
Duqu

Authored By:
Christopher Bentley – @cbentle2

Description:
Generic indicator for the Duqu virus, which is based on Stuxnet.

Reports:
http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet

Indicators:
OR
   File Name is cmi4432.pnf
   File Name is cmi4464.pnf
   File Name is netp191.PNF
   File Name is jiminet7.sys
   File Name is cmi4432.sys
   File Name is nfred965.sys
   File Name is nred961.sys
   File PEInfo ResourceInfoList ResourceInfo Name is 302
   Port Remote IP is 68.132.129.18
   Port Remote IP is 206.183.111.97
   Process StringList is kasperskychk.dyndns.org
   Port Remote IP is 77.241.93.160
   Service Name is JmiNET3
   Service Name is cmi4432
   Process Handle Name contains adp
   Process Handle Name contains ~DQ
   Process StringList is \DEVICE\Gdp1
   Service Path contains C:\Windows\System32\drivers
   AND
      Registry Path contains HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\
      Registry Text contains CF1D
   AND
      EventLog source is DCOM
      EventLog ID is 32212354481
      EventLog type is Error
   OR
      Hook Hooked Module is ntdll.dll

IOC File:
5add2090-312b-4628-a4f8-c42d1ca7c2a9.ioc