23 Mart 2015 Pazartesi

Poseidon POS Malware

C&C IP Addresses

151.236.11.167
185.13.32.132
185.13.32.48
31.184.192.196
91.220.131.116
91.220.131.87
C&C Domains

linturefa.com
xablopefgr.com
tabidzuwek.com
lacdileftre.ru
tabidzuwek.com
xablopefgr.com
lacdileftre.ru
weksrubaz.ru
linturefa.ru
mifastubiv.ru
xablopefgr.ru
tabidzuwek.ru
quartlet.com
horticartf.com
kilaxuntf.ru
dreplicag.ru
fimzusoln.ru
wetguqan.ru


Network IoC

POST   <IP ADDRESS>/ldl01/viewtopic.php

POST   <IP ADDRESS>/pes2/viewtopic.php

Malware file SHA256 hashes (reported file name, then SHA256)

pes13.exe    761264541adde52e68b11ebb4721964b32fd7bef95edf54872b176ba7e898211
pes13n[1].exe    adfa83564f2d2c4330af59cb277b46e60fb69c5c1b7581a34722ee7f9d747695
(random).exe    7fd1525005da2635c839b384eede2d343d38178110172b8b5611a198531ce6d8
(random).exe    66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75
update.exe    334079dc9fa5b06fbd68e81de903fcd4e356b4f2d0e8bbd6bdca7891786c39d4
pes13.exe    600a8ca37f0007e80dc89c6116f2828c92f84a5af09b9c4b85a5795c66bf7b2b
updatte.exe    5bb4714548f76eeb234410237f6235dca0a07faa1643f42bbbdc922cddfd0e91
pes13t.exe    712f58b4bdf86c791d126df041baedc239298c32f2f5c15a0bbc55d27a18b45e
pesl.exe    4316e0b019a7b45ed0ebf5bcf24b5cac6be8323b381e4c776f13d36482fbb16d
pes13n.exe    82a3262671783f01a5084f1e465b6b505afae28a8f20ce27f618bdfc8251338c
pes13t.exe    8b7252c0e7cc4b2311bda423f08cf62fdb75de591c62babd40693147ef022a7a
pes13l.exe    87af6581a28d48dfcd1608b6119f05c304848dee14fbed6a1171f2a6d4e94c62
winhost.exe    06b8c96134b7d67bd16fbc1c9a14de5e6746482e5e472839c0d32518bce13131
winhost.exe    217f513522b15b87066ab4a4c20aba4814372d6a846e0ad55bf5bf246338e927
(random).exe    342a249efd5ec1555f5f43097546dbcc1c3758d8569b482447c904e88d664eba
winhost.exe    d409b56868f0ddb58f11d5b218f313c2787a6cdcfaa240ba8b8d94ea4f4a34a5
pes13.exe    d97f9207541f9baf785a6849cabc667f5fa26aed78284049d8529e64ab71a195
update.exe    334079dc9fa5b06fbd68e81de903fcd4e356b4f2d0e8bbd6bdca7891786c39d4
pes13l.exe    4316e0b019a7b45ed0ebf5bcf24b5cac6be8323b381e4c776f13d36482fbb16d
pes13l.exe    87af6581a28d48dfcd1608b6119f05c304848dee14fbed6a1171f2a6d4e94c62
pes13t.exe    8b7252c0e7cc4b2311bda423f08cf62fdb75de591c62babd40693147ef022a7a
pes13n.exe    82a3262671783f01a5084f1e465b6b505afae28a8f20ce27f618bdfc8251338c
pes13n[1].exe    adfa83564f2d2c4330af59cb277b46e60fb69c5c1b7581a34722ee7f9d747695
pes13t.exe    712f58b4bdf86c791d126df041baedc239298c32f2f5c15a0bbc55d27a18b45e
updatte.exe    5bb4714548f76eeb234410237f6235dca0a07faa1643f42bbbdc922cddfd0e91
winhost.exe    06b8c96134b7d67bd16fbc1c9a14de5e6746482e5e472839c0d32518bce13131
winhost32.exe    217f513522b15b87066ab4a4c20aba4814372d6a846e0ad55bf5bf246338e927
winhost.exe     d409b56868f0ddb58f11d5b218f313c2787a6cdcfaa240ba8b8d94ea4f4a34a5
update.exe    40fb28952afad2ae16ef586bfb9394a250fc7480d37a58770f3b3a9cd32e9212
(Unpacked Loader)    745795aed3a9dd120d2420f64e0f7c009a6a5822389b61cc844b7b576b46f70f
(Unpacked Loader)    5037a55b975c5ddb48252f07a80fddb3345e7add288b163981ca53f674bd60ad
(Unpacked Loader)    a73dc0e39d44e903a2047c8d1a94a12b358cf116d92d9ebe93b1433eeb96e8e7
pes13.exe    761264541adde52e68b11ebb4721964b32fd7bef95edf54872b176ba7e898211
(random).exe    66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75
N/A    600a8ca37f0007e80dc89c6116f2828c92f84a5af09b9c4b85a5795c66bf7b2b
N/A    7fd1525005da2635c839b384eede2d343d38178110172b8b5611a198531ce6d8
(random).exe    342a249efd5ec1555f5f43097546dbcc1c3758d8569b482447c904e88d664eba
pes13.exe    d97f9207541f9baf785a6849cabc667f5fa26aed78284049d8529e64ab71a195
(Unpacked FindStr)    f0918b168757c6c27f8f319f523ab8c0067770c14cdc9bac5e3cc3ab6e2f6a5e
(Unpacked FindStr)    66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75

RegistryItem.ioc

<?xml version="1.0" encoding="us-ascii"?>
<!-- OpenIOC definition (schemas.mandiant.com/2010/ioc): RegistryItem indicators for Win.Trojan.PoSeidon.
     Two substring checks on RegistryItem/Text, each in its own OR wrapper, OR-ed together at the top. -->
<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     id="e0edb25d-7c1f-47b8-a946-fd221f691b6f"
     last-modified="2015-03-13T18:44:34">
  <short_description>Win.Trojan.PoSeidon RegistryItem Indicators</short_description>
  <description>Matches known RegistryItem Text values that indicate Win.Trojan.PoSeidon execution and persistence</description>
  <authored_by>CSS</authored_by>
  <authored_date>2015-03-13T18:43:44</authored_date>
  <links></links>
  <definition>
    <Indicator id="417e8123-acd5-478a-9684-7e3e4aa978af" operator="OR">
      <!-- "winhost": covers the winhost.exe / winhost32.exe names from the hash list above.
           The single-child OR wrapper is redundant with the outer OR but is kept as authored. -->
      <Indicator id="daa54c25-69be-4861-b133-3f1afa212295" operator="OR">
        <IndicatorItem condition="contains" id="4b85d71d-c9db-4d19-bdb8-df85534acbfa">
          <Context type="mir" document="RegistryItem" search="RegistryItem/Text"/>
          <Content type="string">winhost</Content>
        </IndicatorItem>
      </Indicator>
      <!-- "pes13": covers pes13.exe, pes13n.exe, pes13t.exe, pes13l.exe and pes13n[1].exe from the hash list. -->
      <Indicator id="0769905d-4dd5-495b-b020-424c0ec38668" operator="OR">
        <IndicatorItem condition="contains" id="d0753250-b775-4595-a9e3-94049abac685">
          <Context type="mir" document="RegistryItem" search="RegistryItem/Text"/>
          <Content type="string">pes13</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
 
 
ProcessItem.ioc

<?xml version="1.0" encoding="us-ascii"?>
<!-- OpenIOC definition (schemas.mandiant.com/2010/ioc): ProcessItem indicators for Win.Trojan.PoSeidon.
     A single substring check on the process name; no nested wrapper Indicator, unlike the RegistryItem
     and FileItem documents on this page. -->
<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     id="9e47b686-3777-4437-895f-f976f885137b"
     last-modified="2015-03-12T17:40:12">
  <short_description>Win.Trojan.PoSeidon ProcessItem Indicators</short_description>
  <description>Matches against known values of ProcessItem Names for Win.Trojan.PoSeidon</description>
  <authored_by>CSS</authored_by>
  <authored_date>2015-03-12T17:38:56</authored_date>
  <links></links>
  <definition>
    <Indicator id="1ff356dd-50fc-4391-8412-b542a8356171" operator="OR">
      <!-- "winhost" as a substring of ProcessItem/name: matches both winhost.exe and winhost32.exe
           from the hash list above. The pes13* names are not covered by this document. -->
      <IndicatorItem condition="contains" id="6e6988c3-c363-406b-b309-76567c5ee885">
        <Context type="mir" document="ProcessItem" search="ProcessItem/name"/>
        <Content type="string">winhost</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
 
FileItem.ioc

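<?xml version="1.0" encoding="us-ascii"?>
<!-- OpenIOC definition (schemas.mandiant.com/2010/ioc): FileItem indicators for Win.Trojan.PoSeidon.
     Three substring checks on FileItem/FileName, each in its own OR wrapper, OR-ed together at the top.
     Fix: the original document reused IndicatorItem id 48f2dd5c-65a3-4d58-9728-b51ddd6e1589 for both the
     "pes13" and "updatte" items; ids must be unique within an IOC, so the "updatte" item now carries a
     clearly marked placeholder id that must be replaced with a freshly generated GUID before publishing. -->
<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     id="fff9f497-f324-4514-bc35-e7d4f8ffcaa6"
     last-modified="2015-03-12T22:06:28">
  <short_description>Win.Trojan.PoSeidon FileItem Indicators</short_description>
  <description>Matches variations of filenames known to be associated with Win.Trojan.PoSeidon</description>
  <authored_by>CSS</authored_by>
  <authored_date>2015-03-12T22:04:08</authored_date>
  <links></links>
  <definition>
    <Indicator id="51e6f9f8-0f05-45e8-b3ff-a4d8ecdf3eed" operator="OR">
      <!-- "winhost": covers winhost.exe and winhost32.exe from the hash list above. -->
      <Indicator id="3f168456-c81e-4718-8cb5-4b8f36476bf0" operator="OR">
        <IndicatorItem condition="contains" id="cd7b568d-2b01-446d-b357-4dba83b91beb">
          <Context type="mir" document="FileItem" search="FileItem/FileName"/>
          <Content type="string">winhost</Content>
        </IndicatorItem>
      </Indicator>
      <!-- "pes13": covers pes13.exe, pes13n.exe, pes13t.exe, pes13l.exe and pes13n[1].exe. -->
      <Indicator id="35c3d7fa-b2db-45f9-afa0-875c5f3de16c" operator="OR">
        <IndicatorItem condition="contains" id="48f2dd5c-65a3-4d58-9728-b51ddd6e1589">
          <Context type="mir" document="FileItem" search="FileItem/FileName"/>
          <Content type="string">pes13</Content>
        </IndicatorItem>
      </Indicator>
      <!-- "updatte" (misspelled on purpose, as in the hash list): covers updatte.exe only; the generic
           update.exe name is deliberately not matched here. The IndicatorItem id below is a CONSTRUCTED
           PLACEHOLDER, not a real GUID from the original document. -->
      <Indicator id="9fd74c08-a85b-4413-9444-4fF000ce5b73" operator="OR">
        <IndicatorItem condition="contains" id="00000000-0000-4000-8000-000000000003">
          <Context type="mir" document="FileItem" search="FileItem/FileName"/>
          <Content type="string">updatte</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>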
 
Ref: http://blogs.cisco.com/security/talos/poseidon#more-165632 
