From 2a46ed46e6b358f48eeac6a3f7260e27cd44d4b7 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 19 Feb 2018 14:36:50 +0100
Subject: [PATCH] False Positives

---
 iocs/otx-filename-iocs.txt | 68 ++++++++++++++++++--------------------
 1 file changed, 32 insertions(+), 36 deletions(-)

diff --git a/iocs/otx-filename-iocs.txt b/iocs/otx-filename-iocs.txt
index 2ea95ca..5d75b73 100644
--- a/iocs/otx-filename-iocs.txt
+++ b/iocs/otx-filename-iocs.txt
@@ -1,19 +1,15 @@
-C:\\Users\\user\\AppData\\Roaming\\Macromedia\\Flash;Malware: Hancitor (Chanitor or Tordal)
-C:\\Users\\user~1\\AppData\\Local\\Temp\\;Malware: Hancitor (Chanitor or Tordal)
-C:\\Users\\user\\AppData\\Roaming\\Adobe\\Acrobat\\11\.0\\Security\\CRLCache\\;Malware: Hancitor (Chanitor or Tordal)
-C:\\Users\\user~1\\AppData\\Local\\Temp,,;Malware: Hancitor (Chanitor or Tordal)
-C:\\Users\\user~1\\AppData\\Local\\Temp\\;Ransomware: GLOBEIMPOSTER
-C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\qrehcsuv\.default\\datareporting\\archived\\;Ransomware: GLOBEIMPOSTER
-C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\;Ransomware: GLOBEIMPOSTER
-C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content\.IE5\\;Ransomware: GLOBEIMPOSTER
+C:\\Users\\user\\AppData\\Roaming\\Macromedia\\Flash;Malware: Hancitor (Chanitor or Tordal)
+C:\\Users\\user~1\\AppData\\Local\\Temp\\;Malware: Hancitor (Chanitor or Tordal)
+C:\\Users\\user\\AppData\\Roaming\\Adobe\\Acrobat\\11\.0\\Security\\CRLCache\\;Malware: Hancitor (Chanitor or Tordal)
+C:\\Users\\user~1\\AppData\\Local\\Temp,,;Malware: Hancitor (Chanitor or Tordal)
+C:\\Users\\user~1\\AppData\\Local\\Temp\\;Ransomware: GLOBEIMPOSTER
+C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\qrehcsuv\.default\\datareporting\\archived\\;Ransomware: GLOBEIMPOSTER
+C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\;Ransomware: GLOBEIMPOSTER
+C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content\.IE5\\;Ransomware: GLOBEIMPOSTER
 com\.system\.update\.systemupdate;Google Security: Tizi Android Malware https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.htm
 com\.dailyworkout\.tizi;Google Security: Tizi Android Malware https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.htm
 com\.press\.nasa\.com\.tanofresh;Google Security: Tizi Android Malware https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.htm
-UPS Express #69084735_XTZ#KYVBA \(01 Nov 17\)\-1\.doc;PowerShell EMOTET Delivery
-C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\;Kerkoporta (Greek) ransomware
-C:\\Users\\user\\AppData\\Local\\Microsoft\\CLR_v4\.0_32\\UsageLogs\\;Kerkoporta (Greek) ransomware
-C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\;Kerkoporta (Greek) ransomware
-C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Windows Update Protocol\\;Kerkoporta (Greek) ransomware
+UPS Express #69084735_XTZ#KYVBA \(01 Nov 17\)\-1\.doc;PowerShell EMOTET Delivery
 C:\\ProgramData\\ManagerApp\\d3d9\.dll;BlackOasis APT and new targeted attacks leveraging zero-day exploit - Securelist https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-d
 C:\\ProgramData\\ManagerApp\\msvcr90\.dll;BlackOasis APT and new targeted attacks leveraging zero-day exploit - Securelist https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-d
 C:\\ProgramData\\ManagerApp\\install\.cab;BlackOasis APT and new targeted attacks leveraging zero-day exploit - Securelist https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-d
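Review bot: The retained Hancitor and GLOBEIMPOSTER entries such as `C:\\Users\\user~1\\AppData\\Local\\Temp\\` and `C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content\.IE5\\` are bare directory patterns, so they flag every file under a user's temp or IE cache folder and are at least as false-positive-prone as the Kerkoporta Startup and WER ReportQueue entries this hunk drops. The `user`/`user~1` account name and the `qrehcsuv\.default` Firefox profile look like artifacts of a sandbox run; unless the consuming scanner rewrites the username, a pattern like `...\\Profiles\\qrehcsuv\.default\\...` will never match on a real host and is dead weight rather than a detection. Each `-` line for these entries reappears as a `+` line with text identical in this view, which suggests a trailing-whitespace or line-ending change; worth confirming with `git diff -w` that nothing else moved. I would drop the directory-only entries or, where the report names the dropped artifact, append its filename so the indicator points at the file rather than the folder.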
@@ -33,29 +29,29 @@ C:\\Windows\\perfc;Petya Ransomware (IOCs from First Run in 2016 and June 2017 v
 READ ME ABOUT DECRYPTION\.txt;Analyzing the Fileless, Code-injecting SOREBRECT Ransomware http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-fileless-co
 C:\\Flash player\\vlc\.exe;New Kasper samples https://www.hybrid-analysis.com/sample/6a48b5211b622ffe49ae4e32ada72bb4d9db40576
 C:\\WINDOWS\\system32\\msg;WannaCry/Wcry Ransomware https://www.virustotal.com/en/file/f01644082db3fa50ba9f4773f11f062ab785c9db02a3a
-wanacry\.exe;WannaCry Ransomware Campaign mai_12_2017
-%homedrive%\\wanacry\.exe;WannaCry Ransomware Campaign mai_12_2017
-%windows%\\wanacry\.exe;WannaCry Ransomware Campaign mai_12_2017
-%userprofile%\\Desktop\\wanacry\.exe;WannaCry Ransomware Campaign mai_12_2017
-%LocalLow%\\wanacry\.exe;WannaCry Ransomware Campaign mai_12_2017
-%Local%\\wanacry\.exe;WannaCry Ransomware Campaign mai_12_2017
-%AppData%\\wanacry\.exe;WannaCry Ransomware Campaign mai_12_2017
-@WanaDecryptor@\.exe;WannaCry Ransomware Campaign mai_12_2017
-%homedrive%\\@WanaDecryptor@\.exe;WannaCry Ransomware Campaign mai_12_2017
-%windows%\\@WanaDecryptor@\.exe;WannaCry Ransomware Campaign mai_12_2017
-%userprofile%\\Desktop\\@WanaDecryptor@\.exe;WannaCry Ransomware Campaign mai_12_2017
-%LocalLow%\\@WanaDecryptor@\.exe;WannaCry Ransomware Campaign mai_12_2017
-%Local%\\@WanaDecryptor@\.exe;WannaCry Ransomware Campaign mai_12_2017
-%AppData%\\@WanaDecryptor@\.exe;WannaCry Ransomware Campaign mai_12_2017
-@Please_Read_Me@\.txt;WannaCry Ransomware Campaign mai_12_2017
-wcry\.exe;WannaCry Ransomware Campaign mai_12_2017
-C:\\WINDOWS\\tasksche\.exe;WannaCry Indicators
-C:\\Windows\\mssecsvc\.exe;WannaCry Indicators
-C:\\taskse\.exe;WannaCry Indicators
-C:\\taskdl\.exe;WannaCry Indicators
-C:\\m\.vbs;WannaCry Indicators
-C:\\111\.exe;WannaCry Indicators
-C:\\@WanaDecryptor@\.exe;WannaCry Indicators
+wanacry\.exe;WannaCry Ransomware Campaign mai_12_2017
+%homedrive%\\wanacry\.exe;WannaCry Ransomware Campaign mai_12_2017
+%windows%\\wanacry\.exe;WannaCry Ransomware Campaign mai_12_2017
+%userprofile%\\Desktop\\wanacry\.exe;WannaCry Ransomware Campaign mai_12_2017
+%LocalLow%\\wanacry\.exe;WannaCry Ransomware Campaign mai_12_2017
+%Local%\\wanacry\.exe;WannaCry Ransomware Campaign mai_12_2017
+%AppData%\\wanacry\.exe;WannaCry Ransomware Campaign mai_12_2017
+@WanaDecryptor@\.exe;WannaCry Ransomware Campaign mai_12_2017
+%homedrive%\\@WanaDecryptor@\.exe;WannaCry Ransomware Campaign mai_12_2017
+%windows%\\@WanaDecryptor@\.exe;WannaCry Ransomware Campaign mai_12_2017
+%userprofile%\\Desktop\\@WanaDecryptor@\.exe;WannaCry Ransomware Campaign mai_12_2017
+%LocalLow%\\@WanaDecryptor@\.exe;WannaCry Ransomware Campaign mai_12_2017
+%Local%\\@WanaDecryptor@\.exe;WannaCry Ransomware Campaign mai_12_2017
+%AppData%\\@WanaDecryptor@\.exe;WannaCry Ransomware Campaign mai_12_2017
+@Please_Read_Me@\.txt;WannaCry Ransomware Campaign mai_12_2017
+wcry\.exe;WannaCry Ransomware Campaign mai_12_2017
+C:\\WINDOWS\\tasksche\.exe;WannaCry Indicators
+C:\\Windows\\mssecsvc\.exe;WannaCry Indicators
+C:\\taskse\.exe;WannaCry Indicators
+C:\\taskdl\.exe;WannaCry Indicators
+C:\\m\.vbs;WannaCry Indicators
+C:\\111\.exe;WannaCry Indicators
+C:\\@WanaDecryptor@\.exe;WannaCry Indicators
 C:\\ProgramData\\Dropebox*;New Carbanak / Anunak Attack Methodology https://www.trustwave.com/Resources/SpiderLabs-Blog/Carbanak-Continues-To-Evolve
 %HOMEPATH%\\Intel\\\{BFF4219E\-C7D1\-2880\-AE58\-9C9CD9701C90\};New Carbanak / Anunak Attack Methodology https://www.trustwave.com/Resources/SpiderLabs-Blog/Carbanak-Continues-To-Evolve
 %HOMEPATH%\\Intel;New Carbanak / Anunak Attack Methodology https://www.trustwave.com/Resources/SpiderLabs-Blog/Carbanak-Continues-To-Evolve
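Review bot: The re-added `%homedrive%\\wanacry\.exe`, `%windows%\\...`, `%userprofile%\\Desktop\\...`, `%LocalLow%\\...`, `%Local%\\...` and `%AppData%\\...` entries keep literal `%VAR%` tokens in a regex; unless the consuming scanner expands those tokens before matching, they can never match a real path, and the unprefixed `wanacry\.exe` and `@WanaDecryptor@\.exe` lines above them already cover every one of those locations, so the twelve variants add scan cost without detection. All 23 `-` lines in this hunk come back as `+` lines with identical text, which reads as a whitespace or line-ending change only; given the commit is labeled as a false-positive fix, it is worth a `git diff -w` to confirm no entry was meant to be dropped here. Separately, the unchanged context line `C:\\WINDOWS\\system32\\msg` is not terminated, so it also matches the legitimate `C:\WINDOWS\system32\msg.exe`; if the intent is the malware's `msg` directory, `C:\\WINDOWS\\system32\\msg\\` would scope it correctly.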