FakeMBAM: Added IoCs
This commit is contained in:
parent
71731c8946
commit
8e18069593
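--- a/FakeMBAM/README.md
+++ b/FakeMBAM/README.md
@@ -0,0 +1,131 @@
+# IOC for FakeMBAM
+
+Malware analysis and more technical information at <https://decoded.avast.io/janvojtesek/fakembam-backdoor-delivered-through-software-updates/>
+
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [Network indicators](#network-indicators)
+* [File names](#file-names)
+* [Registry keys](#registry-keys)
+
+
+## Samples (SHA-256)
+#### FakeMBAM installer/FakeMBAM backdoor
+```
+391817d625e14d6b5b0115b7215c07d9ef6612cccdb1d6891626fdd5609506bf Qt5Help.dll
+02be0f263b95017caa20f0fed861d2126e81ec176d542cc7415074f48965f2e0 Qt5WinExtras.dll
+dfb1a78be311216cd0aa5cb78759875cd7a2eeb5cc04a8abc38ba340145f72b9 MBSetup2.exe
+f2caa14fd11685ba28068ea79e58bf0b140379b65921896e227a0c7db30a0f2c MBSetup.exe
+```
+
+#### Miner payloads
+```
+c6a8623e74f5aad94d899770b4a2ac5ef111e557661e09e62efc1d9a3eb1201c C:\ProgramData\VMware\VMware Tools\vmmem.exe
+fea67139bc724688d55e6a2fde8ff037b4bd24a5f2d2eb2ac822096a9c214ede C:\ProgramData\VMware\VMware Tools\vmtoolsd.exe
+b3755d85548cefc4f641dfb6af4ccc4b3586a9af0ade33cc4e646af15b4390e7 C:\ProgramData\VMware\VMware Tools\vm3dservice.exe
+7f7b6939ae77c40aa2d95f5bf1e6a0c5e68287cafcb3efb16932f88292301a4d C:\ProgramData\VMware\VMware Tools\vm3dservice.exe
+c90899fcaab784f98981ce988ac73a72b0b1dbceb7824f72b8218cb5783c6791 C:\ProgramData\VMware\VMware Tools\vmtoolsd.exe
+a4447559249f3ce04be4c6d28fc15946cbb8513da76ba522f635bda6a60bedcc C:\ProgramData\VMware\VMware Tools\vmtoolsd.exe
+8536d573c4180f5df09f183b9434636127127b2134fbf5dced0360ec6d4ee772 C:\ProgramData\VMware\VMware Tools\vmtoolsd.exe
+61b194c80b6c2d2c97920cd46dd62ced48a419a09179bae7de3a9cfa4305a830 C:\ProgramData\VMware\VMware Tools\VMwareHostOpen.exe
+589377832b1f1e6be2bdbef1753f30e3907c89a680f7f327999d9a1b510aa4ae C:\ProgramData\Mega Tools\ServiceHub.CLR.x64.exe
+d7a06cba490da60cfbf6f120c33652393f7a1b9176170e57c6cc3649530fca6a C:\ProgramData\Sega Tools\ServiceHub.CLR.x64.exe
+af49b57c1fc4781a7a38457c0b4a595dbb6b5bd7bc4ccafe15fb6b8ae29e17f8 C:\ProgramData\Sega Tools\ServiceHub.CLR.x64.exe
+55869621fb2321ab8c8684d10c49e50e6a0b131f215ac0bbfe7c398d08fbea34 C:\ProgramData\Sega Tools\ServiceHub.CLR.x64.exe
+f761242dfa8cf57faaae2c659f450bcbdc3253134556141eb6e0e282fbd98aa1 C:\ProgramData\Packages\Sega.549981C3F5F10_8wekyb3d8bbwe\ServiceHub.CLR.x64.exe
+269e14bb368ef26f47416a8fcd7f556bece57f5b6113986dc733c2230efdf398 C:\ProgramData\USOPrivate\SearchApp.exe
+beb718a13ef88b2d7f2126226217e76ea773af609aeae870f55e8eb6ed4c497b C:\ProgramData\Package\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\SearchApp.exe
+70830ed1357efd6b373faeaa52701369e2ae7bf9ad74e2f9355b5499ecef1123 C:\ProgramData\USOPrivate\SearchApp.exe
+277cb64e6cd1155c21f6f169d77036ea6e4a36288494f2dfc39d2e76191197d9 C:\ProgramData\USOPrivate\SearchApp.exe
+f8288ecb42478dd37335669a956b4e1adb3400928e1ec440a24882163a9cbbe8 C:\ProgramData\USOPrivate\SearchApp.exe
+edd918e7fe5dbb8e66464939c4a62132d5a3ba17d081c56f0a23beffb2c0ca0c C:\ProgramData\USOPrivate\SearchApp.exe
+4c36a69540ffb7ac3655170148fe9f358bf0fc926baa7ef96611a7688727f76f C:\ProgramData\USOPrivate\SearchApp.exe
+468968df636c3a3b7ef85b0ff528aeb403eaae7c943e4eebfbe5b98de19ff711 C:\ProgramData\USOPrivate\SearchApp.exe
+a10277ffaec4e691cb1fa51fd65d2b7e045b138b0689ad7f5e0b79d855822df6 C:\ProgramData\USOPrivate\SearchApp.exe
+```
+
+#### data.pak
+```
+3036593e424bd4628593131b445408ba6a4039ef08e2fcdda1558010cc39ef37 data.pak
+43bcec1d5149d43afbb4439eb88f59dcdbf1de363828a022e4a0b6474440223c data.pak
+503e1b04708db7bf22935beee235965e503c370692904fb0c37344fd29696036 data.pak
+624ae4069182064f1801beec52dee3195f15a306ccaaba4a798a5b1823fe0df8 data.pak
+709e71ec3837520552e76c72796c6422a0713da88e227ac423d80e6f727c32a9 data.pak
+7223641157529b6152503f4cf3cd2bbe358e325ebf0cef3b3930e058012c9de4 data.pak
+768ceff0ddc67c5ea8858c6b1e80ddcac0907ded692efd33502c85eff370852a data.pak
+893b242669d076f2460a789f951611dc58ab73c47f7b582fe504d7ecd0d18f29 data.pak
+931e705984f60011b18aa0c38fb18f2040b87233dd94b506e7f20e504da58b6d data.pak
+97e57ce2aded883a2eefc4a5cf60d162b98a3637abb2424e77083820c76422fa data.pak
+97f8cd6db13a4e17d1aa84ce8950c153156b50f2eb29f5e3cd1a4496f50e7e0a data.pak
+9734166814c8db737d472241e72bde437236da59a94d4991bb81589ce9271fad data.pak
+```
+
+## Network indicators
+#### C&C URLs
+```
+https://apis.bytestech[.]dev/get/data
+https://apis.mbytestech[.]com/get/data
+https://apis.masterbyte[.]nl/get/data
+https://d3ko3huol26z6z.cloudfront[.]net/get/data
+https://d1t8lqzz4q8388.cloudfront[.]net/get/data
+https://agonistatdata[.]site/get/data
+https://apolistatdata[.]site/get/data
+https://augustatdata[.]site/get/data
+https://dq96vx43jmub5.cloudfront[.]net/get/data
+```
+
+#### Download URLs
+```
+http://dl.bytestech[.]dev/1/mbsetup.exe
+http://dl.bytestech[.]dev/2/mbsetup.exe
+http://dl.bytestech[.]dev/3/mbsetup.exe
+http://dl.bytestech[.]dev/mbsetup2.exe
+http://dl.cloudnetbytes[.]com/3/mbsetup.exe
+```
+#### Private mining pool IP addresses
+```
+142.4.214[.]15
+164.90.228[.]90
+134.122.75[.]91
+134.122.95[.]252
+188.124.36[.]164
+54.93.189[.]78
+18.184.46[.]95
+35.180.226[.]235
+46.101.118[.]136
+46.101.195[.]40
+185.132.176[.]153
+139.59.156[.]70
+15.236.226[.]247
+46.101.120[.]189
+34.254.170[.]193
+18.159.45[.]239
+52.57.156[.]29
+134.122.77[.]49
+35.180.36[.]209
+```
+
+
+## File names
+```
+%ProgramFiles%\Malwarebytes\Qt5Help.dll
+%ProgramFiles(x86)%\Malwarebytes\Qt5Help.dll
+%ProgramFiles%\Malwarebytes\data.pak
+%ProgramFiles(x86)%\Malwarebytes\data.pak
+%ProgramData%\VMware\VMware Tools\vmmem.exe
+%ProgramData%\VMware\VMware Tools\vmtoolsd.exe
+%ProgramData%\VMware\VMware Tools\vm3dservice.exe
+%ProgramData%\VMware\VMware Tools\vmtoolsd.exe
+%ProgramData%\VMware\VMware Tools\VMwareHostOpen.exe
+%ProgramData%\Mega Tools\ServiceHub.CLR.x64.exe
+%ProgramData%\Sega Tools\ServiceHub.CLR.x64.exe
+%ProgramData%\Packages\Sega.549981C3F5F10_8wekyb3d8bbwe\ServiceHub.CLR.x64.exe
+%ProgramData%\Package\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\SearchApp.exe
+```
+
+## Registry keys
+```
+HKLM\SOFTWARE\Wow6432Node\Malwarebytes\LicenseKey
+HKLM\SOFTWARE\Malwarebytes\LicenseKey
+```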
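--- a/FakeMBAM/network.txt
+++ b/FakeMBAM/network.txt
@@ -0,0 +1,29 @@
+bytestech[.]dev
+mbytestech[.]com
+masterbyte[.]nl
+d3ko3huol26z6z.cloudfront[.]net
+d1t8lqzz4q8388.cloudfront[.]net
+agonistatdata[.]site
+apolistatdata[.]site
+augustatdata[.]site
+dq96vx43jmub5.cloudfront[.]net
+cloudnetbytes[.]com
+142.4.214[.]15
+164.90.228[.]90
+134.122.75[.]91
+134.122.95[.]252
+188.124.36[.]164
+54.93.189[.]78
+18.184.46[.]95
+35.180.226[.]235
+46.101.118[.]136
+46.101.195[.]40
+185.132.176[.]153
+139.59.156[.]70
+15.236.226[.]247
+46.101.120[.]189
+34.254.170[.]193
+18.159.45[.]239
+52.57.156[.]29
+134.122.77[.]49
+35.180.36[.]209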
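Review bot: network.txt mixes two indicator types — ten hostnames followed by nineteen IPv4 addresses — in one undifferentiated list, all defanged with `[.]`, and nothing in the commit tells a consumer about either the defanging or the type boundary, so the file cannot be loaded into a DNS sinkhole or firewall feed without manual refanging and sorting by type. The three `cloudfront[.]net` entries are distribution hostnames on shared CDN infrastructure and should be matched as exact FQDNs rather than collapsed to the registrable domain, and the IPv4 entries appear to be hosting-provider allocations that will age quickly without a first-seen/last-seen date; neither caveat is recorded. Consider splitting the file into `network_domains.txt` and `network_ips.txt`, or adding a line to the README's Network indicators section stating that network.txt is a defanged list of hostnames followed by mining-pool IPv4 addresses, to be refanged before use and with CloudFront entries matched as full hostnames.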
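--- a/FakeMBAM/samples.md5
+++ b/FakeMBAM/samples.md5
@@ -0,0 +1,38 @@
+08defaf0b22cf32604bdc121595727c0
+0a956722ce13a46fe08a3690620d5dac
+0e898ee0e7a8e2165ae737f2d540686c
+15811809b32c258a4c3a0385db251c08
+20efaf9fae9340afd4ea38cfde20915e
+241603449769f19d5edbf1af3d604d33
+2a9b17b97d41864855465155b9f4d0c5
+3d9b1620a35055bc811cc9afef8b3055
+3fc25036735ab0bdc655f4ec8396e289
+4597f6a6d4cdecff0f43a7da5d7db370
+4a8982935d9fd546297141fc7d81bf63
+4f0c7aa726e0cfa4d94bd418b0698c9d
+4fc936993d0199c84e4e3a0cb2fc0cb3
+516802c3849732b6c28453d7a80e2720
+53325e205e2132192624dfffc21b97c7
+548ad791ee992ce93a2c3d04bb6424ee
+628a0c623d6d1fe037b8845e0e533cc2
+6439974f94df37164c67a93d9d072346
+6ae4aaf713642dbcee9902f493f2cea8
+71151f8a1aab1cbaa7f9f388873550ab
+78322472e79ea0afba4d46595dc8bada
+78f5094fa66a9aa4dc10470d5c3e3155
+79c23de77762c2beae09a9354b906bf8
+7cb49a953fe41ec48b5695d8c1bdc68f
+938f12260b44298f87b0e0b62b9a6c5e
+98d14fc694dcac2216fb8f888c560b3a
+a463122f1c5eec0f06b34ea5c038f3bb
+a69412cba06f3ff29a7aa424c5806645
+bb1c06d9c5636f1f6c9d1e5d64344906
+c35b2a50093122203687539bb4c20aec
+c3f6c66e6efcfd3cf56c810ef2db8b12
+d444135bc9490929bbed7252f12c704b
+d4f013fc3278065d855bbc1de14ee473
+d690a4cc7794f4c2f65fa0f43cff5a3f
+da1678f8e9122100beaf0b7d27a0963e
+e353d2b6f0c83dd060719ffc4bb18c67
+f937f3efad1675c48b404c723eeec0b0
+fd24588efb959c93f5f0211e3523c19b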
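Review bot: samples.md5, samples.sha1 and samples.sha256 each carry 38 digests but are not row-aligned — samples.md5 and samples.sha256 are sorted lexicographically while samples.sha1 is in an unsorted order — so a consumer cannot tell which MD5, SHA-1 and SHA-256 belong to the same sample, nor map an MD5 or SHA-1 back to the filenames the README attaches only to the SHA-256 values. Consider adding a single `samples.csv` with `sha256,sha1,md5,filename` columns and treating the three flat per-algorithm files as derived views, or at least emitting all three in the same sample order and saying so in the README. Sorting samples.sha1 the way the other two files are sorted would make the set internally consistent even if no cross-reference is added.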
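--- a/FakeMBAM/samples.sha1
+++ b/FakeMBAM/samples.sha1
@@ -0,0 +1,38 @@
+035de4136fd7c5f2800230ac5cb4f63f52f519f9
+7e7910c3526c0ed425ab82f904367ca85f0302bf
+259e46dba9fe849d1154f8c8cd909da86725981f
+f244ee60293d6ee378f41e72774cde9a2f380e45
+b21eee3bc4672292f18eed1d1876ac031ec5c3eb
+6ee455ef1e76babe2ef941ac74ac9388332db2f2
+c17f95e75037dea7a8c636118f7a24eabb5bd09d
+846d586dd0ad891b70709dfbe4dd012ca5f20886
+4ec12e30102a7f0b7e7728fb3fdd04dd0afeecd5
+ae8597c83754ef0c0771c0e97dc3fe4dd82a6363
+7054d2c2231311991670c43ab2dba6d70cb6eb55
+cea7e643817ccf5be7c01c29520bc44edcc6d0a7
+fc0ba08372031291dba626fab3f97cd0a5711dda
+4255f26e9bc6804a0db276603a7f86b6625a4ac4
+a4155926cb923a59ce017afa7b9764d38b92c0ed
+7e6d62f8e48ab08d507956637859e590156167b9
+8c4ecf2d90fbfb7d1871ecbe430397d3c4586c3f
+e9fb2aa23d598ebad57d5bf2d0c08362ecd3ef9e
+fff92aa8bcf6fae354e7a9d84d1a383bd6cc67b3
+706bfbe37753b84dcd85579d26a0df74b4c4d47b
+f5c8fc52983867178eeb635e489b6e9a4f78c0b4
+308d7b65782f72ce17c330d8f2d6922aee7169c5
+dd3c2e989557533aa05b04c8b9034d57f8aeb3e7
+ae2dd2091650f8cae0d475f887f6361b46f68a53
+d2ebe768847321b45599dd89b743cebe0d1ee533
+55a41b4a6e5312e00d6284d82251efc7a97e19eb
+9413089dd11251d58d98314e2fdd5a409d53a9d6
+39bdb6978f6976d0a2e201fee0ec1c71f815a999
+bdcdf59639ff0126209477254a6c709d1965359f
+4f06b8d9ddb64fc4b24ab2a40ccdbbbd25d0d591
+4c488937d6cd74359f6dea7910a17c0f201b2b4e
+4474598ac25db468e21dac32d45b645d3a50a9d8
+c654c4d035cab4a443026490aff4314e9ad87b7c
+93b892759e6f7db11d5ff544d3c5fda91a5b3923
+fbb5ff3fbde775344179163a960f1a05b53359a2
+f6412176f0f206dfcec97ab1d7333ce7d8c56f28
+40a83bf13b52c256b4394da2dd2aa4510184b5c2
+c2f759043b7c3cb94b84a7fd38511a87ae5b52ce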
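--- a/FakeMBAM/samples.sha256
+++ b/FakeMBAM/samples.sha256
@@ -0,0 +1,38 @@
+02be0f263b95017caa20f0fed861d2126e81ec176d542cc7415074f48965f2e0
+269e14bb368ef26f47416a8fcd7f556bece57f5b6113986dc733c2230efdf398
+277cb64e6cd1155c21f6f169d77036ea6e4a36288494f2dfc39d2e76191197d9
+3036593e424bd4628593131b445408ba6a4039ef08e2fcdda1558010cc39ef37
+391817d625e14d6b5b0115b7215c07d9ef6612cccdb1d6891626fdd5609506bf
+43bcec1d5149d43afbb4439eb88f59dcdbf1de363828a022e4a0b6474440223c
+468968df636c3a3b7ef85b0ff528aeb403eaae7c943e4eebfbe5b98de19ff711
+4c36a69540ffb7ac3655170148fe9f358bf0fc926baa7ef96611a7688727f76f
+503e1b04708db7bf22935beee235965e503c370692904fb0c37344fd29696036
+55869621fb2321ab8c8684d10c49e50e6a0b131f215ac0bbfe7c398d08fbea34
+589377832b1f1e6be2bdbef1753f30e3907c89a680f7f327999d9a1b510aa4ae
+61b194c80b6c2d2c97920cd46dd62ced48a419a09179bae7de3a9cfa4305a830
+624ae4069182064f1801beec52dee3195f15a306ccaaba4a798a5b1823fe0df8
+70830ed1357efd6b373faeaa52701369e2ae7bf9ad74e2f9355b5499ecef1123
+709e71ec3837520552e76c72796c6422a0713da88e227ac423d80e6f727c32a9
+7223641157529b6152503f4cf3cd2bbe358e325ebf0cef3b3930e058012c9de4
+768ceff0ddc67c5ea8858c6b1e80ddcac0907ded692efd33502c85eff370852a
+7f7b6939ae77c40aa2d95f5bf1e6a0c5e68287cafcb3efb16932f88292301a4d
+8536d573c4180f5df09f183b9434636127127b2134fbf5dced0360ec6d4ee772
+893b242669d076f2460a789f951611dc58ab73c47f7b582fe504d7ecd0d18f29
+931e705984f60011b18aa0c38fb18f2040b87233dd94b506e7f20e504da58b6d
+9734166814c8db737d472241e72bde437236da59a94d4991bb81589ce9271fad
+97e57ce2aded883a2eefc4a5cf60d162b98a3637abb2424e77083820c76422fa
+97f8cd6db13a4e17d1aa84ce8950c153156b50f2eb29f5e3cd1a4496f50e7e0a
+a10277ffaec4e691cb1fa51fd65d2b7e045b138b0689ad7f5e0b79d855822df6
+a4447559249f3ce04be4c6d28fc15946cbb8513da76ba522f635bda6a60bedcc
+af49b57c1fc4781a7a38457c0b4a595dbb6b5bd7bc4ccafe15fb6b8ae29e17f8
+b3755d85548cefc4f641dfb6af4ccc4b3586a9af0ade33cc4e646af15b4390e7
+beb718a13ef88b2d7f2126226217e76ea773af609aeae870f55e8eb6ed4c497b
+c6a8623e74f5aad94d899770b4a2ac5ef111e557661e09e62efc1d9a3eb1201c
+c90899fcaab784f98981ce988ac73a72b0b1dbceb7824f72b8218cb5783c6791
+d7a06cba490da60cfbf6f120c33652393f7a1b9176170e57c6cc3649530fca6a
+dfb1a78be311216cd0aa5cb78759875cd7a2eeb5cc04a8abc38ba340145f72b9
+edd918e7fe5dbb8e66464939c4a62132d5a3ba17d081c56f0a23beffb2c0ca0c
+f2caa14fd11685ba28068ea79e58bf0b140379b65921896e227a0c7db30a0f2c
+f761242dfa8cf57faaae2c659f450bcbdc3253134556141eb6e0e282fbd98aa1
+f8288ecb42478dd37335669a956b4e1adb3400928e1ec440a24882163a9cbbe8
+fea67139bc724688d55e6a2fde8ff037b4bd24a5f2d2eb2ac822096a9c214ede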