IOCs

10

MAY

Debugger Persistence Mechanism

Posted by:  /  Tags: , , ,  /  Comments: 2

Authored By:
TomU @c_APT_ure

Description:
This IOC detects malware that abuses the debugger mechanism to get injected into a legit system process at startup. ThreatExpert uses this sentence with variable executable names: “so that [malware.exe] is injected into the execution sequence of [legit-system.exe] by being installed as its default debugger” A Google search for these terms (on ThreatExpert only) currently gives 2’240 hits (sample query: “site:threatexpert.com Image File Execution Options installs default debugger injected into the execution sequence”).

Reports:
http://www.threatexpert.com/report.aspx?md5=9f7017b619c86759a5c981642c0bb521
http://www.threatexpert.com/report.aspx?md5=0b326488f7b5fc3c18641efbb6807b69
http://www.threatexpert.com/report.aspx?md5=dc6379164bf931aeba991df856fe11f8
http://www.threatexpert.com/report.aspx?md5=3ccc73f049a1de731baf7ea8915c92a8
http://www.threatexpert.com/report.aspx?md5=48352e3a034a95845864c0f6aad07d39
http://www.threatexpert.com/report.aspx?md5=5458f76466e7ae80f1a57d6038fd9f1e
http://msdn.microsoft.com/en-us/library/a329t4ed%28v=vs.71%29.aspx
http://msdn.microsoft.com/en-us/library/a329t4ed.aspx

Indicators:
OR
   AND
   Registry KeyPath contains SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
   Registry KeyPath contains .exe
   Registry ValueName is Debugger

Download:
35ac9307-155e-4272-8dc0-dd98ed6c6ac5.ioc

2

MAY

PWS-Zbot.gen.xj

Posted by:  /  Tags: , , , , ,

Authored By:
TomU @c_APT_ure

Description:
malware EXE in PWD-protected ZIP delivered via Mail

Reports:
http://www.threatexpert.com/report.aspx?md5=0b326488f7b5fc3c18641efbb6807b69
http://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-VXI/detailed-analysis.aspx
http://r.virscan.org/eb8d79b5fa6a88a21971cd8bc138e28f
http://www.malware-control.com/statics-pages/0b326488f7b5fc3c18641efbb6807b69.php

Indicators:
OR
   File MD5 is 0b326488f7b5fc3c18641efbb6807b69
   File MD5 is d667e6d28b341d5f61e4ed78e8f80232
   File MD5 is 50f0fd1302b597bf4a94643a8bf1e08e
   File MD5 is A37D6F31AB21517E1CFB1F31C215D02C
   File MD5 is 82C1863434C15DB2A63525754751B9C0
   File MD5 is cbe4cb47c73bfd9b8463f6dfae626872
   File MD5 is 1b22c2f6988b89c21b7a5d8b7631f9ca
   File MD5 is f533b6c18dfdd82bf04efc8754071a02
   Sha1sum is b8d14593843d1c1bfb7af4d018070e5bb5746fb3
   File Name contains Details-From-Booking-Com_Reservation
   Network DNS is armyclub.net
   Network DNS is safeoil.net
   Network DNS contains .0zz0.com
   AND
      Registry KeyPath is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image       File Execution Options\userinit.exe
      Registry ValueName is Debugger
   AND
      Registry KeyPath is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet       Settings\5.0\83F20BB1

Download:
25a50f37-eac1-41a9-ac8d-4668df520dd1

8

APR

Ponmocup – #2

Posted by:  /  Tags: , , ,

Authored By:
TomU @c_APT_ure

Description:
Detects an infected system from the ponmocup malware (with what I think is the most common basic indicator

Reports:
http://c-apt-ure.blogspot.com/2012/02/not-apt-but-nasty-malware-ponmocup.html
http://c-apt-ure.blogspot.com/2012/03/ponmocup-lots-changed-but-not-all.html
http://www9.dyndns-server.com:8080/pub/botnet-links.html
http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html
http://www.threatexpert.com/report.aspx?md5=1098b041b743fa06e276eca074042b3d
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Ponmocup-A/detailed-analysis.aspx

Indicators:
OR
   AND
      Registry Path contains SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
      Registry Type is REG_BINARY
      OR
         Registry ValueName is 6
         Registry ValueName is 9

Download:
bcb504f2-8f2c-478d-9b25-042e8b952dc6.ioc

24

MAR

Zeus AnalyticDNS.com

Posted by:  /  Tags: , , , , , , ,

Authored By:
@LucasErratus

Description:
This malware is a variant of the Zeus Bot. Change the exe size range to make it fuzzy and detect exe files in the directory it gets dropped to (e.g. 100000 TO 200000). That will allow it to catch all versions and varients that still copy to that location.

