CacheFlow: Added IoC files

2021-02-02 15:58:05 +01:00 · 2021-02-02 15:58:05 +01:00 · ed51d36205
parent d6c6e7d420
commit ed51d36205
7 changed files with 261 additions and 0 deletions
--- a/CacheFlow/README.md
+++ b/CacheFlow/README.md
@ -0,0 +1,104 @@
+# IoC for CacheFlow
+
+Malware analysis and more technical information at <https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/> 
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [Network indicators](#network-indicators)
+* [Extension IDs](#extension-ids)
+
+
+## Samples (SHA-256)
+#### CacheFlow scripts related files
+```
+2bc86c14609928183bf3d94e1b6f082a07e6ce0e80b1dffc48d3356b6942c051 - manifest.json
+bdd2ec1f2e5cc0ba3980f7f96cba5bf795a6e012120db9cab0d8981af3fa7f20 - background.js
+3dad00763b7f97c27d481242bafa510a89fed19ba60c9487a65fa4e86dcf970d - jquery.js
+4e236104f6e155cfe65179e7646bdb825078a9fea39463498c5b8cd99d409e7a - Intermediary Downloader
+ebf6ca39894fc7d0e634bd6747131efbbd0d736e65e68dcc940e3294d3c93df4 - Payload
+0f99ec8031d482d3cefa979fbd61416558e03a5079f43c2d31aaf4ea20ce28a0 - Injected script
+```
+
+## Network indicators
+#### C&C domains
+```
+abuse-extensions[.]com
+ampliacion[.]xyz
+a.xfreeservice[.]com
+b.xfreeservice[.]com
+c.xfreeservice[.]com
+browser-stat[.]com
+check-stat[.]com
+check4.scamprotection[.]net
+connecting-to-the[.]net
+cornewus[.]com
+downloader-ig[.]com
+exstats[.]com
+ext-feedback[.]com
+extstatistics[.]com
+figures-analysis[.]com
+huffily.mydiaconal[.]com
+jastats[.]com
+jokopinter[.]com
+limbo-urg[.]com
+mydiaconal[.]com
+notification-stat[.]com
+orgun.johnoil[.]com
+outstole.my-sins[.]com
+peta-line[.]com
+root.s-i-z[.]com
+s3.amazonaws[.]com/directcdn/j6dle93f17c30.js
+s3.amazonaws[.]com/wwwjs/ga9anf7c53390.js
+s3.amazonaws[.]com/wwwjs/hc8e0ccd7266c.js
+safenewtab[.]com
+script-protection[.]com
+server-status[.]xyz
+servscrpt[.]de
+stats.script-protection[.]com
+statslight[.]com
+ulkon.johnoil[.]com
+user-experience[.]space
+user-feedbacks[.]com
+user.ampliacion[.]xyz
+xf.gdprvalidate[.]de/partner/8otb939m/index.php
+```
+
+## Extension IDs
+#### A list of Chrome infected browser extensions with IDs
+```
+mdpgppkombninhkfhaggckdmencplhmg - Direct Message for Instagram
+fgaapohcdolaiaijobecfleiohcfhdfb - DM for Instagram
+iibnodnghffmdcebaglfgnfkgemcbchf - Invisible mode for Instagram Direct Message
+olkpikmlhoaojbbmmpejnimiglejmboe - Downloader for Instagram
+bhfoemlllidnfefgkeaeocnageepbael - App Phone for Instagram
+nilbfjdbacfdodpbdondbbkmoigehodg - Stories for Instagram
+eikbfklcjampfnmclhjeifbmfkpkfpbn - Universal Video Downloader
+pfnmibjifkhhblmdmaocfohebdpfppkf - Video Downloader for FaceBook™
+cgpbghdbejagejmciefmekcklikpoeel - Vimeo™ Video Downloader
+klejifgmmnkgejbhgmpgajemhlnijlib - Zoomer for Instagram and FaceBook
+ceoldlgkhdbnnmojajjgfapagjccblib - VK UnBlock. Works fast.
+mnafnfdagggclnaggnjajohakfbppaih - Odnoklassniki UnBlock. Works quickly.
