mirror of
https://github.com/avast/ioc
synced 2024-06-28 09:41:14 +00:00
49 lines
2.0 KiB
Markdown
49 lines
2.0 KiB
Markdown
![]() |
# IoC for Meh part 2
|
||
|
|
||
|
Malware analysis and more technical information at <https://decoded.avast.io/janrubin/meh-2-2/>
|
||
|
|
||
|
The technical analysis of the first part of the blogpost series can be found at <https://decoded.avast.io/janrubin/complex-obfuscation-meh/>
|
||
|
IoCs of the first part of the blogpost series can be found at <https://github.com/avast/ioc/tree/master/Meh>
|
||
|
|
||
|
### Table of Contents
|
||
|
* [Samples (SHA-256)](#samples-sha-256)
|
||
|
* [File names](#file-names)
|
||
|
* [Network indicators](#network-indicators)
|
||
|
|
||
|
|
||
|
## Samples (SHA-256)
|
||
|
#### Meh binary and related files
|
||
|
```
|
||
|
94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e - Initial AutoIt script
|
||
|
43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c - Stage 1 - Dropper
|
||
|
34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6 - Stage 2 - Shellcode
|
||
|
2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5 - Stage 3 - Shellcode 2
|
||
|
657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282 - Stage 4 - Meh stager
|
||
|
66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8 - pe.bin
|
||
|
75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30 - base.au3
|
||
|
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 - autoit.exe
|
||
|
1f13024724491b4b083dfead60931dcacabd70e5bd674c41a83a02410dea070d - Meh password stealer
|
||
|
3c1e5930d35815097435268fab724a6ed1bc347dd97cd20eb05f645a25eb692b - cpux64.bin
|
||
|
57b6fa7cbc98b752da6002e1b877a0e1d83f453f9227044b0b96bf28b0131195 - cpux86.bin
|
||
|
722502b7302fd6bae93c57212fcafad2767c5f869e37bd00487b946f76251c8d - cpux64.bin unpacked
|
||
|
e96403de3807ccb740f9ca6cade9ebd85696485590f51a4eb1c308de9875dfaa - cpux86.bin unpacked
|
||
|
```
|
||
|
|
||
|
## File names
|
||
|
```
|
||
|
C:\ProgramData\Intel\Wireless\
|
||
|
C:\Users\<user>\AppData\Local\Temp\test.txt
|
||
|
C:\Users\<user>\AppData\Local\Temp\torrent.txt
|
||
|
```
|
||
|
|
||
|
## Network indicators
|
||
|
#### C&C servers
|
||
|
```
|
||
|
http[:]//193-22-92-35.intesre.com
|
||
|
http[:]//0.le4net00.net
|
||
|
http[:]//83.171.237.231
|
||
|
http[:]//deploy.static.blazingtechnologies.io
|
||
|
http[:]//0.weathdata.nu
|
||
|
http[:]//124.red-79-152-243.dynamicip.fina-tdl.io
|
||
|
```
|