Reader Jake sent us an awesome bundle of RAT-related mayhem collected during the performance of his duties while investigating the unfortunate and prolonged compromise of a company we'll fictitiously call Hazrat Supply. Really, I'm shocked, can you tell? With the plethora of malicious files shared with us in this package, it represents a huge opportunity to create some related IOCs with Mandiant's IOCe, as well as to run some of this evil through my preferred toolkit for identifying and then building said IOCs. We'll do this in three parts, as I'm handler on duty for the next three days (lucky you); there's lots here to play with (lucky me).

Let me give you a quick manifest first:

bybtt.cc3 MD5 c2f0ba16a767d839782a36f8f5bbfcbc
mylcx.exe MD5 4984fd547065ddcd781b068c4493ead6
PwDump7.exe MD5 d1337b9e8bac0ee285492b89f895cadb
svchost.exe MD5 20a6310b50d31b3da823ed00276e8a50

Ironically, the RDP server the attackers used, RemoteMany3389.exe, is not flagged as malicious by AV detection. Apparently it's a legitimate tool...in China. :-)

Building IOCs with Mandiant IOCe is in many ways straightforward for simple logic; you'll need to understand AND and OR substructures to build more complex logic branches.

Figure 1

I'll be populating this further and sharing the full IOC file set for each of these samples upon request after Friday's shift. Tomorrow, I'll run Jake's dump file for svchost.exe through Volatility to see what we can further learn and use to create additional IOCs.
Russ McRee, ISC Handler, Jul 16th 2014
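To make the AND/OR point concrete, here is an added example (not code from the diary, from Jake, or from Mandiant IOCe) that evaluates a small OpenIOC 1.0 indicator tree against file artifacts. The IOC XML is constructed for illustration in the layout IOCe emits; the `id`, the pairing of FileName with Md5sum in the AND branch, the case-insensitive matching, and the sample artifacts with their placeholder hashes are all assumptions. Only the filenames and MD5s from the manifest above are taken from the diary.

```python
"""Evaluate an OpenIOC 1.0 indicator tree (nested AND/OR) against file artifacts.

Added example, not from the ISC diary or from Mandiant IOCe. The IOC below is
constructed: the id, the AND pairing of FileName+Md5sum, and the sample
artifacts are assumptions; the four manifest hashes come from the diary.
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.mandiant.com/2010/ioc}"

# Constructed IOC: an OR over three manifest hashes, plus a nested AND branch
# that only fires when a file is named svchost.exe AND carries the manifest hash,
# so a legitimate OS svchost.exe with a different hash does not trigger it.
HAZRAT_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-0000-0000-000000000000" last-modified="2014-07-16T00:00:00">
  <short_description>Hazrat Supply RAT tooling (constructed example)</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">c2f0ba16a767d839782a36f8f5bbfcbc</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">4984fd547065ddcd781b068c4493ead6</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d1337b9e8bac0ee285492b89f895cadb</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svchost.exe</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
          <Content type="md5">20a6310b50d31b3da823ed00276e8a50</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def _item_matches(item, artifact):
    """Evaluate one <IndicatorItem>; comparisons are case-insensitive (assumption)."""
    search = item.find(NS + "Context").get("search")
    expected = (item.find(NS + "Content").text or "").strip().lower()
    actual = artifact.get(search)
    if actual is None:           # artifact has no value for this term
        return False
    actual = actual.lower()
    cond = item.get("condition")
    if cond == "is":
        return actual == expected
    if cond == "contains":
        return expected in actual
    raise ValueError("unsupported condition: %r" % cond)


def evaluate(node, artifact):
    """Recursively evaluate an <Indicator> (AND/OR) or <IndicatorItem> node."""
    if node.tag == NS + "IndicatorItem":
        return _item_matches(node, artifact)
    if node.tag == NS + "Indicator":
        children = list(node)
        if not children:         # an empty branch never matches
            return False
        op = node.get("operator", "OR").upper()
        if op == "AND":
            return all(evaluate(c, artifact) for c in children)
        if op == "OR":
            return any(evaluate(c, artifact) for c in children)
        raise ValueError("unsupported operator: %r" % op)
    raise ValueError("unexpected element: %r" % node.tag)


def ioc_matches(ioc_xml, artifact):
    """True if the artifact (dict keyed by OpenIOC search term) satisfies the IOC."""
    root = ET.fromstring(ioc_xml)
    return evaluate(root.find(NS + "definition/" + NS + "Indicator"), artifact)


# Constructed host artifacts; the last two hashes are placeholders, not real values.
SAMPLE_FILES = [
    {"FileItem/FileName": "bybtt.cc3", "FileItem/Md5sum": "c2f0ba16a767d839782a36f8f5bbfcbc"},
    {"FileItem/FileName": "svchost.exe", "FileItem/Md5sum": "20a6310b50d31b3da823ed00276e8a50"},
    {"FileItem/FileName": "svchost.exe", "FileItem/Md5sum": "0123456789abcdef0123456789abcdef"},
    {"FileItem/FileName": "RemoteMany3389.exe", "FileItem/Md5sum": "ffffffffffffffffffffffffffffffff"},
]


def scan(ioc_xml, files):
    """Return the names of the artifacts that hit the IOC."""
    return [f["FileItem/FileName"] for f in files if ioc_matches(ioc_xml, f)]


if __name__ == "__main__":
    print(scan(HAZRAT_IOC, SAMPLE_FILES))
```

The clean svchost.exe is rejected because the AND branch requires both terms, which is the whole reason for nesting an AND inside the top-level OR instead of listing the filename on its own. RemoteMany3389.exe is not caught either: the diary gives no hash for it and says AV does not flag it, so it only becomes detectable once you add a term for it.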
Jul 16th 2014
Russ... you really must practice controlling the dramatic display of your emotions.
Great info. Looking forward to more on what was discovered and learned.

AlSitte
Jul 16th 2014
Best. Shocked-Face. Ever.

Kaldek
Jul 17th 2014