18 Şubat 2015 Çarşamba

Carbanak APT

 BAT file to detect infection

@echo off
for /f %%a in ('hostname') do set "name=%%a" echo %name%
del /f %name%.log 2> nul
if exist "c:\Documents and settings\All users\application data\
mozilla\*.bin" echo "BIN detected" >> %name%.log
if exist %SYSTEMROOT%\System32\com\svchost.exe echo "COM
detected" >> %name%.log
if exist "c:\ProgramData\mozilla\*.bin" echo "BIN2 detected"
>> %name%.log
if exist %SYSTEMROOT%\paexec* echo "Paexec detected"
>> %name%.log
if exist %SYSTEMROOT%\Syswow64\com\svchost.exe echo "COM64
detected" >> %name%.log
SC QUERY state= all | find "SERVICE_NAME" | findstr "Sys$"
if q%ERRORLEVEL% == q0 SC QUERY state= all | find
"SERVICE_NAME" | findstr "Sys$" >> %name%.log
if not exist %name%.log echo Ok > %name%.log xcopy /y %name%.log
"\\<IP>\logVirus

IoC s   CNC IPs & Domains

108.61.197.254
112.78.3.142
118.163.216.107
131.72.138.18
141.60.162.150
146.185.220.200
162.221.183.109
162.221.183.11
173.201.45.158
173.237.187.203
174.143.147.168
185.10.56.59
185.10.56.59:443
185.10.58.175
188.138.16.214
188.138.98.105
188.40.224.76
190.97.165.126
194.44.218.102
195.113.26.195
198.101.229.24
199.255.116.12
199.79.62.69
204.227.182.242
208.109.248.146
209.222.30.5
216.170.117.7
216.170.117.88
217.172.183.184
217.172.186.179
218.76.220.106
31.131.17.79
31.131.17.81
37.235.54.48
37.46.114.148
37.59.202.124
5.101.146.184
5.135.111.89
5.61.32.118
5.61.38.52
50.115.127.36
50.115.127.37
55.198.6.56
61.7.219.61
62.75.224.229
66.55.133.86
67.103.159.140
69.64.48.125
74.208.170.163
78.129.184.4
79.99.6.187
81.4.110.128
83.16.41.202
83.166.234.250
83.246.67.58
85.25.117.154
85.25.20.109
85.25.207.212
87.106.8.177
87.98.153.34
88.198.184.241
91.194.254.38
91.194.254.90
91.194.254.91
91.194.254.92
91.194.254.93
91.194.254.94
91.194.254.98
93.95.102.109
93.95.99.232
94.247.178.230
95.0.250.113
adguard.name
beefeewhewhush-eelu.biz
blizko.net
comixed.org
coral-trevel.com
datsun-auto.com
di-led.com
financialnewson-line.pw
financialwiki.pw
flowindaho.info
freemsk-dns.com
gjhhghjg6798.com
glonass-map.com
great-codes.com
icafyfootsinso.ru
idedroatyxoaxi.ru
vaserivaseeer.biz
microloule461soft-c1pol361.com
microsoftc1pol361.com
mind-finder.com
operatemesscont.net
paradise-plaza.com
public-dns.us
publics-dns.com
systemsvc.net
system-svc.net
traider-pro.com
travel-maps.info
update-java.net
veslike.com
wefwe3223wfdsf.com
worldnews24.pw
worldnewsonline.pw

