CacheFlow: Added IoC files
parent
d6c6e7d420
commit
ed51d36205
@ -0,0 +1,104 @@
|
|||
# IoC for CacheFlow
|
||||
|
||||
Malware analysis and more technical information at <https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/>
|
||||
|
||||
### Table of Contents
|
||||
* [Samples (SHA-256)](#samples-sha-256)
|
||||
* [Network indicators](#network-indicators)
|
||||
* [Extension IDs](#extension-ids)
|
||||
|
||||
|
||||
## Samples (SHA-256)
|
||||
#### CacheFlow scripts related files
|
||||
```
|
||||
2bc86c14609928183bf3d94e1b6f082a07e6ce0e80b1dffc48d3356b6942c051 - manifest.json
|
||||
bdd2ec1f2e5cc0ba3980f7f96cba5bf795a6e012120db9cab0d8981af3fa7f20 - background.js
|
||||
3dad00763b7f97c27d481242bafa510a89fed19ba60c9487a65fa4e86dcf970d - jquery.js
|
||||
4e236104f6e155cfe65179e7646bdb825078a9fea39463498c5b8cd99d409e7a - Intermediary Downloader
|
||||
ebf6ca39894fc7d0e634bd6747131efbbd0d736e65e68dcc940e3294d3c93df4 - Payload
|
||||
0f99ec8031d482d3cefa979fbd61416558e03a5079f43c2d31aaf4ea20ce28a0 - Injected script
|
||||
```
|
||||
|
||||
## Network indicators
|
||||
#### C&C domains
|
||||
```
|
||||
abuse-extensions[.]com
|
||||
ampliacion[.]xyz
|
||||
a.xfreeservice[.]com
|
||||
b.xfreeservice[.]com
|
||||
c.xfreeservice[.]com
|
||||
browser-stat[.]com
|
||||
check-stat[.]com
|
||||
check4.scamprotection[.]net
|
||||
connecting-to-the[.]net
|
||||
cornewus[.]com
|
||||
downloader-ig[.]com
|
||||
exstats[.]com
|
||||
ext-feedback[.]com
|
||||
extstatistics[.]com
|
||||
figures-analysis[.]com
|
||||
huffily.mydiaconal[.]com
|
||||
jastats[.]com
|
||||
jokopinter[.]com
|
||||
limbo-urg[.]com
|
||||
mydiaconal[.]com
|
||||
notification-stat[.]com
|
||||
orgun.johnoil[.]com
|
||||
outstole.my-sins[.]com
|
||||
peta-line[.]com
|
||||
root.s-i-z[.]com
|
||||
s3.amazonaws[.]com/directcdn/j6dle93f17c30.js
|
||||
s3.amazonaws[.]com/wwwjs/ga9anf7c53390.js
|
||||
s3.amazonaws[.]com/wwwjs/hc8e0ccd7266c.js
|
||||
safenewtab[.]com
|
||||
script-protection[.]com
|
||||
server-status[.]xyz
|
||||
servscrpt[.]de
|
||||
stats.script-protection[.]com
|
||||
statslight[.]com
|
||||
ulkon.johnoil[.]com
|
||||
user-experience[.]space
|
||||
user-feedbacks[.]com
|
||||
user.ampliacion[.]xyz
|
||||
xf.gdprvalidate[.]de/partner/8otb939m/index.php
|
||||
```
|
||||
|
||||
## Extension IDs
|
||||
#### A list of Chrome infected browser extensions with IDs
|
||||
```
|
||||
mdpgppkombninhkfhaggckdmencplhmg - Direct Message for Instagram
|
||||
fgaapohcdolaiaijobecfleiohcfhdfb - DM for Instagram
|
||||
iibnodnghffmdcebaglfgnfkgemcbchf - Invisible mode for Instagram Direct Message
|
||||
olkpikmlhoaojbbmmpejnimiglejmboe - Downloader for Instagram
|
||||
bhfoemlllidnfefgkeaeocnageepbael - App Phone for Instagram
|
||||
nilbfjdbacfdodpbdondbbkmoigehodg - Stories for Instagram
|
||||
eikbfklcjampfnmclhjeifbmfkpkfpbn - Universal Video Downloader
|
||||
pfnmibjifkhhblmdmaocfohebdpfppkf - Video Downloader for FaceBook™
|
||||
cgpbghdbejagejmciefmekcklikpoeel - Vimeo™ Video Downloader
|
||||
klejifgmmnkgejbhgmpgajemhlnijlib - Zoomer for Instagram and FaceBook
|
||||
ceoldlgkhdbnnmojajjgfapagjccblib - VK UnBlock. Works fast.
|
||||
mnafnfdagggclnaggnjajohakfbppaih - Odnoklassniki UnBlock. Works quickly.
|
||||
oknpgmaeedlbdichgaghebhiknmghffa - Upload photo to Instagram™
|
||||
pcaaejaejpolbbchlmbdjfiggojefllp - Spotify Music Downloader
|
||||
lmcajpniijhhhpcnhleibgiehhicjlnk - The New York Times News
|
||||
lgjogljbnbfjcaigalbhiagkboajmkkj - FORBES
|
||||
akdbogfpgohikflhccclloneidjkogog - Скачать фото и видео из Instagram
|
||||
```
|
||||
|
||||
#### A list of Edge infected browser extensions with IDs
|
||||
```
|
||||
lnocaphbapmclliacmbbggnfnjojbjgf - Direct Message for Instagram™
|
||||
bhcpgfhiobcpokfpdahijhnipenkplji - Instagram Download Video & Image
|
||||
dambkkeeabmnhelekdekfmabnckghdih - App Phone for Instagram
|
||||
dgjmdlifhbljhmgkjbojeejmeeplapej - Universal Video Downloader
|
||||
emechknidkghbpiodihlodkhnljplpjm - Video Downloader for FaceBook™
|
||||
hajlccgbgjdcjaommiffaphjdndpjcio - Vimeo™ Video Downloader
|
||||
dljdbmkffjijepjnkonndbdiakjfdcic - Volume Controller
|
||||
cjmpdadldchjmljhkigoeejegmghaabp - Stories for Instagram
|
||||
jlkfgpiicpnlbmmmpkpdjkkdolgomhmb - Upload photo to Instagram™
|
||||
njdkgjbjmdceaibhngelkkloceihelle - Pretty Kitty, The Cat Pet
|
||||
phoehhafolaebdpimmbmlofmeibdkckp - Video Downloader for YouTube
|
||||
pccfaccnfkjmdlkollpiaialndbieibj - SoundCloud Music Downloader
|
||||
fbhbpnjkpcdmcgcpfilooccjgemlkinn - Instagram App with Direct Message DM
|
||||
aemaecahdckfllfldhgimjhdgiaahean - Downloader for Instagram
|
||||
```
|
|
@ -0,0 +1,45 @@
|
|||
import base64
|
||||
import sys
|
||||
|
||||
def strrevsstr(ciphertext: str) -> str:
|
||||
if len(ciphertext) % 4 != 0:
|
||||
ciphertext = ciphertext + (4 - (len(ciphertext) % 4)) * '='
|
||||
ciphertext = ciphertext.replace('-', '+').replace('_', '/')
|
||||
ciphertext = base64.b64decode(ciphertext)
|
||||
|
||||
f = int(ciphertext[0:2], 16)
|
||||
f2 = int(ciphertext[2:3], 16)
|
||||
|
||||
for i in range (3, len(ciphertext)):
|
||||
if ciphertext[i] < ord('0') or ciphertext[i] > ord('9'):
|
||||
first_non_digit_index = i
|
||||
break
|
||||
|
||||
length = int(ciphertext[3:first_non_digit_index])
|
||||
ciphertext = ciphertext[first_non_digit_index+1:]
|
||||
|
||||
if length != len(ciphertext):
|
||||
print("[.] Warning: length mismatch %d != %d" % (length, len(ciphertext)))
|
||||
print("[.] Possibly truncated ciphertext")
|
||||
|
||||
e = f
|
||||
plaintext = ""
|
||||
for i, c in enumerate(ciphertext):
|
||||
b = c ^ e
|
||||
if i > f2:
|
||||
b ^= ciphertext[i - f2]
|
||||
e = c ^ f
|
||||
plaintext += chr(b)
|
||||
|
||||
return plaintext
|
||||
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
if len(sys.argv) != 2:
|
||||
print("[!] Wrong number of parameters. Expected ciphertext.")
|
||||
exit(1)
|
||||
|
||||
ct = sys.argv[1]
|
||||
|
||||
print(strrevsstr(ct))
|
|
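Review bot: `first_non_digit_index` is bound only on the `break` branch of the `for i in range(3, len(ciphertext))` loop, so a decoded header that contains no non-digit byte after offset 3 fails at `length = int(ciphertext[3:first_non_digit_index])` with an UnboundLocalError instead of a readable error; a `for`/`else` clause closes that gap: `else:` / `raise ValueError("[!] No length terminator found in ciphertext header")`. The two "length mismatch" warnings and the usage message are printed to stdout alongside the decoded plaintext, which makes the output awkward to pipe into other tooling — `print(..., file=sys.stderr)` on those lines keeps diagnostics separate. In the `__main__` block, `exit(1)` depends on the `site` module's helper; `sys.exit(1)` is the portable form and `sys` is already imported. `plaintext += chr(b)` maps every XOR-decoded byte straight to a code point, so any byte above 0x7F comes out as Latin-1 rather than the original encoding; if the decoded strings are expected to be UTF-8, collecting into a `bytearray` and calling `.decode("utf-8", "replace")` once at the end — or at least a comment stating the Latin-1 assumption — would help the next reader.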
@ -0,0 +1,55 @@
|
|||
A list of NON-malicious extensions used for detecting tech-savvy users.
|
||||
--------------------------------
|
||||
|
||||
aejoelaoggembcahagimdiliamlcdmfm
|
||||
aimiinbnnkboelefkjlenlgimcabobli
|
||||
ajkomeiemllejmopbbjjngpmmikfedad
|
||||
akdgnmcogleenhbclghghlkkdndkjdjc
|
||||
aomidfkchockcldhbkggjokdkkebmdll
|
||||
bblbgcheenepgnnajgfpiicnbbdmmooh
|
||||
bcjindcccaagfpapjjmafapmmgkkhgoa
|
||||
bfbameneiokkgbdmiekhjnmfkcnldhhm
|
||||
bhlhnicpbhignbdhedgjhgdocnmhomnp
|
||||
bkbeeeffjjeopflfhgeknacdieedcoml
|
||||
blfngdefapoapkcdibbdkigpeaffgcil
|
||||
chklaanhfefbnpoihckbnefhakgolnmc
|
||||
cidlcjdalomndpeagkjpnefhljffbnlo
|
||||
clngdbkpkpeebahjckkjfobafhncgmne
|
||||
cppjkneekbjaeellbfkmgnhonkkjfpdn
|
||||
deeboegbjcnfgidliakhpoapnpomphji
|
||||
dfogidghaigoomjdeacndafapdijmiid
|
||||
fdgfkebogiimcoedlicjlajpkdmockpc
|
||||
fmkadmapgofadopljbjfkapdkoienihi
|
||||
fnbdnhhicmebfgdgglcdacdapkcihcoh
|
||||
fngmhnnpilhplaeedifhccceomclgfbg
|
||||
fpkknkljclfencbdbgkenhalefipecmb
|
||||
gbammbheopgpmaagmckhpjbfgdfkpadb
|
||||
gcbommkclmclpchllfjekcdonpmejbdp
|
||||
ggfgijbpiheegefliciemofobhmofgce
|
||||
gppongmhjkpfnbhagpmjfkannfbllamg
|
||||
hafdlehgocfcodbgjnpecfajgkeejnaa
|
||||
hmhgeddbohgjknpmjagkdomcpobmllji
|
||||
iahamcpedabephpcgkeikbclmaljebjp
|
||||
iahnhfdhidomcpggpaimmmahffihkfnj
|
||||
iiglodndmmefofehaibmaignglbpdald
|
||||
jafmfknfnkoekkdocjiaipcnmkklaajd
|
||||
jdkknkkbebbapilgoeccciglkfbmbnfm
|
||||
jgbbilmfbammlbbhmmgaagdkbkepnijn
|
||||
jifpbeccnghkjeaalbbjmodiffmgedin
|
||||
jknemblkbdhdcpllfgbfekkdciegfboi
|
||||
jmbmjnojfkcohdpkpjmeeijckfbebbon
|
||||
kajfghlhfkcocafkcjlajldicbikpgnp
|
||||
kejbdjndbnbjgmefkgdddjlbokphdefk
|
||||
lkfkkhfhhdkiemehlpkgjeojomhpccnh
|
||||
lkmofgnohbedopheiphabfhfjgkhfcgf
|
||||
lmhkpmbekcpmknklioeibfkpmmfibljd
|
||||
mbnbehikldjhnfehhnaidhjhoofhpehk
|
||||
mdnleldcmiljblolnjhpnblkcekpdkpa
|
||||
nbhcbdghjpllgmfilhnhkllmkecfmpld
|
||||
nnpljppamoaalgkieeciijbcccohlpoh
|
||||
oebpmncolmhiapingjaagmapififiakb
|
||||
oelggcmknbjmhkpgjfhakedcfnkgbdpg
|
||||
okpjlejfhacmgjkmknjhadmkdbcldfcb
|
||||
piekbefgpgdecckjcpffhnacjflfoddg
|
||||
pnhplgjpclknigjpccbcnmicgcieojbh
|
||||
ppmmlchacdbknfphdeafcbmklcghghmd
|
|
@ -0,0 +1,39 @@
|
|||
abuse-extensions[.]com
|
||||
ampliacion[.]xyz
|
||||
a.xfreeservice[.]com
|
||||
b.xfreeservice[.]com
|
||||
c.xfreeservice[.]com
|
||||
browser-stat[.]com
|
||||
check-stat[.]com
|
||||
check4.scamprotection[.]net
|
||||
connecting-to-the[.]net
|
||||
cornewus[.]com
|
||||
downloader-ig[.]com
|
||||
exstats[.]com
|
||||
ext-feedback[.]com
|
||||
extstatistics[.]com
|
||||
figures-analysis[.]com
|
||||
huffily.mydiaconal[.]com
|
||||
jastats[.]com
|
||||
jokopinter[.]com
|
||||
limbo-urg[.]com
|
||||
mydiaconal[.]com
|
||||
notification-stat[.]com
|
||||
orgun.johnoil[.]com
|
||||
outstole.my-sins[.]com
|
||||
peta-line[.]com
|
||||
root.s-i-z[.]com
|
||||
s3.amazonaws[.]com/directcdn/j6dle93f17c30.js
|
||||
s3.amazonaws[.]com/wwwjs/ga9anf7c53390.js
|
||||
s3.amazonaws[.]com/wwwjs/hc8e0ccd7266c.js
|
||||
safenewtab[.]com
|
||||
script-protection[.]com
|
||||
server-status[.]xyz
|
||||
servscrpt[.]de
|
||||
stats.script-protection[.]com
|
||||
statslight[.]com
|
||||
ulkon.johnoil[.]com
|
||||
user-experience[.]space
|
||||
user-feedbacks[.]com
|
||||
user.ampliacion[.]xyz
|
||||
xf.gdprvalidate[.]de/partner/8otb939m/index.php
|
|
@ -0,0 +1,6 @@
|
|||
0e75e132c2d625c3c96905ed39820900
|
||||
0ad35814955ff9d8ef57c8f18d79673b
|
||||
b2fce3b027d27324a8dab3d8567d4ac8
|
||||
c6ea657aca5a4d51c369d806fae0eb6e
|
||||
b317b951ced883da8a1cff68d2a00c7c
|
||||
b9131a8791d3e3f31cbd4218bd1079a6
|
|
@ -0,0 +1,6 @@
|
|||
a4c942142cb4e450891564d0db4498a73df67ba1
|
||||
8431b4ca1234b63454a8b83d1b54094312072ea3
|
||||
fe99439b248f1e2efd698e3016101a6ba19703a4
|
||||
a505109d67ab2cca7e776863d45b3fa817de2c8d
|
||||
f509bc59dd4259324fb1f1ebeaa2576952eee4f0
|
||||
788c4967071d3f018380610bb9c23b1d5e2bbf22
|
|
@ -0,0 +1,6 @@
|
|||
2bc86c14609928183bf3d94e1b6f082a07e6ce0e80b1dffc48d3356b6942c051
|
||||
bdd2ec1f2e5cc0ba3980f7f96cba5bf795a6e012120db9cab0d8981af3fa7f20
|
||||
3dad00763b7f97c27d481242bafa510a89fed19ba60c9487a65fa4e86dcf970d
|
||||
4e236104f6e155cfe65179e7646bdb825078a9fea39463498c5b8cd99d409e7a
|
||||
ebf6ca39894fc7d0e634bd6747131efbbd0d736e65e68dcc940e3294d3c93df4
|
||||
0f99ec8031d482d3cefa979fbd61416558e03a5079f43c2d31aaf4ea20ce28a0
|