FakeMBAM: Added IoCs
This commit is contained in:
parent
71731c8946
commit
8e18069593
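--- a/FakeMBAM/README.md
+++ b/FakeMBAM/README.md
@@ -0,0 +1,131 @@
+# IOC for FakeMBAM
+
+Malware analysis and more technical information at <https://decoded.avast.io/janvojtesek/fakembam-backdoor-delivered-through-software-updates/>
+
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [Network indicators](#network-indicators)
+* [File names](#file-names)
+* [Registry keys](#registry-keys)
+
+
+## Samples (SHA-256)
+#### FakeMBAM installer/FakeMBAM backdoor
+```
+391817d625e14d6b5b0115b7215c07d9ef6612cccdb1d6891626fdd5609506bf Qt5Help.dll
+02be0f263b95017caa20f0fed861d2126e81ec176d542cc7415074f48965f2e0 Qt5WinExtras.dll
+dfb1a78be311216cd0aa5cb78759875cd7a2eeb5cc04a8abc38ba340145f72b9 MBSetup2.exe
+f2caa14fd11685ba28068ea79e58bf0b140379b65921896e227a0c7db30a0f2c MBSetup.exe
+```
+
+#### Miner payloads
+```
+c6a8623e74f5aad94d899770b4a2ac5ef111e557661e09e62efc1d9a3eb1201c C:\ProgramData\VMware\VMware Tools\vmmem.exe
+fea67139bc724688d55e6a2fde8ff037b4bd24a5f2d2eb2ac822096a9c214ede C:\ProgramData\VMware\VMware Tools\vmtoolsd.exe
+b3755d85548cefc4f641dfb6af4ccc4b3586a9af0ade33cc4e646af15b4390e7 C:\ProgramData\VMware\VMware Tools\vm3dservice.exe
+7f7b6939ae77c40aa2d95f5bf1e6a0c5e68287cafcb3efb16932f88292301a4d C:\ProgramData\VMware\VMware Tools\vm3dservice.exe
+c90899fcaab784f98981ce988ac73a72b0b1dbceb7824f72b8218cb5783c6791 C:\ProgramData\VMware\VMware Tools\vmtoolsd.exe
+a4447559249f3ce04be4c6d28fc15946cbb8513da76ba522f635bda6a60bedcc C:\ProgramData\VMware\VMware Tools\vmtoolsd.exe
+8536d573c4180f5df09f183b9434636127127b2134fbf5dced0360ec6d4ee772 C:\ProgramData\VMware\VMware Tools\vmtoolsd.exe
+61b194c80b6c2d2c97920cd46dd62ced48a419a09179bae7de3a9cfa4305a830 C:\ProgramData\VMware\VMware Tools\VMwareHostOpen.exe
+589377832b1f1e6be2bdbef1753f30e3907c89a680f7f327999d9a1b510aa4ae C:\ProgramData\Mega Tools\ServiceHub.CLR.x64.exe
+d7a06cba490da60cfbf6f120c33652393f7a1b9176170e57c6cc3649530fca6a C:\ProgramData\Sega Tools\ServiceHub.CLR.x64.exe
+af49b57c1fc4781a7a38457c0b4a595dbb6b5bd7bc4ccafe15fb6b8ae29e17f8 C:\ProgramData\Sega Tools\ServiceHub.CLR.x64.exe
+55869621fb2321ab8c8684d10c49e50e6a0b131f215ac0bbfe7c398d08fbea34 C:\ProgramData\Sega Tools\ServiceHub.CLR.x64.exe
+f761242dfa8cf57faaae2c659f450bcbdc3253134556141eb6e0e282fbd98aa1 C:\ProgramData\Packages\Sega.549981C3F5F10_8wekyb3d8bbwe\ServiceHub.CLR.x64.exe
+269e14bb368ef26f47416a8fcd7f556bece57f5b6113986dc733c2230efdf398 C:\ProgramData\USOPrivate\SearchApp.exe
+beb718a13ef88b2d7f2126226217e76ea773af609aeae870f55e8eb6ed4c497b C:\ProgramData\Package\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\SearchApp.exe
+70830ed1357efd6b373faeaa52701369e2ae7bf9ad74e2f9355b5499ecef1123 C:\ProgramData\USOPrivate\SearchApp.exe
+277cb64e6cd1155c21f6f169d77036ea6e4a36288494f2dfc39d2e76191197d9 C:\ProgramData\USOPrivate\SearchApp.exe
+f8288ecb42478dd37335669a956b4e1adb3400928e1ec440a24882163a9cbbe8 C:\ProgramData\USOPrivate\SearchApp.exe
+edd918e7fe5dbb8e66464939c4a62132d5a3ba17d081c56f0a23beffb2c0ca0c C:\ProgramData\USOPrivate\SearchApp.exe
+4c36a69540ffb7ac3655170148fe9f358bf0fc926baa7ef96611a7688727f76f C:\ProgramData\USOPrivate\SearchApp.exe
+468968df636c3a3b7ef85b0ff528aeb403eaae7c943e4eebfbe5b98de19ff711 C:\ProgramData\USOPrivate\SearchApp.exe
+a10277ffaec4e691cb1fa51fd65d2b7e045b138b0689ad7f5e0b79d855822df6 C:\ProgramData\USOPrivate\SearchApp.exe
+```
+
+#### data.pak
+```
+3036593e424bd4628593131b445408ba6a4039ef08e2fcdda1558010cc39ef37 data.pak
+43bcec1d5149d43afbb4439eb88f59dcdbf1de363828a022e4a0b6474440223c data.pak
+503e1b04708db7bf22935beee235965e503c370692904fb0c37344fd29696036 data.pak
+624ae4069182064f1801beec52dee3195f15a306ccaaba4a798a5b1823fe0df8 data.pak
+709e71ec3837520552e76c72796c6422a0713da88e227ac423d80e6f727c32a9 data.pak
+7223641157529b6152503f4cf3cd2bbe358e325ebf0cef3b3930e058012c9de4 data.pak
+768ceff0ddc67c5ea8858c6b1e80ddcac0907ded692efd33502c85eff370852a data.pak
+893b242669d076f2460a789f951611dc58ab73c47f7b582fe504d7ecd0d18f29 data.pak
+931e705984f60011b18aa0c38fb18f2040b87233dd94b506e7f20e504da58b6d data.pak
+97e57ce2aded883a2eefc4a5cf60d162b98a3637abb2424e77083820c76422fa data.pak
+97f8cd6db13a4e17d1aa84ce8950c153156b50f2eb29f5e3cd1a4496f50e7e0a data.pak
+9734166814c8db737d472241e72bde437236da59a94d4991bb81589ce9271fad data.pak
+```
+
+## Network indicators
+#### C&C URLs
+```
+https://apis.bytestech[.]dev/get/data
+https://apis.mbytestech[.]com/get/data
+https://apis.masterbyte[.]nl/get/data
+https://d3ko3huol26z6z.cloudfront[.]net/get/data
+https://d1t8lqzz4q8388.cloudfront[.]net/get/data
+https://agonistatdata[.]site/get/data
+https://apolistatdata[.]site/get/data
+https://augustatdata[.]site/get/data
+https://dq96vx43jmub5.cloudfront[.]net/get/data
+```
+
+#### Download URLs
+```
+http://dl.bytestech[.]dev/1/mbsetup.exe
+http://dl.bytestech[.]dev/2/mbsetup.exe
+http://dl.bytestech[.]dev/3/mbsetup.exe
+http://dl.bytestech[.]dev/mbsetup2.exe
+http://dl.cloudnetbytes[.]com/3/mbsetup.exe
+```
+#### Private mining pool IP addresses
+```
+142.4.214[.]15
+164.90.228[.]90
+134.122.75[.]91
+134.122.95[.]252
+188.124.36[.]164
+54.93.189[.]78
+18.184.46[.]95
+35.180.226[.]235
+46.101.118[.]136
+46.101.195[.]40
+185.132.176[.]153
+139.59.156[.]70
+15.236.226[.]247
+46.101.120[.]189
+34.254.170[.]193
+18.159.45[.]239
+52.57.156[.]29
+134.122.77[.]49
+35.180.36[.]209
+```
+
+
+## File names
+```
+%ProgramFiles%\Malwarebytes\Qt5Help.dll
+%ProgramFiles(x86)%\Malwarebytes\Qt5Help.dll
+%ProgramFiles%\Malwarebytes\data.pak
+%ProgramFiles(x86)%\Malwarebytes\data.pak
+%ProgramData%\VMware\VMware Tools\vmmem.exe
+%ProgramData%\VMware\VMware Tools\vmtoolsd.exe
+%ProgramData%\VMware\VMware Tools\vm3dservice.exe
+%ProgramData%\VMware\VMware Tools\vmtoolsd.exe
+%ProgramData%\VMware\VMware Tools\VMwareHostOpen.exe
+%ProgramData%\Mega Tools\ServiceHub.CLR.x64.exe
+%ProgramData%\Sega Tools\ServiceHub.CLR.x64.exe
+%ProgramData%\Packages\Sega.549981C3F5F10_8wekyb3d8bbwe\ServiceHub.CLR.x64.exe
+%ProgramData%\Package\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\SearchApp.exe
+```
+
+## Registry keys
+```
+HKLM\SOFTWARE\Wow6432Node\Malwarebytes\LicenseKey
+HKLM\SOFTWARE\Malwarebytes\LicenseKey
+```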
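--- a/FakeMBAM/network.txt
+++ b/FakeMBAM/network.txt
@@ -0,0 +1,29 @@
+bytestech[.]dev
+mbytestech[.]com
+masterbyte[.]nl
+d3ko3huol26z6z.cloudfront[.]net
+d1t8lqzz4q8388.cloudfront[.]net
+agonistatdata[.]site
+apolistatdata[.]site
+augustatdata[.]site
+dq96vx43jmub5.cloudfront[.]net
+cloudnetbytes[.]com
+142.4.214[.]15
+164.90.228[.]90
+134.122.75[.]91
+134.122.95[.]252
+188.124.36[.]164
+54.93.189[.]78
+18.184.46[.]95
+35.180.226[.]235
+46.101.118[.]136
+46.101.195[.]40
+185.132.176[.]153
+139.59.156[.]70
+15.236.226[.]247
+46.101.120[.]189
+34.254.170[.]193
+18.159.45[.]239
+52.57.156[.]29
+134.122.77[.]49
+35.180.36[.]209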
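Review bot: network.txt mixes three indicator kinds in one undifferentiated list — registrable domains, full CloudFront hostnames (which cannot be reduced to the shared cloudfront[.]net apex) and bare IP addresses — with no type tag, observation date or validity window, so a consumer ingesting the file straight into a blocklist has to guess how to treat each line. The CloudFront hostnames and the pool IPs are the kind of infrastructure that tends to be reassigned over time, so without a date stale matches are likely; this is an inference from the indicator types, not something the page states. The README already defangs everything with `[.]` but does not say so or give the observation date. Suggest a README line next to the network section such as `Indicators in network.txt are defanged with [.] (refang before use) and reflect infrastructure observed at the time of the linked analysis; CloudFront hostnames are listed in full because the cloudfront[.]net apex is shared.`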
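--- a/FakeMBAM/samples.md5
+++ b/FakeMBAM/samples.md5
@@ -0,0 +1,38 @@
+08defaf0b22cf32604bdc121595727c0
+0a956722ce13a46fe08a3690620d5dac
+0e898ee0e7a8e2165ae737f2d540686c
+15811809b32c258a4c3a0385db251c08
+20efaf9fae9340afd4ea38cfde20915e
+241603449769f19d5edbf1af3d604d33
+2a9b17b97d41864855465155b9f4d0c5
+3d9b1620a35055bc811cc9afef8b3055
+3fc25036735ab0bdc655f4ec8396e289
+4597f6a6d4cdecff0f43a7da5d7db370
+4a8982935d9fd546297141fc7d81bf63
+4f0c7aa726e0cfa4d94bd418b0698c9d
+4fc936993d0199c84e4e3a0cb2fc0cb3
+516802c3849732b6c28453d7a80e2720
+53325e205e2132192624dfffc21b97c7
+548ad791ee992ce93a2c3d04bb6424ee
+628a0c623d6d1fe037b8845e0e533cc2
+6439974f94df37164c67a93d9d072346
+6ae4aaf713642dbcee9902f493f2cea8
+71151f8a1aab1cbaa7f9f388873550ab
+78322472e79ea0afba4d46595dc8bada
+78f5094fa66a9aa4dc10470d5c3e3155
+79c23de77762c2beae09a9354b906bf8
+7cb49a953fe41ec48b5695d8c1bdc68f
+938f12260b44298f87b0e0b62b9a6c5e
+98d14fc694dcac2216fb8f888c560b3a
+a463122f1c5eec0f06b34ea5c038f3bb
+a69412cba06f3ff29a7aa424c5806645
+bb1c06d9c5636f1f6c9d1e5d64344906
+c35b2a50093122203687539bb4c20aec
+c3f6c66e6efcfd3cf56c810ef2db8b12
+d444135bc9490929bbed7252f12c704b
+d4f013fc3278065d855bbc1de14ee473
+d690a4cc7794f4c2f65fa0f43cff5a3f
+da1678f8e9122100beaf0b7d27a0963e
+e353d2b6f0c83dd060719ffc4bb18c67
+f937f3efad1675c48b404c723eeec0b0
+fd24588efb959c93f5f0211e3523c19b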
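Review bot: The three hash lists samples.md5, samples.sha1 and samples.sha256 are not row-aligned — samples.md5 and samples.sha256 are each sorted lexicographically while samples.sha1 is in an unrelated order — so line N in one file does not name the same sample as line N in another, and a reader cannot pair the MD5, SHA-1 and SHA-256 of a single file from these lists alone. The same point applies to the samples.sha1 and samples.sha256 sections below. If the lists are meant as independent sets, say so in the README (`The samples.* files are unordered sets of all 38 samples; only the README maps SHA-256 to file name.`); otherwise sort all three the same way, or add a single three-column file so the digests can be correlated.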
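--- a/FakeMBAM/samples.sha1
+++ b/FakeMBAM/samples.sha1
@@ -0,0 +1,38 @@
+035de4136fd7c5f2800230ac5cb4f63f52f519f9
+7e7910c3526c0ed425ab82f904367ca85f0302bf
+259e46dba9fe849d1154f8c8cd909da86725981f
+f244ee60293d6ee378f41e72774cde9a2f380e45
+b21eee3bc4672292f18eed1d1876ac031ec5c3eb
+6ee455ef1e76babe2ef941ac74ac9388332db2f2
+c17f95e75037dea7a8c636118f7a24eabb5bd09d
+846d586dd0ad891b70709dfbe4dd012ca5f20886
+4ec12e30102a7f0b7e7728fb3fdd04dd0afeecd5
+ae8597c83754ef0c0771c0e97dc3fe4dd82a6363
+7054d2c2231311991670c43ab2dba6d70cb6eb55
+cea7e643817ccf5be7c01c29520bc44edcc6d0a7
+fc0ba08372031291dba626fab3f97cd0a5711dda
+4255f26e9bc6804a0db276603a7f86b6625a4ac4
+a4155926cb923a59ce017afa7b9764d38b92c0ed
+7e6d62f8e48ab08d507956637859e590156167b9
+8c4ecf2d90fbfb7d1871ecbe430397d3c4586c3f
+e9fb2aa23d598ebad57d5bf2d0c08362ecd3ef9e
+fff92aa8bcf6fae354e7a9d84d1a383bd6cc67b3
+706bfbe37753b84dcd85579d26a0df74b4c4d47b
+f5c8fc52983867178eeb635e489b6e9a4f78c0b4
+308d7b65782f72ce17c330d8f2d6922aee7169c5
+dd3c2e989557533aa05b04c8b9034d57f8aeb3e7
+ae2dd2091650f8cae0d475f887f6361b46f68a53
+d2ebe768847321b45599dd89b743cebe0d1ee533
+55a41b4a6e5312e00d6284d82251efc7a97e19eb
+9413089dd11251d58d98314e2fdd5a409d53a9d6
+39bdb6978f6976d0a2e201fee0ec1c71f815a999
+bdcdf59639ff0126209477254a6c709d1965359f
+4f06b8d9ddb64fc4b24ab2a40ccdbbbd25d0d591
+4c488937d6cd74359f6dea7910a17c0f201b2b4e
+4474598ac25db468e21dac32d45b645d3a50a9d8
+c654c4d035cab4a443026490aff4314e9ad87b7c
+93b892759e6f7db11d5ff544d3c5fda91a5b3923
+fbb5ff3fbde775344179163a960f1a05b53359a2
+f6412176f0f206dfcec97ab1d7333ce7d8c56f28
+40a83bf13b52c256b4394da2dd2aa4510184b5c2
+c2f759043b7c3cb94b84a7fd38511a87ae5b52ce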
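--- a/FakeMBAM/samples.sha256
+++ b/FakeMBAM/samples.sha256
@@ -0,0 +1,38 @@
+02be0f263b95017caa20f0fed861d2126e81ec176d542cc7415074f48965f2e0
+269e14bb368ef26f47416a8fcd7f556bece57f5b6113986dc733c2230efdf398
+277cb64e6cd1155c21f6f169d77036ea6e4a36288494f2dfc39d2e76191197d9
+3036593e424bd4628593131b445408ba6a4039ef08e2fcdda1558010cc39ef37
+391817d625e14d6b5b0115b7215c07d9ef6612cccdb1d6891626fdd5609506bf
+43bcec1d5149d43afbb4439eb88f59dcdbf1de363828a022e4a0b6474440223c
+468968df636c3a3b7ef85b0ff528aeb403eaae7c943e4eebfbe5b98de19ff711
+4c36a69540ffb7ac3655170148fe9f358bf0fc926baa7ef96611a7688727f76f
+503e1b04708db7bf22935beee235965e503c370692904fb0c37344fd29696036
+55869621fb2321ab8c8684d10c49e50e6a0b131f215ac0bbfe7c398d08fbea34
+589377832b1f1e6be2bdbef1753f30e3907c89a680f7f327999d9a1b510aa4ae
+61b194c80b6c2d2c97920cd46dd62ced48a419a09179bae7de3a9cfa4305a830
+624ae4069182064f1801beec52dee3195f15a306ccaaba4a798a5b1823fe0df8
+70830ed1357efd6b373faeaa52701369e2ae7bf9ad74e2f9355b5499ecef1123
+709e71ec3837520552e76c72796c6422a0713da88e227ac423d80e6f727c32a9
+7223641157529b6152503f4cf3cd2bbe358e325ebf0cef3b3930e058012c9de4
+768ceff0ddc67c5ea8858c6b1e80ddcac0907ded692efd33502c85eff370852a
+7f7b6939ae77c40aa2d95f5bf1e6a0c5e68287cafcb3efb16932f88292301a4d
+8536d573c4180f5df09f183b9434636127127b2134fbf5dced0360ec6d4ee772
+893b242669d076f2460a789f951611dc58ab73c47f7b582fe504d7ecd0d18f29
+931e705984f60011b18aa0c38fb18f2040b87233dd94b506e7f20e504da58b6d
+9734166814c8db737d472241e72bde437236da59a94d4991bb81589ce9271fad
+97e57ce2aded883a2eefc4a5cf60d162b98a3637abb2424e77083820c76422fa
+97f8cd6db13a4e17d1aa84ce8950c153156b50f2eb29f5e3cd1a4496f50e7e0a
+a10277ffaec4e691cb1fa51fd65d2b7e045b138b0689ad7f5e0b79d855822df6
+a4447559249f3ce04be4c6d28fc15946cbb8513da76ba522f635bda6a60bedcc
+af49b57c1fc4781a7a38457c0b4a595dbb6b5bd7bc4ccafe15fb6b8ae29e17f8
+b3755d85548cefc4f641dfb6af4ccc4b3586a9af0ade33cc4e646af15b4390e7
+beb718a13ef88b2d7f2126226217e76ea773af609aeae870f55e8eb6ed4c497b
+c6a8623e74f5aad94d899770b4a2ac5ef111e557661e09e62efc1d9a3eb1201c
+c90899fcaab784f98981ce988ac73a72b0b1dbceb7824f72b8218cb5783c6791
+d7a06cba490da60cfbf6f120c33652393f7a1b9176170e57c6cc3649530fca6a
+dfb1a78be311216cd0aa5cb78759875cd7a2eeb5cc04a8abc38ba340145f72b9
+edd918e7fe5dbb8e66464939c4a62132d5a3ba17d081c56f0a23beffb2c0ca0c
+f2caa14fd11685ba28068ea79e58bf0b140379b65921896e227a0c7db30a0f2c
+f761242dfa8cf57faaae2c659f450bcbdc3253134556141eb6e0e282fbd98aa1
+f8288ecb42478dd37335669a956b4e1adb3400928e1ec440a24882163a9cbbe8
+fea67139bc724688d55e6a2fde8ff037b4bd24a5f2d2eb2ac822096a9c214ede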