mirror of https://github.com/dirtbags/moth.git
assign tokens, create progressive story
parent 8b3d8ec45c
commit 1e529abe23
@ -0,0 +1,17 @@
#! /bin/sh
# Give it your registration raw data on stdin
# It appends any new folks to tokens.txt
mktoken () {
dd if=/dev/urandom bs=4 count=1 2>/dev/null | hexdump | while read a b c; do
[ -n "$b" ] && echo $b$c
done
}
while IFS=' ' read name email org c1 c2; do
if ! grep -q "$email" tokens.txt; then
printf "%s " "$email" >> tokens.txt
mktoken >> tokens.txt
fi
done
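Review bot: `grep -q "$email" tokens.txt` treats the address as a basic regular expression and matches anywhere in the line, so `.` in `a.b@example.org` is a wildcard, a registration for `bob@example.com` is silently skipped when `bob@example.com.au` is already in the file, and an address that happens to occur inside another line's address or token also counts as a duplicate; use a fixed-string match that includes the field separator, e.g. `grep -qF -- "$email " tokens.txt`. Two smaller points in the same hunk: `read` without `-r` mangles backslashes, and with space-separated fields a name containing a space shifts everything so the e-mail lands in `org`; and `mktoken` draws only 4 bytes from `/dev/urandom` (hexdump prints them as two 16-bit words, so the token is 8 hex digits), which is 32 bits of entropy. If the token is the only thing tying a person to their submissions, take more bytes (e.g. `bs=16`) so it cannot be guessed.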
@ -0,0 +1,122 @@
The Story
-------
[start]
At approximately 8:05 AM US/Eastern,
an analyst at the Maine Energy Research Facility (MERF)
discovered anomalous traffic to an IP geolocated in the Macedonian Empire.
The analyst reported the traffic to IARC,
who requested packet captures.
Packet captures reveal port 79 (finger) TCP traffic,
which does not conform to the finger protocol.
The MERF analyst is investigating proxy logs to determine the internal origin of traffic.
Packet captures have been sent to the Cyber Response Team (CRT)
for deep analysis.


proto
-----
#20
"Garfield" protocol identified and decoded.
Decodes indicate additional IPs of interest:
10.48.12.16
10.82.173.211
New pcap to be sent to CRT for deep analysis.
#30
Further analysis of Garfield protocol indicates attackers interested in
primarily JPEG and MP3 files on local hard drive,
and network-attached OkiMate 10 color printers.


#40
List of transferred files indicates interest in pie- and cake-related images,
audio files of bird calls.
Password "ARBUCKLE" used for exfiltrated ZIP files.
advise addition of snort rule
{dsize:48; pcre:"^#~1..PDQ\008"; msg:"CRT Garfield"; sid:1663999; rev:00;}


#100
Second stage malware binary identified,
named "Odie".
18GB of Odie traffic found at MERF.


#1000
Odie protocol decoded.
Decodes indicate attackers interested in
primarily video files,
no indication of further infections.


#2000
Video files transferred are all of Maine wildlife,
mostly birds.
All attacker activity identified.


Kevin's Stuff
----------
Kevin has not yet told me what his stuff contains,
and probably never will,
so I'm making it all up.


Investigation at MERF has uncovered three internal machines as traffic origin.
These machines are being left online for observation,
Files from directory C:\Windows\System32\POOKY have been sent to IARC and CRT for further analysis.
Several ZIP files located in deleted filespace on infected machines.
Analysis of C:\Windows\System32\POOKY\system_wallpaper.jpg
reveals malware dropper.
MERF machines all contain the unique registry entry \HOST\UNREAL\LASAGNE_KEY = I_HATE_MONDAYS.
IARC has advised sites to search for this key.
Visited network file systems all pertain to wildlife photography.
ZIP files contain JPEG and MP3 files,
all photographs and recordings of birds.



rln's stuff
--------
rln has also not yet told me what his stuff contains,
and may not actually have any stuff.
If he does, this is what I'll say it is.
"Garfield" drops registry key \HOST\UNREAL\LASAGNE_KEY
"Garfield" malware contains C2 capability.
Reports all joystick input to web server at atlv.papillon.mcd,
recommend policy disabling joysticks at this time.
Registry key value I_HATE_MONDAYS indicates successful phone home


"Odie" malware contains C2 capability,
no registry keys.
Odie uses remote host jasex.binky.mcd
Odie Malware appears to use 16-byte key "NERMALpookyODIE"
Odie has directory walking search capability.
Odie has file transfer capability.
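Review bot: the rule under "advise addition of snort rule" in the `#40` entry is not valid Snort syntax, so anyone who pastes it into a sensor gets a parse error: a rule needs a header such as `alert tcp any any -> any 79`, the options belong in parentheses, and `pcre` takes a delimited pattern, e.g. `pcre:"/^#~1..PDQ\x08/"`, where `\008` does not mean byte 0x08 (PCRE reads `\00` as a NUL followed by a literal `8`). Either rewrite it in that form or have the entry say it is flavour text. Two consistency points: "Odie Malware appears to use 16-byte key "NERMALpookyODIE"" names a 15-character string, so either the length or the key is wrong; and the "Kevin's Stuff" and "rln's stuff" sections open with author notes ("Kevin has not yet told me what his stuff contains", "so I'm making it all up") that will be shown to players if this file is served as-is, so mark them as TODO or keep them outside the story text.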