From 094707ea9c084a74f67e31b6ada1cf4550bedf18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Linkeov=C3=A1=20Romana?=
Date: Wed, 28 Aug 2019 12:49:53 +0200
Subject: [PATCH] Almaq: Added IoC files
---
 Almaq/README.md | 43 +++++++++++++++++++++++++++++++++++++++++++
 Almaq/network.txt | 8 ++++++++
 Almaq/samples.md5 | 15 +++++++++++++++
 Almaq/samples.sha1 | 15 +++++++++++++++
 Almaq/samples.sha256 | 15 +++++++++++++++
 5 files changed, 96 insertions(+)
 create mode 100644 Almaq/README.md
 create mode 100644 Almaq/network.txt
 create mode 100644 Almaq/samples.md5
 create mode 100644 Almaq/samples.sha1
 create mode 100644 Almaq/samples.sha256
diff --git a/Almaq/README.md b/Almaq/README.md
new file mode 100644
index 0000000..38979e7
--- /dev/null
+++ b/Almaq/README.md
@@ -0,0 +1,43 @@
+# IoC for Almaq
+
+Malware analysis and more technical information at
+
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [Network indicators](#network-indicators)
+
+## Samples (SHA-256)
+```
+4098d92ead72b1b2749e2d58102327f670a1db2d46c6e74eefbbed7f68167265 - AlMashreqService.dll
+9cbc09dd569942582a6ec3d94fb5c9fc70c1e43282dc36dcc8cdf8d0a5131235 - AlMashreqService.dll
+8b4baa073900f9602845694f6d1f9358a196ea0b7dfc06ad320f9c162bff0141 - acrobat reader.exe
+945426553022101b7a75c6b5cad3d780363193b5412ea077257873b1971dfed3 - adobe.exe
+497c2e9aa686f12031df590c124e7a9d0f0b1df7bf52e5fbd9ffa1501e383e93 - Printer.exe
+d61b743aa7e5b50f2ebe3f5a4cd31ee97d51282ba083b7dc5265888f5797ab88 - Printr.exe
+6fef864850bf8a603305370dc5f522366af6392946a8049647d1423a9a62461c - spoolsv.exe
+39f696883838d5ddc91f76fb8f1b547c20a9ef08e1f5e836bf64b7956e7644c3 - Service.exe
+32f59e810ab96690c848097686a94c57de6221af6d299ac153f617b7c504bb55 - Service.exe
+04e363bd90dea1b18d6f3f4f3f92b00ce55ee1289c05eb575a0f7cd0ab138902 - Dll.exe
+2139f4084795ec07ec0ba78292154879c3bb1c495661471017a83355bf5f8af0 - DllLiberary.exe
+07884b08b394f1cedec09e8e0bf46a7ef29d904e10cb0079893d294c7ab286a2 - svchost.exe
+036760d3a1b4760e9bf5527f0fed0e0a8bb98b6dbec3d5de7d8aba6afbeaf82b - SearchFile.exe
+081ea05b7476425189575ce5d30b941a61e252448cc8f8e5bc2a6c290d25d670 - security.exe
+078cf6f436eb73112bf4dc00f601e4a82bd4476b55df660a1b19186c8b646fc1 - security.exe
+```
+
+## Network indicators
+### C&C servers
+```
+http://servicesx.gearhostpreview[.]com/data.asmx
+http://systemservicex.azurewebsites[.]net/data.asmx
+http://adobereader.azurewebsites[.]net/data.asmx
+http://gcmedservice.azurewebsites[.]net/Scripts.asmx
+alhussienweb.ddns[.]net
+```
+### FTP servers
+```
+ftp://waws-prod-am2-253.ftp.azurewebsites.windows[.]net/site/wwwroot
+ftp://waws-prod-sn1-071.ftp.azurewebsites.windows[.]net/site/wwwroot/
+ftp://ftp.gear[.]host/site/wwwroot/
+```
\ No newline at end of file
diff --git a/Almaq/network.txt b/Almaq/network.txt
new file mode 100644
index 0000000..6e75e7a
--- /dev/null
+++ b/Almaq/network.txt
@@ -0,0 +1,8 @@
+http://servicesx.gearhostpreview[.]com/data.asmx
+http://systemservicex.azurewebsites[.]net/data.asmx
+http://adobereader.azurewebsites[.]net/data.asmx
+http://gcmedservice.azurewebsites[.]net/Scripts.asmx
+alhussienweb.ddns[.]net
+ftp://waws-prod-am2-253.ftp.azurewebsites.windows[.]net/site/wwwroot
+ftp://waws-prod-sn1-071.ftp.azurewebsites.windows[.]net/site/wwwroot/
+ftp://ftp.gear[.]host/site/wwwroot/
\ No newline at end of file
diff --git a/Almaq/samples.md5 b/Almaq/samples.md5
new file mode 100644
index 0000000..cf83bab
--- /dev/null
+++ b/Almaq/samples.md5
@@ -0,0 +1,15 @@
+920507E661C1D84AE628E220E4AE3383
+B67190A447A6CFB3A0797499666C8484
+5A397C3FD9F2DA729329831FB5353FF0
+9E1607D43383A44F657D535447560FDB
+EB9309DDFCA03782DE4142C8F07E6F3F
+3D812F4E159298B0F11BB882C17C84BA
+59A9BA27C4DE5A0EBE47E6DD9AA870A0
+59ACCABC0A8A72015B6CE23A12976682
+27DECCAF2BE6566CCF94DCDE733007AB
+1491B24ED0AF833853163BC0D630CFAA
+F18925F67AD48F90707A105F6E8D3BE5
+79B34269779A7FD583D2AF73D3843556
+999812BA770FD1126A9EBD01672EAD3A
+1BCB90D0C9F4095D7E410F82396DDC71
+556AA37196833F30BDB74A744E15BEFC
\ No newline at end of file
diff --git a/Almaq/samples.sha1 b/Almaq/samples.sha1
new file mode 100644
index 0000000..f74aaf9
--- /dev/null
+++ b/Almaq/samples.sha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o newline at end of file
diff --git a/Almaq/samples.sha256 b/Almaq/samples.sha256
new file mode 100644
index 0000000..0290c6f
--- /dev/null
+++ b/Almaq/samples.sha256
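Review bot: network.txt mixes three indicator types on one flat list — full HTTP URLs, a bare hostname (`alhussienweb.ddns[.]net`) and FTP URLs — with no marker saying which is which, and the two Azure FTP entries differ only by a trailing slash (`/site/wwwroot` vs `/site/wwwroot/`). A consumer feeding this file into a blocklist has to guess whether the third field is a domain indicator or a truncated URL, and whether the path is significant. The `waws-prod-*.ftp.azurewebsites.windows[.]net` and `ftp.gear[.]host` names look like shared hosting-platform FTP endpoints rather than attacker-owned hosts (inferred from the naming, not from the patch), so they should be matched on the full URL and path, not blocked at the host level. Either split the file into `domains.txt` / `urls.txt`, or state in README.md which lines are hosts and which are URLs, and pick one trailing-slash convention for the FTP paths.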
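Review bot: The hashes in samples.md5 are written in uppercase, and the same applies to samples.sha1 and samples.sha256, while README.md lists the SHA-256 values in lowercase; a tool that compares hashes as case-sensitive strings will match one file and miss the other. Most sandboxes, `sha256sum`-style tools and threat-intel feeds emit lowercase hex, so normalising the three hash files to lowercase before commit (e.g. `tr 'A-Z' 'a-z'`) keeps the repository consistent with the README and with the usual interchange form. The sha256 list is also sorted while the README is ordered by sample name, which is fine as long as the casing agrees.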
@@ -0,0 +1,15 @@
+036760D3A1B4760E9BF5527F0FED0E0A8BB98B6DBEC3D5DE7D8ABA6AFBEAF82B
+04E363BD90DEA1B18D6F3F4F3F92B00CE55EE1289C05EB575A0F7CD0AB138902
+07884B08B394F1CEDEC09E8E0BF46A7EF29D904E10CB0079893D294C7AB286A2
+078CF6F436EB73112BF4DC00F601E4A82BD4476B55DF660A1B19186C8B646FC1
+081EA05B7476425189575CE5D30B941A61E252448CC8F8E5BC2A6C290D25D670
+2139F4084795EC07EC0BA78292154879C3BB1C495661471017A83355BF5F8AF0
+32F59E810AB96690C848097686A94C57DE6221AF6D299AC153F617B7C504BB55
+39F696883838D5DDC91F76FB8F1B547C20A9EF08E1F5E836BF64B7956E7644C3
+4098D92EAD72B1B2749E2D58102327F670A1DB2D46C6E74EEFBBED7F68167265
+497C2E9AA686F12031DF590C124E7A9D0F0B1DF7BF52E5FBD9FFA1501E383E93
+6FEF864850BF8A603305370DC5F522366AF6392946A8049647D1423A9A62461C
+8B4BAA073900F9602845694F6D1F9358A196EA0B7DFC06AD320F9C162BFF0141
+945426553022101B7A75C6B5CAD3D780363193B5412EA077257873B1971DFED3
+9CBC09DD569942582A6EC3D94FB5C9FC70C1E43282DC36DCC8CDF8D0A5131235
+D61B743AA7E5B50F2EBE3F5A4CD31EE97D51282BA083B7DC5265888F5797AB88
\ No newline at end of file