C2 or as operator IPs. |
hashes.txt | The hashes for various malicious scripts and binaries. |
Available signatures
Filename | Description |
---|---|
yara.yar | Contains Yara signatures to detect various malicious scripts and binaries. |
suricata.rules | Contains Suricata signatures to detect XServer and other malicious traffic. |
Context for IP addresses
IP | Hoster | Active period | Description |
---|---|---|---|
185.244.150.236 | Host Sailor | 2018 | Identified in the memory dump of a compromised machine. Used as a command line argument for a PowerShell backdoor. Also used to access webshells. |
217.182.129.156 | OVH | 2018-2019 | Back-connect used by the agent backdoor. Identified based on compromised machines connecting to this IP with a known suspicious client hello value in the TLS handshake. IP is hardcoded. |
23.254.211.108 | Hostwinds | 2018-2019 | Used to connect to a VPN concentrator with stolen credentials. |
108.61.179.160 | Choopa / Vultr | 2018-2019 | Used to connect to a VPN concentrator with stolen credentials. |
198.46.140.26 | ColoCrossing | 2018-2019 | Used to connect to a VPN concentrator with stolen credentials. |
31.222.185.215 | Rackspace | 2018-2019 | Used to access webshells. |
45.77.229.10 | Choopa / Vultr | 2018-2019 | Used to access webshells. |
46.101.153.58 | Digital Ocean | 2018-2019 | Used to access webshells. |
62.141.37.236 | myLoc | 2018-2019 | Used to access webshells. |
95.179.161.243 | Vultr | 2018-2019 | Used to access webshells. |
138.68.144.161 | Digital Ocean | 2018-2019 | Used to access webshells. |
185.191.228.108 | Cogent Communications | 2018-2019 | Used to access webshells. |
209.97.140.206 | Alameda | 2018-2019 | Used to access webshells. |
46.182.106.190 | Tor exit node | * | Used to access webshells. |
141.255.162.36 | Tor exit node | * | Used to access webshells. |
185.220.101.0 | Tor exit node | * | Used to access webshells. |