= GreyEnergy -- Indicators of Compromise

For a description of GreyEnergy, please see the article about
https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/[GreyEnergy]
on https://www.welivesecurity.com[WeLiveSecurity].

== ESET detection names

Note that the HackTool and Riskware names below (port scanner, Mimikatz, WinExe) are not specific to GreyEnergy and can also match tooling used by legitimate administrators; treat hits on those names as lower-confidence than hits on the GreyEnergy-specific names.

- VBA/TrojanDownloader.Agent.EYV
- Win32/Agent.SCT
- Win32/Agent.SCM
- Win32/Agent.SYN
- Win64/Agent.SYN
- Win32/Agent.WTD
- Win32/GreyEnergy
- Win64/GreyEnergy
- Win32/Diskcoder.MoonrakerPetya.A
- PHP/Agent.JS
- PHP/Agent.JX
- PHP/Agent.KJ
- PHP/Agent.KK
- PHP/Agent.KL
- PHP/Agent.KM
- PHP/Agent.KN
- PHP/Agent.KO
- PHP/Agent.KP
- PHP/Agent.KQ
- PHP/Agent.KR
- PHP/Agent.KS
- PHP/Agent.KT
- PHP/Agent.KU
- PHP/Agent.LC
- PHP/Agent.NBP
- PHP/Kryptik.AB
- PHP/TrojanProxy.Agent.B
- ASP/Agent.L
- Win64/HackTool.PortScanner.A
- Win32/HackTool.PortScanner.A
- Win64/Riskware.Mimikatz.A
- Win64/Riskware.Mimikatz.AE
- Win64/Riskware.Mimikatz.AH
- Win32/Winexe.A
- Win64/Winexe.A
- Win64/Winexe.B

== Samples

All hashes are SHA-1. Tooling that keys on SHA-256 cannot derive that digest from a SHA-1 value, so obtain the samples and hash them directly if a SHA-256 match is required.

=== GreyEnergy document

----
177AF8F6E8D6F4952D13F88CDF1887CB7220A645
----

=== GreyEnergy mini

----
455D9EB9E11AA9AF9717E0260A70611FF84EF900
51309371673ACD310F327A10476F707EB914E255
CB11F36E271306354998BB8ABB6CA67C1D6A3E24
CC1CE3073937552459FB8ED0ADB5D56FA00BCD43
30AF51F1F7CB9A9A46DF3ABFFB6AE3E39935D82C
----

=== GreyEnergy droppers

----
04F75879132B0BFBA96CB7B210124BC3D396A7CE
69E2487EEE4637FE62E47891154D97DFDF8AAD57
716EFE17CD1563FFAD5E5E9A3E0CAC3CAB725F92
93EF4F47AC160721768A00E1A2121B45A9933A1D
94F445B65BF9A0AB134FAD2AAAD70779EAFD9288
A414F0A651F750EEA18F6D6C64627C4720548581
B3EF67F7881884A2E3493FE3D5F614DBBC51A79B
EBD5DC18C51B6FB0E9985A3A9E86FF66E22E813E
EC7E018BA36F07E6DADBE411E35B0B92E3AD8ABA
----

=== GreyEnergy dropped DLLs

----
0B5D24E6520B8D6547526FCBFC5768EC5AD19314
10D7687C44BECA4151BB07F78C6E605E8A552889
2A7EE7562A6A5BA7F192B3D6AED8627DFFDA4903
3CBDC146441E4858A1DE47DF0B4B795C4B0C2862
4E137F04A2C5FA64D5BF334EF78FE48CF7C7D626
62E00701F62971311EF8E57F33F6A3BA8ED28BF7
646060AC31FFDDFBD02967216BC71556A0C1AEDF
748FE84497423ED209357E923BE28083D42D69DE
B75D0379C5081958AF83A542901553E1710979C7
BFC164E5A28A3D56B8493B1FC1CA4A12FA1AC6AC
C1EB0150E2FCC099465C210B528BF508D2C64520
CBB7BA92CDF86FA260982399DAB8B416D905E89B
DF051C67EE633231E4C76EC247932C1A9868C14F
DFD8665D91C508FAF66E2BC2789B504670762EA2
E2436472B984F4505B4B938CEE6CAE26EF043FC7
E3E61DF9E0DD92C98223C750E13001CBB73A1E31
E496318E6644E47B07D6CAB00B93D27D0FE6B415
EDA505896FFF9A29BD7EAE67FD626D7FFA36C7B2
F00BEFDF08678B642B69D128F2AFAE32A1564A90
F36ECAC8696AA0862AD3779CA464B2CD399D8099
----

=== GreyEnergy in-memory-only DLLs

These modules are not written to disk, so the hashes below are useful for memory forensics and sandbox output rather than for on-disk file scanning.

