commit
b3d03e6910
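--- /dev/null
+++ b/CacheFlow/README.md
@@ -0,0 +1,104 @@
+# IoC for CacheFlow
+
+Malware analysis and more technical information at <https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/>
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [Network indicators](#network-indicators)
+* [Extension IDs](#extension-ids)
+
+
+## Samples (SHA-256)
+#### CacheFlow scripts related files
+```
+2bc86c14609928183bf3d94e1b6f082a07e6ce0e80b1dffc48d3356b6942c051 - manifest.json
+bdd2ec1f2e5cc0ba3980f7f96cba5bf795a6e012120db9cab0d8981af3fa7f20 - background.js
+3dad00763b7f97c27d481242bafa510a89fed19ba60c9487a65fa4e86dcf970d - jquery.js
+4e236104f6e155cfe65179e7646bdb825078a9fea39463498c5b8cd99d409e7a - Intermediary Downloader
+ebf6ca39894fc7d0e634bd6747131efbbd0d736e65e68dcc940e3294d3c93df4 - Payload
+0f99ec8031d482d3cefa979fbd61416558e03a5079f43c2d31aaf4ea20ce28a0 - Injected script
+```
+
+## Network indicators
+#### C&C domains
+```
+abuse-extensions[.]com
+ampliacion[.]xyz
+a.xfreeservice[.]com
+b.xfreeservice[.]com
+c.xfreeservice[.]com
+browser-stat[.]com
+check-stat[.]com
+check4.scamprotection[.]net
+connecting-to-the[.]net
+cornewus[.]com
+downloader-ig[.]com
+exstats[.]com
+ext-feedback[.]com
+extstatistics[.]com
+figures-analysis[.]com
+huffily.mydiaconal[.]com
+jastats[.]com
+jokopinter[.]com
+limbo-urg[.]com
+mydiaconal[.]com
+notification-stat[.]com
+orgun.johnoil[.]com
+outstole.my-sins[.]com
+peta-line[.]com
+root.s-i-z[.]com
+s3.amazonaws[.]com/directcdn/j6dle93f17c30.js
+s3.amazonaws[.]com/wwwjs/ga9anf7c53390.js
+s3.amazonaws[.]com/wwwjs/hc8e0ccd7266c.js
+safenewtab[.]com
+script-protection[.]com
+server-status[.]xyz
+servscrpt[.]de
+stats.script-protection[.]com
+statslight[.]com
+ulkon.johnoil[.]com
+user-experience[.]space
+user-feedbacks[.]com
+user.ampliacion[.]xyz
+xf.gdprvalidate[.]de/partner/8otb939m/index.php
+```
+
+## Extension IDs
+#### A list of Chrome infected browser extensions with IDs
+```
+mdpgppkombninhkfhaggckdmencplhmg - Direct Message for Instagram
+fgaapohcdolaiaijobecfleiohcfhdfb - DM for Instagram
+iibnodnghffmdcebaglfgnfkgemcbchf - Invisible mode for Instagram Direct Message
+olkpikmlhoaojbbmmpejnimiglejmboe - Downloader for Instagram
+bhfoemlllidnfefgkeaeocnageepbael - App Phone for Instagram
+nilbfjdbacfdodpbdondbbkmoigehodg - Stories for Instagram
+eikbfklcjampfnmclhjeifbmfkpkfpbn - Universal Video Downloader
+pfnmibjifkhhblmdmaocfohebdpfppkf - Video Downloader for FaceBook™
+cgpbghdbejagejmciefmekcklikpoeel - Vimeo™ Video Downloader
+klejifgmmnkgejbhgmpgajemhlnijlib - Zoomer for Instagram and FaceBook
+ceoldlgkhdbnnmojajjgfapagjccblib - VK UnBlock. Works fast.
+mnafnfdagggclnaggnjajohakfbppaih - Odnoklassniki UnBlock. Works quickly.
+oknpgmaeedlbdichgaghebhiknmghffa - Upload photo to Instagram™
+pcaaejaejpolbbchlmbdjfiggojefllp - Spotify Music Downloader
+lmcajpniijhhhpcnhleibgiehhicjlnk - The New York Times News
+lgjogljbnbfjcaigalbhiagkboajmkkj - FORBES
+akdbogfpgohikflhccclloneidjkogog - Скачать фото и видео из Instagram
+```
+
+#### A list of Edge infected browser extensions with IDs
+```
+lnocaphbapmclliacmbbggnfnjojbjgf - Direct Message for Instagram™
+bhcpgfhiobcpokfpdahijhnipenkplji - Instagram Download Video & Image
+dambkkeeabmnhelekdekfmabnckghdih - App Phone for Instagram
+dgjmdlifhbljhmgkjbojeejmeeplapej - Universal Video Downloader
+emechknidkghbpiodihlodkhnljplpjm - Video Downloader for FaceBook™
+hajlccgbgjdcjaommiffaphjdndpjcio - Vimeo™ Video Downloader
+dljdbmkffjijepjnkonndbdiakjfdcic - Volume Controller
+cjmpdadldchjmljhkigoeejegmghaabp - Stories for Instagram
+jlkfgpiicpnlbmmmpkpdjkkdolgomhmb - Upload photo to Instagram™
+njdkgjbjmdceaibhngelkkloceihelle - Pretty Kitty, The Cat Pet
+phoehhafolaebdpimmbmlofmeibdkckp - Video Downloader for YouTube
+pccfaccnfkjmdlkollpiaialndbieibj - SoundCloud Music Downloader
+fbhbpnjkpcdmcgcpfilooccjgemlkinn - Instagram App with Direct Message DM
+aemaecahdckfllfldhgimjhdgiaahean - Downloader for Instagram
+```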
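--- /dev/null
+++ b/CacheFlow/extras/decryptor_strrevsstr.py
@@ -0,0 +1,45 @@
+import base64
+import sys
+
+def strrevsstr(ciphertext: str) -> str:
+    if len(ciphertext) % 4 != 0:
+        ciphertext = ciphertext + (4 - (len(ciphertext) % 4)) * '='
+    ciphertext = ciphertext.replace('-', '+').replace('_', '/')
+    ciphertext = base64.b64decode(ciphertext)
+
+    f = int(ciphertext[0:2], 16)
+    f2 = int(ciphertext[2:3], 16)
+
+    for i in range (3, len(ciphertext)):
+        if ciphertext[i] < ord('0') or ciphertext[i] > ord('9'):
+            first_non_digit_index = i
+            break
+
+    length = int(ciphertext[3:first_non_digit_index])
+    ciphertext = ciphertext[first_non_digit_index+1:]
+
+    if length != len(ciphertext):
+        print("[.] Warning: length mismatch %d != %d" % (length, len(ciphertext)))
+        print("[.] Possibly truncated ciphertext")
+
+    e = f
+    plaintext = ""
+    for i, c in enumerate(ciphertext):
+        b = c ^ e
+        if i > f2:
+            b ^= ciphertext[i - f2]
+        e = c ^ f
+        plaintext += chr(b)
+
+    return plaintext
+
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 2:
+        print("[!] Wrong number of parameters. Expected ciphertext.")
+        exit(1)
+
+    ct = sys.argv[1]
+
+    print(strrevsstr(ct))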
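Review bot: `first_non_digit_index` on the line `length = int(ciphertext[3:first_non_digit_index])` is never assigned when the decoded buffer contains only digits from offset 3 onward (the loop exits without hitting `break`), so a truncated or non-CacheFlow input dies with an UnboundLocalError instead of a useful message; initialise it to `None` before the loop and `raise ValueError("[!] No length terminator found in ciphertext")` if it is still `None` afterwards. The two length-mismatch warnings go to stdout, where they interleave with the decrypted text that the `__main__` block prints, so a caller piping the result into a file gets the warning mixed into the plaintext; `print(..., file=sys.stderr)` keeps the channels apart. `exit(1)` in the `__main__` block is the helper the `site` module installs and is missing under `python -S`; `sys.exit(1)` is already available from the import at the top. Also, `plaintext += chr(b)` maps each decrypted byte to a code point, so any non-ASCII plaintext comes out as Latin-1-like characters rather than decoded UTF-8 — presumably fine for the ASCII scripts this targets, but worth a docstring on `strrevsstr` stating that the return value is a byte-per-character string.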
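--- /dev/null
+++ b/CacheFlow/extras/developer_extensions.txt
@@ -0,0 +1,55 @@
+A list of NON-malicious extensions used for detecting tech-savvy users.
+--------------------------------
+
+aejoelaoggembcahagimdiliamlcdmfm
+aimiinbnnkboelefkjlenlgimcabobli
+ajkomeiemllejmopbbjjngpmmikfedad
+akdgnmcogleenhbclghghlkkdndkjdjc
+aomidfkchockcldhbkggjokdkkebmdll
+bblbgcheenepgnnajgfpiicnbbdmmooh
+bcjindcccaagfpapjjmafapmmgkkhgoa
+bfbameneiokkgbdmiekhjnmfkcnldhhm
+bhlhnicpbhignbdhedgjhgdocnmhomnp
+bkbeeeffjjeopflfhgeknacdieedcoml
+blfngdefapoapkcdibbdkigpeaffgcil
+chklaanhfefbnpoihckbnefhakgolnmc
+cidlcjdalomndpeagkjpnefhljffbnlo
+clngdbkpkpeebahjckkjfobafhncgmne
+cppjkneekbjaeellbfkmgnhonkkjfpdn
+deeboegbjcnfgidliakhpoapnpomphji
+dfogidghaigoomjdeacndafapdijmiid
+fdgfkebogiimcoedlicjlajpkdmockpc
+fmkadmapgofadopljbjfkapdkoienihi
+fnbdnhhicmebfgdgglcdacdapkcihcoh
+fngmhnnpilhplaeedifhccceomclgfbg
+fpkknkljclfencbdbgkenhalefipecmb
+gbammbheopgpmaagmckhpjbfgdfkpadb
+gcbommkclmclpchllfjekcdonpmejbdp
+ggfgijbpiheegefliciemofobhmofgce
+gppongmhjkpfnbhagpmjfkannfbllamg
+hafdlehgocfcodbgjnpecfajgkeejnaa
+hmhgeddbohgjknpmjagkdomcpobmllji
+iahamcpedabephpcgkeikbclmaljebjp
+iahnhfdhidomcpggpaimmmahffihkfnj
+iiglodndmmefofehaibmaignglbpdald
+jafmfknfnkoekkdocjiaipcnmkklaajd
+jdkknkkbebbapilgoeccciglkfbmbnfm
+jgbbilmfbammlbbhmmgaagdkbkepnijn
+jifpbeccnghkjeaalbbjmodiffmgedin
+jknemblkbdhdcpllfgbfekkdciegfboi
+jmbmjnojfkcohdpkpjmeeijckfbebbon
+kajfghlhfkcocafkcjlajldicbikpgnp
+kejbdjndbnbjgmefkgdddjlbokphdefk
+lkfkkhfhhdkiemehlpkgjeojomhpccnh
+lkmofgnohbedopheiphabfhfjgkhfcgf
+lmhkpmbekcpmknklioeibfkpmmfibljd
+mbnbehikldjhnfehhnaidhjhoofhpehk
+mdnleldcmiljblolnjhpnblkcekpdkpa
+nbhcbdghjpllgmfilhnhkllmkecfmpld
+nnpljppamoaalgkieeciijbcccohlpoh
+oebpmncolmhiapingjaagmapififiakb
+oelggcmknbjmhkpgjfhakedcfnkgbdpg
+okpjlejfhacmgjkmknjhadmkdbcldfcb
+piekbefgpgdecckjcpffhnacjflfoddg
+pnhplgjpclknigjpccbcnmicgcieojbh
+ppmmlchacdbknfphdeafcbmklcghghmd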
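--- /dev/null
+++ b/CacheFlow/network.txt
@@ -0,0 +1,39 @@
+abuse-extensions[.]com
+ampliacion[.]xyz
+a.xfreeservice[.]com
+b.xfreeservice[.]com
+c.xfreeservice[.]com
+browser-stat[.]com
+check-stat[.]com
+check4.scamprotection[.]net
+connecting-to-the[.]net
+cornewus[.]com
+downloader-ig[.]com
+exstats[.]com
+ext-feedback[.]com
+extstatistics[.]com
+figures-analysis[.]com
+huffily.mydiaconal[.]com
+jastats[.]com
+jokopinter[.]com
+limbo-urg[.]com
+mydiaconal[.]com
+notification-stat[.]com
+orgun.johnoil[.]com
+outstole.my-sins[.]com
+peta-line[.]com
+root.s-i-z[.]com
+s3.amazonaws[.]com/directcdn/j6dle93f17c30.js
+s3.amazonaws[.]com/wwwjs/ga9anf7c53390.js
+s3.amazonaws[.]com/wwwjs/hc8e0ccd7266c.js
+safenewtab[.]com
+script-protection[.]com
+server-status[.]xyz
+servscrpt[.]de
+stats.script-protection[.]com
+statslight[.]com
+ulkon.johnoil[.]com
+user-experience[.]space
+user-feedbacks[.]com
+user.ampliacion[.]xyz
+xf.gdprvalidate[.]de/partner/8otb939m/index.php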
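--- /dev/null
+++ b/CacheFlow/samples.md5
@@ -0,0 +1,6 @@
+0e75e132c2d625c3c96905ed39820900
+0ad35814955ff9d8ef57c8f18d79673b
+b2fce3b027d27324a8dab3d8567d4ac8
+c6ea657aca5a4d51c369d806fae0eb6e
+b317b951ced883da8a1cff68d2a00c7c
+b9131a8791d3e3f31cbd4218bd1079a6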
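--- /dev/null
+++ b/CacheFlow/samples.sha1
@@ -0,0 +1,6 @@
+a4c942142cb4e450891564d0db4498a73df67ba1
+8431b4ca1234b63454a8b83d1b54094312072ea3
+fe99439b248f1e2efd698e3016101a6ba19703a4
+a505109d67ab2cca7e776863d45b3fa817de2c8d
+f509bc59dd4259324fb1f1ebeaa2576952eee4f0
+788c4967071d3f018380610bb9c23b1d5e2bbf22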
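--- /dev/null
+++ b/CacheFlow/samples.sha256
@@ -0,0 +1,6 @@
+2bc86c14609928183bf3d94e1b6f082a07e6ce0e80b1dffc48d3356b6942c051
+bdd2ec1f2e5cc0ba3980f7f96cba5bf795a6e012120db9cab0d8981af3fa7f20
+3dad00763b7f97c27d481242bafa510a89fed19ba60c9487a65fa4e86dcf970d
+4e236104f6e155cfe65179e7646bdb825078a9fea39463498c5b8cd99d409e7a
+ebf6ca39894fc7d0e634bd6747131efbbd0d736e65e68dcc940e3294d3c93df4
+0f99ec8031d482d3cefa979fbd61416558e03a5079f43c2d31aaf4ea20ce28a0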