Fenrir with Sandworm Centreon IOCs and Strings
Neo23x0 committed Feb 16, 2021
1 parent 6038a09 commit 5d0fa82
Showing 5 changed files with 19 additions and 228 deletions.
125 changes: 1 addition & 124 deletions c2-iocs.txt
@@ -1,125 +1,2 @@
# END
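Review bot: the hunk header `@@ -1,125 +1,2 @@` together with the file summary (1 addition, 124 deletions) shows that the entire previous C2 address list is dropped and the file reduced to two lines, yet the commit title only mentions adding Sandworm Centreon IOCs; state in the commit message why the old addresses were removed (stale, superseded, or moved to another feed) so users who already pulled the previous list know whether to keep it. The `# END` marker is the only visible survivor; since `DO_C2_CHECK=1` stays the default in fenrir.sh, it is worth a quick run to confirm the C2 check behaves with a near-empty list.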
4 changes: 2 additions & 2 deletions fenrir.sh
@@ -27,8 +27,8 @@ SYSLOG_FACILITY=local4
DO_C2_CHECK=1

# Exclusions
MAX_FILE_SIZE=2000 # max file size to check in kilobyte, default 2 MB
CHECK_ONLY_RELEVANT_EXTENSIONS=1
MAX_FILE_SIZE=8000 # max file size to check in kilobyte, default 2 MB
CHECK_ONLY_RELEVANT_EXTENSIONS=1 # ELF binaries get always checked
declare -a RELEVANT_EXTENSIONS=('exe' 'jsp' 'dll' 'txt' 'js' 'vbs' 'bat' 'tmp' 'dat' 'sys' 'php' 'jspx' 'pl' 'war' 'sh' 'asp' 'aspx' 'jspx'); # use lower-case
# files in these directories will be checked with string grep
# regradless of their size and extension
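Review bot: the comment on `MAX_FILE_SIZE=8000 # max file size to check in kilobyte, default 2 MB` is now stale, since 8000 KB is roughly 8 MB; update the comment to match the new value (or say which value is the documented default). Two smaller points in the same region: the added comment `# ELF binaries get always checked` reads better as `# ELF binaries are always checked`, and the unchanged `RELEVANT_EXTENSIONS` array lists `'jspx'` twice, which could be deduplicated while this block is being touched (the context comment also misspells "regardless").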
7 changes: 7 additions & 0 deletions filename-iocs.txt
@@ -1,2 +1,9 @@
demo/evil.jsp
# END - DO NOT REMOVE
/tmp/.applocktx
/tmp/.applock$
/usr/local/centreon/www/search.php
/usr/share/centreon/www/search.php
/usr/share/centreon/www/modules/Discovery/include/DB−Drop.php
/usr/share/centreon/www/htmlHeader.php
/configtx\.json
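Review bot: `/usr/share/centreon/www/modules/Discovery/include/DB−Drop.php` contains a Unicode minus sign (U+2212) between `DB` and `Drop` instead of an ASCII hyphen, a typical artifact of copying paths out of a PDF; a file on disk named with a plain hyphen will never match this entry, so replace the character with `-`. Two further points: `/tmp/.applock$` and `/configtx\.json` use regex syntax (a `$` anchor and an escaped dot) while the other five entries are plain paths, so confirm that the filename check treats entries as regular expressions, otherwise those characters are matched literally and the entries are dead; and, as rendered, all seven new lines sit below the `# END - DO NOT REMOVE` sentinel, so verify that the reader does not stop at that marker, or move the new paths above it.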
99 changes: 2 additions & 97 deletions hash-iocs.txt
@@ -1,98 +1,3 @@
84837778682450cdca43d1397afd2310;PAS Webshell
92ef0aaf5f622b1253e5763f11a08857;Exaramel Malware
# END - DO NOT REMOVE
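Review bot: the two new entries, `84837778682450cdca43d1397afd2310;PAS Webshell` and `92ef0aaf5f622b1253e5763f11a08857;Exaramel Malware`, carry no source in their description field, unlike the removed entries, which cite the report or vendor write-up they were taken from; add the report reference after the family name so the hashes can be re-validated later. As with c2-iocs.txt, the header shows 97 deletions against 2 additions, so the removal of the older hash set deserves a line in the commit message.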
12 changes: 7 additions & 5 deletions string-iocs.txt
@@ -1,6 +1,8 @@
eval request(
bash -i >/dev/tcp/
chmod +x /tmp/
() { :; };
packed with the UPX executable packer
/tmp/.applock
.substr(md5(strrev(
Archive created by P.A.S.
socket(SOCKET, PF_INET, SOCK_STREAM,$tcp) or die print
SQL Dump created by P.A.S.
odhyrfjcnfkdtslt
configtx.json
# END - DO NOT REMOVE - contents passed to grep - double escape square brackets
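Review bot: several new patterns depend on the grep regex semantics that the footer (`contents passed to grep - double escape square brackets`) points out, but leave metacharacters unescaped: the dots in `.substr(md5(strrev(`, `/tmp/.applock` and `configtx.json` match any character, and `$tcp` in `socket(SOCKET, PF_INET, SOCK_STREAM,$tcp) or die print` relies on grep treating a mid-pattern `$` literally. Escape the dots (`\.`) the same way the footer prescribes for square brackets, or state in the footer that loose matching is intended. `odhyrfjcnfkdtslt` has no visible provenance; a reference to where the string was observed would help the next maintainer judge whether to keep it.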