0.14.0 with UTF-8 output / French support by juju4
Neo23x0 committed Feb 15, 2016
1 parent 9c0781b commit c661259
Showing 6 changed files with 20,716 additions and 20,644 deletions.
2 changes: 1 addition & 1 deletion iocs/filename-iocs.txt
@@ -21,7 +21,7 @@
# ProgramData\\Mail\\MailAg\\;80
# (Anwendungsdaten|Application Data|APPDATA)\\sydmain\.dll;80
# (TEMP|Temp)\\[^\\]+\.(xmd|yls)$;80
# (LOCAL SETTINGS\\Temp|Local Settings\\Temp|Local\\Temp)\\(word\.exe|winword\.exe);80
# (LOCAL SETTINGS\\Temp|Local Settings\\Temp|Local\\Temp)\\(word\.exe|winword\.exe)[^\.];80
#

# Ncat Example
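Review bot: the only functional change in this hunk, appending `[^\.]` to `(LOCAL SETTINGS\\Temp|Local Settings\\Temp|Local\\Temp)\\(word\.exe|winword\.exe)`, sits on a line that is still commented out with `#`, so it has no effect on a scan until the comment marker is removed; if the pattern is meant to stay disabled, a short comment saying why would help the next reader. Note also that `[^\.]` consumes one character, so a path that ends exactly in `winword.exe` no longer matches; if the intent is only to exclude `winword.exe.<something>`, a negative lookahead `(?!\.)` or an end anchor expresses that without requiring a trailing character.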
18,756 changes: 9,391 additions & 9,365 deletions iocs/otx-c2-iocs.txt

Large diffs are not rendered by default.

110 changes: 55 additions & 55 deletions iocs/otx-filename-iocs.txt
@@ -1,55 +1,55 @@
\\this\.morning\.rar;Operation Arid Viper Slithers Back into View https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-
\\this\.morning\.exe;Operation Arid Viper Slithers Back into View https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-
C:\\Program Files\\Realtek\\AudRTx86\.dll;Operation Arid Viper Slithers Back into View https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-
C:\\Program Files\\Realtek\\Rttr\.zip;Operation Arid Viper Slithers Back into View https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-
C:\\Program Files\\Realtek\\rfmencrypt_secret\.key;Operation Arid Viper Slithers Back into View https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-
%SystemRoot%\\Drivers\\\{1D24B7E2\-869D\-49D8\-B4EB\-1424B36C42B6\}\.sys;Newcomers in the Derusbi family http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
%Systemroot%\\web\\safemode\.html;Newcomers in the Derusbi family http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
Statement_1973_1357257122414\.doc;Dridex Phishing Wave - Gina Harrowell Purchase Order XLS/DOC http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limi
\\ringcentral_msg\.doc;Microsoft Word Intruder: Operation Pony Express https://nakedsecurity.sophos.com/2015/09/25/microsoft-word-intruder-gets-down-to
\\termination_letter\.doc;Microsoft Word Intruder: Operation Pony Express https://nakedsecurity.sophos.com/2015/09/25/microsoft-word-intruder-gets-down-to
\\unpaid_logmein_invoice\.doc;Microsoft Word Intruder: Operation Pony Express https://nakedsecurity.sophos.com/2015/09/25/microsoft-word-intruder-gets-down-to
\\lmi_billing_invoice\.doc;Microsoft Word Intruder: Operation Pony Express https://nakedsecurity.sophos.com/2015/09/25/microsoft-word-intruder-gets-down-to
\\ringcentral_text_7093687357\.doc;Microsoft Word Intruder: Operation Pony Express https://nakedsecurity.sophos.com/2015/09/25/microsoft-word-intruder-gets-down-to
\\Microsoft\\Netmeeting\\1328\-0013\\mstun32\.dll;FIREEYE: Office Encapsulated PostScript & Priv Escalation 0days https://www.fireeye.com/blog/threat-research/2015/09/attack_exploitingmi.html
\\infected\.exx;Shifu: New Banking Trojan Is Attacking 14 Japanese Banks https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking
%TEMP%\\AdobeARMM\.log;The Kittens Strike Back https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/rocket-kitten-co
%TEMP%\\wlg\.dat;The Kittens Strike Back https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/rocket-kitten-co
%TEMP%\\AdobeARM\.log;The Kittens Strike Back https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/rocket-kitten-co
Message\.xlsb;The Kittens Strike Back https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/rocket-kitten-co
C:\\windows\\tasks\\Components\.exe;Defending the White Elephant https://asert.arbornetworks.com/defending-the-white-elephant/ / http://pages.arb
PlanProposal\\new questionnaire\\Voter Plan Proposal;Defending the White Elephant https://asert.arbornetworks.com/defending-the-white-elephant/ / http://pages.arb
\\abiosdsk\.sys;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\adpu160\.sys;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\floppy\.sys;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\parclass\.sys;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\rio8drvx\.sys;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\ser8uart\.sys;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\usbclass\.sys;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\vidscfg\.sys;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\msrdc64\.dat;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\msdcsvc\.dat;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%System%\\config\\SystemAudit\.Evt;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%System%\\config\\SecurityAudit\.Evt;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%System%\\config\\SystemLog\.evt;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%System%\\config\\ApplicationLog\.evt;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%Windir%\\ime\\imesc5\\dicts\\pintlgbs\.imd;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%Windir%\\ime\\imesc5\\dicts\\pintlgbp\.imd;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%Windir%\\system32\\winhttpc\.dll;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%Windir%\\system32\\wshnetc\.dll;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%Windir%\\SysWow64\\wshnetc\.dll;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%Windir%\\system32\\svcstat\.exe;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%Windir%\\system32\\svcsstat\.exe;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%AppData%\\Local\\Temp\\bootloader\.dec;RTF Exploit Installs Italian RAT: uWarrior http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-
%AppData%\\Roaming\\warriors\.dat;RTF Exploit Installs Italian RAT: uWarrior http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-
/Users/Shared/start\.sh;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/Resources/start\.sh;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/Resources/FontMap1\.cfg;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/Library/LaunchDaemons/com\.apple\.machook_damon\.plist;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/Library/LaunchDaemons/com\.apple\. globalupdate\.plist;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/usr/bin/globalupdate;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/usr/local/machook/update/start\.sh;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/Library/MobileSubstrate/DynamicLibraries/sfbase\.dylib;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
sfbase\.dylib;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/tmp/AddressBook\.sqlitedb;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/tmp/sms\.db;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
\\this\.morning\.rar;Operation Arid Viper Slithers Back into View https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-
\\this\.morning\.exe;Operation Arid Viper Slithers Back into View https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-
C:\\Program Files\\Realtek\\AudRTx86\.dll;Operation Arid Viper Slithers Back into View https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-
C:\\Program Files\\Realtek\\Rttr\.zip;Operation Arid Viper Slithers Back into View https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-
C:\\Program Files\\Realtek\\rfmencrypt_secret\.key;Operation Arid Viper Slithers Back into View https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-
%SystemRoot%\\Drivers\\\{1D24B7E2\-869D\-49D8\-B4EB\-1424B36C42B6\}\.sys;Newcomers in the Derusbi family http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
%Systemroot%\\web\\safemode\.html;Newcomers in the Derusbi family http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
Statement_1973_1357257122414\.doc;Dridex Phishing Wave - Gina Harrowell Purchase Order XLS/DOC http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limi
\\ringcentral_msg\.doc;Microsoft Word Intruder: Operation Pony Express https://nakedsecurity.sophos.com/2015/09/25/microsoft-word-intruder-gets-down-to
\\termination_letter\.doc;Microsoft Word Intruder: Operation Pony Express https://nakedsecurity.sophos.com/2015/09/25/microsoft-word-intruder-gets-down-to
\\unpaid_logmein_invoice\.doc;Microsoft Word Intruder: Operation Pony Express https://nakedsecurity.sophos.com/2015/09/25/microsoft-word-intruder-gets-down-to
\\lmi_billing_invoice\.doc;Microsoft Word Intruder: Operation Pony Express https://nakedsecurity.sophos.com/2015/09/25/microsoft-word-intruder-gets-down-to
\\ringcentral_text_7093687357\.doc;Microsoft Word Intruder: Operation Pony Express https://nakedsecurity.sophos.com/2015/09/25/microsoft-word-intruder-gets-down-to
\\Microsoft\\Netmeeting\\1328\-0013\\mstun32\.dll;FIREEYE: Office Encapsulated PostScript & Priv Escalation 0days https://www.fireeye.com/blog/threat-research/2015/09/attack_exploitingmi.html
\\infected\.exx;Shifu: New Banking Trojan Is Attacking 14 Japanese Banks https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking
%TEMP%\\AdobeARMM\.log;The Kittens Strike Back https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/rocket-kitten-co
%TEMP%\\wlg\.dat;The Kittens Strike Back https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/rocket-kitten-co
%TEMP%\\AdobeARM\.log;The Kittens Strike Back https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/rocket-kitten-co
Message\.xlsb;The Kittens Strike Back https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/rocket-kitten-co
C:\\windows\\tasks\\Components\.exe;Defending the White Elephant https://asert.arbornetworks.com/defending-the-white-elephant/ / http://pages.arb
PlanProposal\\new questionnaire\\Voter Plan Proposal;Defending the White Elephant https://asert.arbornetworks.com/defending-the-white-elephant/ / http://pages.arb
\\abiosdsk\.sys;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\adpu160\.sys;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\floppy\.sys;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\parclass\.sys;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\rio8drvx\.sys;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\ser8uart\.sys;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\usbclass\.sys;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\vidscfg\.sys;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\msrdc64\.dat;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
\\msdcsvc\.dat;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%System%\\config\\SystemAudit\.Evt;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%System%\\config\\SecurityAudit\.Evt;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%System%\\config\\SystemLog\.evt;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%System%\\config\\ApplicationLog\.evt;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%Windir%\\ime\\imesc5\\dicts\\pintlgbs\.imd;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%Windir%\\ime\\imesc5\\dicts\\pintlgbp\.imd;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%Windir%\\system32\\winhttpc\.dll;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%Windir%\\system32\\wshnetc\.dll;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%Windir%\\SysWow64\\wshnetc\.dll;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%Windir%\\system32\\svcstat\.exe;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%Windir%\\system32\\svcsstat\.exe;Regin - Further Investigations by Symantec Aug 2015 http://www.symantec.com/connect/blogs/regin-further-unravelling-mysteries-cybere
%AppData%\\Local\\Temp\\bootloader\.dec;RTF Exploit Installs Italian RAT: uWarrior http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-
%AppData%\\Roaming\\warriors\.dat;RTF Exploit Installs Italian RAT: uWarrior http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-
/Users/Shared/start\.sh;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/Resources/start\.sh;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/Resources/FontMap1\.cfg;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/Library/LaunchDaemons/com\.apple\.machook_damon\.plist;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/Library/LaunchDaemons/com\.apple\. globalupdate\.plist;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/usr/bin/globalupdate;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/usr/local/machook/update/start\.sh;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/Library/MobileSubstrate/DynamicLibraries/sfbase\.dylib;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
sfbase\.dylib;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/tmp/AddressBook\.sqlitedb;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
/tmp/sms\.db;OS X / Wirelurker (OS X) / dropped by start.sh / c2 domain / c2 hostname / v2 update url / initial
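Review bot: the pattern `/Library/LaunchDaemons/com\.apple\. globalupdate\.plist` (present in both the removed and the added half) contains a stray space before `globalupdate`, so it can never match an on-disk path; the neighbouring `/usr/bin/globalupdate` entry suggests `com\.apple\.globalupdate\.plist` was intended, and since this hunk already rewrites every line of the file it is the right place to fix it. The 55 removed and 55 added lines otherwise render identically, so the change appears to be the encoding or line-ending rewrite the commit title refers to (UTF-8 output); saying so in the commit message would spare reviewers a line-by-line comparison. The description URLs are also cut off mid-path (for example `.../Operation-Arid-Viper-Slithers-`), which makes pivoting from a hit back to the source report harder than it needs to be.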

0 comments on commit c661259