IOCs

WinLogon Shell Persistence

Authored By: 
TomU @c_APT_ure

Description: 

This IOC detects malware that abuses the Winlogon Shell registry value as a persistence mechanism: whatever is listed there is started at logon in place of, or alongside, the desktop shell (the value is a comma-separated list, which is why the third report below keeps Explorer.exe and appends the dropped file). Normally this value is just "explorer.exe". The HKLM value is the system-wide default; an HKCU value, which does not normally exist, overrides it for that user, so both hives need checking.

http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1567958#none
The following registry elements have been changed:
- HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\SHELL = %APPDATA%\07F4HkiN.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\SHELL = %APPDATA%\07F4HkiN.exe

http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=1585881#none
The following registry elements have been changed:
- HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\SHELL = %APPDATA%\5w4yher54uyhw4.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\SHELL = %APPDATA%\5w4yher54uyhw4.exe

http://www.threatexpert.com/report.aspx?md5=0e961bed52b8063945c9d528ad0669ed
The newly created Registry Value is:
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = "Explorer.exe "C:\recycled\SVCHOST.exe""
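As an added example (not part of the original IOC or the author's tooling), the check below evaluates a Shell value the way the indicator tree does: anything other than a lone explorer.exe is reported as a non-default entry, and the path fragments the IOC lists are flagged wherever they occur in the string. The sample values are taken from the reports quoted above plus one constructed modern-path entry; on a Windows host read_live_shell_values() reads the real HKLM and HKCU values, elsewhere it returns an empty dict.

```python
"""Winlogon Shell check (added example; not the original IOC or the author's code)."""
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Path fragments the IOC above treats as suspicious inside a Shell value.
SUSPICIOUS_FRAGMENTS = (
    "%appdata%", "%application data%", "%user profile%", "\\users",
    "\\documents", "%temp%", "\\recycled", "\\temp",
)


def assess_shell(value):
    """Return {'suspicious': bool, 'reasons': [...]} for one Shell value.

    The value is a comma-separated list of programs Winlogon starts at logon;
    on a clean system it is exactly 'explorer.exe'. Any other entry is reported,
    and the IOC's path heuristics are applied to the whole string.
    """
    reasons = []
    for entry in (e.strip() for e in value.split(",")):
        if entry and entry.strip('"').lower() != "explorer.exe":
            reasons.append("non-default entry: " + entry)
    lowered = value.lower()
    for frag in SUSPICIOUS_FRAGMENTS:
        if frag in lowered:
            reasons.append("path fragment: " + frag)
    return {"suspicious": bool(reasons), "reasons": reasons}


def read_live_shell_values():
    """Read the HKLM and HKCU Shell values on Windows; {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    found = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, WINLOGON_KEY) as key:
                found[hive_name], _ = winreg.QueryValueEx(key, "Shell")
        except FileNotFoundError:
            pass  # HKCU normally has no Shell value; HKLM always should
    return found


# Values from the reports quoted above, plus one constructed modern-path entry.
SAMPLE_VALUES = {
    "clean": "explorer.exe",
    "mcafee 1567958": r"%APPDATA%\07F4HkiN.exe",
    "threatexpert": 'Explorer.exe "C:\\recycled\\SVCHOST.exe"',
    "constructed": r"explorer.exe,C:\Users\alice\AppData\Roaming\svc.exe",
}

if __name__ == "__main__":
    for label, value in {**SAMPLE_VALUES, **read_live_shell_values()}.items():
        print(label, assess_shell(value))
```

The entry check is what makes this stricter than the IOC's fragment list: a dropped file under a path the list does not cover still shows up, because the value is no longer exactly explorer.exe.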

Reports:
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=1585881
http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1567958
http://www.threatexpert.com/report.aspx?md5=0e961bed52b8063945c9d528ad0669ed

Indicators:

OR
  AND
   Registry Keypath contains SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
   Registry Value Name is SHELL
    OR
     Registry Value contains %AppData%
     Registry Value contains %Application Data%
     Registry Value contains %User Profile%
     Registry Value contains \Users
     Registry Value contains \Documents
     Registry Value contains %Temp%
     Registry Value contains \Recycled
     Registry Value contains \Temp

Download:
93b3a82d-230d-49e9-926c-c0e506fda033

Eclipse RAT

Authored By:
RAustin @W3nd1g04n6

Description:
The Eclipse RAT provides remote access to an infected machine. This IOC is based on basic static analysis of a number of identified payloads. Some imports from KERNEL32.dll and ADVAPI32.dll vary from sample to sample, and one sample has no WININET.dll import at all. The samples also appear to have evolved over time, combining or modularising functionality: the ADVAPI32.dll imports of one sample are the union of the two distinct import sets seen in other samples (token-manipulation APIs in one, service-control APIs in the other), which is why the ADVAPI32 branch below has three alternatives. The samples have been used in targeted attacks and include both client and server components.

Indicators:
OR
   OR
      Network DNS contains ctx-na.purpledaily.com
      Network DNS contains walk.bigish.net
      Network DNS contains ftel.marsbrother.com
   OR
      Port Remote IP contains 63.192.38.11
      Port Remote IP contains 66.85.188.151
   OR
      UrlHistory URL contains ctx-na.purpledaily.com
      UrlHistory URL contains walk.bigish.net
      UrlHistory URL contains ftel.marsbrother.com
   OR
      AND
         File PE Type is Executable
         File PE Subsystem is Windows_GUI
         File Digital Signature Exists is false
         File Digital Signature Verified is false
         AND
            File Import Name is WS2_32.dll
            File Import Function is WS2_32.dll:000b
            File Import Function is WS2_32.dll:0073
            File Import Function is WS2_32.dll:0039
            File Import Function is WS2_32.dll:000c
            OR
               File Import Function is WS2_32.dll:0034
               File Import Function is WS2_32.dll:006f
         AND
            File Import Function is URLDownloadToFileA
            File Import Name is urlmon.dll
         OR
            File Import Name is not WININET.dll
            AND
               File Import Name is WININET.dll
               File Import Function Name is InternetWriteFile
               File Import Function Name is DeleteUrlCacheEntry
               File Import Function Name is HttpSendRequestExA
               File Import Function Name is HttpQueryInfoA
               File Import Function Name is InternetConnectA
               File Import Function Name is InternetQueryDataAvailable
               File Import Function Name is InternetReadFile
               File Import Function Name is InternetSetOptionA
               File Import Function Name is InternetQueryOptionA
               File Import Function Name is InternetCloseHandle
               File Import Function Name is InternetOpenA
               File Import Function Name is HttpSendRequestA
               File Import Function Name is HttpAddRequestHeaderA
               File Import Function Name is HttpEndRequestA
               File Import Function Name is HttpOpenRequestA
         AND
            File Import Name contains ADVAPI32.dll
            OR
               AND
                  File Import Function is OpenProcessToken
                  File Import Function is LookupAccountSidA
                  File Import Function is GetTokenInformation
                  File Import Function is CreateProcessWithLogonW
                  File Import Function is AdjustTokenPrivileges
                  File Import Function is LookupPrivilegeValueA
                  File Import Function is not OpenSCManagerA
                  File Import Function is not ChangeServiceConfig2A
                  File Import Function is not CloseServiceHandle
                  File Import Function is not ControlService
                  File Import Function is not CreateServiceA
                  File Import Function is not DeleteService
                  File Import Function is not OpenServiceA
                  File Import Function is not RegisterServiceCtrlHandlerA
                  File Import Function is not SetServiceStatus
                  File Import Function is not StartServiceCtrlDispatcherA
               AND
                  File Import Function is OpenProcessToken
                  File Import Function is LookupAccountSidA
                  File Import Function is GetTokenInformation
                  File Import Function is CreateProcessWithLogonW
                  File Import Function is AdjustTokenPrivileges
                  File Import Function is LookupPrivilegeValueA
                  File Import Function is OpenSCManagerA
                  File Import Function is ChangeServiceConfig2A
                  File Import Function is CloseServiceHandle
                  File Import Function is ControlService
                  File Import Function is CreateServiceA
                  File Import Function is DeleteService
                  File Import Function is OpenServiceA
                  File Import Function is RegisterServiceCtrlHandlerA
                  File Import Function is SetServiceStatus
                  File Import Function is StartServiceCtrlDispatcherA
               AND
                  File Import Function is OpenSCManagerA
                  File Import Function is ChangeServiceConfig2A
                  File Import Function is CloseServiceHandle
                  File Import Function is ControlService
                  File Import Function is CreateServiceA
                  File Import Function is DeleteService
                  File Import Function is OpenServiceA
                  File Import Function is RegisterServiceCtrlHandlerA
                  File Import Function is SetServiceStatus
                  File Import Function is StartServiceCtrlDispatcherA
                  File Import Function is not LookupPrivilegeValueA
                  File Import Function is not AdjustTokenPrivileges
                  File Import Function is not CreateProcessWithLogonW
                  File Import Function is not GetTokenInformation
                  File Import Function is not LookupAccountSidA
                  File Import Function is not OpenProcessToken
         AND
            File Import Name is KERNEL32.dll
            File Import Function is CloseHandle
            File Import Function is CreateEventA
            File Import Function is CreateFileA
            File Import Function is CreatePipe
            File Import Function is CreateProcessA
            File Import Function is CreateThread
            File Import Function is DeleteCriticalSection
            File Import Function is EnterCriticalSection
            File Import Function is ExitProcess
            File Import Function is ExitThread
            File Import Function is FlushFileBuffers
            File Import Function is FreeEnvironmentStringsA
            File Import Function is FreeEnvironmentStringsW
            File Import Function is GetACP
            File Import Function is GetCommandLineA
            File Import Function is GetConsoleCP
            File Import Function is GetConsoleMode
            File Import Function is GetConsoleOutputCP
            File Import Function is GetCPInfo
            File Import Function is GetCurrentProcess
            File Import Function is GetCurrentProcessId
            File Import Function is GetCurrentThreadId
            File Import Function is GetEnvironmentStrings
            File Import Function is GetEnvironmentStringsW
            File Import Function is GetFileType
            File Import Function is GetLastError
            File Import Function is GetLocaleInfoA
            File Import Function is GetModuleFileNameA
            File Import Function is GetModuleHandleA
            File Import Function is GetModuleHandleW
            File Import Function is GetOEMCP
            File Import Function is GetProcAddress
            File Import Function is GetStartupInfoA
            File Import Function is GetStdHandle
            File Import Function is GetStringTypeA
            File Import Function is GetStringTypeW
            File Import Function is GetSystemDirectoryA
            File Import Function is GetSystemTimeAsFileTime
            File Import Function is GetTickCount
            File Import Function is HeapAlloc
            File Import Function is HeapCreate
            File Import Function is HeapFree
            File Import Function is HeapReAlloc
            File Import Function is HeapSize
            File Import Function is InitializeCriticalSectionAndSpinCount
            File Import Function is InterlockedDecrement
            File Import Function is InterlockedIncrement
            File Import Function is IsDebuggerPresent
            File Import Function is IsValidCodePage
            File Import Function is LCMapStringA
            File Import Function is LCMapStringW
            File Import Function is LeaveCriticalSection
            File Import Function is LoadLibraryA
            File Import Function is MultiByteToWideChar
            File Import Function is PeekNamedPipe
            File Import Function is QueryPerformanceCounter
            File Import Function is ReadFile
            File Import Function is RtlUnwind
            File Import Function is SetEvent
            File Import Function is SetFilePointer
            File Import Function is SetHandleCount
            File Import Function is SetLastError
            File Import Function is SetStdHandle
            File Import Function is SetUnhandledExceptionFilter
            File Import Function is Sleep
            File Import Function is TerminateProcess
            File Import Function is TlsAlloc
            File Import Function is TlsFree
            File Import Function is TlsGetValue
            File Import Function is TlsSetValue
            File Import Function is UnhandledExceptionFilter
            File Import Function is VirtualAlloc
            File Import Function is VirtualFree
            File Import Function is WaitForSingleObject
            File Import Function is WideCharToMultiByte
            File Import Function is WriteConsoleA
            File Import Function is WriteConsoleW
            File Import Function is WriteFile
            OR
               AND
                  File Import Function is CompareStringA
                  File Import Function is CompareStringW
                  File Import Function is GetPrivateProfileStringA
                  File Import Function is GetTimeZoneInformation
                  File Import Function is SetEnvironmentVariableA
                  File Import Function is WritePrivateProfileStringA
                  File Import Function is CopyFileA
                  File Import Function is ConnectNamedPipe
                  File Import Function is CreateNamedPipeA
                  File Import Function is DisconnectNamedPipe
                  File Import Function is GetCurrentDirectoryA
                  File Import Function is GetProcessHeap
                  File Import Function is GetVersionExA
                  File Import Function is InitializeCriticalSection
                  File Import Function is OpenProcess
                  File Import Function is RaiseException
                  File Import Function is SetCurrentDirectoryA
                  File Import Function is SetEndOfFile
                  File Import Function is TerminateThread
               AND
                  File Import Function is not CompareStringA
                  File Import Function is not CompareStringW
                  File Import Function is not GetPrivateProfileStringA
                  File Import Function is not GetTimeZoneInformation
                  File Import Function is not SetEnvironmentVariableA
                  File Import Function is not WritePrivateProfileStringA
                  File Import Function is CopyFileA
                  File Import Function is not ConnectNamedPipe
                  File Import Function is not CreateNamedPipeA
                  File Import Function is not DisconnectNamedPipe
                  File Import Function is not GetCurrentDirectoryA
                  File Import Function is not GetProcessHeap
                  File Import Function is not GetVersionExA
                  File Import Function is not InitializeCriticalSection
                  File Import Function is not OpenProcess
                  File Import Function is not RaiseException
                  File Import Function is not SetCurrentDirectoryA
                  File Import Function is not SetEndOfFile
                  File Import Function is not TerminateThread
               AND
                  File Import Function is not CompareStringA
                  File Import Function is not CompareStringW
                  File Import Function is not GetPrivateProfileStringA
                  File Import Function is not GetTimeZoneInformation
                  File Import Function is not SetEnvironmentVariableA
                  File Import Function is not WritePrivateProfileStringA
                  File Import Function is not CopyFileA
                  File Import Function is ConnectNamedPipe
                  File Import Function is CreateNamedPipeA
                  File Import Function is DisconnectNamedPipe
                  File Import Function is GetCurrentDirectoryA
                  File Import Function is GetProcessHeap
                  File Import Function is GetVersionExA
                  File Import Function is InitializeCriticalSection
                  File Import Function is OpenProcess
                  File Import Function is RaiseException
                  File Import Function is SetCurrentDirectoryA
                  File Import Function is SetEndOfFile
                  File Import Function is TerminateThread
   AND
      OR
         File Strings contains e:\pjts2008\Eclipse_A\Release\Eclipse_Client_B.pdb
         File Strings contains E:\pjts2008\Eclipse_A\Release\Eclipse_Client_Service_EXE_B.pdb
         File Strings contains E:\XiaoME\SunCloud-Code\Eclipse_A1.2\Release\Eclipse_Client_Service_EXE_B.pdb
         File Strings contains E:\pjts2008\Eclipse_A\Release\servc.pdb
         File Strings contains C:\Ocear\Project-VS2008\Eclipse_A1.1\Release\Eclipse_Client_B.pdb
         AND
            File Strings contains Eclipse
            OR
               File Strings contains SunCloud-Code
               File Strings contains pjts2008
               File Strings contains XiaoME
      OR
         File Strings contains fail to pickout cm!
         File Strings contains ?AVbad_exception@std@@
         File Strings contains ?AVtype_info@@
         File Strings contains WAKPDT
         File Strings contains ECLIPSEC
         File Strings contains toobu.ini
         File Strings contains UA-CPU
         File Strings contains get command loop
         File Strings contains break or tout
         File Strings contains sileep
         File Strings contains cmd sleep!
         File Strings contains \\.\pipe\ssnp
      AND
         File PE Subsystem is Windows_GUI
         File PE Type is Executable
         File Digital Signature Exists is false
         File Digital Signature Verified is false
   OR
      Process Handle Name contains \\.\pipe\ssnp
      Process Handle Name contains ssnp
   OR
      File MD5 is b921e0d11127af9613804c63cddd86ca
      File MD5 is 582207d1f939f80bacc36a7790f40dc8
      File MD5 is 1b517ea2aae0ed0a71f6e74e34e860e1
      File MD5 is 3ce55c6994101faec00b5b7c2fee494f
      File MD5 is f82d3b270b16780044817978f4f3fe1a
      File MD5 is fb0b900de6d286321fd6d20c6c4f5679

Download
5ac00f68-05dc-4d4d-a240-b34ff49241a4.ioc

Ponmocup DLL Imports

Authored By:
TomU @c_APT_ure

Description:
This IOC detects Kernel32.dll imports commonly used by Ponmocup malware (based on analysis of 5 samples found on VT). Out of 44 imports that all 5 samples had in common I selected a smaller list of what I think (hope!) is a rare combination. The detection should work on memory or files alike. The MD5 list is just for reference, since it’s unlikely that these exact samples are found elsewhere.
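The block below is an added example (mine, not the IOC authors' code) that covers the two import-set techniques used on this page: the Eclipse RAT IOC above expresses per-variant ADVAPI32 profiles as required plus forbidden imports, and this Ponmocup IOC takes the imports every sample shares and narrows them to a rarer subset. The import tables are constructed for illustration; the ordinal-to-name table covers only the ws2_32.dll ordinals that appear as WS2_32.dll:00xx terms in the IOCs on this page. Forbidden imports are evaluated as none-of over the whole import table, which is what the "is not" lines in the Eclipse IOC intend.

```python
"""Import-set analysis behind import-based IOCs (added example; not the IOC authors' code).

Serves the Eclipse RAT description above (imports that vary by sample, and
ADVAPI32 profiles made of required plus forbidden imports) and the Ponmocup
description here (imports shared by every sample, narrowed to a rarer subset).
The import tables below are constructed for illustration; the ordinal table
covers only the ws2_32.dll ordinals the IOCs on this page use.
"""
from functools import reduce

# ws2_32.dll export ordinals referenced as 'WS2_32.dll:00xx' in the IOCs above.
WS2_32_ORDINALS = {
    0x08: "htonl", 0x09: "htons", 0x0B: "inet_addr", 0x0C: "inet_ntoa",
    0x34: "gethostbyname", 0x39: "gethostname", 0x6F: "WSAGetLastError",
    0x73: "WSAStartup", 0x74: "WSACleanup",
}


def resolve_import(term):
    """'WS2_32.dll:000b' -> 'ws2_32!inet_addr'; terms without an ordinal pass through."""
    dll, sep, ordinal = term.partition(":")
    if not sep or not ordinal or not all(c in "0123456789abcdefABCDEF" for c in ordinal):
        return term
    number = int(ordinal, 16)
    base = dll.lower()
    base = base[:-4] if base.endswith(".dll") else base
    name = WS2_32_ORDINALS.get(number) if base == "ws2_32" else None
    return "%s!%s" % (base, name or "#%d" % number)


def common_core(samples):
    """Imports every sample has (the Ponmocup IOC's '44 imports in common')."""
    return reduce(set.intersection, (set(s) for s in samples))


def rarer_subset(core, benign_reference):
    """Drop core imports a benign reference binary also has, keeping the rarer ones."""
    return set(core) - set(benign_reference)


def matches_profile(imports, required, forbidden=()):
    """All-of `required` and none-of `forbidden`, evaluated over the whole import set."""
    have = set(imports)
    return set(required) <= have and not (set(forbidden) & have)


# The two ADVAPI32 groups the Eclipse IOC alternates between.
TOKEN_APIS = {"OpenProcessToken", "LookupAccountSidA", "GetTokenInformation",
              "CreateProcessWithLogonW", "AdjustTokenPrivileges", "LookupPrivilegeValueA"}
SERVICE_APIS = {"OpenSCManagerA", "ChangeServiceConfig2A", "CloseServiceHandle",
                "ControlService", "CreateServiceA", "DeleteService", "OpenServiceA",
                "RegisterServiceCtrlHandlerA", "SetServiceStatus", "StartServiceCtrlDispatcherA"}


def advapi_variant(imports):
    """Mirror the three ADVAPI32 alternatives in the Eclipse IOC; None if no match."""
    if matches_profile(imports, TOKEN_APIS, SERVICE_APIS):
        return "token-only"
    if matches_profile(imports, SERVICE_APIS, TOKEN_APIS):
        return "service-only"
    if matches_profile(imports, TOKEN_APIS | SERVICE_APIS):
        return "combined"
    return None


# Constructed import tables: three hypothetical samples and a benign CRT binary.
_SHARED = {"CloseHandle", "CreateThread", "WriteFile", "GetACP", "WS2_32.dll:0073"}
SAMPLE_A = TOKEN_APIS | _SHARED
SAMPLE_B = SERVICE_APIS | _SHARED
SAMPLE_C = TOKEN_APIS | SERVICE_APIS | _SHARED | {"CopyFileA"}
BENIGN_CRT = {"CloseHandle", "WriteFile", "GetACP", "ExitProcess"}

if __name__ == "__main__":
    core = common_core([SAMPLE_A, SAMPLE_B, SAMPLE_C])
    print("core:", sorted(core))
    print("rarer subset:", sorted(rarer_subset(core, BENIGN_CRT)))
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        ordinals = sorted(resolve_import(t) for t in sample if ":" in t)
        print(label, advapi_variant(sample), ordinals)
```

The benign reference set is the part that deserves care: the Ponmocup list is mostly CRT start-up imports, so subtracting what a plain MSVC binary imports is what turns a common core into a combination worth alerting on.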

Reports:
https://www.virustotal.com/file/da82533bccee1c9a44d12d1c43f8d9f28e6e92ef91b7034bfffd89c14732328d/analysis/
https://www.virustotal.com/file/da3ed6da86f3b3fcfc9326565502a5a8c2bf044d28b688fb9fa03a42d0e69e4e/analysis/
https://www.virustotal.com/file/c4798a227a795641ee3e9312ad50d0303378a654b771b6687ff750b066d81f7a/analysis/
https://www.virustotal.com/file/d73773487e1d6c6c615a65f32844125cbb77c192b397683acac224a458a105dc/analysis/
https://www.virustotal.com/file/ccc5d07f6a0359d65d3efc488bb4beb8b283ca92f20b2c8633f746ebf80e0e2b/analysis/

Indicators:
OR
   File MD5 is bb479a7e69c5e1c503aa6dd506c732f3
   File MD5 is 8f66942f1e6c418c018ba847a994c13d
   File MD5 is a4019c2a98b1117e0311b30e5b6c030a
   File MD5 is af9940f74984e1b73b9984a4f628f7ec
   File MD5 is dcbf251d0215c279278b733f579ed388
   AND
      File Import Function is WideCharToMultiByte
      File Import Function is MultiByteToWideChar
      File Import Function is UnhandledExceptionFilter
      File Import Function is SetHandleCount
      File Import Function is RtlUnwind
      File Import Function is QueryPerformanceCounter
      File Import Function is LCMapStringW
      File Import Function is GetVersionExA
      File Import Function is GetTickCount
      File Import Function is GetSystemTimeAsFileTime
      File Import Function is GetStringTypeW
      File Import Function is GetStdHandle
      File Import Function is GetStartupInfoA
      File Import Function is GetOEMCP
      File Import Function is GetLocaleInfoA
      File Import Function is GetEnvironmentStringsW
      File Import Function is GetCurrentThreadId
      File Import Function is GetCPInfo
      File Import Function is GetCommandLineA
      File Import Function is GetACP
      File Import Function is FreeEnvironmentStringsW
   AND
      Process StringList contains KERNEL32.DLL
      Process StringList contains WideCharToMultiByte
      Process StringList contains MultiByteToWideChar
      Process StringList contains UnhandledExceptionFilter
      Process StringList contains SetHandleCount
      Process StringList contains RtlUnwind
      Process StringList contains QueryPerformanceCounter
      Process StringList contains LCMapStringW
      Process StringList contains GetVersionExA
      Process StringList contains GetTickCount
      Process StringList contains GetSystemTimeAsFileTime
      Process StringList contains GetStringTypeW
      Process StringList contains GetStdHandle
      Process StringList contains GetStartupInfoA
      Process StringList contains GetOEMCP
      Process StringList contains GetLocaleInfoA
      Process StringList contains GetEnvironmentStringsW
      Process StringList contains GetCurrentThreadId
      Process StringList contains GetCPInfo
      Process StringList contains GetCommandLineA
      Process StringList contains GetACP
      Process StringList contains FreeEnvironmentStringsW

Download:
32a6b675-6c98-4d2d-b8c8-3d879517878f.ioc

Sysadmin Tools and Security Features Disabled by Malware

Authored By:
TomU @c_APT_ure

Description:
This IOC detects sysadmin tools (Task Manager, Registry Editor) that have been disabled, presumably by malware, through the policy values under Software\Microsoft\Windows\CurrentVersion\Policies\System.
ThreatExpert describes these changes with the sentences
"to prevent users from starting Task Manager (Taskmgr.exe)" and
"to disable the Windows registry editors (Regedt32.exe and Regedit.exe)".
A Google search for these terms restricted to ThreatExpert currently gives up to 9,370 hits (sample query: "site:threatexpert.com DisableTaskMgr").

In addition, it detects security features disabled by malware, which ThreatExpert describes as
"to disable notification of firewall, antivirus and/or update status through the Windows Security Center".

The last AND should check for an empty value, so not sure if "value contains not 0" works for this.
Also not sure if "value contains 1" will match "1" and "0x00000001".
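As an added example (mine, not the author's IOC logic), the block below performs the same checks as the indicator tree, but normalises registry data before comparing it. Registry values reach an analyst in several shapes: a REG_DWORD read through the API is the int 1, a .reg export shows "dword:00000001", and a report may print "0x00000001" or "1"; coercing all of them to an int sidesteps the question of which textual form a "contains 1" term matches. An absent or empty Override value is treated as the default 0 and is not reported. The key paths and value names are those in the tree above; the records are constructed, not taken from a real host.

```python
"""Policy / Security Center value check (added example; not the author's IOC or code).

Coerce the usual REG_DWORD representations to int before comparing, then
apply the same (key, value name, condition) checks as the IOC above.
Records below are constructed, not taken from a real host.
"""


def as_int(data):
    """Coerce int, 'dword:00000001', '0x00000001' or '1' to int; None if not numeric."""
    if isinstance(data, int):
        return data
    if data is None:
        return None
    text = str(data).strip().lower()
    try:
        if text.startswith("dword:"):
            return int(text[6:], 16)
        if text.startswith("0x"):
            return int(text, 16)
        return int(text)
    except ValueError:
        return None


def _is_set(data):          # 1 (or 2 for the Policies\System values) means disabled
    return as_int(data) in (1, 2)


def _is_one(data):
    return as_int(data) == 1


def _is_nonzero(data):      # absent, empty or 0 is the default and is not reported
    return as_int(data) not in (None, 0)


def _is_no(data):           # CheckExeSignatures is a REG_SZ "yes"/"no"
    return str(data).strip().lower() == "no"


POLICIES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
SEC_CENTER = r"SOFTWARE\Microsoft\Security Center"   # also matches the \Svc subkey
IE_DOWNLOAD = r"SOFTWARE\Microsoft\Internet Explorer\Download"
DEFENDER = r"SOFTWARE\Policies\Microsoft\Windows Defender"

# (key path fragment, value name, condition, meaning): the checks in the IOC above.
POLICIES = [
    (POLICIES_KEY, "DisableTaskMgr", _is_set, "Task Manager disabled"),
    (POLICIES_KEY, "DisableRegistryTools", _is_set, "registry editors disabled"),
    (POLICIES_KEY, "DisableRegedit", _is_set, "regedit disabled"),
    (SEC_CENTER, "AntiVirusDisableNotify", _is_one, "AV notification off"),
    (SEC_CENTER, "FirewallDisableNotify", _is_one, "firewall notification off"),
    (SEC_CENTER, "UACDisableNotify", _is_one, "UAC notification off"),
    (SEC_CENTER, "AutoUpdateDisableNotify", _is_one, "update notification off"),
    (SEC_CENTER, "AntiVirusOverride", _is_nonzero, "AV status overridden"),
    (SEC_CENTER, "FirewallOverride", _is_nonzero, "firewall status overridden"),
    (DEFENDER, "DisableAntiSpyware", _is_one, "Defender disabled by policy"),
    (IE_DOWNLOAD, "CheckExeSignatures", _is_no, "IE signature check off"),
    (IE_DOWNLOAD, "RunInvalidSignatures", _is_one, "IE runs invalid signatures"),
]


def check_record(key_path, name, data):
    """Return a finding for one (key path, value name, data) triple, or None."""
    for fragment, value_name, condition, meaning in POLICIES:
        if (name.lower() == value_name.lower()
                and fragment.lower() in key_path.lower()
                and condition(data)):
            return "%s: %s\\%s = %r" % (meaning, key_path, name, data)
    return None


def scan(records):
    """Run check_record over an iterable of (key path, value name, data) triples."""
    return [hit for hit in (check_record(*rec) for rec in records) if hit]


# Constructed records in the forms an analyst actually meets; three are defaults.
RECORDS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "0x00000001"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 2),
    (r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "AntiVirusOverride", "dword:00000001"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "FirewallOverride", 0),          # default
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify", "1"),
    (r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Download", "CheckExeSignatures", "no"),
    (r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Download", "CheckExeSignatures", "yes"),  # default
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 0),  # default
]

if __name__ == "__main__":
    for finding in scan(RECORDS):
        print(finding)
```

Feed it triples from whatever source you have, a parsed `reg export`, a live winreg walk, or a registry hive dump; the normalisation is the point, the record source is not.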

Reports:
http://www.threatexpert.com/report.aspx?md5=5022bc00e22ebec939c18825845ea32d
http://www.threatexpert.com/report.aspx?md5=51ad6e2129bed025a73d6b22965df5ca
http://support.microsoft.com/kb/831787
http://support.microsoft.com/kb/555480

Indicators:
OR
   AND
      Registry KeyPath contains Software\Microsoft\Windows\CurrentVersion\Policies\System
      OR
         Registry ValueName is DisableTaskMgr
         Registry ValueName is DisableRegistryTools
         Registry ValueName is DisableRegedit
      OR
         Registry Value contains 1
         Registry Value contains 2
   AND
      Registry Value contains 1
      OR
         Registry KeyPath contains SOFTWARE\Policies\Microsoft\Windows Defender
         Registry KeyPath contains SOFTWARE\Microsoft\Internet Explorer\Download
         Registry KeyPath contains SOFTWARE\Microsoft\Security Center\Svc
         Registry KeyPath contains SOFTWARE\Microsoft\Security Center
      OR
         Registry ValueName is DontReportInfectionInformation
         Registry ValueName is DisableAntiSpyware
         Registry ValueName is RunInvalidSignatures
         Registry ValueName is UACDisableNotify
         Registry ValueName is AutoUpdateDisableNotify
         Registry ValueName is AntiVirusDisableNotify
         Registry ValueName is FirewallDisableNotify
         Registry ValueName is AntiVirusOverride
   AND
      Registry KeyPath contains SOFTWARE\Microsoft\Security Center
      Registry Value contains not 0
      OR
         Registry ValueName is AntiVirusOverride
         Registry ValueName is FirewallOverride
   AND
      Registry KeyPath contains SOFTWARE\Microsoft\Internet Explorer\Download
      Registry ValueName is CheckExeSignatures
      Registry Value is no

Download:
66e24787-a3da-4bea-b322-e10c0a30a80b.ioc

ZeroAccess/Siref.P

Authored By:
@dfirn00b

Description:
This IOC looks for indicators of a recent ZeroAccess/Siref variant. The dropped files live in the user profile under Local Settings\Application Data, in a directory named with a GUID in braces, as files called @ and n; the same layout has also been seen under C:\Windows\Installer. The registry key Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32 was also observed, per the Sophos blog post.
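The matcher below is an added example, not the author's IOC, that applies the file-layout indicators above to a file listing: it looks for a GUID-named directory under the locations the description gives, containing files named @ and n, and reports a directory that holds both with higher confidence. It goes one step beyond the tree by also accepting AppData\Local, which is the Vista-and-later name of the same per-user folder the XP-era Local Settings\Application Data path refers to. The listing is constructed for illustration.

```python
"""ZeroAccess drop-location matcher over a file listing (added example; not the author's IOC)."""
import re
from collections import defaultdict

# <parent ending in one of the known drop locations>\{GUID}\<file name>
GUID_DIR = re.compile(
    r"^(?P<parent>.*\\(?:Windows\\Installer|Local Settings\\Application Data|AppData\\Local))"
    r"\\(?P<guid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
DROP_NAMES = ("@", "n")


def find_zeroaccess_dirs(paths):
    """Group matching files by GUID directory: {directory: {'@', 'n', ...}}."""
    hits = defaultdict(set)
    for path in paths:
        match = GUID_DIR.match(path)
        if match and match.group("name") in DROP_NAMES:
            directory = "%s\\%s" % (match.group("parent"), match.group("guid"))
            hits[directory].add(match.group("name"))
    return dict(hits)


def score(hits):
    """'high' when a GUID directory holds both '@' and 'n', otherwise 'medium'."""
    return {d: ("high" if names == set(DROP_NAMES) else "medium") for d, names in hits.items()}


# Constructed listing: one full XP-style drop, one partial Installer drop,
# one Vista-style drop, and two legitimate files that must not match.
LISTING = [
    r"C:\Documents and Settings\alice\Local Settings\Application Data\{3a1b2c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d}\@",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\{3a1b2c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d}\n",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\{3a1b2c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d}\U\00000001.@",
    r"C:\Windows\Installer\{7f0c9e21-1b2a-4c3d-9e8f-a1b2c3d4e5f6}\n",
    r"C:\Users\bob\AppData\Local\{0a1b2c3d-4e5f-4061-8f9a-0b1c2d3e4f50}\@",
    r"C:\Windows\Installer\{11111111-2222-3333-4444-555555555555}\SetupResources.dll",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat",
]

if __name__ == "__main__":
    for directory, confidence in score(find_zeroaccess_dirs(LISTING)).items():
        print(confidence, directory)
```

Windows\Installer legitimately contains GUID-named directories (MSI caches), so the file names @ and n carry the signal there, not the directory name; that is why the last two listing entries are part of the sample.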

Reports:
http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/

Indicators:
OR
   AND
      OR
         File Path contains Windows\Installer\{
         File Path contains Local Settings\Application Data\{
      OR
         File Name is @
         File Name is n
         File Created Time contains 2008-04-14
   AND
      File Name is n
      File PE Type is Dll
      File Export Function contains ?GetWindows
   AND
      OR
         Process Name is svchost.exe
         Process Name is Explorer.exe
      AND
         OR
            Process Section Name contains }\n
            Process Section Name contains }\@
            Process Handle Name contains }\U
   AND
      Port Protocol contains UDP
      OR
         Port LocalPort contains 16464
         Port LocalPort contains 16471
         Port LocalPort contains 16461
   AND
      Registry KeyPath contains Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32
      AND
         Registry Text contains \\.\globalroot\systemroot\Installer\{
         Registry Text contains }\n

Download:
0d0a744b-f7bf-453d-9105-5662bc27086e.ioc

Sykipot/Wyksol Trojan

Authored By:
RAustin

Description:
A variant of the Sykipot/Wyksol Trojan used in recent attacks. This malware was distributed as a drive-by download exploiting CVE-2012-1889. The initial payload (834D1D492E873DFD0C47A91B221E0258) is XOR encoded with a key of 0x95, skipping any bytes that are 0x00 or 0x95 (those two byte values are left as they are). The decoded payload has been used in multiple targeted campaigns to provide backdoor access to infected systems.
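The decoder below is an added example (mine, not code from the AlienVault report) implementing exactly the transform described: every byte is XORed with 0x95 except bytes already equal to 0x00 or 0x95. Skipping those two values is what makes the transform its own inverse, since 0x00 and 0x95 are the only inputs that XOR into each other, so the same function both encodes and decodes. The sample bytes are a constructed minimal PE-shaped blob, not the real payload; looks_like_pe() is a sanity check for a decoded stage, not a verdict.

```python
"""Sykipot skip-XOR decoder (added example; not from the original report)."""
KEY = 0x95


def sykipot_decode(data, key=KEY):
    """XOR each byte with `key`, leaving 0x00 and `key` bytes untouched.

    A byte b with b not in {0, key} never maps onto 0 or key (that would need
    b == key or b == 0), so the encoded stream marks skipped bytes unambiguously
    and applying the transform twice yields the original.
    """
    return bytes(b if b in (0x00, key) else b ^ key for b in data)


def looks_like_pe(data):
    """Cheap check on a decoded stage: 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def constructed_payload():
    """A minimal PE-shaped blob (constructed for the example; not the real stage)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\0\0" + b"hello\x00\x95world"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python decode.py encoded.bin decoded.bin
        with open(sys.argv[1], "rb") as f_in, open(sys.argv[2], "wb") as f_out:
            decoded = sykipot_decode(f_in.read())
            f_out.write(decoded)
        print("decoded looks like a PE:", looks_like_pe(decoded))
    else:
        plain = constructed_payload()
        encoded = sykipot_decode(plain)
        print("encoded head:", encoded[:4].hex(), "-> PE:", looks_like_pe(encoded))
        print("round trip ok:", sykipot_decode(encoded) == plain)
```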

Reports:
http://labs.alienvault.com/labs/index.php/2012/sykipot-is-back/

Indicators:
OR
   File MD5 is 0B30A9C2A99DDF81DF864FE19CF3DFAD
   OR
      UrlHistory URL contains e-landusa.net
      UrlHistory URL contains help.e-landusa.net/get?asp?nm=index.dat&hnm=
      Network DNS contains e-landusa.net
      UrlHistory URL contains help.e-landusa.net/put.asp?nm=p.log
   OR
      AND
         File Detected Anomalies contains checksum_is_zero
         File PE Subsystem contains GUI
         File PE Type contains Executable
         Compile Time contains 2012-06-20T06:58:24Z
         File EntryPoint Sig Name contains Microsoft Visual C++ 6.0
         File Digital Signature Exists is false
         File Size is 25088
         AND
            File Import Name is MSVCRT.dll
            File Import Name is USER32.dll
            AND
               File Import Name is WININET.dll
               File Import Function is InternetWriteFile
               File Import Function is HttpEndRequestA
               File Import Function is InternetOpenA
               File Import Function is InternetCrackUrlA
               File Import Function is InternetConnectA
               File Import Function is HttpSendRequestExA
               File Import Function is HttpSendRequestA
               File Import Function is InternetQueryOptionA
               File Import Function is HttpQueryInfoA
               File Import Function is InternetReadFile
               File Import Function is InternetCloseHandle
               File Import Function is HttpOpenRequestA
               File Import Function is HttpAddRequestHeadersA
            AND
               File Import Name is iphlpapi.dll
               File Import Function is GetNetworkParams
               File Import Function is GetAdaptersInfo
            AND
               File Import Name is WS2_32.dll
               File Import Function is WS2_32.dll:000c
               File Import Function is WS2_32.dll:0074
               File Import Function is WS2_32.dll:0009
               File Import Function is WS2_32.dll:0034
               File Import Function is WS2_32.dll:0073
            AND
               File Import Name is KERNEL32.dll
               File Import Function is WinExec
               File Import Function is CreateMutexA
            AND
               File Import Name is ADVAPI32.dll
               File Import Function is ImpersonateSelf
               File Import Function is OpenThreadToken
               File Import Function is OpenProcessToken
               File Import Function is RevertToSelf
               File Import Function is RegCreateKeyA
               File Import Function is RegDeleteValueA
               File Import Function is RegCloseKey
               File Import Function is QueryServiceStatus
               File Import Function is OpenServiceA
               File Import Function is CloseServiceHandle
               File Import Function is RegSetValueExA
               File Import Function is AdjustTokenPrivileges
               File Import Function is LookupPrivilegeValueA
               File Import Function is StartServiceA
      AND
         Registry Path contains SOFTWARE\Microsoft\Windows\CurrentVersion\Run
         Registry Text contains Powerh
      AND
         File Strings contains sleeph
         File Strings contains EXITH
         File Strings contains runh
         File Strings contains delh
         File Strings contains starth
         File Strings contains To start the service successfully!
         File Strings contains The to start the service to fail!
         File Strings contains serviceslisth
         File Strings contains tasklisth
         File Strings contains processh
         File Strings contains porth
         File Strings contains Stop the service success!
         File Strings contains Stop the service fails!
         File Strings contains hhhhhhhhhhhhhhPowerhhdddddddddddddhhhhhhhhhhhhhh
      AND
         AND
            File Import Name is iphlpapi.dll
            File Import Function is GetNetworkParams
            File Import Function is GetAdaptersInfo
         AND
            File Import Name is MSVCRT.dll
            File Import Function is memset
            File Import Function is _strnicmp
            File Import Function is _controlfp
            File Import Function is __set_app_type
            File Import Function is __p__fmode
            File Import Function is __p__commode
            File Import Function is _adjust_fdiv
            File Import Function is __setusermatherr
            File Import Function is _initterm
            File Import Function is __getmainargs
            File Import Function is __p__initenv
            File Import Function is _XcptFilter
            File Import Function is _exit
            File Import Function is gmtime
            File Import Function is asctime
            File Import Function is strcmp
            File Import Function is strstr
            File Import Function is fseek
            File Import Function is ftell
            File Import Function is rewind
            File Import Function is fread
            File Import Function is strcpy
            File Import Function is fopen
            File Import Function is fwrite
            File Import Function is fclose
            File Import Function is malloc
            File Import Function is strcat
            File Import Function is strchr
            File Import Function is strlen
            File Import Function is strncpy
            File Import Function is _splitpath
            File Import Function is atoi
            File Import Function is free
            File Import Function is exit
            File Import Function is sprintf
            File Import Function is memcpy
            File Import Function is _strlwr
            File Import Function is printf
            File Import Function is _except_handler3
         AND
            File Import Name is PSAPI.dll
            File Import Function is EnumProcesses
            File Import Function is EnumProcessModules
            File Import Function is GetModuleFileNameExA
         AND
            File Import Name is WS2_32.dll
            File Import Function is WS2_32.dll:0073
            File Import Function is WS2_32.dll:0034
            File Import Function is WS2_32.dll:0008
            File Import Function is WS2_32.dll:0009
            File Import Function is WS2_32.dll:0074
            File Import Function is WS2_32.dll:000c
         AND
            File Import Name is USER32.dll
            File Import Function is LoadIconA
            File Import Function is LoadCursorA
            File Import Function is RegisterClassExA
            File Import Function is CreateWindowExA
            File Import Function is GetMessageA
            File Import Function is TranslateMessage
            File Import Function is DispatchMessageA
            File Import Function is DefWindowProcA
            File Import Function is PostQuitMessage
         AND
            File Import Name is KERNEL32.dll
            File Import Function is HeapAlloc
            File Import Function is GetTickCount
            File Import Function is lstrlenA
            File Import Function is GetModuleFileNameA
            File Import Function is ResumeThread
            File Import Function is CreateProcessA
            File Import Function is HeapFree
            File Import Function is SetPriorityClass
            File Import Function is lstrcatA
            File Import Function is GetEnvironmentVariableA
            File Import Function is GetShortPathNameA
            File Import Function is OpenProcess
            File Import Function is GlobalAlloc
            File Import Function is FindFirstFileA
            File Import Function is FileTimeToSystemTime
            File Import Function is FindNextFileA
            File Import Function is GetVersionExA
            File Import Function is GetTempPathA
            File Import Function is CloseHandle
            File Import Function is GetLongPathNameA
            File Import Function is CreateFileA
            File Import Function is GetFileSize
            File Import Function is DeleteFileA
            File Import Function is GetLocalTime
            File Import Function is WinExec
            File Import Function is GetCurrentThread
            File Import Function is GetCurrentProcess
            File Import Function is LocalAlloc
            File Import Function is LocalFree
            File Import Function is GetComputerNameA
            File Import Function is CreateMutexA
            File Import Function is GetLastError
            File Import Function is CreateThread
            File Import Function is Sleep
            File Import Function is LoadLibraryA
            File Import Function is GetProcAddress
            File Import Function is FreeLibrary
            File Import Function is GetProcessHeap
            File Import Function is CreateToolhelp32Snapshot
            File Import Function is lstrcpyA
            File Import Function is Process32First
            File Import Function is Process32Next
            File Import Function is Module32First
            File Import Function is SetThreadPriority
         AND
            File Import Name is ADVAPI32.dll
            File Import Function is EnumServicesStatusA
            File Import Function is ControlService
            File Import Function is ImpersonateSelf
            File Import Function is OpenThreadToken
            File Import Function is OpenProcessToken
            File Import Function is AllocateAndInitializeSid
            File Import Function is InitializeSecurityDescriptor
            File Import Function is GetLengthSid
            File Import Function is InitializeAcl
            File Import Function is AddAccessAllowedAce
            File Import Function is SetSecurityDescriptorDacl
            File Import Function is SetSecurityDescriptorGroup
            File Import Function is SetSecurityDescriptorOwner
            File Import Function is IsValidSecurityDescriptor
            File Import Function is AccessCheck
            File Import Function is RevertToSelf
            File Import Function is FreeSid
            File Import Function is RegCreateKeyA
            File Import Function is RegDeleteValueA
            File Import Function is RegCloseKey
            File Import Function is QueryServiceStatus
            File Import Function is OpenServiceA
            File Import Function is CloseServiceHandle
            File Import Function is OpenSCManagerA
            File Import Function is GetUserNameA
            File Import Function is RegSetValueExA
            File Import Function is AdjustTokenPrivileges
            File Import Function is LookupPrivilegeValueA
            File Import Function is StartServiceA
         AND
            File Import Name is WININET.dll
            File Import Function is InternetWriteFile
            File Import Function is HttpEndRequestA
            File Import Function is InternetOpenA
            File Import Function is InternetCrackUrlA
            File Import Function is InternetConnectA
            File Import Function is HttpSendRequestExA
            File Import Function is HttpSendRequestA
            File Import Function is InternetQueryOptionA
            File Import Function is InternetSetOptionA
            File Import Function is HttpQueryInfoA
            File Import Function is InternetReadFile
            File Import Function is InternetCloseHandle
            File Import Function is HttpOpenRequestA
            File Import Function is HttpAddRequestHeadersA
   AND
      File MD5 is 834D1D492E873DFD0C47A91B221E0258
      File Size is 25088
   OR
      Process Handle Name contains hhhhhhhhhhhhhhPowerhhdddddddddddddhhhhhhhhhhhhhh
      Process SectionMd5Sum is 0B30A9C2A99DDF81DF864FE19CF3DFAD

Download:
baa24c6a-a223-4919-b3e5-08c4809e434d.ioc

c0d0so0 Trojan


Authored By:
RAustin

Description:
Sample of the c0d0so0 Trojan malware obtained from Malware.lu. This particular malware is capable of recording keystrokes and sending them to a remote command and control server. This IOC was tested on Windows XP only.

Indicators:
OR
   File MD5 is 77EA70B6F7F76EEFE158CD3160023196
   Network DNS contains woskagz.dyndns.org
   UrlHistory URL contains woskagz.dyndns.org
   OR
      AND
         File Compile Time is 2011-04-15T17:07:23Z
         File Export Function contains start
         File Detected Anomalies is checksum_is_zero
         File Digital Signature Exists is false
         File Section Name is Shared
         File Size is 28672
         File PE Type contains Dll
         File PE Subsystem contains GUI
         File Name contains tpgenlic.dll
         File EntryPoint Sig Name contains Microsoft Visual C++ 6.0 DLL
      AND
         File Name is wmplay32.chq
         OR
            File Path contains %SystemRoot%\help
            AND
               File Path contains Documents and Settings
               File Path contains Application Data
      OR
         AND
            File Section Name contains .rdata
            File PE Type contains Dll
            File PE Subsystem contains GUI
            File Strings contains c0d0so0
            OR
               File Strings contains DUDE_AM_I_SHARP-3.14159265358979×6.626176
               File Strings contains WHO_A_R_E_YOU?2.99792458×1.25663706143592
               File Strings contains BASTARD_&&_BITCHES
         AND
            File Section Name is .data
            File PE Type contains Dll
            File PE Subsystem contains GUI
            File Strings contains C0d0so0
            OR
               File Strings contains start
               File Strings contains wmplay32.chq
               File Strings contains woskagz.dyndns.org

Download:
8e94f947-b6a7-4e47-98a4-ae2178aae308.ioc

Trojan-Bredolab


Authored By:
Cedric PERNET

Description:
IOC to detect a Bredolab malware variant. The process handle name is _system_xxxxxxx_ (where xxxxxxx are random hex digits).

Indicators:
OR
   Network String URI contains /load.php?id=0
   Process Handle Name contains _SYSTEM_
   File Name contains wiaserv
   OR
      Network String URI contains controller.php?
      Network String URI contains action=bot&
      Network String URI contains action=report&guid=
      AND
         Network String General contains Magic-Number:
         Network String General contains Entity-Info:
   OR
      File Full Path contains \wbem\
      File Full Path contains \WinsMgr.exe\
      File Full Path contains \BootMgr.exe\

Download:
8ec4e9b3-cc47-4ada-8f45-31735102b32c

Autocad_Worm-ACAD/Medre.A


Authored By:
Christiaan Beek

Description:
Based on the blog post written by ESET (see Reports below).

Reports:
http://blog.eset.com/2012/06/21/acadmedre-a-technical-analysis-2

Indicators:
OR
   File MD5 is 7B563740F41E495A68B70CBB22980B20
   AND
      File Strings contains FAS4-FILE
      File Name is acad.fas
   OR
      Registry KeyPath contains HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
      Registry ValueName contains FILE-H
      Registry Value contains T

Download:
ACAD_Medra_A

Flame, sKyWIper (#2)


Authored By:
Zourick

Description:
Basic host-based indicators found in the reports listed below.

Reports:
http://www.crysys.hu/skywiper/skywiper.pdf
https://www.securelist.com/en/blog?weblogid=208193538

Indicators:
OR
   File MD5 is bb5441af1e1741fca600e9c433cb1550
   File MD5 is d53b39fb50841ff163f6e9cfd8b52c2e
   File MD5 is bdc9e04388bda8527b398a8c34667e18
   File MD5 is c9e00c9d94d1a790d5923b050b0bd741
   File MD5 is 296e04abb00ea5f18ba021c34e486746
   File MD5 is 5ad73d2e4e33bb84155ee4b35fbefc2b
   File MD5 is dcf8dab7e0fc7a3eaf6368e05b3505c5
   File MD5 is 06a84ad28bbc9365eb9e08c697555154
   File MD5 is ec992e35e794947a17804451f2a8857e
   File MD5 is b604c68cd46f8839979da49bb2818c36
   File Name contains ~DEB93D.tmp
   File Full Path contains windows\system32\mssecmgr.ocx
   AND
      Registry KeyPath contains SYSTEM\CurrentControlSet\Control\Lsa\Authentication\
      OR
         Registry Value contains mssecmgr.ocx
         Registry Value contains authpack.ocx

Download:
a385732f-71cc-4035-a0c5-c671e78d1fb0.ioc