# IoC for CacheFlow

Malware analysis and more technical information at

### Table of Contents

* [Samples (SHA-256)](#samples-sha-256)
* [Network indicators](#network-indicators)
* [Extension IDs](#extension-ids)

## Samples (SHA-256)

#### CacheFlow scripts related files

```
2bc86c14609928183bf3d94e1b6f082a07e6ce0e80b1dffc48d3356b6942c051 - manifest.json
bdd2ec1f2e5cc0ba3980f7f96cba5bf795a6e012120db9cab0d8981af3fa7f20 - background.js
3dad00763b7f97c27d481242bafa510a89fed19ba60c9487a65fa4e86dcf970d - jquery.js
4e236104f6e155cfe65179e7646bdb825078a9fea39463498c5b8cd99d409e7a - Intermediary Downloader
ebf6ca39894fc7d0e634bd6747131efbbd0d736e65e68dcc940e3294d3c93df4 - Payload
0f99ec8031d482d3cefa979fbd61416558e03a5079f43c2d31aaf4ea20ce28a0 - Injected script
```

## Network indicators

#### C&C domains

## Extension IDs

#### A list of Chrome infected browser extensions with IDs

```
mdpgppkombninhkfhaggckdmencplhmg - Direct Message for Instagram
fgaapohcdolaiaijobecfleiohcfhdfb - DM for Instagram
iibnodnghffmdcebaglfgnfkgemcbchf - Invisible mode for Instagram Direct Message
olkpikmlhoaojbbmmpejnimiglejmboe - Downloader for Instagram
bhfoemlllidnfefgkeaeocnageepbael - App Phone for Instagram
nilbfjdbacfdodpbdondbbkmoigehodg - Stories for Instagram
eikbfklcjampfnmclhjeifbmfkpkfpbn - Universal Video Downloader
pfnmibjifkhhblmdmaocfohebdpfppkf - Video Downloader for FaceBook™
cgpbghdbejagejmciefmekcklikpoeel - Vimeo™ Video Downloader
klejifgmmnkgejbhgmpgajemhlnijlib - Zoomer for Instagram and FaceBook
ceoldlgkhdbnnmojajjgfapagjccblib - VK UnBlock. Works fast.
mnafnfdagggclnaggnjajohakfbppaih - Odnoklassniki UnBlock. Works quickly.
oknpgmaeedlbdichgaghebhiknmghffa - Upload photo to Instagram™
pcaaejaejpolbbchlmbdjfiggojefllp - Spotify Music Downloader
lmcajpniijhhhpcnhleibgiehhicjlnk - The New York Times News
lgjogljbnbfjcaigalbhiagkboajmkkj - FORBES
akdbogfpgohikflhccclloneidjkogog - Скачать фото и видео из Instagram
```

#### A list of Edge infected browser extensions with IDs

```
lnocaphbapmclliacmbbggnfnjojbjgf - Direct Message for Instagram™
bhcpgfhiobcpokfpdahijhnipenkplji - Instagram Download Video & Image
dambkkeeabmnhelekdekfmabnckghdih - App Phone for Instagram
dgjmdlifhbljhmgkjbojeejmeeplapej - Universal Video Downloader
emechknidkghbpiodihlodkhnljplpjm - Video Downloader for FaceBook™
hajlccgbgjdcjaommiffaphjdndpjcio - Vimeo™ Video Downloader
dljdbmkffjijepjnkonndbdiakjfdcic - Volume Controller
cjmpdadldchjmljhkigoeejegmghaabp - Stories for Instagram
jlkfgpiicpnlbmmmpkpdjkkdolgomhmb - Upload photo to Instagram™
njdkgjbjmdceaibhngelkkloceihelle - Pretty Kitty, The Cat Pet
phoehhafolaebdpimmbmlofmeibdkckp - Video Downloader for YouTube
pccfaccnfkjmdlkollpiaialndbieibj - SoundCloud Music Downloader
fbhbpnjkpcdmcgcpfilooccjgemlkinn - Instagram App with Direct Message DM
aemaecahdckfllfldhgimjhdgiaahean - Downloader for Instagram
```