
URSNIF/ISFB IOCs

James_inthe_box Feb 14th, 2018 (edited) 2,004 Never
Drops itself in:
C:\Users\<user>\AppData\Roaming\Microsoft\<random>\[a-z]{8}.exe; may have a name like:
crypptsp.exe
devissec.exe
bcrypnet.exe
aviftenc.exe
adprtext.exe

Seen injecting into:
C:\Windows\system32\svchost.exe
C:\Windows\explorer.exe

May create several .bi[n] files:
C:\Users\<user>\AppData\Local\Temp\<random>.bi[n]

Method of persistence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\<random>

Sets:
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\<UUID>\Client

Checks external address:
ipinfo.io/ip

Sends C2 traffic via 443 and sometimes 80.

GET version:
Uses "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" as UA
Links look like:
/images/CDzdWeMdka_2/BfAsviJFG6f/T9Rq5AfZ_2FRhq/wYLOYjZ2kpDQ4XI_2BZwt/yVJmdVq3Ma9Wa9SZ/klxiE0bP3j8wA4h/vtLlwXFoWU5fug7Wvt/s7GX7nvfe/Uzo_2BIguff_2FBEmrye/EHAgf2o8IhaWJPp9E2d/590F5.gif

POST version:
Uses "Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0" as UA
Links look like:
Uc3jIdGLBD2d_2Bg0eAd/BjVypUozDtfR/1Ys6jjeV/vPQ86aL7O1F1LiLLXLRLi/YPhLKJ5Jf_2BMyxVrsd/oPqZstY_2BSxf1rh/jPRNN28T1LBQfB/iZrtHqH1jisCjolJ/VYA_2BAxYEbo3Bd3XCbosS/vInzmwMy44i/kw0X8jwqh31kc/n5NcknEHIn6Hn8F/wdwlHFHU/tyjmH

Currently downloading as .class files.

Additional bat file certutil method: https://pastebin.com/mERmdFvM
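A detection sketch over constructed proxy-log lines and file paths, added here and not part of the original paste: it matches the two user-agents, the segment-heavy URL paths with their `_2B`/`_2F` tokens, the ipinfo.io lookup, and the drop-path pattern listed above. The log-line format, the placeholder host `c2.example`, and the requirement that a beacon path contain a `_2B`/`_2F` token (based only on the two sample paths) are assumptions.

```python
import re

# User-agents transcribed from the paste above.
UA_GET = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
UA_POST = "Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0"

# GET beacons: /images/<4+ pseudo-random segments>/<name>.gif
GET_PATH = re.compile(r"^/images/(?:[A-Za-z0-9_]+/){4,}[A-Za-z0-9]+\.gif$")
# POST paths: same segment style, no /images/ prefix, no extension.
POST_PATH = re.compile(r"^/?(?:[A-Za-z0-9_]+/){4,}[A-Za-z0-9_]+$")
# Assumption: the "_2B"/"_2F" tokens seen in both samples are a stable trait.
ENCODED_TOKEN = re.compile(r"_2[BF]")

# Drop location: ...\AppData\Roaming\Microsoft\<random>\<8 lowercase letters>.exe
DROP_DIR = re.compile(
    r"^C:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\[^\\]+\\([^\\]+)$", re.I)

# Constructed proxy-log format (assumption): METHOD host path "User-Agent"
LOG_LINE = re.compile(r'^(?P<method>GET|POST) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')

def classify_request(line):
    """Return the indicator names matched by one proxy-log line."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    method, host, path, ua = m.group("method", "host", "path", "ua")
    hits = []
    if host == "ipinfo.io" and path == "/ip":
        hits.append("external-ip-check")
    if method == "GET" and ua == UA_GET and GET_PATH.match(path) and ENCODED_TOKEN.search(path):
        hits.append("ursnif-get-beacon")
    if method == "POST" and ua == UA_POST and POST_PATH.match(path) and ENCODED_TOKEN.search(path):
        hits.append("ursnif-post-beacon")
    return hits

def scan(lines):
    """Return (line index, hits) for every line that matched at least one indicator."""
    return [(i, h) for i, line in enumerate(lines) if (h := classify_request(line))]

def is_drop_path(path):
    """True when a file path matches the Roaming\\Microsoft\\<random>\\[a-z]{8}.exe pattern."""
    m = DROP_DIR.match(path)
    return bool(m) and re.fullmatch(r"[a-z]{8}\.exe", m.group(1)) is not None

# Constructed sample log; "c2.example" is a placeholder, paths are from the paste.
SAMPLE_LOG = [
    'GET ipinfo.io /ip "%s"' % UA_GET,
    'GET c2.example /images/CDzdWeMdka_2/BfAsviJFG6f/T9Rq5AfZ_2FRhq/wYLOYjZ2kpDQ4XI_2BZwt/yVJmdVq3Ma9Wa9SZ/590F5.gif "%s"' % UA_GET,
    'POST c2.example /Uc3jIdGLBD2d_2Bg0eAd/BjVypUozDtfR/1Ys6jjeV/vPQ86aL7O1F1LiLLXLRLi/YPhLKJ5Jf_2BMyxVrsd/tyjmH "%s"' % UA_POST,
    'GET www.example.com /images/logo.gif "%s"' % UA_GET,  # benign: too few segments, no token
]
```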