+oknpgmaeedlbdichgaghebhiknmghffa - Upload photo to Instagram™
+pcaaejaejpolbbchlmbdjfiggojefllp - Spotify Music Downloader
+lmcajpniijhhhpcnhleibgiehhicjlnk - The New York Times News
+lgjogljbnbfjcaigalbhiagkboajmkkj - FORBES
+akdbogfpgohikflhccclloneidjkogog - Скачать фото и видео из Instagram
+```
+
+#### A list of Edge infected browser extensions with IDs
+```
+lnocaphbapmclliacmbbggnfnjojbjgf - Direct Message for Instagram™
+bhcpgfhiobcpokfpdahijhnipenkplji - Instagram Download Video & Image
+dambkkeeabmnhelekdekfmabnckghdih - App Phone for Instagram
+dgjmdlifhbljhmgkjbojeejmeeplapej - Universal Video Downloader
+emechknidkghbpiodihlodkhnljplpjm - Video Downloader for FaceBook™
+hajlccgbgjdcjaommiffaphjdndpjcio - Vimeo™ Video Downloader
+dljdbmkffjijepjnkonndbdiakjfdcic - Volume Controller
+cjmpdadldchjmljhkigoeejegmghaabp - Stories for Instagram
+jlkfgpiicpnlbmmmpkpdjkkdolgomhmb - Upload photo to Instagram™
+njdkgjbjmdceaibhngelkkloceihelle - Pretty Kitty, The Cat Pet
+phoehhafolaebdpimmbmlofmeibdkckp - Video Downloader for YouTube
+pccfaccnfkjmdlkollpiaialndbieibj - SoundCloud Music Downloader
+fbhbpnjkpcdmcgcpfilooccjgemlkinn - Instagram App with Direct Message DM
+aemaecahdckfllfldhgimjhdgiaahean - Downloader for Instagram
+```
--- a/CacheFlow/extras/decryptor_strrevsstr.py
+++ b/CacheFlow/extras/decryptor_strrevsstr.py
@ -0,0 +1,45 @@
+import base64
+import sys
+
+def strrevsstr(ciphertext: str) -> str:
+	if len(ciphertext) % 4 != 0:
+		ciphertext = ciphertext + (4 - (len(ciphertext) % 4)) * '='
+	ciphertext = ciphertext.replace('-', '+').replace('_', '/')
+	ciphertext = base64.b64decode(ciphertext)
+
+	f = int(ciphertext[0:2], 16)
+	f2 = int(ciphertext[2:3], 16)
+
+	for i in range (3, len(ciphertext)):
+		if ciphertext[i] < ord('0') or ciphertext[i] > ord('9'):
+			first_non_digit_index = i
+			break
+
+	length = int(ciphertext[3:first_non_digit_index])
+	ciphertext = ciphertext[first_non_digit_index+1:]
+
+	if length != len(ciphertext):
+		print("[.] Warning: length mismatch %d != %d" % (length, len(ciphertext)))
+		print("[.] Possibly truncated ciphertext")
+
+	e = f
+	plaintext = ""
+	for i, c in enumerate(ciphertext):
+		b = c ^ e
+		if i > f2:
+			b ^= ciphertext[i - f2]
+		e = c ^ f
+		plaintext += chr(b)
+
+	return plaintext
+
+
+
+if __name__ == "__main__":
+	if len(sys.argv) != 2:
+		print("[!] Wrong number of parameters. Expected ciphertext.")
+		exit(1)
+
+	ct = sys.argv[1]
+
+	print(strrevsstr(ct))
--- a/CacheFlow/extras/developer_extensions.txt
+++ b/CacheFlow/extras/developer_extensions.txt
@ -0,0 +1,55 @@
+A list of NON-malicious extensions used for detecting tech-savvy users.
+--------------------------------
+
+aejoelaoggembcahagimdiliamlcdmfm
+aimiinbnnkboelefkjlenlgimcabobli
+ajkomeiemllejmopbbjjngpmmikfedad
+akdgnmcogleenhbclghghlkkdndkjdjc
+aomidfkchockcldhbkggjokdkkebmdll
+bblbgcheenepgnnajgfpiicnbbdmmooh
+bcjindcccaagfpapjjmafapmmgkkhgoa
+bfbameneiokkgbdmiekhjnmfkcnldhhm
+bhlhnicpbhignbdhedgjhgdocnmhomnp
+bkbeeeffjjeopflfhgeknacdieedcoml
+blfngdefapoapkcdibbdkigpeaffgcil
+chklaanhfefbnpoihckbnefhakgolnmc
+cidlcjdalomndpeagkjpnefhljffbnlo
+clngdbkpkpeebahjckkjfobafhncgmne
+cppjkneekbjaeellbfkmgnhonkkjfpdn
+deeboegbjcnfgidliakhpoapnpomphji
+dfogidghaigoomjdeacndafapdijmiid