Indicators:
OR
   DnsEntryItem/Host contains myapp-ups.com
   DnsEntryItem/Host contains analyticdns.com
   File PEInfo VersionInfoList VersionInfo OriginalFilename is Y2gtqjxmvounynm.exe
   File CertificateSubject is Tfrbpcs
   File PEInfo VersionInfoList VersionInfo Companyname is Walter Hintenaus
   File PEInfo VersionInfoList VersionInfo InternalName is Lodge Tuna Angel
   File PEInfo VersionInfoList VersionInfo ProductName is Loyal
   File PEInfo VersionInfoList VersionInfo FileDescription is Seth Achoo Xiv
   Process Handle Name contains -DED2-FBD9A76483EE}
   Process Handle Name contains -6CED-298D15DD51B5}
   Process Handle Name contains -2E3B-B788507ACFBF}
   Process Handle Name contains -377E-962C6878EE14}
   AND
      OR
         AND
            File Extension is exe
            OR
               File Size is [154192 TO 154192]
               File Compile Time is 2011-07-24T05:58:28Z
         AND
            File Extension is tmp
            File Size is 0
      OR
         AND
            File Full Path contains \Users\
            File Full Path contains \AppData\Roaming\
         AND
            File Full path contains \Application Data\
            File Full path contains Documents
            File Full path contains Settings

Download:
10ccb93f-970b-4f0a-8e0c-5772cdd90a20.ioc

19

JAN

Ramnit

Posted by:  /  Tags: , , ,

Authored By:
Christopher Bentley – @cbentle2

Description:
IOC for Ramnit, Advanced Malware that has rookit capabilities, and has been seen to drop addtional malware on the infected host including spam engine.

Reports:
http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html#more
http://www.threatexpert.com/report.aspx?md5=e4633c77362e55dde5fdcda63f826c1b

Indicators:
OR
   Process StringList is \\.\631D2408D44C4f47AC647AB96987D4D5
   Process Handle Name is !IETld!Mutex
   DriverItem/StringList/string is    c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
   DriverItem/StringList/string is \Device\631D2408D44C4f47AC647AB96987D4D5
   Process StringList contains <%IDBOT%><%REMOTE={*}%><#{*} {*}#>ECHOADDSUBSETDATECONTENT POST
   DriverItem/StringList/string is 631D2408D44C4f47AC647AB96987D4D5
   AND
       Hook HookDescription is SystemCall
       Hook Hooking Module contains \LOCALS~1\Temp\
       Hook Hooked Module is ntoskrnl.exe
   AND
      Process StringList contains Micorsoft Windows Service
      Process StringList contains TANGrabber
      Process Name is services.exe
   AND
      Process arguments is not C:\WINDOWS\System32\svchost.exe -k netsvcs
      Process arguments is not C:\WINDOWS\System32\svchost -k rpcss
      Process arguments is not C:\WINDOWS\System32\svchost.exe -k LocalService
      Process arguments is not C:\WINDOWS\System32\svchost.exe -k NetworkService
      Process arguments is not C:\WINDOWS\System32\svchost -k DcomLaunch
      Process Name is svchost.exe
      Process arguments is not C:\WINDOWS\System32\svchost.exe -k imgsvc
   AND
      Process Name is svchost.exe
      OR
         Process StringList contains LOCALS~1\Temp\~TM4.tmp
         Process StringList is Hide Browser v1.1
         Process StringList is 220 220 RMNetwork FTP
         Process StringList is Ftp Grabber v1.0
         Process StringList is Virus Module v1.0 (exe, dll only)
         Process StringList is VNC Module v1.0 (Zeus Model)
         Process StringList is Byob Ernie Gild Lotto 2002-2006
         Process StringList is Reich.exe
         Process Handle Name contains CTF.Compart.MutexDefaultS-1-5-21
         Process Handle Name contains CTF.Layouts.MutexDefaultS-1-5-21
         Process Handle Name contains CTF.TMD.MutexDefaultS-1-5-21
         Process Handle Name contains CTF.TimListCache.FMPDefaultsS-1-5-21
         Process Handle Name contains CTF.Asm.MutexDefaultS-1-5-21
         Process Handle Name contains CTF.LBES.MutexDefaultS-1-5-21
         Process Handle Name contains \Start Menu\Programs\Startup
   AND
      Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clMailMessage.pas
      Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clSocket.pas
      Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clCertificate.pas
      Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clSspiTls.pas
      Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clTlsSocket.pas
      Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clSocks.pas
      Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clTcpClient.pas
      Process StringList is TModule_POPPeeper
      Process StringList is TModule_Eudora
      Process StringList is TModule_Gmail
      Process StringList is TModule_IncrediMail
      Process StringList is TModule_GroupMailFree
      Process StringList is TModule_VypressAuvis
      Process StringList is TModule_The_Bat
      Process StringList is TModule_Outlook0
      Process StringList is TOutlookIdentItem

