IoC (TT Malware Log)

Malware IoC (Indicator) information

** Caution ** Site for malware analysis experts

     FQDNs, URLs, IP addresses, etc. are posted as-is

Moose

【Indicator information】

■Hash information (MD5) - Moose -


(The above is ESET information; source: https://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf )

■URL

77.247.177.36:81
93.190.140.221:80
85.159.237.107:81
85.159.237.108:81
77.247.177.87:81

(The above is ESET information; source: https://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf )

■IP addresses


(The above is ESET information; source: https://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf )


【YARA rules】

// Linux/Moose yara rules
// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These yara rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2015-2016, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
private rule is_elf
{
    strings:
        $header = { 7F 45 4C 46 }

    condition:
        $header at 0
}

rule moose_1
{
    meta:
        Author = "Thomas Dupuy"
        Date = "2015/04/21"
        Description = "Linux/Moose malware"
        Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "github@eset.com"
        License = "BSD 2-Clause"

    strings:
        $s0 = "Status: OK"
        $s1 = "--scrypt"
        $s2 = "stratum+tcp://"
        $s3 = "cmd.so"
        $s4 = "/Challenge"
        $s7 = "processor"
        $s9 = "cpu model"
        $s21 = "password is wrong"
        $s22 = "password:"
        $s23 = "uthentication failed"
        $s24 = "sh"
        $s25 = "ps"
        $s26 = "echo -n -e "
        $s27 = "chmod"
        $s28 = "elan2"
        $s29 = "elan3"
        $s30 = "chmod: not found"
        $s31 = "cat /proc/cpuinfo"
        $s32 = "/proc/%s/cmdline"
        $s33 = "kill %s"

    condition:
        is_elf and all of them
}

rule moose_2
{
    meta:
        Author = "Thomas Dupuy"
        Date = "2016/10/02"
        Description = "Linux/Moose malware active since September 2015"
        Reference = "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/"
        Contact = "github@eset.com"
        License = "BSD 2-Clause"

    strings:
        $s1 = "Modules are loaded"
        $s2 = "--scrypt"
        $s3 = "http://"
        $s4 = "https://"
        $s5 = "processor "
        $s6 = "cpu model "
        $s7 = "Host: www.challpok.cn"
        $s8 = "Cookie: PHPSESSID=%s; nhash=%s; chash=%s"
        $s9 = "fail!"
        $s10 = "H3lL0WoRlD"
        $s11 = "crondd"
        $s12 = "cat /proc/cpuinfo"
        $s13 = "Set-Cookie: PHPSESSID="
        $s14 = "Set-Cookie: LP="
        $s15 = "Set-Cookie: WL="
        $s16 = "Set-Cookie: CP="
        $s17 = "Loading modules..."
        $s18 = "-nobg"

    condition:
        is_elf and 5 of them
}

(The above is ESET information; source: https://github.com/eset/malware-ioc/blob/master/moose/linux-moose.yar )

【References】

◆Dissecting Linux/Moose (ESET, 2015/05)
http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf