From a5fcb22cd8518ebb31aab74f69f628fe48393b13 Mon Sep 17 00:00:00 2001
From: j0hnf
Date: Sun, 16 Feb 2014 03:33:29 +0000
Subject: [PATCH] added indicators of compromise from the kaspersky careto report

---
 IOCs/README | 1 +
 IOCs/kaspersky_careto_C2.txt | 17 +++++++++++
 IOCs/kaspersky_careto_domains.txt | 26 +++++++++++++++++
 IOCs/kaspersky_careto_files.txt | 47 ++++++++++++++++++++++++++++++
 IOCs/kaspersky_careto_registry.txt | 1 +
 5 files changed, 92 insertions(+)
 create mode 100644 IOCs/README
 create mode 100644 IOCs/kaspersky_careto_C2.txt
 create mode 100644 IOCs/kaspersky_careto_domains.txt
 create mode 100644 IOCs/kaspersky_careto_files.txt
 create mode 100644 IOCs/kaspersky_careto_registry.txt

diff --git a/IOCs/README b/IOCs/README
new file mode 100644
index 00000000..01a7cc29
--- /dev/null
+++ b/IOCs/README
@@ -0,0 +1 @@
+Lists of indicators of compromise
diff --git a/IOCs/kaspersky_careto_C2.txt b/IOCs/kaspersky_careto_C2.txt
new file mode 100644
index 00000000..74ad8c56
--- /dev/null
+++ b/IOCs/kaspersky_careto_C2.txt
@@ -0,0 +1,17 @@
+190.10.9.209
+190.105.232.46
+196.40.84.94
+200.122.160.25
+202.150.211.102
+202.150.214.50
+202.75.56.123
+202.75.56.231
+202.75.58.153
+210.48.153.236
+223.25.232.161
+37.235.63.127
+75.126.146.114
+81.0.233.15
+82.208.40.11
+62.149.227.3
+75.126.146.114
diff --git a/IOCs/kaspersky_careto_domains.txt b/IOCs/kaspersky_careto_domains.txt
new file mode 100644
index 00000000..aee5a862
--- /dev/null
+++ b/IOCs/kaspersky_careto_domains.txt
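Review bot: `75.126.146.114` appears twice in the C2 list (the 13th and the last entry), so any consumer that counts hits or merges feeds line by line will carry a duplicate; dropping the final `+75.126.146.114` is enough. The entries are also in no consistent order (`37.235.63.127` and `62.149.227.3` sit after the 2xx ranges), which makes later diffs against other IP feeds noisier than they need to be, so sorting the file once at creation would help. The file carries no source or report date, and a plain address list has no comment syntax to hold one; since these addresses may be reassigned over time, the README added in this same commit is the place to record where and when they were published.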
@@ -0,0 +1,26 @@
+nthost.shacknet.nu
+tunga.homedns.org
+prosoccer1.dyndns.info
+prosoccer2.dyndns.info
+nav1002.ath.cx
+pininfarina.dynalias.com
+wqq.dyndns.org
+pl400.dyndns.org
+services.serveftp.org
+sv.serveftp.org
+cherry1962.dyndns.org
+carrus.gotdns.com
+ricush.ath.cx
+takami.podzone.net
+dfup.selfip.org
+wwnav.selfip.net
+fast8.homeftp.org
+ctronlinenews.dyndns.tv
+mango66.dyndns.org
+gx5639.dyndns.tv
+services.serveftp.org
+*.redirserver.net
+*.swupdt.com
+*.msupdt.com
+*.appleupdt.com
+*.linkconf.net
diff --git a/IOCs/kaspersky_careto_files.txt b/IOCs/kaspersky_careto_files.txt
new file mode 100644
index 00000000..b7b17c5f
--- /dev/null
+++ b/IOCs/kaspersky_careto_files.txt
@@ -0,0 +1,47 @@
+%system%\objframe.dll
+%system%\shlink32.dll
+%system%\shlink64.dll
+cdllait32.dll
+cdllait64.dll
+cdlluninstallws32.dll
+cdlluninstallws64.dll
+cdlluninstallsgh32.dll
+cdlluninstallsgh64.dll
+%system%\c_50225.nls
+%system%\c_50227.nls
+%system%\c_50229.nls
+%system%\c_51932.nls
+%system%\c_51936.nls
+%system%\c_51949.nls
+%system%\c_51950.nls
+%system%\c_57002.nls
+%system%\c_57006.nls
+%system%\c_57008.nls
+%system%\c_57010.nls
+%system%\cdgext32.dll
+%system%\cfgbkmgrs.dll
+%system%\cfgmgr64.dll
+%system%\comsvrpcs.dll
+%system%\d3dx8_20.dll
+%system%\dllcomm.dll
+%system%\drivers\wmimgr.sys
+%system%\drvinfo.bin
+%system%\FCache.bin
+%system%\FFExtendedCommand.dll
+%system%\gpktcsp32.dll
+%system%\HPQueue.bin
+%system%\LPQueue.bin
+%system%\mdwmnsp.dll
+%system%\rpcdist.dll
+%system%\scsvrft.dll
+%system%\sdptbw.dll
+%system%\slbkbw.dll
+%system%\skypeie6plugin.dll
+%system%\wmspdmgr.dll
+%temp%\~DF01AC74D8BE15EE01.tmp
+%temp%\~DF23BF45A473C42B56.tmp
+%temp%\~DFA0528CD81300F372.tmp
+%temp%\~DF8471938479DA49221.tmp
+%appdata%\microsoft\c_27803.nls
+%appdata%\microsoft\objframe.dll
+%appdata%\microsoft\shmgr.dll
diff --git a/IOCs/kaspersky_careto_registry.txt b/IOCs/kaspersky_careto_registry.txt
new file mode 100644
index 00000000..c03e88fd
--- /dev/null
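Review bot: `services.serveftp.org` is listed twice in the domain list (9th and 21st entries), and the file mixes exact hostnames with wildcard patterns (`*.redirserver.net` through `*.linkconf.net`) without saying which syntax a consumer should expect, so an exact-match blocklist will treat `*.swupdt.com` as a literal string and never match it. Either move the five wildcard entries into their own file or state in the README that a leading `*.` means any subdomain. Most of the remaining names are subdomains of dynamic-DNS providers (dyndns.org, ath.cx, selfip.org) that can later be registered by unrelated users, so a match on one of them is best treated as a lead to confirm against the file and registry indicators rather than as proof on its own.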
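Review bot: The path notation in the file list is inconsistent: most entries carry a `%system%\`, `%temp%\` or `%appdata%\` prefix, but `cdllait32.dll` through `cdlluninstallsgh64.dll` are bare filenames, so a tool that expands the prefixes has no location for those six and a reader cannot tell whether they belong in the same directory as their neighbours. `%system%` is also not a standard Windows environment variable (presumably it stands for the System32 directory, following the source report's notation), so the README should define what each placeholder expands to. Case varies between entries (`FCache.bin` and `HPQueue.bin` next to all-lower-case names); Windows path lookups are case-insensitive by default, so a consumer should compare case-insensitively rather than rely on the case written here.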
+++ b/IOCs/kaspersky_careto_registry.txt
@@ -0,0 +1 @@
+[HKLM\Software\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32]
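Review bot: The registry entry is written in .reg-style bracket form, `[HKLM\...\InprocServer32]`, while the other four lists hold one bare value per line; a consumer that reads these files uniformly will look up a key name beginning with `[`. Either drop the brackets to match the sibling files or note the format in the README. The line also records only the key path; if the source report identified the DLL path stored in that key's default value, recording it alongside would let a check confirm the hit rather than only the presence of the CLSID.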