APT1 - Comment Crew: Indicators of Compromise

By: threatintel on Feb 22nd, 2013
APT1: Additional Comment Crew Indicators of Compromise
http://www.symantec.com/connect/blogs/apt1-additional-comment-crew-indicators-compromise

Network indicators

Network-based indications of possible compromise by the Comment Crew attackers.

HTTP POST traffic containing:
• name=GeorgeBush&userid=<4 digit number>&other=

HTTP GET traffic to pages with paths:
• aspnet_client/report.asp
• Resource/device_Tr.asp
• images/device_index.asp
• news/media/info.html
• backsangho.jpg
• addCats.asp
• SmartNav.jpg
• nblogo2.jpg

Domains

Internet protocol addresses

File indicators

File-based indications of possible compromise by the Comment Crew attackers.

Filenames and locations:
• %TEMP%\AdobeARM.exe
• %TEMP%\iTunesHelper.exe
• %PROGRAMS%\Startup\AdobeRe.exe
• rouj.exe
• %USERPROFILE%\Local Settings\iexplore.exe
• %USERAPPDATA%\Microsoft\wuauclt.exe
• %PROGRAMS%\Startup\adobeup.exe
• %TEMP%\AdobeUpdater.exe
• NTLMSVC.DLL
• %PROGRAMS%\Startup\adobe_sl.lnk
• %TEMP%\runinfo.exe

File version info:

Product: SoundMAX service agent
Description: Microsoft NTLM Service Holder
Product & Description: JpgAsp

System indicators

System-based indications of possible compromise by the Comment Crew attackers.

Registry entries:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Acroread"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Adobe Update"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"AdobeCheck"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"AdobeCom"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"IMSCMig"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"McUpdate"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Register"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SysTray"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"systemupdate"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"wininstaller"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"APVSVC"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"AdobeUpdate"

Service names:
• aec
• elpmasym
• Net CLR

Email indicators

Email-based indications of possible compromise by the Comment Crew attackers.

Subject lines:
• Capt [REMOVED] update
• Fw: LES Request
• Libya crisis
• Five Simple Questions for Democrats on Spending Cuts
• Behind the Easing of Israeli-Palestinian Tensions
• Business Exec Urges Broad Trade Agenda To Curb China Role In Latin America
• President Chavezs Comments About President Obama and the United States on Sundays "Alo,Presidente"
• FW: New Standdard Operational Procedures (SOPs) between the
• AGENDA
• [REMOVED] Help You Save Enough for Retirement
• Human right of north Afica under war
• Spreading Civil Unrest in the Middle East and North Africa
• The latest analysis on Syria
• International Atomic Energy Agency invite you to attend Atomic Energy Summit
• GAC Monthly Report
• Emergency notification
• Meeting information of [REMOVED]
• Meeting information of [REMOVED]
• Meeting notice from [REMOVED]
• Meeting notice from [REMOVED]
• FY12 Government Opportunities
• Yemen para for SC briefing
• Fighting Protectionism and Promoting Trade and Investment
• Weekly Security Report
• Agenda of [REMOVED] Visit in July 2011
• Agenda of [REMOVED]  Visit in July 2011
• Obituary Notice
• Updated Roster 20110712
• 2011 project budget
• [REMOVED]  National Security Seminar
• Current internatinal situation surrounding Syria
• New Update of Health & Medical force
• FW:How to Get Free Airline Tickets
• Nuclear Security and Summit Diplomacy
• Fw: [REMOVED]  Defence & Security Industry Mission to [REMOVED]  201
• [REMOVED] heriketlik pilani
• 2012 Global aerospace and defense industry outlook

Email attachment names:
• update.exe
• CTF 2011 (MF).xls
• BBC Monitoring reports..xls
• Five Simple Questions for Democrats on Spending Cuts.doc
• Behind the Easing of Israeli-Palestinian Tensions.doc
• Business Exec Urges Broad Trade AgendaTo Curb China Role In Latin America.doc
• PatriotLMSR2009Fin .doc
• New SOPs for HEC Coord with NATO.pdf
• agenda201005.pdf
• Human right report of noth Afica under the war.scr
• Middle_East_Civil_Unrest.pdf
• Protests Spread in Syria.pdf
• Cybersecurity and Cyber War.pdf
• The Meeting intivation of International Atomic Energy Agency 06-05-2011.scr
• meeting invitation of British Council 2011.scr
• Meeting information details of [REMOVED].exe
• Meeting information details of [REMOVED].exe
• Meeting detail information from [REMOVED].scr
• Meeting detail information from [REMOVED].scr
• FY12 Government Opportunities.pdf
• China's Jasmine protests.pdf
• Yemen para for SC briefing.doc
• DECLARATION- COMMENTS.Netherlands.pdf
• weekly_security_report-06-20-2011__-__06-26-2011.pdf
• 2011.xls
• Obituary.xls
• Updated_roster.xls
• 2011 project budget.xls
• Participant_Contacts.xls
• Current international situation surrounding Syria.doc
• Update of Health & Medical force.xls
• How to Get Free Airline Tickets.pdf
• REPLY_ FORM.doc
• Global A&D outlook 2012.pdf
• Global_A&D_outlook_2012.pdf

References

Mandiant Indicators of Compromise
http://intelreport.mandiant.com/Mandiant_APT1_Report_Appendix.zip