mirror of https://github.com/dirtbags/moth.git
123 lines
2.9 KiB
Plaintext
123 lines
2.9 KiB
Plaintext
The Story
|
|
-------
|
|
|
|
[start]
|
|
At approximately 8:05 AM US/Eastern,
|
|
an analyst at the Maine Energy Research Facility (MERF)
|
|
discovered anomalous traffic to an IP geolocated in the Macedonian Empire.
|
|
The analyst reported the traffic to IARC,
|
|
who requested packet captures.
|
|
Packet captures reveal port 79 (finger) TCP traffic,
|
|
which does not conform to the finger protocol.
|
|
The MERF analyst is investigating proxy logs to determine the internal origin of traffic.
|
|
Packet captures have been sent to the Cyber Response Team (CRT)
|
|
for deep analysis.
|
|
|
|
|
|
proto
|
|
-----
|
|
|
|
#20
|
|
|
|
"Garfield" protocol identified and decoded.
|
|
Decodes indicate additional IPs of interest:
|
|
10.48.12.16
|
|
10.82.173.211
|
|
New pcap to be sent to CRT for deep analysis.
|
|
|
|
#30
|
|
|
|
Further analysis of Garfield protocol indicates attackers interested in
|
|
primarily JPEG and MP3 files on local hard drive,
|
|
and network-attached OkiMate 10 color printers.
|
|
|
|
|
|
#40
|
|
|
|
List of transferred files indicates interest in pie- and cake-related images,
|
|
audio files of bird calls.
|
|
Password "ARBUCKLE" used for exfiltrated ZIP files.
|
|
|
|
advise addition of snort rule
|
|
{dsize:48; pcre:"^#~1..PDQ\008"; msg:"CRT Garfield"; sid:1663999; rev:00;}
|
|
|
|
|
|
#100
|
|
|
|
Second stage malware binary identified,
|
|
named "Odie".
|
|
18GB of Odie traffic found at MERF.
|
|
|
|
|
|
#1000
|
|
|
|
Odie protocol decoded.
|
|
Decodes indicate attackers interested in
|
|
primarily video files,
|
|
no indication of further infections.
|
|
|
|
|
|
#2000
|
|
|
|
Video files transferred are all of Maine wildlife,
|
|
mostly birds.
|
|
All attacker activity identified.
|
|
|
|
|
|
Kevin's Stuff
|
|
----------
|
|
|
|
Kevin has not yet told me what his stuff contains,
|
|
and probably never will,
|
|
so I'm making it all up.
|
|
|
|
|
|
Investigation at MERF has uncovered three internal machines as traffic origin.
|
|
These machines are being left online for observation,
|
|
|
|
Files from directory C:\Windows\System32\POOKY have been sent to IARC and CRT for further analysis.
|
|
|
|
Several ZIP files located in deleted filespace on infected machines.
|
|
|
|
Analysis of C:\Windows\System32\POOKY\system_wallpaper.jpg
|
|
reveals malware dropper.
|
|
|
|
MERF machines all contain the unique registry entry \HOST\UNREAL\LASAGNE_KEY = I_HATE_MONDAYS.
|
|
IARC has advised sites to search for this key.
|
|
|
|
Visited network file systems all pertain to wildlife photography.
|
|
|
|
ZIP files contain JPEG and MP3 files,
|
|
all photographs and recordings of birds.
|
|
|
|
|
|
|
|
rln's stuff
|
|
--------
|
|
|
|
rln has also not yet told me what his stuff contains,
|
|
and may not actually have any stuff.
|
|
If he does, this is what I'll say it is.
|
|
|
|
"Garfield" drops registry key \HOST\UNREAL\LASAGNE_KEY
|
|
|
|
"Garfield" malware contains C2 capability.
|
|
|
|
Reports all joystick input to web server at atlv.papillon.mcd,
|
|
recommend policy disabling joysticks at this time.
|
|
|
|
Registry key value I_HATE_MONDAYS indicates successful phone home
|
|
|
|
|
|
"Odie" malware contains C2 capability,
|
|
no registry keys.
|
|
|
|
Odie uses remote host jasex.binky.mcd
|
|
|
|
Odie Malware appears to use 16-byte key "NERMALpookyODIE"
|
|
|
|
Odie has directory walking search capability.
|
|
|
|
Odie has file transfer capability.
|
|
|