Krypt3ia



OpISIS C2’s and Malware?


I was bored again and let my fingers do the walking on ThreatCrowd, with some interesting results. Did you all know that you can put plain words into that search engine and come up with malware hits? So, in the case of my word searches, I decided to look for Arabic words that have meaning to Da’esh and the jihadi set, with some interesting results. In the case of the word “jihad” I came up with the following hits:

The hits there show you the attendant hashes of malware alleged to be connected to those domains as C2 (Command and Control) systems. When you click on them you get the Maltego maps and all of the data concerning them, so you can see where everything pivots to and what other servers may be involved with it. Using this method I ran into a set of results for Bladabindi, which is the same malware seen in the recent attack on the Amaq Da’esh site that was hacked and served malware out to about 600 people (claimed, going by the stats from the link shortener used to propagate it).


The Bladabindi samples, though, all source from one domain: isisisiisisiisis.ddns.net

Bladabindi malware set and variants

MSI pivot on Bladabindi

The searches that I ran showed that there were concerted efforts with Bladabindi using dynamic DNS hostnames (jihad101.no-ip.biz and others) as command and control for the Bladabindi variants used against jihadists in the past, and they continue today. There is even a Minecraft server (jihad.serveminecraft.net) that may be involved as well. Of course it is funny ha ha to name these servers jihadihacker and the like to poke at the jihobbyists, but it is kinda bad OPSEC really in my book. So either these are OpISIS or someone is having a bit of a joke, but the malware in the case of jihad100.no-ip.biz is just “server.exe” and, like the rest of the samples I was seeing, basically a RAT, so I can see how these are just being used to pwn these jihadis and harvest their real data, that is, if they are stupid enough to run “server.exe” on their box.
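As an added example (not code from the original post), here is a small Python script that parses the hostname/MD5 layout used in the IOC list below, flags hosts sitting under the dynamic DNS providers named in the post, and matches a constructed resolver query log against those hostnames. The DNS log format, the suffix list and the sample data are assumptions built from the post's own indicators.

```python
import re

# Constructed sample in the same "hostname / MD5=..." layout as the post's IOC list.
IOC_BLOCK = """
isisisiisisiisis.ddns.net
MD5=22e2fa976906b4aac9509828e124c734 MD5=cf084279a857462e2cf96b053a7175af

jihad101.no-ip.biz
MD5=2b2f4d554c493c7dfb9700baf50c9559

jihad.serveminecraft.net
"""
# Dynamic-DNS suffixes seen in the post (assumption: not an exhaustive list).
DDNS_SUFFIXES = (".no-ip.biz", ".no-ip.org", ".ddns.net", ".zapto.org", ".serveminecraft.net")
MD5_RE = re.compile(r"\bMD5=([0-9a-f]{32})\b")
# BIND-style query log line (assumed format for the constructed sample below).
QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN ")

def parse_iocs(text):
    """Return {hostname: [md5, ...]} from the post's IOC layout."""
    iocs, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        hashes = MD5_RE.findall(line)
        if hashes and current is not None:
            iocs[current].extend(hashes)          # hashes belong to the last hostname seen
        elif not hashes:
            current = line.lower()                # a bare line starts a new hostname entry
            iocs.setdefault(current, [])
    return iocs

def is_ddns(host):
    """True if the host sits under one of the dynamic-DNS providers above."""
    return host.lower().endswith(DDNS_SUFFIXES)

def match_dns_log(log_text, iocs):
    """Return (client, host) pairs whose queried name is a listed C2 host."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group(2).lower() in iocs:      # normalise case before the lookup
            hits.append((m.group(1), m.group(2).lower()))
    return hits

# Constructed resolver log lines; the third uses mixed case to show normalisation.
DNS_LOG = """\
10-Apr-2017 20:01:12 client 10.0.0.5#51234: query: jihad101.no-ip.biz IN A +
10-Apr-2017 20:01:40 client 10.0.0.7#51999: query: www.example.com IN A +
10-Apr-2017 20:02:03 client 10.0.0.9#50001: query: ISISISIISISIISIS.ddns.net IN A +
"""
```

Feeding the full IOC block from the post into `parse_iocs` gives a lookup table you can run against real resolver or proxy logs; the dynamic DNS check is a cheap first filter, not proof of compromise on its own.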

Malware from jihadi100.no-ip.biz

VirusTotal entry for the same malware sample

Generally I am seeing the same kinds of attacks with older off-the-shelf malware that may get past some old AV or work on people who have no AV at all, but nothing so far has stood out as exotic, so I am thinking this is the Anons doing their thing, or trying to... At the least it was interesting to find the function on ThreatCrowd and leverage it. I think I will plink away at it some more using Russian words next for shits and giggles... Or... OOOH, maybe Korean, huh?

I guess the last thing I would say on all of this is that the Anons may have had some success with these attacks and maybe passed on some info to the right people, but generally I am not impressed with the ops against Da’esh as a whole. Taking down the jihobbyist sites may be splashy for the tabloids, but the reality of it is that sites like Amaq are just for the lowest of fruit, users online wanking off to jihad. Sure, some could maybe go full “lone wolf nutbag” and try something, but generally the real players got off the boards years ago because they were just for skidz and wannabes. Most of the real shit happens in closed sites that are below the radar and of course on chat systems like Telegram and others, where they can talk with some crypto and not be hassled by some poor PHP site that gets popped every other day and taken offline.

Meh.

IOCs:

https://www.threatcrowd.org/domain.php?domain=al-aren.com
https://www.threatcrowd.org/email.php?email=janeverno@gmail.com
https://www.threatcrowd.org/ip.php?ip=167.114.156.214

Threatcrowd for word jihad: https://www.threatcrowd.org/searchTwo.php?data=jihad
jihadhack1.no-ip.biz
jihadhacker.no-ip.biz
jihadijohn.no-ip.org
jihad1.ddns.net
jihad0812929.ddns.net
jihadhacker711.no-ip.biz
jihad059.ddns.net
jihad.serveminecraft.net
MD5=9d69109e7ceff7fa05966ba7e08e4d6d

Threatcrowd for word ISIS: https://www.threatcrowd.org/searchTwo.php?data=ISIS
isisisiisisiisis.ddns.net
MD5=22e2fa976906b4aac9509828e124c734
MD5=cf084279a857462e2cf96b053a7175af
https://www.threatcrowd.org/listMalware.php?antivirus=Password.Stealer
https://www.threatcrowd.org/listMalware.php?antivirus=Worm*Win32/Rebhip.A
https://www.threatcrowd.org/listMalware.php?page=716&antivirus=Back
https://www.threatcrowd.org/listMalware.php?page=949&antivirus=Back
https://www.threatcrowd.org/listMalware.php?page=1138&antivirus=W3

isisis12.no-ip.biz
Reference=Houdini/Dinihu/Jenxcus/H-worm
Reference=http://cybertracker.malwarehunterteam.com/c2/
Reference=https://bartblaze.blogspot.com/2014/02/remediate-vbs-malware.html
Reference=https://otx.alienvault.com/pulse/56e2dab5aef921042823dbca/

isis.ocn.ne.jp
MD5=2ecde55cc501d71803f0c57d668fa546

isis-paris.fr
MD5=797df4f92d18573ae98db61d4f8b0c89

isis-immo.com
MD5=797df4f92d18573ae98db61d4f8b0c89

isis.ie
MD5=797df4f92d18573ae98db61d4f8b0c89

isislove.zapto.org
MD5=764ecc97921c87de344bf98157e76e49
MD5=910dd000e8d8675348d94649c1ad9273

isishacker.ddns.net
MD5=be425683065595828801d5fe304826d1

isis94.no-ip.biz
MD5=fce1ef3b926f54a257896bd0adc09ecd

jihad100.no-ip.biz
MD5=11b45bfbbbd944ca9bf1f5f69628d055
MD5=1eb1a366dae694202235656f2f42aa9a
MD5=7f209fa351a6792484fcc4d786a17ffd
MD5=cd685e040b584909bd208e8fcad0c846

jihad1001.ddns.net
MD5=b31ac43984d38772f11a2ad1970e8e95
MD5=dc86dc3747a43f6bdda6abf36fa657d1

jihad101.no-ip.biz
MD5=2b2f4d554c493c7dfb9700baf50c9559

https://www.threatcrowd.org/domain.php?domain=jihad100.no-ip.biz
https://www.threatminer.org/domain.php?q=jihad100.no-ip.biz
https://www.threatcrowd.org/listMalware.php?page=95&antivirus=Backdoor.Bladabindi
https://www.threatcrowd.org/listMalware.php?antivirus=MSI
Hashes:

https://malwareconfig.com/config/7f209fa351a6792484fcc4d786a17ffd/

https://www.threatcrowd.org/domain.php?domain=jihad.serveminecraft.net
https://malwr.com/analysis/MzM2OTBkOGJmZjA4NDQ2YzkxODY0NGVkMWFiMDU1NjA/

https://www.threatcrowd.org/domain.php?domain=irhabi.no-ip.org

Written by Krypt3ia

2017/04/10 at 20:34

Posted in OpISIS