Kaspersky_Lab_crouching_yeti_appendixes_eng_final

More documents

Recommendations

Info

12 FILES CREATED: \TMPprovider0XX.dll (versions
13 Control Panel\International\ sCountry Country sLanguage Language Control Panel\International\Geo\ Nation Not connected Dial-up LAN Connection InetInfo CurrentIP - Removable - Fixed - Remote - CDROM - Ramdisk Drive http\shell\open\command .exe DefaultBrowser ListProcess data64 HARDWARE\DESCRIPTION\System BiosReg Desktop MyDocs ProgFiles CONNECT google.com:80 HTTP/1.0 Proxy-Authorization:Basic google.com GET / HTTP/1.1 Host: google.com (ver 025) Phalanx-3d.ServerAgent.dll “d:\Workspace\PhalangX 3D\Src\Build\Release\Phalanx-3d.ServerAgent.pdb” (ver 029 & 030) 5265882854508EFCF958F979E4 (ver 024, 029 - 038) &v1= TLP: Green For any inquire please contact intelreports@kaspersky.com
Page 1 and 2: Crouching Yeti — Appendixes Kaspe
Page 3 and 4: 3 I. Appendix 1: Indicators of comp
Page 5 and 6: 5 II. Appendix 2: Havex loader - de
Page 7 and 8: 7 030: 309276719429789193750028F978
Page 9 and 10: 9 Decoded RSA 1024 bit key: 0000000
Page 11: 11 • Running Processes • Proxy
Page 15 and 16: 15 version 029 3x1 version 030 3x1
Page 17 and 18: 17 CLSID: UserType: VerIndProgID:
Page 19 and 20: 19 Config in stored in resource WRT
Page 21 and 22: 21 compiled: Thu, 02 Feb 2012 09:50
Page 23 and 24: 23 the RSAeuro library. They recomp
Page 25 and 26: 25 N parameter in one sample: The E
Page 27 and 28: 27 Havex sample details by version
Page 29 and 30: 29 Compiled: Mon, 07 Nov 2011 09:40
Page 31 and 32: 31 SHA-256: 8d343be0ea83597f041f9cb
Page 33 and 34: 33 SHA-256: 0f4046be5de15727e8ac786
Page 35 and 36: 35 Compiled: Tue, 10 Jan 2012 14:04
Page 37 and 38: 37 SHA-256: 72ff91b3f36ccf07e3daf67
Page 39 and 40: 39 Compiled: C2 URLs: Mon, 12 Mar 2
Page 41 and 42: 41 Compiled: Fri, 26 Oct 2012 10:12
Page 43 and 44: 43 www.idweb.ru/assets/modules/docm
Page 45 and 46: 45 C2 URLs: www.pc-service-fm.de/mo
Page 47 and 48: 47 III. Appendix 3: The Sysmain bac
Page 49 and 50: 49 antibioticsdrugstore.com/err/log
Page 51 and 52: 51 The path to this file is saved i
Page 53 and 54: 53 • “dll”: load dll sent fro
Page 55 and 56: 55 index.cgi/?loc=258 • Get systi
Page 57 and 58: 57 V. Appendix 5: The ClientX backd
Page 59 and 60: 59 public string[] servers; public
Page 61 and 62: 61 Once it is done filling the prSe
Page 63 and 64:
63 5.5.3 TIM The TIM command is res
Page 65 and 66:
65 VI. Appendix 6: Karagany backdoo
Page 67 and 68:
67 • Xfrost • Killklg List of s
Page 69 and 70:
69 Main Features: * Full Screen Cap
Page 71 and 72:
71 VII. Appendix 7: C&C Analysis Th
Page 73 and 74:
73 VIII. Appendix 8: Victim identif
Page 75 and 76:
75 Victim 24 Areas of activity: rec
Page 77 and 78:
77 Victim 49 Telecommunications and
Page 79 and 80:
79 Victim 75 University in Taiwan.
Page 81 and 82:
81 IX. Appendix 9: Hashes Havex, Sy
Page 83 and 84:
83 c66525285707daff30fce5d79eb1bdf3
Page 85 and 86:
85 ClientX: 66ab3a26ffe5d9fb72083dc
Page 87 and 88:
87 data\sydmain.dll”,AGTwLoad eWo
Page 89 and 90:
89 Path: %TEMP%\qln.dbx Size: 2 Des
Page 91 and 92:
91 SHA-256: e94b97716d354a21dcff365
Page 93 and 94:
93 After the strcat call values sma
Page 95 and 96:
95 And when decoded, the contents o
Page 97 and 98:
97 kool.jar ¦ fcswzHCx.class, 330
Page 99 and 100:
99 The encoding algo was a simple a
Page 101 and 102:
101 The decoded strings here: TLP:
Page 103 and 104:
103 f0.appendChild(document.createE
Page 105 and 106:
105 10.5. Related Targeted Software
Page 107 and 108:
107 the relevant code is called in
Page 109 and 110:
109 Exploit URL roxsuite.com/compon
Page 111 and 112:
111 Compromised Referrer Referrer P
Page 113 and 114:
113 Compromised Referrer Referrer P
Page 115 and 116:
115 XII. Appendix 12: Previous and
show all

Kaspersky_Lab_crouching_yeti_appendixes_eng_final

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?