Download:
5c03d9e7-c67c-45e8-aa2f-326bc5ddc76a.ioc

6

JAN

Duqu

Posted by:  /  Tags: , ,

Authored By:
Christopher Bentley – @cbentle2

Description:
Generic indicator for the DUQU virus. Based on Stuxtnet

Reports:
http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet

Indicators:
OR
   File MD5 is 0a566b1616c8afeef214372b1a0580c7
   File MD5 is 0eecd17c6c215b358b7b872b74bfd800
   File MD5 is 4541e850a228eb69fd0f0e924624b245
   File MD5 is b4ac366e24204d821376653279cbad86
   File MD5 is e8d6b4dadb96ddb58775e6c85b10b6cc
   File MD5 is c9a31ea148232b201fe7cb7db5c75f5e
   File MD5 is f60968908f03372d586e71d87fe795cd
   File MD5 is 9749d38ae9b9ddd81b50aad679ee87ec
   File Name is cmi4432.pnf
   File Name is cmi4464.pnf
   File Name is netp191.PNF
   File Name is jiminet7.sys
   File Name is cmi4432.sys
   File Name is nfred965.sys
   File Name is nred961.sys
   File PEInfo ResourceInfoList ResourceInfo Name is 302
   Port Remote IP is 68.132.129.18
   Port Remote IP is 206.183.111.97
   Process StringList is kasperskychk.dyndns.org
   Port Remote IP is 77.241.93.160
   Service Name is JmiNET3
   Service Name is cmi4432
   Process Handle Name contains adp
   Process Handle Name contains ~DQ
   Process StringList is \DEVICE\Gdp1
   Service Path contains C:\Windows\System32\drivers
   AND
      Registry Path contains HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet       Settings\Zones\4\
      Registry Text contains CF1D
   AND
      EventLog source is DCOM
      EventLog ID is 32212354481
      EventLog type is Error
   OR
      Hook Hooked Module is ntdll.dll

IOC File:
5add2090-312b-4628-a4f8-c42d1ca7c2a9.ioc

6

JAN

Generic Process Path Indicator

Posted by:  /  Tags: , ,

Authored By:
Christopher Bentley – @cbentle2

Description:
Generic Indicator to identify Common commands not run from their default process path locations.
cmd.exe, csrss.exe, explorer.exe, lsass.exe,services.exe, spoolsv.exe, smss.exe, svchost.exe, winlogon.exe and ctfmon.exe

Indicators:
OR
   AND
       Process Name is explorer.exe
       Process path is not C:\WINDOWS\
   AND
       Process Name is cmd.exe
       Process path is not C:\WINDOWS\system32
   AND
       Process Name is lsass.exe
       Process path is not C:\WINDOWS\system32
   AND
       Process Name is services.exe
       Process path is not C:\WINDOWS\system32
   AND
       Process Name is csrss.exe
       Process path is not C:\WINDOWS\system32
   AND
       Process Name is spoolsrv.exe
       Process path is not C:\WINDOWS\system32
   AND
       Process Name is smss.exe
       Process path is not C:\WINDOWS\system32
   AND
       Process Name is svchost.exe
       Process path is not C:\WINDOWS\system32
   AND
       Process Name is winlogon.exe
       Process path is not C:\WINDOWS\system32
   AND
       Process Name is ctfmon.exe
       Process path is not C:\WINDOWS\system32

IOC File:
7fe9ed86-72f5-4444-b99e-72ae535154fa.ioc

5

JAN

Morto

Posted by:  /  Tags: , , ,

Authored By:
Keith Gilbert – @digital4rensics

Description:
Finds common Morto infections and alerts on either the dropper, loader, or payload. Tested with success, no FPs. DNS & Process entries have not been verified.

Category:
Worm

Reports:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Worm%3AWin32%2FMorto.A

Indicators:
OR
   DnsEntryItem/RecordName contains qfsl.net
   DnsEntryItem/RecordName contains ms.jifr
   File Full Path contains Windows\Offline Web Pages\1.40_TestDdos
   File Full Path contains Windows\Offline Web Pages\cache.txt
   File Full Path contains Windows\clb.dll
   File Full Path contains Windows\clb.dll.bak
   AND
      Registry Path contains SYSTEM\WPA
      OR
         Registry ValueName is ie
         Registry ValueName is md
         Registry ValueName is sr
         Registry Value is Sens
         Registry Value is 6to4
         Registry ValueName is sn
   AND
      Registry Path contains SYSTEM\ControlSet001\Control\Windows
      Registry ValueName is NoPopUpsOnBoot
      Registry Text is 00000001
   AND
      Registry Path contains Software\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers
      Registry Value contains rundll32.exe=RUNASADMIN
   AND
      Process Name is svchost.exe
      Process StringList contains letmein
      Process Handle Name contains System32\Sens32.dll