+fdgfkebogiimcoedlicjlajpkdmockpc
+fmkadmapgofadopljbjfkapdkoienihi
+fnbdnhhicmebfgdgglcdacdapkcihcoh
+fngmhnnpilhplaeedifhccceomclgfbg
+fpkknkljclfencbdbgkenhalefipecmb
+gbammbheopgpmaagmckhpjbfgdfkpadb
+gcbommkclmclpchllfjekcdonpmejbdp
+ggfgijbpiheegefliciemofobhmofgce
+gppongmhjkpfnbhagpmjfkannfbllamg
+hafdlehgocfcodbgjnpecfajgkeejnaa
+hmhgeddbohgjknpmjagkdomcpobmllji
+iahamcpedabephpcgkeikbclmaljebjp
+iahnhfdhidomcpggpaimmmahffihkfnj
+iiglodndmmefofehaibmaignglbpdald
+jafmfknfnkoekkdocjiaipcnmkklaajd
+jdkknkkbebbapilgoeccciglkfbmbnfm
+jgbbilmfbammlbbhmmgaagdkbkepnijn
+jifpbeccnghkjeaalbbjmodiffmgedin
+jknemblkbdhdcpllfgbfekkdciegfboi
+jmbmjnojfkcohdpkpjmeeijckfbebbon
+kajfghlhfkcocafkcjlajldicbikpgnp
+kejbdjndbnbjgmefkgdddjlbokphdefk
+lkfkkhfhhdkiemehlpkgjeojomhpccnh
+lkmofgnohbedopheiphabfhfjgkhfcgf
+lmhkpmbekcpmknklioeibfkpmmfibljd
+mbnbehikldjhnfehhnaidhjhoofhpehk
+mdnleldcmiljblolnjhpnblkcekpdkpa
+nbhcbdghjpllgmfilhnhkllmkecfmpld
+nnpljppamoaalgkieeciijbcccohlpoh
+oebpmncolmhiapingjaagmapififiakb
+oelggcmknbjmhkpgjfhakedcfnkgbdpg
+okpjlejfhacmgjkmknjhadmkdbcldfcb
+piekbefgpgdecckjcpffhnacjflfoddg
+pnhplgjpclknigjpccbcnmicgcieojbh
+ppmmlchacdbknfphdeafcbmklcghghmd
--- a/CacheFlow/network.txt
+++ b/CacheFlow/network.txt
@ -0,0 +1,39 @@
+abuse-extensions[.]com
+ampliacion[.]xyz
+a.xfreeservice[.]com
+b.xfreeservice[.]com
+c.xfreeservice[.]com
+browser-stat[.]com
+check-stat[.]com
+check4.scamprotection[.]net
+connecting-to-the[.]net
+cornewus[.]com
+downloader-ig[.]com
+exstats[.]com
+ext-feedback[.]com
+extstatistics[.]com
+figures-analysis[.]com
+huffily.mydiaconal[.]com
+jastats[.]com
+jokopinter[.]com
+limbo-urg[.]com
+mydiaconal[.]com
+notification-stat[.]com
+orgun.johnoil[.]com
+outstole.my-sins[.]com
+peta-line[.]com
+root.s-i-z[.]com
+s3.amazonaws[.]com/directcdn/j6dle93f17c30.js
+s3.amazonaws[.]com/wwwjs/ga9anf7c53390.js
+s3.amazonaws[.]com/wwwjs/hc8e0ccd7266c.js
+safenewtab[.]com
+script-protection[.]com
+server-status[.]xyz
+servscrpt[.]de
+stats.script-protection[.]com
+statslight[.]com
+ulkon.johnoil[.]com
+user-experience[.]space
+user-feedbacks[.]com
+user.ampliacion[.]xyz
+xf.gdprvalidate[.]de/partner/8otb939m/index.php
--- a/CacheFlow/samples.md5
+++ b/CacheFlow/samples.md5
@ -0,0 +1,6 @@
+0e75e132c2d625c3c96905ed39820900
+0ad35814955ff9d8ef57c8f18d79673b
+b2fce3b027d27324a8dab3d8567d4ac8
+c6ea657aca5a4d51c369d806fae0eb6e
+b317b951ced883da8a1cff68d2a00c7c
+b9131a8791d3e3f31cbd4218bd1079a6
--- a/CacheFlow/samples.sha1
+++ b/CacheFlow/samples.sha1
@ -0,0 +1,6 @@
+a4c942142cb4e450891564d0db4498a73df67ba1
+8431b4ca1234b63454a8b83d1b54094312072ea3
+fe99439b248f1e2efd698e3016101a6ba19703a4
+a505109d67ab2cca7e776863d45b3fa817de2c8d
+f509bc59dd4259324fb1f1ebeaa2576952eee4f0
+788c4967071d3f018380610bb9c23b1d5e2bbf22
--- a/CacheFlow/samples.sha256
+++ b/CacheFlow/samples.sha256
@ -0,0 +1,6 @@
+2bc86c14609928183bf3d94e1b6f082a07e6ce0e80b1dffc48d3356b6942c051
+bdd2ec1f2e5cc0ba3980f7f96cba5bf795a6e012120db9cab0d8981af3fa7f20
+3dad00763b7f97c27d481242bafa510a89fed19ba60c9487a65fa4e86dcf970d
+4e236104f6e155cfe65179e7646bdb825078a9fea39463498c5b8cd99d409e7a
+ebf6ca39894fc7d0e634bd6747131efbbd0d736e65e68dcc940e3294d3c93df4
+0f99ec8031d482d3cefa979fbd61416558e03a5079f43c2d31aaf4ea20ce28a0