mirror of https://github.com/dirtbags/moth.git
assign tokens, create progressive story
This commit is contained in:
parent
8b3d8ec45c
commit
1e529abe23
|
@ -0,0 +1,17 @@
|
|||
#! /bin/sh
|
||||
|
||||
# Give it your registration raw data on stdin
|
||||
# It appends any new folks to tokens.txt
|
||||
|
||||
mktoken () {
|
||||
dd if=/dev/urandom bs=4 count=1 2>/dev/null | hexdump | while read a b c; do
|
||||
[ -n "$b" ] && echo $b$c
|
||||
done
|
||||
}
|
||||
|
||||
while IFS=' ' read name email org c1 c2; do
|
||||
if ! grep -q "$email" tokens.txt; then
|
||||
printf "%s " "$email" >> tokens.txt
|
||||
mktoken >> tokens.txt
|
||||
fi
|
||||
done
|
|
@ -0,0 +1,122 @@
|
|||
The Story
|
||||
-------
|
||||
|
||||
[start]
|
||||
At approximately 8:05 AM US/Eastern,
|
||||
an analyst at the Maine Energy Research Facility (MERF)
|
||||
discovered anomalous traffic to an IP geolocated in the Macedonian Empire.
|
||||
The analyst reported the traffic to IARC,
|
||||
who requested packet captures.
|
||||
Packet captures reveal port 79 (finger) TCP traffic,
|
||||
which does not conform to the finger protocol.
|
||||
The MERF analyst is investigating proxy logs to determine the internal origin of traffic.
|
||||
Packet captures have been sent to the Cyber Response Team (CRT)
|
||||
for deep analysis.
|
||||
|
||||
|
||||
proto
|
||||
-----
|
||||
|
||||
#20
|
||||
|
||||
"Garfield" protocol identified and decoded.
|
||||
Decodes indicate additional IPs of interest:
|
||||
10.48.12.16
|
||||
10.82.173.211
|
||||
New pcap to be sent to CRT for deep analysis.
|
||||
|
||||
#30
|
||||
|
||||
Further analysis of Garfield protocol indicates attackers interested in
|
||||
primarily JPEG and MP3 files on local hard drive,
|
||||
and network-attached OkiMate 10 color printers.
|
||||
|
||||
|
||||
#40
|
||||
|
||||
List of transferred files indicates interest in pie- and cake-related images,
|
||||
audio files of bird calls.
|
||||
Password "ARBUCKLE" used for exfiltrated ZIP files.
|
||||
|
||||
advise addition of snort rule
|
||||
{dsize:48; pcre:"^#~1..PDQ\008"; msg:"CRT Garfield"; sid:1663999; rev:00;}
|
||||
|
||||
|
||||
#100
|
||||
|
||||
Second stage malware binary identified,
|
||||
named "Odie".
|
||||
18GB of Odie traffic found at MERF.
|
||||
|
||||
|
||||
#1000
|
||||
|
||||
Odie protocol decoded.
|
||||
Decodes indicate attackers interested in
|
||||
primarily video files,
|
||||
no indication of further infections.
|
||||
|
||||
|
||||
#2000
|
||||
|
||||
Video files transferred are all of Maine wildlife,
|
||||
mostly birds.
|
||||
All attacker activity identified.
|
||||
|
||||
|
||||
Kevin's Stuff
|
||||
----------
|
||||
|
||||
Kevin has not yet told me what his stuff contains,
|
||||
and probably never will,
|
||||
so I'm making it all up.
|
||||
|
||||
|
||||
Investigation at MERF has uncovered three internal machines as traffic origin.
|
||||
These machines are being left online for observation,
|
||||
|
||||
Files from directory C:\Windows\System32\POOKY have been sent to IARC and CRT for further analysis.
|
||||
|
||||
Several ZIP files located in deleted filespace on infected machines.
|
||||
|
||||
Analysis of C:\Windows\System32\POOKY\system_wallpaper.jpg
|
||||
reveals malware dropper.
|
||||
|
||||
MERF machines all contain the unique registry entry \HOST\UNREAL\LASAGNE_KEY = I_HATE_MONDAYS.
|
||||
IARC has advised sites to search for this key.
|
||||
|
||||
Visited network file systems all pertain to wildlife photography.
|
||||
|
||||
ZIP files contain JPEG and MP3 files,
|
||||
all photographs and recordings of birds.
|
||||
|
||||
|
||||
|
||||
rln's stuff
|
||||
--------
|
||||
|
||||
rln has also not yet told me what his stuff contains,
|
||||
and may not actually have any stuff.
|
||||
If he does, this is what I'll say it is.
|
||||
|
||||
"Garfield" drops registry key \HOST\UNREAL\LASAGNE_KEY
|
||||
|
||||
"Garfield" malware contains C2 capability.
|
||||
|
||||
Reports all joystick input to web server at atlv.papillon.mcd,
|
||||
recommend policy disabling joysticks at this time.
|
||||
|
||||
Registry key value I_HATE_MONDAYS indicates successful phone home
|
||||
|
||||
|
||||
"Odie" malware contains C2 capability,
|
||||
no registry keys.
|
||||
|
||||
Odie uses remote host jasex.binky.mcd
|
||||
|
||||
Odie Malware appears to use 16-byte key "NERMALpookyODIE"
|
||||
|
||||
Odie has directory walking search capability.
|
||||
|
||||
Odie has file transfer capability.
|
||||
|
Loading…
Reference in New Issue