From 8fc421bfa8382f8ab3d5807ecbfc39ba30c45bf4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Rub=C3=ADn?= Date: Tue, 23 Apr 2024 09:42:29 +0200 Subject: [PATCH] GuptiMiner: Added IoCs --- GuptiMiner/README.md | 160 + .../extras/PCAP/dns_txt_png_download.pcap | Bin 0 -> 552 bytes .../extras/PCAP/smb_backdoor_networking.pcap | Bin 0 -> 1095 bytes GuptiMiner/extras/mutexes.csv | 1036 +++ GuptiMiner/extras/png_loader.txt | 6043 +++++++++++++++++ GuptiMiner/extras/puppeteer.txt | 944 +++ GuptiMiner/extras/xmrig.txt | 51 + GuptiMiner/network.txt | 51 + GuptiMiner/samples.csv | 25 + GuptiMiner/samples.md5 | 24 + GuptiMiner/samples.sha1 | 24 + GuptiMiner/samples.sha256 | 23 + 12 files changed, 8381 insertions(+) create mode 100644 GuptiMiner/README.md create mode 100644 GuptiMiner/extras/PCAP/dns_txt_png_download.pcap create mode 100644 GuptiMiner/extras/PCAP/smb_backdoor_networking.pcap create mode 100644 GuptiMiner/extras/mutexes.csv create mode 100644 GuptiMiner/extras/png_loader.txt create mode 100644 GuptiMiner/extras/puppeteer.txt create mode 100644 GuptiMiner/extras/xmrig.txt create mode 100644 GuptiMiner/network.txt create mode 100644 GuptiMiner/samples.csv create mode 100644 GuptiMiner/samples.md5 create mode 100644 GuptiMiner/samples.sha1 create mode 100644 GuptiMiner/samples.sha256 diff --git a/GuptiMiner/README.md b/GuptiMiner/README.md new file mode 100644 index 0000000..7f14a86 --- /dev/null +++ b/GuptiMiner/README.md 
@@ -0,0 +1,160 @@ +# IoC for GuptiMiner + +Malware analysis and more technical information at + +### Table of Contents +* [Samples (SHA-256)](#samples-sha-256) +* [C&Cs](#cnc) +* [Mutexes](#mutexes) +* [PDBs](#pdbs) +## Samples (SHA-256) +#### GuptiMiner binary and related files +``` +c3122448ae3b21ac2431d8fd523451ff25de7f6e399ff013d6fa6953a7998fa3 +7a1554fe1c504786402d97edecc10c3aa12bd6b7b7b101cfc7a009ae88dd99c6 +3515113E7127DC41FB34C447F35C143F1B33FD70913034742E44EE7A9DC5CC4C +e0dd8af1b70f47374b0714e3b368e20dbcfa45c6fe8f4a2e72314f4cd3ef16ee +de48abe380bd84b5dc940743ad6727d0372f602a8871a4a0ae2a53b15e1b1739 +8e96d15864ec0cc6d3976d87e9e76e6eeccc23c551b22dcfacb60232773ec049 +FF884D4C01FCCF08A916F1E7168080A2D740A62A774F18E64F377D23923B0297 +294B73D38B89CE66CFDEFA04B1678EDF1B74A9B7F50343D9036A5D549ADE509A +6305d66aac77098107e3aa6d85af1c2e3fc2bb1f639e4a9da619c8409104c414 +357009a70daacfc3379560286a134b89e1874ab930d84edb2d3ba418f7ad6a0b +364984e8d62eb42fd880755a296bd4a93cc071b9705c1f1b43e4c19dd84adc65 +4dfd082eee771b7801b2ddcea9680457f76d4888c64bb0b45d4ea616f0a47f21 +487624b44b43dacb45fd93d03e25c9f6d919eaa6f01e365bb71897a385919ddd +1c31d06cbdf961867ec788288b74bee0db7f07a75ae06d45d30355c0bc7b09fe +1fbc562b08637a111464ba182cd22b1286a185f7cfba143505b99b07313c97a4 +07beca60c0a50520b8dbc0b8cc2d56614dd48fef0466f846a0a03afbfc42349d +f0ccfcb5d49d08e9e66b67bb3fedc476fdf5476a432306e78ddaaba4f8e3bbc4 +8446d4fc1310b31238f9a610cd25ea832925a25e758b9a41eea66f998163bb34 +74D7F1AF69FB706E87FF0116B8E4FA3A9B87275505E2EE7A32A8628A2D066549 +af9f1331ac671d241bf62240aa52389059b4071a0635cb9cb58fa78ab942a33b +31dfba1b102bbf4092b25e63aae0f27386c480c10191c96c04295cb284f20878 +b0f94d84888dffacbc10bd7f9983b2d681b55d7e932c2d952d47ee606058df54 +f656a418fca7c4275f2441840faaeb70947e4f39d3826d6d2e50a3e7b8120e4e +7f1221c613b9de2da62da613b8b7c9afde2ea026fe6b88198a65c9485ded7b3d +``` + +## C&Cs +``` +_spf.microsoft[.]com +acmeautoleasing[.]net +b.guterman[.]net +breedbackfp[.]com +crl.microsoft[.]com 
+crl.peepzo[.]com +crl.sneakerhost[.]com +desmoinesreg[.]com +dl.sneakerhost[.]com +edgesync[.]net +espcomp[.]net +ext.microsoft[.]com +ext.peepzo[.]com +ext.sneakerhost[.]com +gesucht[.]net +globalsign.microsoft[.]com +icamper[.]net +m.airequipment[.]net +m.cbacontrols[.]com +m.gosoengine[.]com +m.guterman[.]net +m.indpendant[.]com +m.insomniaccinema[.]com +m.korkyt[.]net +m.satchmos[.]net +m.sifraco[.]com +ns.bretzger[.]net +ns.deannacraite[.]com +ns.desmoinesreg[.]com +ns.dreamsoles[.]com +ns.editaccess[.]com +ns.encontacto[.]net +ns.gravelmart[.]net +ns.gridsense[.]net +ns.jetmediauk[.]com +ns.kbdn[.]net +ns.lesagencestv[.]net +ns.penawarkanser[.]net +ns.srnmicro[.]net +ns.suechiLton[.]com +ns.trafomo[.]com +ns1.earthscienceclass[.]com +ns1.peepzo[.]com +ns1.securtelecom[.]com +ns1.sneakerhost[.]com +p.bramco[.]net +p.hashvault[.]pro +r.sifraco[.]com +spf.microsoft[.]com +widgeonhill[.]com +www.bascap[.]net +``` + +## Mutexes +``` +ESOCESS_ +Global\Fri Aug 13 02:17:49 2021 +Global\Fri Aug 13 02:22:55 2021 +Global\Mon Apr 19 06:03:17 2021 +Global\Mon Apr 24 07:19:54 2023 +Global\Mon Feb 27 08:11:25 2023 +Global\Mon Jun 14 03:22:57 2021 +Global\Mon Mar 13 07:29:11 2023 +Global\Mon Mar 22 09:16:00 2021 +Global\Sun Jun 13 08:22:07 2021 +Global\Thu Aug 10 03:25:11 2023 +Global\Thu Aug 12 02:07:58 2021 +Global\Thu Feb 23 08:37:09 2023 +Global\Thu Mar 25 02:03:14 2021 +Global\Thu Mar 25 09:31:19 2021 +Global\Thu Nov 2 08:21:56 2023 +Global\Thu Nov 9 06:19:40 2023 +Global\Tue Apr 25 08:32:05 2023 +Global\Tue Mar 23 02:37:32 2021 +Global\Tue Oct 10 08:07:11 2023 +Global\Wed Aug 11 09:16:37 2021 +Global\Wed Jan 5 09:15:56 2022 +Global\Wed Jun 2 09:43:03 2021 +Global\Wed Mar 1 01:29:48 2023 +Global\Wed Mar 23 08:56:01 2022 +Global\Wed Mar 23 09:06:36 2022 +Global\Wed May 10 06:38:46 2023 +Global1 +GlobalMIVOD_V4 +GMCM1 +MIVOD_6 +MTX_EX01 +Mutex_ONLY_ME_V1 +Mutex_ONLY_ME_V2 +Mutex_ONLY_ME_V3 +PROCESS_ +SLDV014 +SLDV02 +SLDV024 +SLDV04 +SLDV10 +SLDV11 +SLDV13 +SLDV15 
+SLDV17 +SLDV22 +SLDV26 +``` + +## PDBs +``` +E:\projects\projects\RunCompressedSC\x64\Release\RunCompressedSC.pdb +E:\Projects\putty-src\windows\VS2012\x64\Release\plink.pdb +F:\CODE-20221019\Projects\RunCompressedSC\x64\Release\RunCompressedSC.pdb +F:\Pro\MainWork\Release\MainWork.pdb +F:\Pro\MainWork\x64\Release\MainWork.pdb +F:\Projects\2020-NEW\20200307-NEW\MainWork-VS2017-IPHLPAPI\Release\MainWork.pdb +F:\Projects\2020-NEW\20200307-NEW\MainWork-VS2017-IPHLPAPI\x64\Release\MainWork.pdb +F:\Projects\2020-NEW\20200307-NEW\MainWork-VS2017-nvhelper\Release\MainWork.pdb +F:\Projects\2020-NEW\20200307-NEW\MainWork-VS2017-nvhelper\x64\Release\MainWork.pdb +F:\Projects\RunCompressedSC\x64\Release\RunCompressedSC.pdb +F:\V202102\MainWork-VS2017 – Monitor\Release\MainWork.pdb +F:\V202102\MainWork-VS2017 – Monitor\x64\Release\MainWork.pdb +H:\projects\MainWork\Release\MainWork.pdb +``` diff --git a/GuptiMiner/extras/PCAP/dns_txt_png_download.pcap b/GuptiMiner/extras/PCAP/dns_txt_png_download.pcap new file mode 100644 index 0000000000000000000000000000000000000000..65b2be61a8bf5709e0804d4642d3118555b52ec1 GIT binary patch literal 552 zcmca|c+)~A1{MYw`2U}Q;R%rQxcg74j4c;~4Ui4Ot{{q$fx$s=<@WN05UOc-~a#s literal 0 HcmV?d00001 diff --git a/GuptiMiner/extras/PCAP/smb_backdoor_networking.pcap b/GuptiMiner/extras/PCAP/smb_backdoor_networking.pcap new file mode 100644 index 0000000000000000000000000000000000000000..23464fa5a6f2309af23ae010d48fc35c6bf56e80 GIT binary patch literal 1095 zcmbVL&ubGw7=5z_yA*}igXTD(f(Ko8SL%;b8%r$xvFVT&)e@>-#2~Y>bA0-}3Fe`SJF9Z)WG{wKASEr^vfGlGk64Dxk~+ zd2=~$pM#Rrx!=+G{p*0v4zH+j?5VB(BwdMaGz1n`+IFP(N`KKQa0iZ=)s^yUyj)$> zrn)>=Ek!!;d^k&`N>r*?7_V=vCEHDXFKOsFX*{^!NH!lf^<^)(&2>@Wg|~b^>{3E6 zfKyr3OOf`yAna}Q0gFr0z(Ho<%YcDroK}VgUT+csyJDazs5sV^CXbGRlPPvlm>kc> zWdkIRn2Q!6#yU2zh6LMaLL-E4A3*`GV~Wd$ubG0!)%hXp5lhm;UiPz``O||s&1vi5 z;wK`YE*`9%e|d0cP)JdS%db&NjgP1bSvSBHT(j*}PDwvxzlM1j%;FqBJuT7O-z|
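Review bot: the diffstat shows `GuptiMiner/samples.sha256 | 23 +` while `samples.md5` and `samples.sha1` each add 24 lines and the README's "Samples (SHA-256)" block lists 24 hashes, so one SHA-256 appears to be missing from `samples.sha256`; please reconcile the three hash files with the README before merging. Two smaller points in the same hunk: the table-of-contents link `[C&Cs](#cnc)` will not resolve, because the auto-generated anchor for the heading `## C&Cs` is `#ccs` (the ampersand is dropped), and the line `Malware analysis and more technical information at` ends without the URL it is clearly meant to carry. For consistency of grep and dedup, consider normalising the mixed-case hashes (e.g. `3515113E...`, `FF884D4C...`, `74D7F1AF...`) to lowercase and the hostname `ns.suechiLton[.]com` to lowercase as well, and check that the en dash in `F:\V202102\MainWork-VS2017 – Monitor\...` is the character actually present in the binaries rather than an editor substitution, since defenders will match on these strings verbatim.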
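Review bot: the two binary captures `extras/PCAP/dns_txt_png_download.pcap` and `extras/PCAP/smb_backdoor_networking.pcap`, together with `extras/mutexes.csv`, `extras/png_loader.txt`, `extras/puppeteer.txt` and `extras/xmrig.txt`, are added without any mention in the README; add a short "Extras" entry to the table of contents describing what each capture and listing contains (for instance, which stage of the DNS TXT download and the SMB backdoor traffic the two pcaps show) so analysts know what they are looking at before opening them.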