IOC File:
326c3286-1a3c-403f-8e78-61f3ce1f3ab1.ioc

5

JAN

Ponmocup

Posted by:  /  Tags: , , ,  /  Comments: 3

Authored By:
Christopher Bentley

Description:
IOC for Ponmocup\Vundo

Reports:
http://www9.dyndns-server.com:8080/pub/botnet-links.html

Indicators:
OR
   File MD5 is 820ed1d99e2b771d915e033450fa0b0f
   File MD5 is bd291073fc2cb39456886d091a5ee85c
   File MD5 is 593af63840f11883610ba95d6744c4b1
   Network DNS contains checkwebspeed.net
   Process Handle Name is WBEMPROVIDERSTATICMUTEX
   Registry Path is HKEY_LOCAL_MACHINE\SOFTWARE\qrjaslop
   Registry Path is HKEY_CURRENT_USER\Software\zpppmcegc
   Port Remote IP is 96.126.106.156
   Process Stringlist contains http://imagehut4.cn/update/utu.da
   Process Handle Name contains \temp\scse.tmp
   Process Handle Name contains \temp\scsf.tmp
   Port Remote IP contains 184.105.178.92
   Registry Path contains HKEY_LOCAL_MACHINE\Software\Nojrkfkyp
   Process Handle Name Contains C:\WINDOWS\system32\drivers\etc\hosts
   Port Remote IP contains 94.75.201.35
   Port Remote IP contains 85.17.139.239
   Port Remote IP contains 85.17.139.238
   Port Remote IP contains 85.17.188.195
   Port Remote IP contains 94.75.201.36
   Port Remote IP contains 94.75.234.98
   Port Remote IP contains 94.75.234.107
   Port Remote IP contains 174.36.82.151
   Port Remote IP contains 78.159.100.32
   Registry Path contains HKEY_CURRENT_USER\Software\GHUZPSK
   Process StringList contains html/license_43EC922A3D0E1F403834ED406BA80D5A686E

Download:
c6245aef-5583-449e-92df-87f6b253de2c.ioc

5

JAN

Shylock

Posted by:  /  Tags: , , ,

Authored By:
Christopher Bentley

Updated On: Feb. 6 2012

Description:
Banking Trojan discovered by Trusteer Shylock intercepts network traffic and attempts to add malicious code to it.

Category:
Trojan

Reports:
http://quequero.org/uicwiki/index.php?title=Shylock_via_%20volatility

Indicators:
OR
   Process StringList contains _SHUTDOWN
   Process StringList contains MASTER_
   Process StringList contains EVT_VNC
   Process StringList contains EVT_BACK
   Process StringList is extensadv.cc
   Process StringList is topbeat.cc
   Process StringList is brainsphere.cc
   Process StringList is commonworldme.cc
   Process StringList is gigacat.cc
   Process StringList is nw-serv.cc
   Process StringList contains IE_Hook::GetRequestInfo
   Process StringList contains FF_Hook::getRequestInfo
   Process StringList contains EX_Hook::CreateProcess
   Port Remote IP is 178.208.75.226
   Port Remote IP is 81.177.170.135
   Port Remote IP is 88.198.50.150
   Port Remote IP is 65.55.87.173
   Port Remote IP is 91.223.180.66
   Port Remote IP is 92.60.177.233
   Port Remote IP is 92.60.177.234
   Port Remote IP is 93.190.45.75
   Process StringList contains hijackdll.dll
   Process Handle Name contains MTX_
   Process StringList is FF::PR_WriteHook entry
   Process StringList is FF::PR_WriteHook exit
   Process StringList is HijackProcessAttach::*** MASTER *** MASTER *** MASTER *** %s PID=%u
   HijackProcessAttach::entry
   Process StringList is FF::BEFORE INJECT
   Process StringList is FF::AFTER INJECT
   Process StringList is IE::BEFORE INJECT
   Process StringList is IE::AFTER INJECT
   Process StringList is *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC    *** %s
   Process StringList is *** LOG INJECTS *** %s
   Process StringList is *** inject to process %s not allowed
   Process StringList is *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** BackSocks ***    BackSocks *** BackSocks *** %s
   Process StringList is .?AVFF_Hook@@
   Process StringList is .?AVIE_Hook@@
   Process StringList contains Inject::InjectDllFromMemory
   Process StringList contains paragua-analyst.cc
   Process StringList contains BadSocks.dll

IOC File:
1623644e-7016-46ff-b302-07b7a75bfbe8.ioc