mirror of
https://github.com/valitydev/APT_CyberCriminal_Campagin_Collections.git
synced 2024-11-06 16:55:28 +00:00
2018.10.17.GreyEnergy
This commit is contained in:
parent
865d643828
commit
8f1436ab21
1
2018/2018.10.17.GreyEnergy/.python-version
Normal file
@ -0,0 +1 @@
2.7.15
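Review bot: the new `.python-version` pins `2.7.15` for the `2018/2018.10.17.GreyEnergy/` directory, but nothing else in this commit is Python: the other additions are two PDFs and `IOC.txt`. If the pin is a leftover from a local pyenv shell, drop the file; if a helper script actually needs it, add that script (or say so in the commit message) so the pin has something to apply to.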
BIN
2018/2018.10.17.GreyEnergy/ESET_GreyEnergy.pdf
Normal file
Binary file not shown.
225
2018/2018.10.17.GreyEnergy/IOC.txt
Normal file
@ -0,0 +1,225 @@
= GreyEnergy -- Indicators of Compromise

For a description of GreyEnergy, please see the article about
https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/[GreyEnergy]
on https://www.welivesecurity.com[WeLiveSecurity].

== ESET detection names
- VBA/TrojanDownloader.Agent.EYV
- Win32/Agent.SCT
- Win32/Agent.SCM
- Win32/Agent.SYN
- Win64/Agent.SYN
- Win32/Agent.WTD
- Win32/GreyEnergy
- Win64/GreyEnergy
- Win32/Diskcoder.MoonrakerPetya.A
- PHP/Agent.JS
- PHP/Agent.JX
- PHP/Agent.KJ
- PHP/Agent.KK
- PHP/Agent.KL
- PHP/Agent.KM
- PHP/Agent.KN
- PHP/Agent.KO
- PHP/Agent.KP
- PHP/Agent.KQ
- PHP/Agent.KR
- PHP/Agent.KS
- PHP/Agent.KT
- PHP/Agent.KU
- PHP/Agent.LC
- PHP/Agent.NBP
- PHP/Kryptik.AB
- PHP/TrojanProxy.Agent.B
- ASP/Agent.L
- Win64/HackTool.PortScanner.A
- Win32/HackTool.PortScanner.A
- Win64/Riskware.Mimikatz.A
- Win64/Riskware.Mimikatz.AE
- Win64/Riskware.Mimikatz.AH
- Win32/Winexe.A
- Win64/Winexe.A
- Win64/Winexe.B

== Samples

All hashes are SHA-1

=== GreyEnergy document

----
177AF8F6E8D6F4952D13F88CDF1887CB7220A645
----

=== GreyEnergy mini

=== GreyEnergy droppers

=== GreyEnergy dropped DLLs

=== GreyEnergy in-memory-only DLLs

=== Moonraker Petya

----
1AA1EF7470A8882CA81BB9894630433E5CCE4373
----

=== PHP and ASP scripts

=== Custom port scanner

----
B371A5D6465DC85C093A5FB84D7CDDEB1EFFCC56
B40BDE0341F52481AE1820022FA8376E53A20040
----

=== Mimikatz

----
89D7E0DA80C9973D945E6F62E843606B2E264F7E
8B295AB4789105F9910E4F3AF1B60CBBA8AD6FC0
AD6F835F239DA6683CAA54FCCBCFDD0DC40196BE
----

=== WinExe

== Network indicators

=== GreyEnergy mini's C&C servers URLs

----
https://82.118.236[.]23:8443/27c00829d57988279f3ec61a05dee75a
http://82.118.236[.]23:8080/27c00829d57988279f3ec61a05dee75a
https://88.198.13[.]116:8443/xmlservice
http://88.198.13[.]116:8080/xmlservice
https://217.12.204[.]100/news/
http://217.12.204[.]100/news/
http://pbank.co[.]ua/favicon.ico (IP: 185.128.40.90)
----

=== GreyEnergy's C&C servers IP addresses

[options="header"]
|=====
| Active period | IP address
| 2015 - 2016 | `109.200.202.7`
| 2015 - 2015 | `193.105.134.68`
| 2015 - 2016 | `163.172.7.195`
| 2015 - 2016 | `163.172.7.196`
| 2016 - 2016 | `5.149.248.77`
| 2016 - 2016 | `31.148.220.112`
| 2016 - 2016 | `62.210.77.169`
| 2016 - 2016 | `85.25.211.10`
| 2016 - 2016 | `138.201.198.164`
| 2016 - 2017 | `124.217.254.55`
| 2017 - 2017 | `46.249.49.231`
| 2017 - 2017 | `37.59.14.94`
| 2017 - 2017 | `213.239.202.149`
| 2017 - 2017 | `88.198.13.116`
| 2017 - 2017 | `217.12.202.111`
| 2017 - 2017 | `176.31.116.140`
| 2017 - 2018 | `185.217.0.121`
| 2017 - 2018 | `178.150.0.200`
| 2018 - 2018 | `176.121.10.137`
| 2018 - 2018 | `178.255.40.194`
| 2018 - 2018 | `193.105.134.56`
| 2018 - 2018 | `94.130.88.50`
| 2018 - 2018 | `185.216.33.126`
|=====
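Review bot: defanging is inconsistent in the `== Network indicators` section of `IOC.txt`: the C&C URLs are written with `[.]` (for example `https://82.118.236[.]23:8443/...`), but the parenthesised address on the `pbank.co[.]ua` line (`IP: 185.128.40.90`) and every address in the `GreyEnergy's C&C servers IP addresses` table are left live, so renderers will auto-link them. Pick one convention for the whole file, either `[.]` throughout or plain addresses throughout. Smaller point: several table rows give a degenerate range such as `| 2015 - 2015 |` or `| 2016 - 2016 |`; a single year reads more clearly under the `Active period` header.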
BIN
2018/2018.10.17.GreyEnergy/blog_GreyEnergy_Updated.pdf
Normal file
Binary file not shown.
@ -1 +0,0 @@
96f10cfa6ba24c9ecd08aa6d37993fe4
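Review bot: this hunk (`@ -1 +0,0 @@`) deletes a one-line file whose only content was `96f10cfa6ba24c9ecd08aa6d37993fe4`, a 32-hex-digit value, but the commit title is just `2018.10.17.GreyEnergy` and gives no reason for a removal. Say which file was dropped and why in the commit message so the history of this indicator collection stays auditable.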
@ -19,6 +19,7 @@ Please fire issue to me if any lost APT/Malware events/campaigns.
* Oct 19 - [[Kaspersky] DarkPulsar](https://securelist.com/darkpulsar/88199/) | [Local](../../blob/master/2018/2018.10.19.DarkPulsar)
* Oct 18 - [[CISCO] Tracking Tick Through Recent Campaigns Targeting East Asia](https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html) | [Local](../../blob/master/2018/2018.10.18.Datper_Bronze_Butler)
* Oct 18 - [[McAfee] Operation Oceansalt Attacks South Korea, U.S. and Canada with Source Code from Chinese Hacker Group](https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf) | [Local](../../blob/master/2018/2018.10.18.Operation_Oceansalt)
* Oct 17 - [[ESET] GreyEnergy: Updated arsenal of one of the most dangerous threat actors](https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/) | [Local](../../blob/master/2018/2018.10.17.GreyEnergy)
* Oct 17 - [[Yoroi] Cyber-Espionage Campaign Targeting the Naval Industry (“MartyMcFly”)](https://blog.yoroi.company/?p=1829) | [Local](../../blob/master/2018/2018.10.17.Targeting_the_Naval_Industry)
* Oct 15 - [[Kaspersky] Octopus-infested seas of Central Asia](https://securelist.com/octopus-infested-seas-of-central-asia/88200/) | [Local](../../blob/master/2018/2018.10.15.Octopus_Central_Asia)
* Oct 11 - [[Symantec] Gallmaker: New Attack Group Eschews Malware to Live off the Land](https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group) | [Local](../../blob/master/2018/2018.10.11.Gallmaker)