threatintel

APT1 - Comment Crew: Indicators of Compromise

Feb 22nd, 2013
APT1: Additional Comment Crew Indicators of Compromise
http://www.symantec.com/connect/blogs/apt1-additional-comment-crew-indicators-compromise

Network indicators

Network-based indications of possible compromise by the Comment Crew attackers.

HTTP POST traffic containing:
• name=GeorgeBush&userid=<4 digit number>&other=

HTTP GET traffic to pages with paths:
• aspnet_client/report.asp
• Resource/device_Tr.asp
• images/device_index.asp
• news/media/info.html
• backsangho.jpg
• addCats.asp
• SmartNav.jpg
• nblogo2.jpg

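As an added example (not part of the original paste or of the Symantec/Mandiant material), a small Python matcher that applies the two network indicators above, the POST body pattern and the GET path list, to request records such as a proxy or IDS would log. The records in SAMPLE_REQUESTS are constructed for illustration, and the userid field is taken as exactly four digits, as the indicator states.

```python
import re

# Constructed sample request records (method, URL path, request body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/index.asp", "name=GeorgeBush&userid=1234&other="),
    ("POST", "/index.asp", "name=GeorgeBush&userid=12&other="),   # userid is not 4 digits
    ("GET", "/aspnet_client/report.asp", ""),
    ("GET", "/site/images/device_index.asp?x=1", ""),             # query string present
    ("GET", "/images/logo.png", ""),
    ("POST", "/login", "user=alice&pass=secret"),
]

# POST body indicator from the page: userid is a 4-digit number.
POST_BODY_RE = re.compile(r"name=GeorgeBush&userid=\d{4}&other=")

# GET path indicators from the page, matched as a trailing path component.
GET_PATH_SUFFIXES = (
    "aspnet_client/report.asp",
    "Resource/device_Tr.asp",
    "images/device_index.asp",
    "news/media/info.html",
    "backsangho.jpg",
    "addCats.asp",
    "SmartNav.jpg",
    "nblogo2.jpg",
)


def match_request(method, path, body):
    """Return a short indicator tag for a hit, or None if the request matches nothing."""
    if method == "POST" and POST_BODY_RE.search(body):
        return "post-body:name=GeorgeBush"
    if method == "GET":
        # Drop the query string and compare case-insensitively (IIS paths are not case sensitive).
        bare = path.split("?", 1)[0].lower()
        for suffix in GET_PATH_SUFFIXES:
            if bare.endswith("/" + suffix.lower()):
                return "get-path:" + suffix
    return None


def scan(requests):
    """Return (record index, indicator tag) for every record that hits an indicator."""
    hits = []
    for i, (method, path, body) in enumerate(requests):
        tag = match_request(method, path, body)
        if tag is not None:
            hits.append((i, tag))
    return hits
```

A hit on any of these is a lead for triage, not proof of compromise on its own; the filename and registry indicators further down are the natural host-side follow-up checks.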
Domains

Internet protocol addresses

File indicators

File-based indications of possible compromise by the Comment Crew attackers.

Filenames and locations:
• %TEMP%\AdobeARM.exe
• %TEMP%\iTunesHelper.exe
• %PROGRAMS%\Startup\AdobeRe.exe
• rouj.exe
• %USERPROFILE%\Local Settings\iexplore.exe
• %USERAPPDATA%\Microsoft\wuauclt.exe
• %PROGRAMS%\Startup\adobeup.exe
• %TEMP%\AdobeUpdater.exe
• NTLMSVC.DLL
• %PROGRAMS%\Startup\adobe_sl.lnk
• %TEMP%\runinfo.exe

File version info:

Product: SoundMAX service agent
Description: Microsoft NTLM Service Holder
Product & Description: JpgAsp

System indicators

System-based indications of possible compromise by the Comment Crew attackers.

Registry entries:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Acroread"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Adobe Update"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"AdobeCheck"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"AdobeCom"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"IMSCMig"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"McUpdate"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Register"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SysTray"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"systemupdate"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"wininstaller"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"APVSVC"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"AdobeUpdate"

Service names:
• aec
• elpmasym
• Net CLR

Email indicators

Email-based indications of possible compromise by the Comment Crew attackers. Subject lines and attachment names are reproduced verbatim, including the attackers' own spelling errors.

Subject lines:
• Capt [REMOVED] update
• Fw: LES Request
• Libya crisis
• Five Simple Questions for Democrats on Spending Cuts
• Behind the Easing of Israeli-Palestinian Tensions
• Business Exec Urges Broad Trade Agenda To Curb China Role In Latin America
• President Chavezs Comments About President Obama and the United States on Sundays "Alo,Presidente"
• FW: New Standdard Operational Procedures (SOPs) between the
• AGENDA
• [REMOVED] Help You Save Enough for Retirement
• Human right of north Afica under war
• Spreading Civil Unrest in the Middle East and North Africa
• The latest analysis on Syria
• International Atomic Energy Agency invite you to attend Atomic Energy Summit
• GAC Monthly Report
• Emergency notification
• Meeting information of [REMOVED]
• Meeting information of [REMOVED]
• Meeting notice from [REMOVED]
• Meeting notice from [REMOVED]
• FY12 Government Opportunities
• Yemen para for SC briefing
• Fighting Protectionism and Promoting Trade and Investment
• Weekly Security Report
• Agenda of [REMOVED] Visit in July 2011
• Agenda of [REMOVED] Visit in July 2011
• Obituary Notice
• Updated Roster 20110712
• 2011 project budget
• [REMOVED] National Security Seminar
• Current internatinal situation surrounding Syria
• New Update of Health & Medical force
• FW:How to Get Free Airline Tickets
• Nuclear Security and Summit Diplomacy
• Fw: [REMOVED] Defence & Security Industry Mission to [REMOVED] 201
• [REMOVED] heriketlik pilani
• 2012 Global aerospace and defense industry outlook

Email attachment names:
• update.exe
• CTF 2011 (MF).xls
• BBC Monitoring reports..xls
• Five Simple Questions for Democrats on Spending Cuts.doc
• Behind the Easing of Israeli-Palestinian Tensions.doc
• Business Exec Urges Broad Trade AgendaTo Curb China Role In Latin America.doc
• PatriotLMSR2009Fin .doc
• New SOPs for HEC Coord with NATO.pdf
• agenda201005.pdf
• Human right report of noth Afica under the war.scr
• Middle_East_Civil_Unrest.pdf
• Protests Spread in Syria.pdf
• Cybersecurity and Cyber War.pdf
• The Meeting intivation of International Atomic Energy Agency 06-05-2011.scr
• meeting invitation of British Council 2011.scr
• Meeting information details of [REMOVED].exe
• Meeting information details of [REMOVED].exe
• Meeting detail information from [REMOVED].scr
• Meeting detail information from [REMOVED].scr
• FY12 Government Opportunities.pdf
• China's Jasmine protests.pdf
• Yemen para for SC briefing.doc
• DECLARATION- COMMENTS.Netherlands.pdf
• weekly_security_report-06-20-2011__-__06-26-2011.pdf
• 2011.xls
• Obituary.xls
• Updated_roster.xls
• 2011 project budget.xls
• Participant_Contacts.xls
• Current international situation surrounding Syria.doc
• Update of Health & Medical force.xls
• How to Get Free Airline Tickets.pdf
• REPLY_ FORM.doc
• Global A&D outlook 2012.pdf
• Global_A&D_outlook_2012.pdf

References

Mandiant Indicators of Compromise
http://intelreport.mandiant.com/Mandiant_APT1_Report_Appendix.zip