Analysis of new Shamoon infections

[Wingman]

Reports suggested that a further 15 Shamoon incidents had been reported from public to private sector.

Spoiler: Indicator of Compromise

Domains:

• winappupdater.com
• update.winupdater.com
• // domain registered on 2016-11-25 by benyamin987@mail.com
• hash 146a112cb01cd4b8e06d36304f6bdf7b and bf4b07c7b4a4504c4192bd68476d63b5 were connecting to this site

Hashes:

• 146a112cb01cd4b8e06d36304f6bdf7b
• bf4b07c7b4a4504c4192bd68476d63b5
• a96d211795852b6b14e61327bbcc3473
• 1507A4FDF65952DFA439E32480F42CCF1460B96F

File locations & file names:

Collection of system information:
“%localappdata%\Microsoft\Windows\Tmp765643.txt” //where Tmp[6digits].txt is the syntax//

Filenames and locations:

• Microsoft\Windows\ccd
• Microsoft\Windows\ccd6.exe”
• Microsoft\Windows\ssc”
• Microsoft\Windows\tss.ps1″
• Microsoft\Windows\Tmp9932u1.bat”
• Microsoft\Windows\Tmp765643.txt”
• Microsoft\Windows\dp.ps1″
• Microsoft\Windows\ccd61.ps1
• Microsoft\Windows\dp.ps1″

Interesting strings in code-samples:

• F:\Projects\Bot Fresh\Release\Bot Fresh.pdb
• F:\Projects\Bot\Bot\Release\Ism.pdb
• G:\Projects\Bot\Bots\Bot5\Release\Ism.pdb

 

[Wave]

• F:\Projects\Bot Fresh\Release\Bot Fresh.pdb

• F:\Projects\Bot\Bot\Release\Ism.pdb

• G:\Projects\Bot\Bots\Bot5\Release\Ism.pdb

Visual Studio is popular.