diff --git a/CacheFlow/README.md b/CacheFlow/README.md
new file mode 100644
index 0000000..782be13
--- /dev/null
+++ b/CacheFlow/README.md
@@ -0,0 +1,104 @@
+# IoC for CacheFlow
+
+Malware analysis and more technical information at
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [Network indicators](#network-indicators)
+* [Extension IDs](#extension-ids)
+
+
+## Samples (SHA-256)
+#### CacheFlow scripts related files
+```
+2bc86c14609928183bf3d94e1b6f082a07e6ce0e80b1dffc48d3356b6942c051 - manifest.json
+bdd2ec1f2e5cc0ba3980f7f96cba5bf795a6e012120db9cab0d8981af3fa7f20 - background.js
+3dad00763b7f97c27d481242bafa510a89fed19ba60c9487a65fa4e86dcf970d - jquery.js
+4e236104f6e155cfe65179e7646bdb825078a9fea39463498c5b8cd99d409e7a - Intermediary Downloader
+ebf6ca39894fc7d0e634bd6747131efbbd0d736e65e68dcc940e3294d3c93df4 - Payload
+0f99ec8031d482d3cefa979fbd61416558e03a5079f43c2d31aaf4ea20ce28a0 - Injected script
+```
+
+## Network indicators
+#### C&C domains
+```
+abuse-extensions[.]com
+ampliacion[.]xyz
+a.xfreeservice[.]com
+b.xfreeservice[.]com
+c.xfreeservice[.]com
+browser-stat[.]com
+check-stat[.]com
+check4.scamprotection[.]net
+connecting-to-the[.]net
+cornewus[.]com
+downloader-ig[.]com
+exstats[.]com
+ext-feedback[.]com
+extstatistics[.]com
+figures-analysis[.]com
+huffily.mydiaconal[.]com
+jastats[.]com
+jokopinter[.]com
+limbo-urg[.]com
+mydiaconal[.]com
+notification-stat[.]com
+orgun.johnoil[.]com
+outstole.my-sins[.]com
+peta-line[.]com
+root.s-i-z[.]com
+s3.amazonaws[.]com/directcdn/j6dle93f17c30.js
+s3.amazonaws[.]com/wwwjs/ga9anf7c53390.js
+s3.amazonaws[.]com/wwwjs/hc8e0ccd7266c.js
+safenewtab[.]com
+script-protection[.]com
+server-status[.]xyz
+servscrpt[.]de
+stats.script-protection[.]com
+statslight[.]com
+ulkon.johnoil[.]com
+user-experience[.]space
+user-feedbacks[.]com
+user.ampliacion[.]xyz
+xf.gdprvalidate[.]de/partner/8otb939m/index.php
+```
+
+## Extension IDs
+#### A list of Chrome infected browser extensions with IDs
+```
+mdpgppkombninhkfhaggckdmencplhmg - Direct Message for Instagram
+fgaapohcdolaiaijobecfleiohcfhdfb - DM for Instagram
+iibnodnghffmdcebaglfgnfkgemcbchf - Invisible mode for Instagram Direct Message
+olkpikmlhoaojbbmmpejnimiglejmboe - Downloader for Instagram
+bhfoemlllidnfefgkeaeocnageepbael - App Phone for Instagram
+nilbfjdbacfdodpbdondbbkmoigehodg - Stories for Instagram
+eikbfklcjampfnmclhjeifbmfkpkfpbn - Universal Video Downloader
+pfnmibjifkhhblmdmaocfohebdpfppkf - Video Downloader for FaceBook™
+cgpbghdbejagejmciefmekcklikpoeel - Vimeo™ Video Downloader
+klejifgmmnkgejbhgmpgajemhlnijlib - Zoomer for Instagram and FaceBook
+ceoldlgkhdbnnmojajjgfapagjccblib - VK UnBlock. Works fast.
+mnafnfdagggclnaggnjajohakfbppaih - Odnoklassniki UnBlock. Works quickly.
+oknpgmaeedlbdichgaghebhiknmghffa - Upload photo to Instagram™
+pcaaejaejpolbbchlmbdjfiggojefllp - Spotify Music Downloader
+lmcajpniijhhhpcnhleibgiehhicjlnk - The New York Times News
+lgjogljbnbfjcaigalbhiagkboajmkkj - FORBES
+akdbogfpgohikflhccclloneidjkogog - Скачать фото и видео из Instagram
+```
+
+#### A list of Edge infected browser extensions with IDs
+```
+lnocaphbapmclliacmbbggnfnjojbjgf - Direct Message for Instagram™
+bhcpgfhiobcpokfpdahijhnipenkplji - Instagram Download Video & Image
+dambkkeeabmnhelekdekfmabnckghdih - App Phone for Instagram
+dgjmdlifhbljhmgkjbojeejmeeplapej - Universal Video Downloader
+emechknidkghbpiodihlodkhnljplpjm - Video Downloader for FaceBook™
+hajlccgbgjdcjaommiffaphjdndpjcio - Vimeo™ Video Downloader
+dljdbmkffjijepjnkonndbdiakjfdcic - Volume Controller
+cjmpdadldchjmljhkigoeejegmghaabp - Stories for Instagram
+jlkfgpiicpnlbmmmpkpdjkkdolgomhmb - Upload photo to Instagram™
+njdkgjbjmdceaibhngelkkloceihelle - Pretty Kitty, The Cat Pet
+phoehhafolaebdpimmbmlofmeibdkckp - Video Downloader for YouTube
+pccfaccnfkjmdlkollpiaialndbieibj - SoundCloud Music Downloader
+fbhbpnjkpcdmcgcpfilooccjgemlkinn - Instagram App with Direct Message DM
+aemaecahdckfllfldhgimjhdgiaahean - Downloader for Instagram
+```
diff --git a/CacheFlow/extras/decryptor_strrevsstr.py b/CacheFlow/extras/decryptor_strrevsstr.py new file mode 100644 index 0000000..f454f73 --- /dev/null +++ b/CacheFlow/extras/decryptor_strrevsstr.py @@ -0,0 +1,45 @@ +import base64 +import sys + +def strrevsstr(ciphertext: str) -> str: + if len(ciphertext) % 4 != 0: + ciphertext = ciphertext + (4 - (len(ciphertext) % 4)) * '=' + ciphertext = ciphertext.replace('-', '+').replace('_', '/') + ciphertext = base64.b64decode(ciphertext) + + f = int(ciphertext[0:2], 16) + f2 = int(ciphertext[2:3], 16) + + for i in range (3, len(ciphertext)): + if ciphertext[i] < ord('0') or ciphertext[i] > ord('9'): + first_non_digit_index = i + break + + length = int(ciphertext[3:first_non_digit_index]) + ciphertext = ciphertext[first_non_digit_index+1:] + + if length != len(ciphertext): + print("[.] Warning: length mismatch %d != %d" % (length, len(ciphertext))) + print("[.] Possibly truncated ciphertext") + + e = f + plaintext = "" + for i, c in enumerate(ciphertext): + b = c ^ e + if i > f2: + b ^= ciphertext[i - f2] + e = c ^ f + plaintext += chr(b) + + return plaintext + + + +if __name__ == "__main__": + if len(sys.argv) != 2: + print("[!] Wrong number of parameters. Expected ciphertext.") + exit(1) + + ct = sys.argv[1] + + print(strrevsstr(ct)) \ No newline at end of file diff --git a/CacheFlow/extras/developer_extensions.txt b/CacheFlow/extras/developer_extensions.txt new file mode 100644 index 0000000..dd9af8c --- /dev/null +++ b/CacheFlow/extras/developer_extensions.txt 
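Review bot: `first_non_digit_index` is assigned only inside the `break` branch of the scanning loop in `strrevsstr`, so a decoded buffer whose digit run continues to the end (or one shorter than four bytes) fails with `UnboundLocalError` rather than a meaningful rejection of malformed input; attaching an `else:` clause to that `for`, `else: raise ValueError("length field is not terminated")`, makes the failure explicit. The `__main__` block calls the `site`-provided `exit(1)` although `sys` is already imported; `sys.exit(1)` is the form that also works under `python -S`. The decode loop accumulates with `plaintext += chr(b)`; collecting the characters in a list and finishing with `"".join(...)` is the idiomatic form and avoids quadratic behaviour on long inputs. A short docstring stating what the function consumes — URL-safe base64 whose decoded bytes hold two hex digits, one hex digit, a decimal length terminated by one separator byte, then the body that is XOR-decoded — would make the helper self-describing for the next analyst.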
@@ -0,0 +1,55 @@
+A list of NON-malicious extensions used for detecting tech-savvy users.
+--------------------------------
+
+aejoelaoggembcahagimdiliamlcdmfm
+aimiinbnnkboelefkjlenlgimcabobli
+ajkomeiemllejmopbbjjngpmmikfedad
+akdgnmcogleenhbclghghlkkdndkjdjc
+aomidfkchockcldhbkggjokdkkebmdll
+bblbgcheenepgnnajgfpiicnbbdmmooh
+bcjindcccaagfpapjjmafapmmgkkhgoa
+bfbameneiokkgbdmiekhjnmfkcnldhhm
+bhlhnicpbhignbdhedgjhgdocnmhomnp
+bkbeeeffjjeopflfhgeknacdieedcoml
+blfngdefapoapkcdibbdkigpeaffgcil
+chklaanhfefbnpoihckbnefhakgolnmc
+cidlcjdalomndpeagkjpnefhljffbnlo
+clngdbkpkpeebahjckkjfobafhncgmne
+cppjkneekbjaeellbfkmgnhonkkjfpdn
+deeboegbjcnfgidliakhpoapnpomphji
+dfogidghaigoomjdeacndafapdijmiid
+fdgfkebogiimcoedlicjlajpkdmockpc
+fmkadmapgofadopljbjfkapdkoienihi
+fnbdnhhicmebfgdgglcdacdapkcihcoh
+fngmhnnpilhplaeedifhccceomclgfbg
+fpkknkljclfencbdbgkenhalefipecmb
+gbammbheopgpmaagmckhpjbfgdfkpadb
+gcbommkclmclpchllfjekcdonpmejbdp
+ggfgijbpiheegefliciemofobhmofgce
+gppongmhjkpfnbhagpmjfkannfbllamg
+hafdlehgocfcodbgjnpecfajgkeejnaa
+hmhgeddbohgjknpmjagkdomcpobmllji
+iahamcpedabephpcgkeikbclmaljebjp
+iahnhfdhidomcpggpaimmmahffihkfnj
+iiglodndmmefofehaibmaignglbpdald
+jafmfknfnkoekkdocjiaipcnmkklaajd
+jdkknkkbebbapilgoeccciglkfbmbnfm
+jgbbilmfbammlbbhmmgaagdkbkepnijn
+jifpbeccnghkjeaalbbjmodiffmgedin
+jknemblkbdhdcpllfgbfekkdciegfboi
+jmbmjnojfkcohdpkpjmeeijckfbebbon
+kajfghlhfkcocafkcjlajldicbikpgnp
+kejbdjndbnbjgmefkgdddjlbokphdefk
+lkfkkhfhhdkiemehlpkgjeojomhpccnh
+lkmofgnohbedopheiphabfhfjgkhfcgf
+lmhkpmbekcpmknklioeibfkpmmfibljd
+mbnbehikldjhnfehhnaidhjhoofhpehk
+mdnleldcmiljblolnjhpnblkcekpdkpa
+nbhcbdghjpllgmfilhnhkllmkecfmpld
+nnpljppamoaalgkieeciijbcccohlpoh
+oebpmncolmhiapingjaagmapififiakb
+oelggcmknbjmhkpgjfhakedcfnkgbdpg
+okpjlejfhacmgjkmknjhadmkdbcldfcb
+piekbefgpgdecckjcpffhnacjflfoddg
+pnhplgjpclknigjpccbcnmicgcieojbh
+ppmmlchacdbknfphdeafcbmklcghghmd
\ No newline at end of file
diff --git a/CacheFlow/network.txt b/CacheFlow/network.txt
new file mode 100644
index 0000000..553b9df
--- /dev/null
+++ b/CacheFlow/network.txt
@@ -0,0 +1,39 @@
+abuse-extensions[.]com
+ampliacion[.]xyz
+a.xfreeservice[.]com
+b.xfreeservice[.]com
+c.xfreeservice[.]com
+browser-stat[.]com
+check-stat[.]com
+check4.scamprotection[.]net
+connecting-to-the[.]net
+cornewus[.]com
+downloader-ig[.]com
+exstats[.]com
+ext-feedback[.]com
+extstatistics[.]com
+figures-analysis[.]com
+huffily.mydiaconal[.]com
+jastats[.]com
+jokopinter[.]com
+limbo-urg[.]com
+mydiaconal[.]com
+notification-stat[.]com
+orgun.johnoil[.]com
+outstole.my-sins[.]com
+peta-line[.]com
+root.s-i-z[.]com
+s3.amazonaws[.]com/directcdn/j6dle93f17c30.js
+s3.amazonaws[.]com/wwwjs/ga9anf7c53390.js
+s3.amazonaws[.]com/wwwjs/hc8e0ccd7266c.js
+safenewtab[.]com
+script-protection[.]com
+server-status[.]xyz
+servscrpt[.]de
+stats.script-protection[.]com
+statslight[.]com
+ulkon.johnoil[.]com
+user-experience[.]space
+user-feedbacks[.]com
+user.ampliacion[.]xyz
+xf.gdprvalidate[.]de/partner/8otb939m/index.php
diff --git a/CacheFlow/samples.md5 b/CacheFlow/samples.md5
new file mode 100644
index 0000000..f27e47a
--- /dev/null
+++ b/CacheFlow/samples.md5
@@ -0,0 +1,6 @@
+0e75e132c2d625c3c96905ed39820900
+0ad35814955ff9d8ef57c8f18d79673b
+b2fce3b027d27324a8dab3d8567d4ac8
+c6ea657aca5a4d51c369d806fae0eb6e
+b317b951ced883da8a1cff68d2a00c7c
+b9131a8791d3e3f31cbd4218bd1079a6
diff --git a/CacheFlow/samples.sha1 b/CacheFlow/samples.sha1
new file mode 100644
index 0000000..ebd8ab9
--- /dev/null
+++ b/CacheFlow/samples.sha1
@@ -0,0 +1,6 @@
+a4c942142cb4e450891564d0db4498a73df67ba1
+8431b4ca1234b63454a8b83d1b54094312072ea3
+fe99439b248f1e2efd698e3016101a6ba19703a4
+a505109d67ab2cca7e776863d45b3fa817de2c8d
+f509bc59dd4259324fb1f1ebeaa2576952eee4f0
+788c4967071d3f018380610bb9c23b1d5e2bbf22
diff --git a/CacheFlow/samples.sha256 b/CacheFlow/samples.sha256
new file mode 100644
index 0000000..1f92d9c
--- /dev/null
+++ b/CacheFlow/samples.sha256
@@ -0,0 +1,6 @@
+2bc86c14609928183bf3d94e1b6f082a07e6ce0e80b1dffc48d3356b6942c051
+bdd2ec1f2e5cc0ba3980f7f96cba5bf795a6e012120db9cab0d8981af3fa7f20
+3dad00763b7f97c27d481242bafa510a89fed19ba60c9487a65fa4e86dcf970d
+4e236104f6e155cfe65179e7646bdb825078a9fea39463498c5b8cd99d409e7a
+ebf6ca39894fc7d0e634bd6747131efbbd0d736e65e68dcc940e3294d3c93df4
+0f99ec8031d482d3cefa979fbd61416558e03a5079f43c2d31aaf4ea20ce28a0