MD5 Hashes

0022c1fe1d6b036de2a08d50ac5446a5
0155738045b331f44d300f4a7d08cf21
0275585c3b871405dd299d458724db3d
0ad4892ead67e65ec3dd4c978fce7d92
0ad6da9e62a2c985156a9c53f8494171
1046652e0aaa682f89068731fa5e8e50
10e0699f20e31e89c3becfd8bf24cb4c
1300432e537e7ba07840adecf38e543b
15a4eb525072642bb43f3c188a7c3504
16cda323189d8eba4248c0a2f5ad0d8f
1713e551b8118e45d6ea3f05ec1be529
1a4635564172393ae9f43eab85652ba5
1b9b9c8db7735f1793f981d0be556d88
1d1ed892f62559c3f8234c287cb3437c
1e127b92f7102fbd7fa5375e4e5c67d1
1e47e12d11580e935878b0ed78d2294f
1f43a8803498482d360befc6dfab4218
1fd4a01932df638a8c761abacffa0207
20f8e962b2b63170b228ccaff51aeb7d
26d6bb7a4e84bec672fc461487344829
2908afb4de41c64a45e1eb2503169108
2c6112e1e60f083467dc159ffb1ceb6d
2cba1a82a78f4dcbad1087c1b71588c9
2e2aa05a217aacf3105b4ba2288ad475
36cdf98bc79b6997dd4e3a6bed035dca
36dfd1f3bc58401f7d8b56af682f2c38
39012fb6f3a93897f6c5edb1a57f76a0
3dc8c4af51c8c367fbe7c7feef4f6744
407795b49789c2f9ca6eca1fbab3c73e
45691956a1ba4a8ecc912aeb9f1f0612
4afafa81731f8f02ba1b58073b47abdf
4e107d20832fff89a41f04c4dff1739b
4f16b33c074f1c31d26d193ec74aaa56
50f70e18fe0dedabefe9bf7679b6d56c
5443b81fbb439972de9e45d801ce907a
55040dd42ccf19b5af7802cba91dbd7f
551d41e2a4dd1497b3b27a91922d29cc
56bfe560518896b0535e0e4da44266d6
5aeecb78181f95829b6eeeefb2ce4975
5da203fa799d79ed5dde485c1ed6ba76
608bdeb4ce66c96b7a9289f8cf57ce02
6163103103cdacdc2770bd8e9081cfb4
629f0657e70901e3134dcae2e2027396
643c0b9904b32004465b95321bb525eb
6e564dadc344cd2d55374dbb00646d1b
735ff7defe0aaa24e13b6795b8e85539
751d2771af1694c0d5db9d894bd134ca
763b335abecbd3d9a6d923a13d6c2519
763e07083887ecb83a87c24542d70dc5
7b30231709f1ac69e4c9db584be692f0
7d0bbdda98f44a5b73200a2c157077df
7e3253abefa52aeae9b0451cfb273690
874058e8d8582bf85c115ce319c5b0af
88c0af9266679e655298ce19e231dff1
8ace0c156eb6f1548b96c593a15cbb25
933ab95dbf7eb0e9d9470a9272bfaff3
93e44ecfcffdbb1f7f3119251ddb7670
972092cbe7791d27fc9ff6e9acc12cc3
9865bb3b4e7112ec9269a98e029cf5cb
9ad8c68b478e9030859d8395d3fdb870
9f455f0efe8c5ff69adcc456dcf00da6
a1979aa159e0c54212122fd8acb24383
a4bfd2cfbb235d869d87f5485853edae
a8dc8985226b7b2c468bb82bad3e4d76
aa55dedff7f5dbe2cc4a47f2f8d44f94
ac5d3fc9da12255759a4a7e4eb3d63e7
acb01930466438d3ee981cb4fc57e196
acb4c5e2f92c84df15faa4846f17ff4e
b2e6d273a9b32739c9a26f267ab7d198
b328a01f5b82830cc250e0e429fca69f
b400bb2a2f9f0ce176368dc709359d3d
b6c08d0db4ca1d9e16f3e164745810ff
b79f7d41e30cf7d69a4d5d19dda8942e
bddbb91388dd2c01068cde88a5fb939e
c179ad6f118c97d3db5e04308d48f89e
c1b48ca3066214a8ec988757cc3022b3
c2472adbc1f251acf26b6deb8e7a174b
c687867e2c92448992c0fd00a2468752
c77331b822ca5b78c31b637984eda029
cb915d1bd7f21b29edc179092e967331
cc294f8727addc5d363bb23e10be4af2
d943ccb4a3c802d304ac29df259d14f2
db3e8d46587d86519f46f912700372e0
dbd7d010c4657b94f49ca85e4ff88790
e06a0257449fa8dc4ab8ccb6fbf2c50b
e613e5252a7172329ee25525758180a4
e742242f28842480e5c2b3357b7fd6ab
e938f73a10e3d2afbd77dd8ecb3a3854
eaee5bf17195a03d6bf7189965ee1bdb
ef8e417e5adb2366a3279d6680c3b979
f4eddae1c0b40bfedeb89e814a2267a5
f66992766d8f9204551b3c42336b4f6d
fad3a7ea0a0c6cb8e20e43667f560d7f
fbc310a9c431577f3489237d48763eea
ff7fd55796fa66c8245c0b90157c57c7
100d516821d99b09718b362d5a4b9a2f
6ae1bb06d10f253116925371c8e3e74b
72eff79f772b4c910259e3716f1acf49
85a26581f9aadeaa6415c01de60f932d
9ad6e0db5e2f6b59f14dd55ded057b69
a70fea1e6eaa77bdfa07848712efa259
be935b4b3c620558422093d643e2edfe
c70cce41ef0e4a206b5b48fa2d460ba4
41fb85acedc691bc6033fa2c4cf6a0bc
1684a5eafd51852c43b4bca48b58980f
08f83d98b18d3dff16c35a20e24ed49a                   

Reference : https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf

Hiç yorum yok:

Yorum Gönder