----
0BCECB797306D30D0BA5EAEA123B5BF69981EFF4
11159DB91B870E6728F1A7835B5D8BE9424914B9
6ABD4B82A133C4610E5779C876FCB7E066898380
848F0DBF50B582A87399428D093E5903FFAEEDCD
99A81305EF6E45F470EEE677C6491045E3B4D33A
A01036A8EFE5349920A656A422E959A2B9B76F02
C449294E57088E2E2B9766493E48C98B8C9180F8
C7FC689FE76361EF4FDC1F2A5BAB71C0E2E09746
D24FC871A721B2FD01F143EB6375784144365A84
DA617BC6DCD2083D93A9A83D4F15E3713D365960
E4FCAA1B6A27AA183C6A3A46B84B5EAE9772920B
----

=== Moonraker Petya

----
1AA1EF7470A8882CA81BB9894630433E5CCE4373
----

=== PHP and ASP scripts

----
10F4D12CF8EE15747BFB618F3731D81A905AAB04
13C5B14E19C9095ABA3F1DA56B1A76793C7144B9
1BA30B645E974DE86F24054B238FE77A331D0D2C
34F8323B3B6BCF4B47D0ABEFCF9E38E15ECD2858
438C8F9607E06E7AC1261F99F8311B004C23DEC3
4D1C282F9942EC87C5B4D9363187AFDC120F4DC7
4E0C5CCFFB7E2D17C26F82DB5564E47F141300B3
5377ADB779DE325A74838C0815EEA958B4822F82
58A69A8D1B94E751050DECF87F2572E09794F0F8
5DD34FB1C8E224C17DCE04E02A4409E9393BCE58
639BCE78F961C4B9ECD9FE1A8537733388B99857
7127B880C8E31FBEB1D376EB55A6F878BC77B21A
71BA8FE0C9C32A9B987E2BB827FE54DAE905D65E
78A7FBDD6ADF073EA6D835BE69084E071B4DA395
81332D2F96A354B1B8E11984918C43FB9B5CB9DB
8CC008B3189F8CE9A96C2C41F864D019319EB2EE
940DE46CD8C50C28A9C0EFC65AEE7D567117941B
A415E12591DD47289E235E7022A6896CB2BFDE96
D3AE97A99D826F49AD03ADDC9F0D5200BE46AB5E
E69F5FF2FCD18698BB584B6BC15136D61EB4F594
E83A090D325E4A9E30B88A181396D62FEF5D54D5
ECF21EFC09E4E2ACFEEB71FB78CB1F518E1F5724
----

=== Custom port scanner

----
B371A5D6465DC85C093A5FB84D7CDDEB1EFFCC56
B40BDE0341F52481AE1820022FA8376E53A20040
----

=== Mimikatz

----
89D7E0DA80C9973D945E6F62E843606B2E264F7E
8B295AB4789105F9910E4F3AF1B60CBBA8AD6FC0
AD6F835F239DA6683CAA54FCCBCFDD0DC40196BE
----

=== WinExe

----
0666B109B0128599D535904C1F7DDC02C1F704F2
2695FCFE83AB536D89147184589CCB44FC4A60F3
3608EC28A9AD7AF14325F764FB2F356731F1CA7A
37C837FB170164CBC88BEAE720DF128B786A71E0
594B809343FEB1D14F80F0902D764A9BF0A8C33C
7C1F7CE5E57CBDE9AC7755A7B755171E38ABD70D
90122C0DC5890F9A7B5774C6966EA694A590BD38
C59F66808EA8F07CBDE74116DDE60DAB4F9F3122
CEB96B364D6A8B65EA8FA43EB0A735176E409EB0
FCEAA83E7BD9BCAB5EFBA9D1811480B8CB0B8A3E
----

== Network indicators

=== GreyEnergy mini C&C server URLs

The IP addresses in these URLs are defanged with `[.]`; restore the dot before loading them into a blocklist or detection rule. The IP given in parentheses on the last line is not defanged.

----
https://82.118.236[.]23:8443/27c00829d57988279f3ec61a05dee75a
http://82.118.236[.]23:8080/27c00829d57988279f3ec61a05dee75a
https://88.198.13[.]116:8443/xmlservice
http://88.198.13[.]116:8080/xmlservice
https://217.12.204[.]100/news/
http://217.12.204[.]100/news/
http://pbank.co[.]ua/favicon.ico (IP: 185.128.40.90)
----

=== GreyEnergy C&C server IP addresses

The active periods are historical; an address listed here may since have been reassigned to an unrelated party, so check the period before alerting on current traffic to it.

[options="header"]
|=====
| Active period | IP address
| 2015 - 2016 | `109.200.202.7`
| 2015 - 2015 | `193.105.134.68`
| 2015 - 2016 | `163.172.7.195`
| 2015 - 2016 | `163.172.7.196`
| 2016 - 2016 | `5.149.248.77`
| 2016 - 2016 | `31.148.220.112`
| 2016 - 2016 | `62.210.77.169`
| 2016 - 2016 | `85.25.211.10`
| 2016 - 2016 | `138.201.198.164`
| 2016 - 2017 | `124.217.254.55`
| 2017 - 2017 | `46.249.49.231`
| 2017 - 2017 | `37.59.14.94`
| 2017 - 2017 | `213.239.202.149`
| 2017 - 2017 | `88.198.13.116`
| 2017 - 2017 | `217.12.202.111`
| 2017 - 2017 | `176.31.116.140`
| 2017 - 2018 | `185.217.0.121`
| 2017 - 2018 | `178.150.0.200`
| 2018 - 2018 | `176.121.10.137`
| 2018 - 2018 | `178.255.40.194`
| 2018 - 2018 | `193.105.134.56`
| 2018 - 2018 | `94.130.88.50`
| 2018 - 2018 | `185.216.33.126`
|=====