MpIncident: init IoCs

2021-07-01 10:55:31 +02:00 · 2021-07-01 10:55:31 +02:00 · a61e7d5546
parent 918203d337
commit a61e7d5546
4 changed files with 77 additions and 0 deletions
--- a/MpIncident/README.md
+++ b/MpIncident/README.md
@ -0,0 +1,50 @@
+# IoC from Backdoored Client from Mongolian CA MonPass
+
+Malware analysis and more technical information at <https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/>
+
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [Network indicators](#network-indicators)
+
+## Samples (SHA-256)
+```
+4A43FA8A3305C2A17F6A383FB68F02515F589BA112C6E95F570CE421CC690910
+hxxps://jquery-code.ml/Download/Browser_Plugin.exe 
+hxxp://micsoftin.us:2086/dow/83.bmp
+hxxp://37.61.205.212:8880/dow/Aili.pdf
+
+e2596f015378234d9308549f08bcdca8eadbf69e488355cddc9c2425f77b7535
+379d5eef082825d71f199ab8b9b6107c764b7d77cf04c2af1adee67b356b5c7a
+a7e9e2bec3ad283a9a0b130034e822c8b6dfd26dda855f883a3a4ff785514f97
+	-hxxp://download.google-images.ml:8880/download/x37.bmp
+
+f21a9c69bfca6f0633ba1e669e5cf86bd8fc55b2529cd9b064ff9e2e129525e8
+-hxxp://download.google-images.ml:8880/downloa/37.bmp
+-hxxp://37.61.205.212:8880/download/Browers_plugin.exe
+
+28e050d086e7d055764213ab95104a0e7319732c041f947207229ec7dfcd72c8
+	-hxxp://download.google-images.ml:8880/downloa/37.bmp
+
+5cebdb91c7fc3abac1248deea6ed6b87fde621d0d407923de7e1365ce13d6dbe
+-hxxp://micsoftin.us:2086/dow/83.bmp
+
+456b69628caa3edf828f4ba987223812cbe5bbf91e6bbf167e21bef25de7c9d2
+	-hxxp://download.google-images.ml:8880/download/DNSs.bat
+
+9834945a07cf20a0be1d70a8f7c2aa8a90e625fa86e744e539b5fe3676ef14a9
+	-hxxp://download.google-images.ml:8880/download/DNSs.bat
+	-hxxp://download.google-images.ml:8880/download/x37.bmp
+```
+
+## Network indicators
+### C&C servers
+```
+37.61.205[.]212
+micsoftin[.]us
+jquery-code[.]ml
+download.google-images[.]ml
+dev.google-dev[.]ml
+internet.google-dev[.]ml
+jquery.google-dev[.]ml
+```
--- a/MpIncident/samples.md5
+++ b/MpIncident/samples.md5
@ -0,0 +1,9 @@
+0dca25cb980e13b125c2490e63ffdd86
+2a61b97914cfb6810e37ebebb440e943
+41dc7763def09be7f2e8a4dbc9922434
+738f46546f6d4a79e2d917b26bf8a93a
+6136add51eda5b198b6d36dc0c693e20
+0fab8fa2ef340a93f0b062d575ade5b7
+a241ff3d86925a4a12916b401536b019
+e451a8a028da21cf0faa97881f226dfc
+abcd461bdb6a6537b7a36848a87b5ea6
--- a/MpIncident/samples.sha1
+++ b/MpIncident/samples.sha1
@ -0,0 +1,9 @@
+74995058f9e7fa6951821c0568fdaf168cace179
+6fb68fcbc578b4eda978b463345d2919eed70020
+ff703024e0b59fe20495d6b9f568bedddc8b12e1
+834e80f6fa9935fd3184c25e4e37b0a068a773ee
+fc33ae4120496b81fbad82b14821ea996ce46ce7
+7c425c48861e39f2613ff72199f711e761165054
+d28eacb1b4d2e9ef54f7dff09ca03a6866fc9184
+3880ee01f2fc37dcae2c840799c7a8a71f31a0ed
+e99d5a620a488133f4da24e1f8d2d5e68542b6f3
--- a/MpIncident/samples.sha256
+++ b/MpIncident/samples.sha256
@ -0,0 +1,9 @@
+F21A9C69BFCA6F0633BA1E669E5CF86BD8FC55B2529CD9B064FF9E2E129525E8
+A7E9E2BEC3AD283A9A0B130034E822C8B6DFD26DDA855F883A3A4FF785514F97
+5CEBDB91C7FC3ABAC1248DEEA6ED6B87FDE621D0D407923DE7E1365CE13D6DBE
+9834945A07CF20A0BE1D70A8F7C2AA8A90E625FA86E744E539B5FE3676EF14A9
+456B69628CAA3EDF828F4BA987223812CBE5BBF91E6BBF167E21BEF25DE7C9D2
+28E050D086E7D055764213AB95104A0E7319732C041F947207229EC7DFCD72C8
+4A43FA8A3305C2A17F6A383FB68F02515F589BA112C6E95F570CE421CC690910
+E2596F015378234D9308549F08BCDCA8EADBF69E488355CDDC9C2425F77B7535
+379D5EEF082825D71F199AB8B9B6107C764B7D77CF04C2AF1ADEE67B356B5C7A