From 39dc3150df1e3ae35fbf02ad754bf3fac4cb6047 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 16 May 2020 13:11:16 +0200
Subject: [PATCH] Attack on academic data centers IOCs

---
c2-iocs.txt | 155 ++++++++++------------------------------
filename-iocs.txt | 35 ++++++++++-
hash-iocs.txt | 110 +++++--------------------------
string-iocs.txt | 7 ++-
4 files changed, 83 insertions(+), 224 deletions(-)

diff --git a/c2-iocs.txt b/c2-iocs.txt
index f04bc21..021a41e 100644
--- a/c2-iocs.txt
+++ b/c2-iocs.txt
@@ -1,125 +1,32 @@
-201.191.202.34
-216.58.192.68
-185.11.146.191
-185.11.146.151
-185.62.190.62
-185.62.190.82
-185.62.190.156
-185.62.190.222
-185.62.190.253
-188.209.49.163
-188.209.52.195
-188.209.49.131
-188.209.49.165
-185.130.5.165
-185.130.5.174
-185.130.5.200
-185.130.5.205
-185.130.5.246
-80.82.64.177
-80.82.78.12
-89.248.168.29
-89.248.172.201
-94.102.53.144
-89.248.162.167
-89.248.162.171
-89.248.166.131
-89.248.168.39
-89.248.172.166
-89.248.172.173
-94.102.49.197
-94.102.63.136
-46.165.251.153
-178.162.199.88
-178.162.205.4
-178.162.205.29
-178.162.205.30
-178.162.211.200
-178.162.211.211
-178.162.211.213
-178.162.211.214
-178.162.211.215
-178.162.211.216
-178.162.211.217
-149.202.153.56
-173.208.196.202
-188.0.236.27
-188.209.52.228
-192.210.220.3
-198.23.238.215
-198.23.238.251
-208.67.1.130
-208.67.1.33
-208.69.31.11
-5.152.206.162
-5.196.8.171
-89.248.162.167
-115.239.248.62
-117.27.158.104
-117.27.158.71
-117.27.158.78
-117.27.158.91
-122.225.103.118
-122.225.103.122
-122.225.103.125
-122.225.103.97
-122.225.109.102
-122.225.109.103
-122.225.109.108
-122.225.109.109
-122.225.109.114
-122.225.109.121
-122.225.109.125
-122.225.109.202
-122.225.109.214
-122.225.109.220
-122.225.109.99
-218.2.0.121
-218.2.0.132
-218.2.0.133
-218.2.0.137
-221.235.188.210
-222.186.34.121
-222.186.58.70
-60.169.77.228
-61.174.50.172
-61.174.50.177
-61.174.50.184
-61.174.50.216
-61.174.51.214
-61.174.51.226
-61.174.51.229
-61.174.51.230
-61.174.51.233
-61.174.51.235
-61.174.50.184
-122.225.103.118
-218.2.0.132
-122.225.103.125
-122.225.109.99
-122.225.103.97
-122.225.103.122
-61.174.51.226
-117.27.158.71
-61.174.51.233
-122.225.109.108
-122.225.109.109
-61.174.50.177
-61.174.51.214
-117.27.158.104
-61.174.50.172
-222.186.34.121
-117.27.158.91
-222.186.58.70
-61.174.51.229
-122.225.109.214
-61.174.50.216
-117.27.158.78
-221.235.188.210
-122.225.109.121
-167.114.153.55
-94.237.37.28
-82.118.242.171
-31.220.61.251
-128.199.199.187
+149.156.26.227
+202.120.32.231
+202.120.58.243
+202.120.58.244
+2001:da8:8000:6300:199:433c:16c7:c668
+2001:da8:8000:6300:1c22:6545:295d:f55c
+2001:da8:8000:6300:1cc4:148e:4368:1d2c
+2001:da8:8000:6300:6c46:cb5b:f478:185e
+2001:da8:8000:6300:7925:5377:34a8:e4b3
+2001:da8:8000:6300:8c84:868e:9c5d:3322
+159.226.161.107
+159.226.234.29
+51.77.135.89
+51.15.177.65
+51.75.52.118
+51.75.144.43
+51.79.53.139
+51.79.86.181
+212.83.166.62
+159.226.88.110
+159.226.62.107
+159.226.170.127
+132.230.222.12
+192.154.2.203
+129.49.37.67
+129.49.170.118
+91.196.70.109
+149.156.26.227
+149.156.26.56
+142.150.255.49
+159.226.234.29
 # END
diff --git a/filename-iocs.txt b/filename-iocs.txt
index ee4e7b9..0644bbd 100644
--- a/filename-iocs.txt
+++ b/filename-iocs.txt
@@ -1,2 +1,35 @@
-demo/evil.jsp
+/apps/.ior/read/.terma
+/apps/.ior/read/.termb
+/etc/fonts/.fonts
+/etc/fonts/.low
+/etc/terminfo/.terma
+/etc/terminfo/.termb
+/.mozilla/plugins/.fonts
+/.mozilla/plugins/.low
+/.mozilla/plugins/.aa
+/.mozilla/plugins/test
+/usr/lib64/.lib/l64
+/var/games/.terma
+/var/games/.termb
+/tmp/aes.tgz
+/tmp/db.tgz
+/tmp/dbsyn*
+/tmp/reserved
+/tmp/systemdb
+/tmp/updatedb
+/tmp/check_power
+/tmp/hdshare
+/tmp/readps
+/usr/bin/on_ac_power
+/usr/lib/libocs.so
+/usr/lib64/.lib/l64
+/usr/share/aldi.so
+/usr/share/sos/
+/usr/share/sos/rh.pub
+/usr/share/sos/rh.pub
+/var/tmp/.lock
+/var/tmp/.lock/clogs
+/var/tmp/.lock/cpa.h
+/var/tmp/.lock/ologs
+/wlcg/arc-ce1/cache/.cache
 # END - DO NOT REMOVE
diff --git a/hash-iocs.txt b/hash-iocs.txt
index 414f7af..84aa100 100644
--- a/hash-iocs.txt
+++ b/hash-iocs.txt
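Review bot: The new list carries two entries twice — `149.156.26.227` appears at the top of the added block and again near its end, and `159.226.234.29` likewise — so one copy of each should be dropped before merging. The addresses also carry no annotation: unlike hash-iocs.txt, where each added line ends in a `;Loader`/`;Cleaner` label, nothing here records which campaign or date an indicator belongs to, which makes later pruning of stale entries guesswork; if the format accepts a `;comment` suffix, a short tag such as `;academic data center attacks 2020-05` on each line would fix that. Several of these prefixes look like they sit inside university or research networks rather than attacker-owned hosting, which suggests they are compromised source hosts rather than C2 servers; if so, an expiry date matters more than usual, because once those hosts are cleaned the entries will only produce false positives.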
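Review bot: `/usr/lib64/.lib/l64` and `/usr/share/sos/rh.pub` are each listed twice in the added block; drop the duplicates. If the scanner treats these lines as regular expressions rather than shell globs — the unescaped dots in `.terma`, `.mozilla` and the rest suggest metacharacters are not being escaped — then `/tmp/dbsyn*` matches `/tmp/dbsy` followed by zero or more `n`, not `dbsyn` plus anything, and the intended pattern would be `/tmp/dbsyn.*`. The bare directory entries `/usr/share/sos/` and `/var/tmp/.lock` will likewise match every path beneath them, which may be intended but deserves a comment so the broad hits are not mistaken for a bug.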
@@ -1,98 +1,16 @@
-329cd07f4dd67947ff10d8a6550ff779;Demo file - evil.jsp
+5ed00cb88d218db8d09352d9058c400c;Loader
+02570c3a85fc1ccea9858ecacdc3a954;Loader
+11a186cd20d74f5dc0febe3d7904c52d;Loader
+dd771b769ceeba0fc1d514a6e6530a70;Loader
+bf16df15225bc83a56b0cf0ec9012360;Loader
+fe9a46254cf233fcafeada013d0ec056;Loader
-866f94f30d9865995494a0f7228329c26149eef2960500b2177c736c5c846035;Equation APT
-8447dabffd37eb7fcb1bc1d6c6f1d164;Htran Chinese APT Tunneling Tool Sample
-
-5d853a8de18d844a9ab269f3d51e5072;Five Eyes QUERTY Malware20120.dll.bin
-cc8b737edb3f11c9c5dba57035c63103;Five Eyes QUERTY Malware20120.xml
-67ac8dc6589a07d950bd12f534dc9789;Five Eyes QUERTY Malware20120_cmdDef.xml
-40451f20371329b992fb1b85c754d062;Five Eyes QUERTY Malware20121.dll.bin
-ff0afae5c68c5177ed0a3d6339810cae;Five Eyes QUERTY Malware20121.xml
-1bc8f4df4551c6efbbb1fe9f965dca49;Five Eyes QUERTY Malware20121_cmdDef.xml
-0ed11a73694999bc45d18b4189f41ac2;Five Eyes QUERTY Malware20123.sys.bin
-066b6253afc3ad0efe9a15cead4ef7d8;Five Eyes QUERTY Malware20123.xml
-790d1b448e97985deb710a94eb927c27;Five Eyes QUERTY Malware20123_cmdDef.xml
-
-ad61e8daeeba43e442514b177a1b41ad4b7c6727;Skeleton Key Malware
-5083b17ccc50dd0557dfc544f84e2ab55d6acd92;Skeleton Key Malware
-66da7ed621149975f6e643b4f9886cfd;Symantec Report http://goo.gl/9Tmq2e msuta64.dll
-bf45086e6334f647fda33576e2a05826;Symantec Report http://goo.gl/9Tmq2e ole64.dll
-a487f1668390df0f4951b7292bae6ecf;Symantec Report http://goo.gl/9Tmq2e HookDC.dll
-8ba4df29b0593be172ff5678d8a05bb3;Symantec Report http://goo.gl/9Tmq2e HookDC.dll
-f01026e1107b722435126c53b2af47a9;Symantc Report http://goo.gl/9Tmq2e HookDC.dll
-747cc5ce7f2d062ebec6219384b57e8c;Symantec Report http://goo.gl/9Tmq2e ole.dll
-600b604784594e3339776c6563aa45a1;Symantec Report http://goo.gl/9Tmq2e jqs.exe (Backdoor.Winnti dropper)
-48377c1c4cfedebe35733e9c3675f9be;Symantec Report http://goo.gl/9Tmq2e tmp8296.tmp (Backdoor.Winnti variant)
-
-20831e820af5f41353b5afab659f2ad42ec6df5d9692448872f3ed8bbb40ab92;Regin Malware Sample
-225e9596de85ca7b1025d6e444f6a01aa6507feef213f4d2e20da9e7d5d8e430;Regin Malware Sample
-392f32241cd3448c7a435935f2ff0d2cdc609dda81dd4946b1c977d25134e96e;Regin Malware Sample
-40c46bcab9acc0d6d235491c01a66d4c6f35d884c19c6f410901af6d1e33513b;Regin Malware Sample
-4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be;Regin Malware Sample
-4e39bc95e35323ab586d740725a1c8cbcde01fe453f7c4cac7cced9a26e42cc9;Regin Malware Sample
-5001793790939009355ba841610412e0f8d60ef5461f2ea272ccf4fd4c83b823;Regin Malware Sample
-5c81cf8262f9a8b0e100d2a220f7119e54edfc10c4fb906ab7848a015cd12d90;Regin Malware Sample
-7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7;Regin Malware Sample
-7d38eb24cf5644e090e45d5efa923aff0e69a600fb0ab627e8929bb485243926;Regin Malware Sample
-8098938987e2f29e3ee416b71b932651f6430d15d885f2e1056d41163ae57c13;Regin Malware Sample
-8389b0d3fb28a5f525742ca2bf80a81cf264c806f99ef684052439d6856bc7e7;Regin Malware Sample
-8d7be9ed64811ea7986d788a75cbc4ca166702c6ff68c33873270d7c6597f5db;Regin Malware Sample
-9cd5127ef31da0e8a4e36292f2af5a9ec1de3b294da367d7c05786fe2d5de44f;Regin Malware Sample
-9ddbe7e77cb5616025b92814d68adfc9c3e076dddbe29de6eb73701a172c3379;Regin Malware Sample
-a0d82c3730bc41e267711480c8009883d1412b68977ab175421eabc34e4ef355;Regin Malware Sample
-a0e3c52a2c99c39b70155a9115a6c74ea79f8a68111190faa45a8fd1e50f8880;Regin Malware Sample
-a6603f27c42648a857b8a1cbf301ed4f0877be75627f6bbe99c0bfd9dc4adb35;Regin Malware Sample
-a7493fac96345a989b1a03772444075754a2ef11daa22a7600466adc1f69a669;Regin Malware Sample
-a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe;Regin Malware Sample
-a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe;Regin Malware Sample
-b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047;Regin Malware Sample
-b755ed82c908d92043d4ec3723611c6c5a7c162e78ac8065eb77993447368fce;Regin Malware Sample
-c0cf8e008fbfa0cb2c61d968057b4a077d62f64d7320769982d28107db370513;Regin Malware Sample
-cca1850725f278587845cd19cbdf3dceb6f65790d11df950f17c5ff6beb18601;Regin Malware Sample
-df77132b5c192bd8d2d26b1ebb19853cf03b01d38afd5d382ce77e0d7219c18c;Regin Malware Sample
-e1ba03a10a40aab909b2ba58dcdfd378b4d264f1f4a554b669797bbb8c8ac902;Regin Malware Sample
-e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935;Regin Malware Sample
-ecd7de3387b64b7dab9a7fb52e8aa65cb7ec9193f8eac6a7d79407a6a932ef69;Regin Malware Sample
-f1d903251db466d35533c28e3c032b7212aa43c8d64ddf8c5521b43031e69e1e;Regin Malware Sample
-f89549fc84a8d0f8617841c6aa4bb1678ea2b6081c1f7f74ab1aebd4db4176e4;Regin Malware Sample
-fd92fd7d0f925ccc0b4cbb6b402e8b99b64fa6a4636d985d78e5507bd4cfecef;Regin Malware Sample
-fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129;Regin Malware Sample
-
-9bec941bec02c7fbe037a97db8c89f18;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
-6ce69e4bec14511703a8957e90ded1fa;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
-1c05164fede51bf947f1e78cba811063;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
-5129c26818ef712bde318dff970eba8d;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
-bdce0ed65f005a11d8e9a6747a3ad08c;Symantec Waterbug Attack http://goo.gl/9Tlk90 tcpdump32c.exe Used for lateral movement across victim’s network
-e04ad0ec258cbbf94910a677f4ea54f0;Symantec Waterbug Attack http://goo.gl/9Tlk90 mspd32.exe - Used in access privilege elevation attacks and the dumping of SAM through the DLL found in its resource section
-928d0ef4c17f0be21f2ec5cc96182e0c;Symantec Waterbug Attack http://goo.gl/9Tlk90 mspd32.exe - Used in access privilege elevation attacks and the dumping of SAM through the DLL found in its resource section
-d686ce4ed3c46c3476acf1be0a1324e6;Symantec Waterbug Attack http://goo.gl/9Tlk90 typecli.exe
-22fb51ce6e0bc8b52e9e3810ca9dc2e1;Symantec Waterbug Attack http://goo.gl/9Tlk90 msc32.exe
-df06bde546862336ed75d8da55e7b1cc;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-a85616aec82078233ea25199c5668036;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-b7d80000100f2cb50a37a8a5f21b185f;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-552a8e8d60731022dcb5a89fd4f313ec;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-a1ecf883627a207ed79d0fd103534576;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-560f47c8c50598760914310c6411d3b1;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-b28cbcd6998091f903c06a0a46a0fd8d;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-b0952e130f6f8ad207998000a42531de;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-c04190dc190b6002f064e3d13ac22212;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-959ed9d60a8f645fd46b7c7a9b62870c;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-305801a809b7d9136ab483682e26d52d;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-e5a9fc45ab11dd0845508d122a6c8c8c;Symantec Waterbug Attack http://goo.gl/9Tlk90 dxsnd32x.exe get details of compromised computer, such as OS version, service pack, host name, network adapter
-bf0e4d46a51f27493cbe47e1cfb1b2ea;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetsrv.exe gather information
-22149a1ee21e6d60758fe58b34f04952;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetsrv.exe gather information
-f156ff2a1694f479a079f6777f0c5af0;Symantec Waterbug Attack http://goo.gl/9Tlk90 pxinsi64.exe 64-bit driver possibly used by vboxdev_win32.dll
-eb40189cde69d60ca6f9a3f0531dbc5e;Symantec Waterbug Attack http://goo.gl/9Tlk90 mswme32.exe Collects files with extensions (.*library, *.inf, *.exe, .*dll, .*dot), Encrypts with Trojan.Turla XOR key
-56f423c7a7fef041f3039319f2055509;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetserv.exe
-22149a1ee21e6d60758fe58b34f04952;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnetserv.exe
-eb40189cde69d60ca6f9a3f0531dbc5e;Symantec Waterbug Attack http://goo.gl/9Tlk90 msnet32.exe
-20c9df1e5f426f9eb7461cd99d406904;Symantec Waterbug Attack http://goo.gl/9Tlk90 rpcsrv.exe RPC server using ncacn_np identifier and binds to \\pipe\ hello, Can be used as a proxy
-ed3509b103dc485221c85d865fafafac;Symantec Waterbug Attack http://goo.gl/9Tlk90 charmap32.exe Executes msinfo32.exe /nfo and direct output to winview.nfo
-09886f7c1725fe5b86b28dd79bc7a4d1;Symantec Waterbug Attack http://goo.gl/9Tlk90 mqsvc32.exe Capable of sending exfiltrated data through email using MAPI32.dll
-fb56ce4b853a94ae3f64367c02ec7e31;Symantec Waterbug Attack http://goo.gl/9Tlk90 msrss.exe Registers as a service “svcmgr” with display name ‘Windows Svcmgr’
-fb56ce4b853a94ae3f64367c02ec7e31;Symantec Waterbug Attack http://goo.gl/9Tlk90 dc1.exe
-fb56ce4b853a94ae3f64367c02ec7e31;Symantec Waterbug Attack http://goo.gl/9Tlk90 svcmgr.exe
-98992c12e58745854a885f9630124d3e;Symantec Waterbug Attack http://goo.gl/9Tlk90 msx32.exe Used to encrypt file (supplied as argument on command line) using common Trojan.Turla XOR key, Output written to [FILE NAME].XOR
-
-c709e0963ad64f87d9c7a05ddd2eb7c5;APT28 IOT script https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/
+780f236fb3646534832b2da9d5cf6eb0;Cleaner
+c764ba53fa9c5a24a88a1d2e17be6943;Cleaner
+ce7240b8bbb2bee8f300321eef46a41e;Cleaner
+d42553bd420e80ec31df5da2d5b932e0;Cleaner
+65dde869c0e1455de24aadf5aa4538a2;Cleaner
+a0ec7d355dc9e7f232fb47bf401c3138;Cleaner
+261f16ec5d72078f6e3c21551ceaecb2;Cleaner
+0b522e54bf3f276496793c44bec7362b;Cleaner
 # END - DO NOT REMOVE
diff --git a/string-iocs.txt b/string-iocs.txt
index b29755d..0a54a6f 100644
--- a/string-iocs.txt
+++ b/string-iocs.txt
@@ -1,4 +1,5 @@
-<%eval request("ice")%>
-1%27%20OR%201%3D1
-rm /tmp/.c;pkill
+diamorphine
+stratum://
+stratum+tcp
+xmrig
 # END - DO NOT REMOVE - contents passed to grep - double escape square brackets
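Review bot: The descriptions on the added lines, `;Loader` and `;Cleaner`, carry no campaign or source reference, in contrast to the entries this file held before, which named the report and a URL; an analyst who gets a hit on `5ed00cb88d218db8d09352d9058c400c` has nothing to pivot on. Prefixing each description with the campaign and date from the commit title, e.g. `;Academic data center attacks 2020-05 - Loader`, would make hits attributable and the entries easy to retire later. The new hashes are all MD5; if SHA-256 values for the same samples are available, adding them alongside would let the indicators match in environments that only log SHA-256, as the mixed-length entries this file used before already did.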
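Review bot: `stratum+tcp` contains an unescaped `+`; the footer says the contents are passed to grep, and if grep runs in extended-regex or Perl mode the `+` is a quantifier, so the pattern matches `stratumtcp` or `stratummtcp` and not the literal `stratum+tcp` — write it as `stratum\+tcp` to be correct in either mode. The other three strings, `diamorphine`, `stratum://` and `xmrig`, are short common tokens that will also hit benign content such as documentation, IDS rule sets, package caches and this signature file itself; if the format supports a score or description field, lower their weight or anchor them (e.g. `stratum\+tcp://`) so a single match is not reported as a confirmed miner infection.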