ESET - Gazer Backdoor
Pastebin paste by a guest user, Sep 5th, 2017
IoCs

Filenames
• %TEMP%\KB943729.log
• %TEMP%\CVRG72B5.tmp.cvr
• %TEMP%\CVRG1A6B.tmp.cvr
• %TEMP%\CVRG38D9.tmp.cvr
• %TEMP%\~DF1E06.tmp
• %HOMEPATH%\ntuser.dat.LOG3
• %HOMEPATH%\AppData\Local\Adobe\AdobeUpdater.exe

Registry keys
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ScreenSaver
• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Explorer\ScreenSaver

C&C URLs
• daybreakhealthcare.co.uk/wp-includes/themees.php
• simplecreative.design/wp-content/plugins/calculated-fields-form/single.php
• 169.255.137.203/rss_0.php
• outletpiumini.springwaterfeatures.com/wp-includes/pomo/settings.php
• zerogov.com/wp-content/plugins.deactivate/paypal-donations/src/PaypalDonations/SimpleSubsribe.php
• ales.ball-mill.es/ckfinder/core/connector/php/php4/CommandHandler/CommandHandler.php
• dyskurs.com.ua/wp-admin/includes/map-menu.php
• warrixmalaysia.com.my/wp-content/plugins/jetpack/modules/contact-form/grunion-table-form.php
• 217.171.86.137/config.php
• 217.171.86.137/rss_0.php
• shinestars-lifestyle.com/old_shinstar/includes/old/front_footer.old.php
• www.aviasiya.com/murad.by/life/wp-content/plugins/wp-accounting/inc/pages/page-search.php
• baby.greenweb.co.il/wp-content/themes/san-kloud/admin.php
• soligro.com/wp-includes/pomo/db.php
• giadinhvabe.net/wp-content/themes/viettemp/out/css/class.php
• tekfordummies.com/wp-content/plugins/social-auto-poster/includes/libraries/delicious/Delicious.php
• kennynguyen.esy.es/wp-content/plugins/wp-statistics/vendor/maxmind-db/reader/tests/MaxMind/Db/test/Reader/BuildTest.php
• sonneteck.com/wp-content/plugins/yith-woocommerce-wishlist/plugin-fw/licence/templates/panel/activation/activation.php
• chagiocaxuanson.esy.es/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/templates/manage_gallery/gallery_preview_page_field.old.php
• hotnews.16mb.com/wp-content/themes/twentysixteen/template-parts/content-header.php
• zszinhyosz.pe.hu/wp-content/themes/twentyfourteen/page-templates/full-hight.php
• weandcats.com/wp-content/plugins/broken-link-checker/modules/checkers/http-module.php

Note: nearly all of these are PHP files dropped into WordPress plugin or theme directories of otherwise legitimate-looking sites, i.e. compromised web servers used as first-layer C&C. Match on host plus path (and on the two bare IP addresses); blocking or alerting on the whole domain will hit the site's legitimate traffic.

Mutexes
• {531511FA-190D-5D85-8A4A-279F2F592CC7}
(Source: ESET, "Gazing at Gazer: Turla's new second stage backdoor", pp. 21-23.)
Hashes

Table 6. Gazer sample hashes

Certificate column: solidloop = signing certificate issued to admin@solidloop.org, valid 14/10/2015 to 14/10/2016; ultimatecomsup = signing certificate issued to admin@ultimatecomsup.biz, valid 16/12/2015 to 16/12/2017. Dates are DD/MM/YYYY.

SHA1 hash                                | Component              | Compilation time    | Certificate    | ESET detection name
-----------------------------------------|------------------------|---------------------|----------------|--------------------
27FA78DE705EBAA4B11C4B5FE7277F91906B3F92 | Gazer wiper x32        | 07/04/2016 15:04:24 | not signed     | Win32/Turla.CL
35F205367E2E5F8A121925BBAE6FF07626B526A7 | Gazer loader x32       | 05/02/2002 17:36:10 | solidloop      | Win32/Turla.CC
B151CD7C4F9E53A8DCBDEB7CE61CCDD146EB68AB | Gazer loader x32       | 05/02/2002 17:36:10 | solidloop      | Win32/Turla.CC
E40BB5BEEC5678537E8FE537F872B2AD6B77E08A | Gazer loader x32       | 05/02/2002 17:36:10 | solidloop      | Win32/Turla.CC
522E5F02C06AD215C9D0C23C5A6A523D34AE4E91 | Gazer loader x64       | 05/02/2002 17:36:26 | solidloop      | Win64/Turla.AA
C380038A57FFB8C064851B898F630312FABCBBA7 | Gazer loader x64       | 05/02/2002 17:36:26 | solidloop      | Win64/Turla.AA
267F144D771B4E2832798485108DECD505CB824A | Gazer loader x64       | 05/02/2002 17:36:26 | solidloop      | Win64/Turla.AA
52F6D09CCCDBC38D66C184521E7CCF6B28C4B4D9 | Gazer loader x32       | 04/10/2002 18:31:37 | solidloop      | Win32/Turla.CC
475C59744ACCB09724DAE610763B7284646AB63F | Gazer loader x32       | 04/10/2002 18:31:37 | solidloop      | Win32/Turla.CC
22542A3245D52B7BCDB3EAEF5B8B2693F451F497 | Gazer loader x32       | 04/10/2002 18:31:37 | solidloop      | Win32/Turla.CC
2B9FAA8B0FCADAC710C7B2B93D492FF1028B5291 | Gazer loader x64       | 04/10/2002 18:34:18 | solidloop      | Win64/Turla.AA
E05AB6978C17724B7C874F44F8A6CBFB1C56418D | Gazer loader x64       | 04/10/2002 18:34:18 | solidloop      | Win64/Turla.AA
6DEC3438D212B67356200BBAC5EC7FA41C716D86 | Gazer loader x64       | 04/10/2002 18:34:18 | solidloop      | Win64/Turla.AA
B548863DF838069455A76D2A63327434C02D0D9D | Gazer loader x64       | 09/01/2016 19:30:10 | not signed     | Win64/Turla.AA
C3E6511377DFE85A34E19B33575870DDA8884C3C | Gazer loader x64       | 06/02/2016 19:29:15 | ultimatecomsup | Win64/Turla.AA
9FF4F59CA26388C37D0B1F0E0B22322D926E294A | Gazer loader x64       | 16/02/2016 16:00:44 | ultimatecomsup | Win64/Turla.AA
029AA51549D0B9222DB49A53D2604D79AD1C1E59 | Gazer loader x64       | 18/02/2016 15:29:58 | ultimatecomsup | Win64/Turla.AA
CECC70F2B2D50269191336219A8F893D45F5E979 | Gazer loader x64       | 01/01/2017 08:39:30 | ultimatecomsup | Win64/Turla.AG
7FAC4FC130637AFAB31C56CE0A01E555D5DEA40D | Gazer loader x64       | 11/06/2017 23:43:51 | ultimatecomsup | Win64/Turla.AD
5838A51426CA6095B1C92B87E1BE22276C21A044 | Gazer loader x32       | 19/06/2017 01:28:51 | ultimatecomsup | Win32/Turla.CF
3944253F6B7019EED496FAD756F4651BE0E282B4 | Gazer loader x64       | 19/06/2017 01:30:00 | ultimatecomsup | Win64/Turla.AD
228DA957A9ED661E17E00EFBA8E923FD17FAE054 | Gazer orchestrator x32 | 05/02/2002 17:31:28 | not signed     | Win32/Turla.CF
295D142A7BDCED124FDCC8EDFE49B9F3ACCEAB8A | Gazer orchestrator x32 | 05/02/2002 17:31:28 | not signed     | Win32/Turla.CF
0F97F599FAB7F8057424340C246D3A836C141782 | Gazer orchestrator x32 | 05/02/2002 17:31:28 | not signed     | Win32/Turla.CF
DBB185E493A0FDC959763533D86D73F986409F1B | Gazer orchestrator x32 | 05/02/2002 17:31:28 | not signed     | Win32/Turla.CC
4701828DEE543B994ED2578B9E0D3991F22BD827 | Gazer orchestrator x64 | 05/02/2002 17:34:25 | not signed     | Win64/Turla.AA
6FD611667BA19691958B5B72673B9B802EDD7FF8 | Gazer orchestrator x64 | 05/02/2002 17:34:25 | not signed     | Win64/Turla.AA
FCABEB735C51E2B8EB6FB07BDA8B95401D069BD8 | Gazer orchestrator x64 | 05/02/2002 17:34:25 | not signed     | Win64/Turla.AA
75831DF9CBCFD7BF812511148D2A0F117324A75F | Gazer orchestrator x32 | 04/10/2002 18:31:28 | not signed     | Win32/Turla.CC
BAE3AE65C32838FB52A0F5AD2CDE8659D2BFF9F3 | Gazer orchestrator x32 | 04/10/2002 18:31:28 | not signed     | Win32/Turla.CC
37FF6841419ADC51EEB8756660B2FB46F3EB24ED | Gazer orchestrator x64 | 04/10/2002 18:33:02 | not signed     | Win64/Turla.AA
9E6DE3577B463451B7AFCE24AB646EF62AD6C2BD | Gazer orchestrator x64 | 04/10/2002 18:33:02 | not signed     | Win64/Turla.AA
795C6EE27B147FF0A05C0477F70477E315916E0E | Gazer orchestrator x64 | 04/10/2002 18:33:02 | not signed     | Win64/Turla.AA
8184AD9D6BBD03E99A397F8E925FA66CFBE5CF1B | Gazer orchestrator x64 | 09/01/2016 19:28:29 | not signed     | Win64/Turla.AA
7CED96B08D7593E28FEE616ECCBC6338896517CF | Gazer orchestrator x64 | 06/02/2016 19:29:04 | not signed     | Win64/Turla.AA
63C534630C2CE0070AD203F9704F1526E83AE586 | Gazer orchestrator x64 | 06/02/2016 19:29:04 | not signed     | Win64/Turla.AA
23F1E3BE3175D49E7B262CD88CFD517694DCBA18 | Gazer orchestrator x64 | 18/02/2016 15:29:32 | not signed     | Win64/Turla.AA
7A6F1486269ABDC1D658DB618DC3C6F2AC85A4A7 | Gazer orchestrator x64 | 01/01/2017 08:39:19 | not signed     | Win64/Turla.AG
11B35320FB1CF21D2E57770D8D8B237EB4330EAA | Gazer orchestrator x64 | 11/06/2017 23:42:28 | not signed     | Win64/Turla.AD
E8A2BAD87027F2BF3ECAE477F805DE13FCCC0181 | Gazer orchestrator x32 | 19/06/2017 01:28:21 | not signed     | Win32/Turla.CF
950F0B0C7701835C5FBDB6C5698A04B8AFE068E6 | Gazer orchestrator x64 | 19/06/2017 01:29:46 | not signed     | Win64/Turla.AD
A5EEC8C6AADF784994BF68D9D937BB7AF3684D5C | Gazer comm x64         | 05/02/2002 17:57:07 | solidloop      | Win64/Turla.AH
411EF895FE8DD4E040E8BF4048F4327F917E5724 | Gazer comm x32         | 05/02/2002 17:58:22 | solidloop      | Win32/Turla.CC
C1288DF9022BCD2C0A217B1536DFA83928768D06 | Gazer comm x32         | 06/02/2016 19:23:52 | not signed     | Win32/Turla.CC
4B6EF62D5D59F2FE7F245DD3042DC7B83E3CC923 | Gazer comm x32         | 11/06/2017 23:44:24 | not signed     | Win32/Turla.CF
7F54F9F2A6909062988AE87C1337F3CF38D68D35 | Gazer wiper x32        | 05/02/2002 17:39:07 | solidloop      |

Note on the timestamps: the samples stamped 2002 are signed with a certificate that was only valid from 14/10/2015, and the unsigned orchestrators carry the same 2002 dates a few minutes apart from the loaders they ship with, so those PE compilation timestamps were deliberately backdated and must not be used to date the samples. The certificate validity windows and the 2016/2017 timestamps on the later builds are the usable dating evidence. The two certificate subjects are also a useful retro-hunt pivot: any binary signed by admin@solidloop.org or admin@ultimatecomsup.biz warrants a look.
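The following Python script is an added example, not code from the ESET paper or from this paste. It turns the indicators on this page into an offline matcher: C&C URLs are normalized to host plus path (so a proxy entry with a scheme, port, www. prefix or query string still matches), file IoCs are expanded from their %TEMP% / %HOMEPATH% templates and compared case-insensitively as NTFS paths are, SHA-1 hashes are compared case-insensitively (the paste's hashes came out in mixed case), and the mutex is matched whether a handle listing reports the bare name or the full object path. The indicator values are copied from the page (only a subset of the C&C list is included); the proxy-log format, environment values, file listing, hash list and mutex listing are constructed sample input. On a real Windows host the same functions would be fed the output of a file, hash and handle sweep.

```python
"""Offline matcher for the Gazer IoCs on this page. Added example, not code
from the ESET paper or the paste: indicator values are copied from the page
(C&C list is a subset); the log lines, paths, hashes and mutex names it is
run against are constructed sample input."""
import re
from urllib.parse import urlsplit

# Indicators from the page. Extend CNC_URLS with the remaining entries the same way.
CNC_URLS = [
    "daybreakhealthcare.co.uk/wp-includes/themees.php",
    "217.171.86.137/config.php",
    "www.aviasiya.com/murad.by/life/wp-content/plugins/wp-accounting/inc/pages/page-search.php",
    "soligro.com/wp-includes/pomo/db.php",
]
FILE_TEMPLATES = [
    r"%TEMP%\KB943729.log",
    r"%TEMP%\CVRG72B5.tmp.cvr",
    r"%HOMEPATH%\AppData\Local\Adobe\AdobeUpdater.exe",
]
MUTEX = "{531511FA-190D-5D85-8A4A-279F2F592CC7}"
SHA1_HASHES = {
    "27FA78DE705EBAA4B11C4B5FE7277F91906B3F92",  # Gazer wiper x32
    "35F205367E2E5F8A121925BBAE6FF07626B526A7",  # Gazer loader x32
    "228DA957A9ED661E17E00EFBA8E923FD17FAE054",  # Gazer orchestrator x32
}

def normalize_url(url):
    """'host/path' form: scheme, port, leading 'www.' and query dropped, host
    lower-cased, path kept case-sensitive. Used on indicators and observations."""
    if "://" not in url:
        url = "http://" + url          # the page lists URLs without a scheme
    parts = urlsplit(url)
    host = parts.hostname or ""        # hostname is lower-cased, port removed
    if host.startswith("www."):
        host = host[4:]
    return host + parts.path

CNC_KEYS = {normalize_url(u) for u in CNC_URLS}
# Constructed proxy-log layout: "<timestamp> <client> <METHOD> <url> <status>".
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

def match_proxy_log(lines):
    """(timestamp, client, indicator) per request to a Gazer C&C path. The
    status code is ignored on purpose: a 404 still proves the client asked."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue                   # unparseable line: skip, do not crash
        key = normalize_url(m["url"])
        if key in CNC_KEYS:
            hits.append((m["ts"], m["client"], key))
    return hits

def expand_template(template, env):
    """Expand %VAR% from env, lower-cased for case-insensitive NTFS paths. On a
    live host %HOMEPATH% has no drive letter: prefix %HOMEDRIVE% when building
    env so the result compares against full paths."""
    return re.sub(r"%([A-Za-z_]+)%", lambda m: env[m.group(1)], template).lower()

def match_file_paths(observed, env):
    """(observed_path, indicator_template) for each path matching a file IoC."""
    wanted = {expand_template(t, env): t for t in FILE_TEMPLATES}
    return [(p, wanted[p.lower()]) for p in observed if p.lower() in wanted]

def match_hashes(observed):
    """Case-insensitive SHA-1 lookup; anything not 40 hex digits is ignored."""
    hexes = {h.upper() for h in observed if re.fullmatch(r"[0-9a-fA-F]{40}", h)}
    return sorted(hexes & SHA1_HASHES)

def match_mutexes(observed):
    """Match by bare name or full object path (\\Sessions\\1\\BaseNamedObjects\\{...})."""
    return [m for m in observed if m.rsplit("\\", 1)[-1].upper() == MUTEX]

# Constructed sample input (not real telemetry).
SAMPLE_PROXY_LOG = [
    "2017-09-05T10:02:11Z 10.0.0.5 GET http://www.daybreakhealthcare.co.uk/wp-includes/themees.php?id=17 200",
    "2017-09-05T10:07:40Z 10.0.0.9 POST http://217.171.86.137:80/config.php 200",
    "2017-09-05T10:09:03Z 10.0.0.7 GET http://WWW.Soligro.com/wp-includes/pomo/db.php 404",
    "a line that does not fit the log format",
]
SAMPLE_ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp", "HOMEPATH": r"C:\Users\alice"}
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\CVRG72B5.tmp.cvr",
    r"C:\Users\alice\AppData\Local\Adobe\ADOBEUPDATER.EXE",
    r"C:\Users\alice\AppData\Local\Temp\unrelated.tmp",
]
SAMPLE_HASHES = ["27fa78de705ebaa4b11c4b5fe7277f91906b3f92", "not-a-hash", "0" * 40]
SAMPLE_MUTEXES = [r"\Sessions\1\BaseNamedObjects\{531511FA-190D-5D85-8A4A-279F2F592CC7}", r"\Other"]

def scan():
    """Run every matcher over the sample input; returns hits by indicator kind."""
    return {"cnc": match_proxy_log(SAMPLE_PROXY_LOG),
            "files": match_file_paths(SAMPLE_PATHS, SAMPLE_ENV),
            "hashes": match_hashes(SAMPLE_HASHES),
            "mutexes": match_mutexes(SAMPLE_MUTEXES)}

if __name__ == "__main__":
    print(scan())
```

The normalization is the part worth getting right: a proxy will log the scheme, sometimes the port, usually a query string and often a www. prefix that the IoC list omits, and the same request is still a hit when the server answered 404, because the question is whether the client asked for the C&C script, not whether it was still there. Keep the path comparison case-sensitive, since these are paths on Linux web servers, but compare NTFS paths and hashes case-insensitively.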