APT1: Additional Comment Crew Indicators of Compromise
http://www.symantec.com/connect/blogs/apt1-additional-comment-crew-indicators-compromise

Network indicators
Network-based indications of possible compromise by the Comment Crew attackers.

HTTP POST traffic containing:
• name=GeorgeBush&userid=<4 digit number>&other=

HTTP GET traffic to pages with paths:
• aspnet_client/report.asp
• Resource/device_Tr.asp
• images/device_index.asp
• news/media/info.html
• backsangho.jpg
• addCats.asp
• SmartNav.jpg
• nblogo2.jpg
Domains:
Internet protocol addresses:
File indicators
File-based indications of possible compromise by the Comment Crew attackers.

Filenames and locations:
• %TEMP%\AdobeARM.exe
• %TEMP%\iTunesHelper.exe
• %PROGRAMS%\Startup\AdobeRe.exe
• rouj.exe
• %USERPROFILE%\Local Settings\iexplore.exe
• %USERAPPDATA%\Microsoft\wuauclt.exe
• %PROGRAMS%\Startup\adobeup.exe
• %TEMP%\AdobeUpdater.exe
• NTLMSVC.DLL
• %PROGRAMS%\Startup\adobe_sl.lnk
• %TEMP%\runinfo.exe

File version info:
• Product: SoundMAX service agent
• Description: Microsoft NTLM Service Holder
• Product & Description: JpgAsp
System indicators
System-based indications of possible compromise by the Comment Crew attackers.

Registry entries:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Acroread"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Adobe Update"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"AdobeCheck"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"AdobeCom"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"IMSCMig"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"McUpdate"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Register"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SysTray"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"systemupdate"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"wininstaller"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"APVSVC"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"AdobeUpdate"

Service names:
• aec
• elpmasym
• Net CLR
Email indicators
Email-based indications of possible compromise by the Comment Crew attackers. Subject lines and attachment names are reproduced exactly as observed, including the attackers' spelling errors.

Subject lines:
• Capt [REMOVED] update
• Fw: LES Request
• Libya crisis
• Five Simple Questions for Democrats on Spending Cuts
• Behind the Easing of Israeli-Palestinian Tensions
• Business Exec Urges Broad Trade Agenda To Curb China Role In Latin America
• President Chavezs Comments About President Obama and the United States on Sundays "Alo,Presidente"
• FW: New Standdard Operational Procedures (SOPs) between the
• AGENDA
• [REMOVED] Help You Save Enough for Retirement
• Human right of north Afica under war
• Spreading Civil Unrest in the Middle East and North Africa
• The latest analysis on Syria
• International Atomic Energy Agency invite you to attend Atomic Energy Summit
• GAC Monthly Report
• Emergency notification
• Meeting information of [REMOVED]
• Meeting information of [REMOVED]
• Meeting notice from [REMOVED]
• Meeting notice from [REMOVED]
• FY12 Government Opportunities
• Yemen para for SC briefing
• Fighting Protectionism and Promoting Trade and Investment
• Weekly Security Report
• Agenda of [REMOVED] Visit in July 2011
• Agenda of [REMOVED] Visit in July 2011
• Obituary Notice
• Updated Roster 20110712
• 2011 project budget
• [REMOVED] National Security Seminar
• Current internatinal situation surrounding Syria
• New Update of Health & Medical force
• FW:How to Get Free Airline Tickets
• Nuclear Security and Summit Diplomacy
• Fw: [REMOVED] Defence & Security Industry Mission to [REMOVED] 201
• [REMOVED] heriketlik pilani
• 2012 Global aerospace and defense industry outlook
Email attachment names:
• update.exe
• CTF 2011 (MF).xls
• BBC Monitoring reports..xls
• Five Simple Questions for Democrats on Spending Cuts.doc
• Behind the Easing of Israeli-Palestinian Tensions.doc
• Business Exec Urges Broad Trade AgendaTo Curb China Role In Latin America.doc
• PatriotLMSR2009Fin .doc
• New SOPs for HEC Coord with NATO.pdf
• agenda201005.pdf
• Human right report of noth Afica under the war.scr
• Middle_East_Civil_Unrest.pdf
• Protests Spread in Syria.pdf
• Cybersecurity and Cyber War.pdf
• The Meeting intivation of International Atomic Energy Agency 06-05-2011.scr
• meeting invitation of British Council 2011.scr
• Meeting information details of [REMOVED].exe
• Meeting information details of [REMOVED].exe
• Meeting detail information from [REMOVED].scr
• Meeting detail information from [REMOVED].scr
• FY12 Government Opportunities.pdf
• China's Jasmine protests.pdf
• Yemen para for SC briefing.doc
• DECLARATION- COMMENTS.Netherlands.pdf
• weekly_security_report-06-20-2011__-__06-26-2011.pdf
• 2011.xls
• Obituary.xls
• Updated_roster.xls
• 2011 project budget.xls
• Participant_Contacts.xls
• Current international situation surrounding Syria.doc
• Update of Health & Medical force.xls
• How to Get Free Airline Tickets.pdf
• REPLY_ FORM.doc
• Global A&D outlook 2012.pdf
• Global_A&D_outlook_2012.pdf
References
• Mandiant Indicators of Compromise (APT1 report appendix): http://intelreport.mandiant.com/Mandiant_APT1_Report_Appendix.zip