From 8c4e1ffbfb23b83856b9977dbcf8b76c32b0b3bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Nov=C3=A1k?=
Date: Wed, 6 Apr 2022 11:28:28 +0200
Subject: [PATCH 1/2] Added IoC for Parrot TDS
---
 ParrotTDS/README.md | 2 ++
 ParrotTDS/network.txt | 46 ++++++++++++++++++++++++++++++++++++++++
 ParrotTDS/samples.md5 | 8 +++++++
 ParrotTDS/samples.sha1 | 8 +++++++
 ParrotTDS/samples.sha256 | 8 +++++++
 5 files changed, 72 insertions(+)
 create mode 100644 ParrotTDS/README.md
 create mode 100644 ParrotTDS/network.txt
 create mode 100644 ParrotTDS/samples.md5
 create mode 100644 ParrotTDS/samples.sha1
 create mode 100644 ParrotTDS/samples.sha256
diff --git a/ParrotTDS/README.md b/ParrotTDS/README.md
new file mode 100644
index 0000000..3430684
--- /dev/null
+++ b/ParrotTDS/README.md
@@ -0,0 +1,2 @@
+# ParrotTDS_IoC
+This repository contains IoCs of the Parrot TDS
diff --git a/ParrotTDS/network.txt b/ParrotTDS/network.txt
new file mode 100644
index 0000000..8ca7873
--- /dev/null
+++ b/ParrotTDS/network.txt
@@ -0,0 +1,46 @@
+clickstat360[.]com
+statclick[.]net
+staticvisit[.]net
+webcachespace[.]net
+syncadv[.]com
+webcachestorage[.]com
+parmsplace[.]com
+ahrealestatepr[.]com
+expresswayautopr[.]com
+xomosagency[.]com
+codigodebarra[.]co
+craigconnors[.]com
+lawrencetravelco[.]com
+maxxcorp[.]net
+2ctmedia[.]com
+accountablitypartner[.]com
+walmyrivera[.]com
+youbyashboutique[.]com
+weightlossihp[.]com
+codingbit[.]co[.]in
+fishslayerjigco[.]com
+avanzatechnicalsolutions[.]com
+srkpc[.]com
+wholesalerandy[.]com
+mattingsolutions[.]co
+integrativehealthpartners[.]com
+wwpcrisis[.]com
+lilscrambler[.]com
+markbrey[.]com
+nuwealthmedia[.]com
+pocketstay[.]com
+fioressence[.]com
+drpease[.]com
+refinedwebs[.]com
+spillpalletonline[.]com
+altcoinfan[.]com
+windsorbongvape[.]com
+hill-family[.]us
+109.234.35[.]249
+141.136.35[.]157
+91.219.236[.]192
+91.219.236[.]202
+194.180.158[.]173
+87.120.8[.]141
+15.76.172[.]110
+45.76.172[.]113
\ No newline at end of file
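Review bot: `15.76.172[.]110`, the second-to-last added line of network.txt, sits directly above `45.76.172[.]113` and looks like it may be a transcription slip for `45.76.172[.]110`; if so, the published indicator points at an unrelated netblock and will produce false positives for anyone who imports the list verbatim. Please verify that address against the source telemetry before the file is consumed by blocklists. The hunk also mixes what appear to be attacker-operated TDS domains (e.g. `clickstat360[.]com`, `statclick[.]net`, `webcachestorage[.]com`) with entries that look like ordinary business websites, presumably the compromised hosts described in the linked analysis, yet the flat file carries no field to tell the two apart. A per-line role tag or a separate section for compromised sites would let a consumer block the infrastructure without also blocking the victims.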
diff --git a/ParrotTDS/samples.md5 b/ParrotTDS/samples.md5
new file mode 100644
index 0000000..a7fc74a
--- /dev/null
+++ b/ParrotTDS/samples.md5
@@ -0,0 +1,8 @@
+252dce576f9fbb9aaa7114dd7150f320
+8050cab7a651295576e361c1d3a47ae1
+30a320e1ace79672ba59e4ef4b0714b2
+fcc699089107449df02860fbd5ee14b0
+5e8c0513edb7d188b817fad58bc1d607
+252dce576f9fbb9aaa7114dd7150f320
+2a77875b08d4d2bb7b654db33a88f16c
+c28b5bb4cc0608fed45b1450a19bf8ed
\ No newline at end of file
diff --git a/ParrotTDS/samples.sha1 b/ParrotTDS/samples.sha1
new file mode 100644
index 0000000..9d4dca4
--- /dev/null
+++ b/ParrotTDS/samples.sha1
@@ -0,0 +1,8 @@
+c07f0a02c284b697dff119839f455836be39d10e
+e587f7c71cee0bdba61992b3bf21c75c9ffa226f
+bfd262619992d77f941a8afed423261a97c11758
+2a5b98f479541c4de547430e152b5ec2cd98ed4e
+71a4784fa9c477472873302188cab1b7261146d3
+c07f0a02c284b697dff119839f455836be39d10e
+e68dede6f9288e04eaf0359d5622d721fea7184d
+0bf7c6a89c229931f368d4151e25c73faa6baf12
\ No newline at end of file
diff --git a/ParrotTDS/samples.sha256 b/ParrotTDS/samples.sha256
new file mode 100644
index 0000000..fdc6700
--- /dev/null
+++ b/ParrotTDS/samples.sha256
@@ -0,0 +1,8 @@
+e22e88c8ec0f439eebbb6387eeea0d332f57c137ae85cf1d8d1bb4c7ea8bd2f2
+daabdec3d5a43bb1c0340451be466d9f90eaa0cfac92fb6beaabc59452c473c3
+b63260c1f213c02fcbb5c1a069ab2f1d17031e598fd19673bb639aa7557a9bae
+0046fad95da901f398f800ece8af479573a08ebf8db9529851172ead01648faa
+15afd9eb66450b440d154e98ed82971f1b968323ff11b839b046ae4bec60f855
+b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad
+8ad9c598c1fde52dd2bfced5f953ca0d013b0c65feb5ded73585cfc420c95a95
+4fffa055d56e48fa0c469a54e2ebd857f23eca73a9928805b6a29a9483dffc21
\ No newline at end of file
From 46420fbe85d8c8a3bcd62a367a5d6e2cbc406e81 Mon Sep 17 00:00:00 2001
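Review bot: The sixth line of samples.md5 (`252dce576f9fbb9aaa7114dd7150f320`) is a byte-for-byte repeat of its first line, and samples.sha1 shows the same pattern with `c07f0a02c284b697dff119839f455836be39d10e` at positions 1 and 6, whereas samples.sha256 has eight distinct values with `b6b51f42…153055ad` at position 6. Either the MD5/SHA-1 for the sixth sample were copy-pasted from the first, or the three files are not in the same order; in both cases the MD5 and SHA-1 lists as committed cover only seven of the eight samples and cannot be reliably correlated with the SHA-256 list by position. Please regenerate samples.md5 and samples.sha1 from the same sample set and in the same order as samples.sha256, and consider a single CSV with one row per sample (`sha256,sha1,md5,role`) so the three digests cannot drift apart again.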
From: =?UTF-8?q?Pavel=20Nov=C3=A1k?=
Date: Wed, 6 Apr 2022 11:44:17 +0200
Subject: [PATCH 2/2] Added IoC for Parrot TDS
---
 ParrotTDS/README.md | 25 +++++++++++++++++++++++--
 ParrotTDS/network.txt | 8 +++++++-
 2 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/ParrotTDS/README.md b/ParrotTDS/README.md
index 3430684..1e8aed5 100644
--- a/ParrotTDS/README.md
+++ b/ParrotTDS/README.md
@@ -1,2 +1,23 @@
-# ParrotTDS_IoC
-This repository contains IoCs of the Parrot TDS
+# IoC for ParrotTDS and related SocGholish campaign
+
+Analysis is available at https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/.
+
+## Samples (SHA-256)
+#### Binary and related files
+##### Parrot TDS
+```
+e22e88c8ec0f439eebbb6387eeea0d332f57c137ae85cf1d8d1bb4c7ea8bd2f2 - Proxied version JavaScript
+daabdec3d5a43bb1c0340451be466d9f90eaa0cfac92fb6beaabc59452c473c3 - Direct version JavaScript
+b63260c1f213c02fcbb5c1a069ab2f1d17031e598fd19673bb639aa7557a9bae - Webshell
+```
+##### FakeUpdate
+```
+0046fad95da901f398f800ece8af479573a08ebf8db9529851172ead01648faa - FakeUpdate JavaScript
+15afd9eb66450b440d154e98ed82971f1b968323ff11b839b046ae4bec60f855 - FakeUpdate appearance JavaScript
+```
+##### NetSupport RAT
+```
+b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad - NetSupport Client
+8ad9c598c1fde52dd2bfced5f953ca0d013b0c65feb5ded73585cfc420c95a95 - NetSupport Client
+4fffa055d56e48fa0c469a54e2ebd857f23eca73a9928805b6a29a9483dffc21 - NetSupport Config
+```
diff --git a/ParrotTDS/network.txt b/ParrotTDS/network.txt
index 8ca7873..91ef706 100644
--- a/ParrotTDS/network.txt
+++ b/ParrotTDS/network.txt
@@ -43,4 +43,10 @@ hill-family[.]us
 194.180.158[.]173
 87.120.8[.]141
 15.76.172[.]110
-45.76.172[.]113
\ No newline at end of file
+45.76.172[.]113
+5.180.136[.]119
+94.158.247[.]84
+94.158.245[.]113
+94.158.247[.]100
+154.38.242[.]14
+199.247.3[.]55
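Review bot: The context line `15.76.172[.]110` immediately above the changed tail of network.txt still looks like a possible slip for `45.76.172[.]110`, given the neighbouring `45.76.172[.]113`; since this commit already rewrites the end of the file, it is the natural place to confirm or correct that address rather than carry it forward. The six new addresses (`5.180.136[.]119` through `199.247.3[.]55`) arrive with no role or date, and although the README rewrite in the same commit groups samples into Parrot TDS / FakeUpdate / NetSupport, network.txt has no equivalent grouping, so a consumer cannot tell which of these are TDS proxy hosts and which, if any, are NetSupport C2 without re-reading the blog post. A per-line role tag, or a `## Network` section in the README mirroring the sample grouping, would make the indicators usable for targeted detection rather than only for bulk blocking.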