From 8e18069593d16d595a31c6ccb2ccb520fe0e1acb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Vojt=C4=9B=C5=A1ek?=
Date: Tue, 13 Oct 2020 13:19:46 +0200
Subject: [PATCH] FakeMBAM: Added IoCs
---
FakeMBAM/README.md | 131 ++++++++++++++++++++++++++++++++++++++++
FakeMBAM/network.txt | 29 +++++++++
FakeMBAM/samples.md5 | 38 ++++++++++++
FakeMBAM/samples.sha1 | 38 ++++++++++++
FakeMBAM/samples.sha256 | 38 ++++++++++++
5 files changed, 274 insertions(+)
create mode 100644 FakeMBAM/README.md
create mode 100644 FakeMBAM/network.txt
create mode 100644 FakeMBAM/samples.md5
create mode 100644 FakeMBAM/samples.sha1
create mode 100644 FakeMBAM/samples.sha256
diff --git a/FakeMBAM/README.md b/FakeMBAM/README.md
new file mode 100644
index 0000000..81c37d1
--- /dev/null
+++ b/FakeMBAM/README.md
@@ -0,0 +1,131 @@
+# IOC for FakeMBAM
+
+Malware analysis and more technical information at
+
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [Network indicators](#network-indicators)
+* [File names](#file-names)
+* [Registry keys](#registry-keys)
+
+
+## Samples (SHA-256)
+#### FakeMBAM installer/FakeMBAM backdoor
+```
+391817d625e14d6b5b0115b7215c07d9ef6612cccdb1d6891626fdd5609506bf Qt5Help.dll
+02be0f263b95017caa20f0fed861d2126e81ec176d542cc7415074f48965f2e0 Qt5WinExtras.dll
+dfb1a78be311216cd0aa5cb78759875cd7a2eeb5cc04a8abc38ba340145f72b9 MBSetup2.exe
+f2caa14fd11685ba28068ea79e58bf0b140379b65921896e227a0c7db30a0f2c MBSetup.exe
+```
+
+#### Miner payloads
+```
+c6a8623e74f5aad94d899770b4a2ac5ef111e557661e09e62efc1d9a3eb1201c C:\ProgramData\VMware\VMware Tools\vmmem.exe
+fea67139bc724688d55e6a2fde8ff037b4bd24a5f2d2eb2ac822096a9c214ede C:\ProgramData\VMware\VMware Tools\vmtoolsd.exe
+b3755d85548cefc4f641dfb6af4ccc4b3586a9af0ade33cc4e646af15b4390e7 C:\ProgramData\VMware\VMware Tools\vm3dservice.exe
+7f7b6939ae77c40aa2d95f5bf1e6a0c5e68287cafcb3efb16932f88292301a4d C:\ProgramData\VMware\VMware Tools\vm3dservice.exe
+c90899fcaab784f98981ce988ac73a72b0b1dbceb7824f72b8218cb5783c6791 C:\ProgramData\VMware\VMware Tools\vmtoolsd.exe
+a4447559249f3ce04be4c6d28fc15946cbb8513da76ba522f635bda6a60bedcc C:\ProgramData\VMware\VMware Tools\vmtoolsd.exe
+8536d573c4180f5df09f183b9434636127127b2134fbf5dced0360ec6d4ee772 C:\ProgramData\VMware\VMware Tools\vmtoolsd.exe
+61b194c80b6c2d2c97920cd46dd62ced48a419a09179bae7de3a9cfa4305a830 C:\ProgramData\VMware\VMware Tools\VMwareHostOpen.exe
+589377832b1f1e6be2bdbef1753f30e3907c89a680f7f327999d9a1b510aa4ae C:\ProgramData\Mega Tools\ServiceHub.CLR.x64.exe
+d7a06cba490da60cfbf6f120c33652393f7a1b9176170e57c6cc3649530fca6a C:\ProgramData\Sega Tools\ServiceHub.CLR.x64.exe
+af49b57c1fc4781a7a38457c0b4a595dbb6b5bd7bc4ccafe15fb6b8ae29e17f8 C:\ProgramData\Sega Tools\ServiceHub.CLR.x64.exe
+55869621fb2321ab8c8684d10c49e50e6a0b131f215ac0bbfe7c398d08fbea34 C:\ProgramData\Sega Tools\ServiceHub.CLR.x64.exe
+f761242dfa8cf57faaae2c659f450bcbdc3253134556141eb6e0e282fbd98aa1 C:\ProgramData\Packages\Sega.549981C3F5F10_8wekyb3d8bbwe\ServiceHub.CLR.x64.exe
+269e14bb368ef26f47416a8fcd7f556bece57f5b6113986dc733c2230efdf398 C:\ProgramData\USOPrivate\SearchApp.exe
+beb718a13ef88b2d7f2126226217e76ea773af609aeae870f55e8eb6ed4c497b C:\ProgramData\Package\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\SearchApp.exe
+70830ed1357efd6b373faeaa52701369e2ae7bf9ad74e2f9355b5499ecef1123 C:\ProgramData\USOPrivate\SearchApp.exe
+277cb64e6cd1155c21f6f169d77036ea6e4a36288494f2dfc39d2e76191197d9 C:\ProgramData\USOPrivate\SearchApp.exe
+f8288ecb42478dd37335669a956b4e1adb3400928e1ec440a24882163a9cbbe8 C:\ProgramData\USOPrivate\SearchApp.exe
+edd918e7fe5dbb8e66464939c4a62132d5a3ba17d081c56f0a23beffb2c0ca0c C:\ProgramData\USOPrivate\SearchApp.exe
+4c36a69540ffb7ac3655170148fe9f358bf0fc926baa7ef96611a7688727f76f C:\ProgramData\USOPrivate\SearchApp.exe
+468968df636c3a3b7ef85b0ff528aeb403eaae7c943e4eebfbe5b98de19ff711 C:\ProgramData\USOPrivate\SearchApp.exe
+a10277ffaec4e691cb1fa51fd65d2b7e045b138b0689ad7f5e0b79d855822df6 C:\ProgramData\USOPrivate\SearchApp.exe
+```
+
+#### data.pak
+```
+3036593e424bd4628593131b445408ba6a4039ef08e2fcdda1558010cc39ef37 data.pak
+43bcec1d5149d43afbb4439eb88f59dcdbf1de363828a022e4a0b6474440223c data.pak
+503e1b04708db7bf22935beee235965e503c370692904fb0c37344fd29696036 data.pak
+624ae4069182064f1801beec52dee3195f15a306ccaaba4a798a5b1823fe0df8 data.pak
+709e71ec3837520552e76c72796c6422a0713da88e227ac423d80e6f727c32a9 data.pak
+7223641157529b6152503f4cf3cd2bbe358e325ebf0cef3b3930e058012c9de4 data.pak
+768ceff0ddc67c5ea8858c6b1e80ddcac0907ded692efd33502c85eff370852a data.pak
+893b242669d076f2460a789f951611dc58ab73c47f7b582fe504d7ecd0d18f29 data.pak
+931e705984f60011b18aa0c38fb18f2040b87233dd94b506e7f20e504da58b6d data.pak
+97e57ce2aded883a2eefc4a5cf60d162b98a3637abb2424e77083820c76422fa data.pak
+97f8cd6db13a4e17d1aa84ce8950c153156b50f2eb29f5e3cd1a4496f50e7e0a data.pak
+9734166814c8db737d472241e72bde437236da59a94d4991bb81589ce9271fad data.pak
+```
+
+## Network indicators
+#### C&C URLs
+```
+https://apis.bytestech[.]dev/get/data
+https://apis.mbytestech[.]com/get/data
+https://apis.masterbyte[.]nl/get/data
+https://d3ko3huol26z6z.cloudfront[.]net/get/data
+https://d1t8lqzz4q8388.cloudfront[.]net/get/data
+https://agonistatdata[.]site/get/data
+https://apolistatdata[.]site/get/data
+https://augustatdata[.]site/get/data
+https://dq96vx43jmub5.cloudfront[.]net/get/data
+```
+
+#### Download URLs
+```
+http://dl.bytestech[.]dev/1/mbsetup.exe
+http://dl.bytestech[.]dev/2/mbsetup.exe
+http://dl.bytestech[.]dev/3/mbsetup.exe
+http://dl.bytestech[.]dev/mbsetup2.exe
+http://dl.cloudnetbytes[.]com/3/mbsetup.exe
+```
+#### Private mining pool IP addresses
+```
+142.4.214[.]15
+164.90.228[.]90
+134.122.75[.]91
+134.122.95[.]252
+188.124.36[.]164
+54.93.189[.]78
+18.184.46[.]95
+35.180.226[.]235
+46.101.118[.]136
+46.101.195[.]40
+185.132.176[.]153
+139.59.156[.]70
+15.236.226[.]247
+46.101.120[.]189
+34.254.170[.]193
+18.159.45[.]239
+52.57.156[.]29
+134.122.77[.]49
+35.180.36[.]209
+```
+
+
+## File names
+```
+%ProgramFiles%\Malwarebytes\Qt5Help.dll
+%ProgramFiles(x86)%\Malwarebytes\Qt5Help.dll
+%ProgramFiles%\Malwarebytes\data.pak
+%ProgramFiles(x86)%\Malwarebytes\data.pak
+%ProgramData%\VMware\VMware Tools\vmmem.exe
+%ProgramData%\VMware\VMware Tools\vmtoolsd.exe
+%ProgramData%\VMware\VMware Tools\vm3dservice.exe
+%ProgramData%\VMware\VMware Tools\vmtoolsd.exe
+%ProgramData%\VMware\VMware Tools\VMwareHostOpen.exe
+%ProgramData%\Mega Tools\ServiceHub.CLR.x64.exe
+%ProgramData%\Sega Tools\ServiceHub.CLR.x64.exe
+%ProgramData%\Packages\Sega.549981C3F5F10_8wekyb3d8bbwe\ServiceHub.CLR.x64.exe
+%ProgramData%\Package\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\SearchApp.exe
+```
+
+## Registry keys
+```
+HKLM\SOFTWARE\Wow6432Node\Malwarebytes\LicenseKey
+HKLM\SOFTWARE\Malwarebytes\LicenseKey
+```
diff --git a/FakeMBAM/network.txt b/FakeMBAM/network.txt
new file mode 100644
index 0000000..f48ff1e
--- /dev/null
+++ b/FakeMBAM/network.txt
@@ -0,0 +1,29 @@
+bytestech[.]dev
+mbytestech[.]com
+masterbyte[.]nl
+d3ko3huol26z6z.cloudfront[.]net
+d1t8lqzz4q8388.cloudfront[.]net
+agonistatdata[.]site
+apolistatdata[.]site
+augustatdata[.]site
+dq96vx43jmub5.cloudfront[.]net
+cloudnetbytes[.]com
+142.4.214[.]15
+164.90.228[.]90
+134.122.75[.]91
+134.122.95[.]252
+188.124.36[.]164
+54.93.189[.]78
+18.184.46[.]95
+35.180.226[.]235
+46.101.118[.]136
+46.101.195[.]40
+185.132.176[.]153
+139.59.156[.]70
+15.236.226[.]247
+46.101.120[.]189
+34.254.170[.]193
+18.159.45[.]239
+52.57.156[.]29
+134.122.77[.]49
+35.180.36[.]209
diff --git a/FakeMBAM/samples.md5 b/FakeMBAM/samples.md5
new file mode 100644
index 0000000..eba2309
--- /dev/null
+++ b/FakeMBAM/samples.md5
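Review bot: network.txt flattens the C&C/download domains and the mining-pool IPs into one untyped list with no observation date, so a consumer cannot apply different handling to the two classes — the domains are attacker-registered and stable, whereas several of the IPs appear to sit in public-cloud address space and can be reassigned to unrelated tenants after the campaign, turning a permanent block into a false positive. Consider one typed, dated row per indicator, e.g. `domain,bytestech[.]dev,<first-seen>` and `ip,142.4.214[.]15,<first-seen>`, or at minimum a split into a domains file and an IPs file so blocklist ingestion can put a TTL on the IP entries. The `[.]` defanging is right for sharing but must be reversed before automated use; a sentence in README.md saying the lists are defanged would spare downstream tooling a silent miss.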
@@ -0,0 +1,38 @@
+08defaf0b22cf32604bdc121595727c0
+0a956722ce13a46fe08a3690620d5dac
+0e898ee0e7a8e2165ae737f2d540686c
+15811809b32c258a4c3a0385db251c08
+20efaf9fae9340afd4ea38cfde20915e
+241603449769f19d5edbf1af3d604d33
+2a9b17b97d41864855465155b9f4d0c5
+3d9b1620a35055bc811cc9afef8b3055
+3fc25036735ab0bdc655f4ec8396e289
+4597f6a6d4cdecff0f43a7da5d7db370
+4a8982935d9fd546297141fc7d81bf63
+4f0c7aa726e0cfa4d94bd418b0698c9d
+4fc936993d0199c84e4e3a0cb2fc0cb3
+516802c3849732b6c28453d7a80e2720
+53325e205e2132192624dfffc21b97c7
+548ad791ee992ce93a2c3d04bb6424ee
+628a0c623d6d1fe037b8845e0e533cc2
+6439974f94df37164c67a93d9d072346
+6ae4aaf713642dbcee9902f493f2cea8
+71151f8a1aab1cbaa7f9f388873550ab
+78322472e79ea0afba4d46595dc8bada
+78f5094fa66a9aa4dc10470d5c3e3155
+79c23de77762c2beae09a9354b906bf8
+7cb49a953fe41ec48b5695d8c1bdc68f
+938f12260b44298f87b0e0b62b9a6c5e
+98d14fc694dcac2216fb8f888c560b3a
+a463122f1c5eec0f06b34ea5c038f3bb
+a69412cba06f3ff29a7aa424c5806645
+bb1c06d9c5636f1f6c9d1e5d64344906
+c35b2a50093122203687539bb4c20aec
+c3f6c66e6efcfd3cf56c810ef2db8b12
+d444135bc9490929bbed7252f12c704b
+d4f013fc3278065d855bbc1de14ee473
+d690a4cc7794f4c2f65fa0f43cff5a3f
+da1678f8e9122100beaf0b7d27a0963e
+e353d2b6f0c83dd060719ffc4bb18c67
+f937f3efad1675c48b404c723eeec0b0
+fd24588efb959c93f5f0211e3523c19b
diff --git a/FakeMBAM/samples.sha1 b/FakeMBAM/samples.sha1
new file mode 100644
index 0000000..40b192b
--- /dev/null
+++ b/FakeMBAM/samples.sha1
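Review bot: samples.md5, samples.sha1 and samples.sha256 each carry 38 digests (presumably the same 38 samples) but not in a common order — the md5 and sha256 lists are sorted by hex value while the sha1 list is not — so a row in one file cannot be mapped to its counterpart in another, nor to the file names that only README.md supplies for the SHA-256 set. A single table with one row per sample, `md5,sha1,sha256,filename`, would make all three correlatable; if the per-algorithm lists are kept for tooling that expects them, generate them from that table so they stay aligned. MD5 and SHA-1 are adequate as lookup keys for legacy feeds, but detection rules should key on the SHA-256 where it is available rather than on the collision-prone digests alone.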
@@ -0,0 +1,38 @@
+035de4136fd7c5f2800230ac5cb4f63f52f519f9
+7e7910c3526c0ed425ab82f904367ca85f0302bf
+259e46dba9fe849d1154f8c8cd909da86725981f
+f244ee60293d6ee378f41e72774cde9a2f380e45
+b21eee3bc4672292f18eed1d1876ac031ec5c3eb
+6ee455ef1e76babe2ef941ac74ac9388332db2f2
+c17f95e75037dea7a8c636118f7a24eabb5bd09d
+846d586dd0ad891b70709dfbe4dd012ca5f20886
+4ec12e30102a7f0b7e7728fb3fdd04dd0afeecd5
+ae8597c83754ef0c0771c0e97dc3fe4dd82a6363
+7054d2c2231311991670c43ab2dba6d70cb6eb55
+cea7e643817ccf5be7c01c29520bc44edcc6d0a7
+fc0ba08372031291dba626fab3f97cd0a5711dda
+4255f26e9bc6804a0db276603a7f86b6625a4ac4
+a4155926cb923a59ce017afa7b9764d38b92c0ed
+7e6d62f8e48ab08d507956637859e590156167b9
+8c4ecf2d90fbfb7d1871ecbe430397d3c4586c3f
+e9fb2aa23d598ebad57d5bf2d0c08362ecd3ef9e
+fff92aa8bcf6fae354e7a9d84d1a383bd6cc67b3
+706bfbe37753b84dcd85579d26a0df74b4c4d47b
+f5c8fc52983867178eeb635e489b6e9a4f78c0b4
+308d7b65782f72ce17c330d8f2d6922aee7169c5
+dd3c2e989557533aa05b04c8b9034d57f8aeb3e7
+ae2dd2091650f8cae0d475f887f6361b46f68a53
+d2ebe768847321b45599dd89b743cebe0d1ee533
+55a41b4a6e5312e00d6284d82251efc7a97e19eb
+9413089dd11251d58d98314e2fdd5a409d53a9d6
+39bdb6978f6976d0a2e201fee0ec1c71f815a999
+bdcdf59639ff0126209477254a6c709d1965359f
+4f06b8d9ddb64fc4b24ab2a40ccdbbbd25d0d591
+4c488937d6cd74359f6dea7910a17c0f201b2b4e
+4474598ac25db468e21dac32d45b645d3a50a9d8
+c654c4d035cab4a443026490aff4314e9ad87b7c
+93b892759e6f7db11d5ff544d3c5fda91a5b3923
+fbb5ff3fbde775344179163a960f1a05b53359a2
+f6412176f0f206dfcec97ab1d7333ce7d8c56f28
+40a83bf13b52c256b4394da2dd2aa4510184b5c2
+c2f759043b7c3cb94b84a7fd38511a87ae5b52ce
diff --git a/FakeMBAM/samples.sha256 b/FakeMBAM/samples.sha256
new file mode 100644
index 0000000..1492e6d
--- /dev/null
+++ b/FakeMBAM/samples.sha256
@@ -0,0 +1,38 @@
+02be0f263b95017caa20f0fed861d2126e81ec176d542cc7415074f48965f2e0
+269e14bb368ef26f47416a8fcd7f556bece57f5b6113986dc733c2230efdf398
+277cb64e6cd1155c21f6f169d77036ea6e4a36288494f2dfc39d2e76191197d9
+3036593e424bd4628593131b445408ba6a4039ef08e2fcdda1558010cc39ef37
+391817d625e14d6b5b0115b7215c07d9ef6612cccdb1d6891626fdd5609506bf
+43bcec1d5149d43afbb4439eb88f59dcdbf1de363828a022e4a0b6474440223c
+468968df636c3a3b7ef85b0ff528aeb403eaae7c943e4eebfbe5b98de19ff711
+4c36a69540ffb7ac3655170148fe9f358bf0fc926baa7ef96611a7688727f76f
+503e1b04708db7bf22935beee235965e503c370692904fb0c37344fd29696036
+55869621fb2321ab8c8684d10c49e50e6a0b131f215ac0bbfe7c398d08fbea34
+589377832b1f1e6be2bdbef1753f30e3907c89a680f7f327999d9a1b510aa4ae
+61b194c80b6c2d2c97920cd46dd62ced48a419a09179bae7de3a9cfa4305a830
+624ae4069182064f1801beec52dee3195f15a306ccaaba4a798a5b1823fe0df8
+70830ed1357efd6b373faeaa52701369e2ae7bf9ad74e2f9355b5499ecef1123
+709e71ec3837520552e76c72796c6422a0713da88e227ac423d80e6f727c32a9
+7223641157529b6152503f4cf3cd2bbe358e325ebf0cef3b3930e058012c9de4
+768ceff0ddc67c5ea8858c6b1e80ddcac0907ded692efd33502c85eff370852a
+7f7b6939ae77c40aa2d95f5bf1e6a0c5e68287cafcb3efb16932f88292301a4d
+8536d573c4180f5df09f183b9434636127127b2134fbf5dced0360ec6d4ee772
+893b242669d076f2460a789f951611dc58ab73c47f7b582fe504d7ecd0d18f29
+931e705984f60011b18aa0c38fb18f2040b87233dd94b506e7f20e504da58b6d
+9734166814c8db737d472241e72bde437236da59a94d4991bb81589ce9271fad
+97e57ce2aded883a2eefc4a5cf60d162b98a3637abb2424e77083820c76422fa
+97f8cd6db13a4e17d1aa84ce8950c153156b50f2eb29f5e3cd1a4496f50e7e0a
+a10277ffaec4e691cb1fa51fd65d2b7e045b138b0689ad7f5e0b79d855822df6
+a4447559249f3ce04be4c6d28fc15946cbb8513da76ba522f635bda6a60bedcc
+af49b57c1fc4781a7a38457c0b4a595dbb6b5bd7bc4ccafe15fb6b8ae29e17f8
+b3755d85548cefc4f641dfb6af4ccc4b3586a9af0ade33cc4e646af15b4390e7
+beb718a13ef88b2d7f2126226217e76ea773af609aeae870f55e8eb6ed4c497b
+c6a8623e74f5aad94d899770b4a2ac5ef111e557661e09e62efc1d9a3eb1201c
+c90899fcaab784f98981ce988ac73a72b0b1dbceb7824f72b8218cb5783c6791
+d7a06cba490da60cfbf6f120c33652393f7a1b9176170e57c6cc3649530fca6a
+dfb1a78be311216cd0aa5cb78759875cd7a2eeb5cc04a8abc38ba340145f72b9
+edd918e7fe5dbb8e66464939c4a62132d5a3ba17d081c56f0a23beffb2c0ca0c
+f2caa14fd11685ba28068ea79e58bf0b140379b65921896e227a0c7db30a0f2c
+f761242dfa8cf57faaae2c659f450bcbdc3253134556141eb6e0e282fbd98aa1
+f8288ecb42478dd37335669a956b4e1adb3400928e1ec440a24882163a9cbbe8
+fea67139bc724688d55e6a2fde8ff037b4bd24a5f2d2eb2ac822096a9c214ede