Miniduke IOC


authorizedsamurai

Mar 5, 2013, 12:02:17 PM
to ope...@googlegroups.com
I've only been playing with this stuff for a few weeks, so I'm sure I have a lot to learn.  But I'd like to share what I can.  This is an IOC for the Miniduke infection using information from public sources.

No warranties implied. :)  Comments, suggestions welcome.

<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="550e3f43-ce93-4bff-85ff-48f92e5eba93" last-modified="2013-03-05T16:53:41" xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>Miniduke</short_description>
  <description>http://www.crysys.hu/miniduke/miniduke_indicators_public.pdf
https://www.securelist.com/en/blog/208194129/The_MiniDuke_Mystery_PDF_0_day_Government_Spy_Assembler_0x29A_Micro_Backdoor
http://blog.crysys.hu/2013/02/miniduke/</description>
  <authored_by>Megan</authored_by>
  <authored_date>2013-03-01T15:39:49</authored_date>
  <links />
  <definition>
    <Indicator operator="OR" id="1ff9aa6d-beac-40a0-98d2-79dbb69af2ab">
      <IndicatorItem id="416a5304-a103-4d3d-a1f8-d2b030628980" condition="contains">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">news.grouptumblr.com</Content>
      </IndicatorItem>
      <IndicatorItem id="df2e8643-52a3-460e-b9eb-6d1a208d14d7" condition="contains">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">arabooks.ch</Content>
      </IndicatorItem>
      <IndicatorItem id="a192d4fe-6b1b-46ec-8541-3d25b2e30d87" condition="contains">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">artas.org</Content>
      </IndicatorItem>
      <IndicatorItem id="c5876782-7bbd-4972-aef7-87585f535078" condition="contains">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">tsoftonline.com</Content>
      </IndicatorItem>
      <IndicatorItem id="4fdc8dbf-0155-4bc2-8540-291ba665d1ce" condition="contains">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">www.eamtm.com</Content>
      </IndicatorItem>
      <IndicatorItem id="46df2229-9bdc-4537-bd00-3931cb5191b4" condition="contains">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir" />
        <Content type="IP">194.38.160.153</Content>
      </IndicatorItem>
      <IndicatorItem id="e6891b81-5987-4d16-bc2c-28e4acd32b12" condition="contains">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir" />
        <Content type="IP">95.128.72.24</Content>
      </IndicatorItem>
      <IndicatorItem id="60e46772-b418-4c0d-aa21-bb200a7b8780" condition="contains">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir" />
        <Content type="IP">72.34.47.186</Content>
      </IndicatorItem>
      <IndicatorItem id="27d32bc2-68c8-4e2f-9dc7-8989aeb5f021" condition="contains">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir" />
        <Content type="IP">188.40.99.143</Content>
      </IndicatorItem>
      <IndicatorItem id="fe121446-e048-4d48-9477-0c17dfd4fa42" condition="contains">
        <Context document="ProcessItem" search="ProcessItem/name" type="mir" />
        <Content type="string">rundll.exe</Content>
      </IndicatorItem>
      <IndicatorItem id="f8e72ce1-f829-4f79-8080-e976a8978664" condition="contains">
        <Context document="FileItem" search="FileItem/FileName" type="mir" />
        <Content type="string">.gif.dec</Content>
      </IndicatorItem>
      <IndicatorItem id="4484658b-72c4-46c3-8391-35088cb6276c" condition="contains">
        <Context document="FileItem" search="FileItem/FileName" type="mir" />
        <Content type="string">.gif_dec</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="b6421da4-5400-4b49-aa69-9659cdbbceae">
        <IndicatorItem id="3a1d9cdb-fb03-4bac-b3bd-5d4c5bdc4277" condition="is">
          <Context document="Network" search="Network/DNS" type="mir" />
          <Content type="string">www.google.com</Content>
        </IndicatorItem>
        <IndicatorItem id="25ee869f-1a75-4b9e-bd3c-a655bf83a674" condition="contains">
          <Context document="Network" search="Network/DNS" type="mir" />
          <Content type="string">twitter.com</Content>
        </IndicatorItem>
        <IndicatorItem id="be903434-db55-4485-b7f2-1a4188130d9d" condition="contains">
          <Context document="Network" search="Network/DNS" type="mir" />
          <Content type="string">www.geoiptool.com</Content>
        </IndicatorItem>
      </Indicator>
      <Indicator operator="AND" id="7972054d-2658-44d3-822e-b73b6724b8d6">
        <IndicatorItem id="98dd75a7-df18-411f-980c-a3699171dbab" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir" />
          <Content type="string">Local Settings</Content>
        </IndicatorItem>
        <IndicatorItem id="7b33d952-6dfe-4c23-b4aa-04111bff0810" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir" />
          <Content type="string">update.cmd</Content>
        </IndicatorItem>
      </Indicator>
      <Indicator operator="AND" id="346bfb16-8a97-4a0f-ba0a-2b4662a93425">
        <IndicatorItem id="4e9fbb72-4f0c-43ce-8cee-b401daa676d2" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir" />
          <Content type="string">All Users</Content>
        </IndicatorItem>
        <IndicatorItem id="743b0ee4-f5fd-4c58-a385-55462d90af63" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir" />
          <Content type="string">base.cat</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>

Tom U. @c_APT_ure

Mar 5, 2013, 12:28:49 PM
to ope...@googlegroups.com
Thanks for sharing this.

One suggestion would be to attach the *.ioc file instead of copy/paste XML in the mail body.

Another suggestion would be to use the pseudo-IOC notation also used on this site ( http://ioc.forensicartifacts.com/ ) to show or discuss IOCs so it's easier understandable.

Sorry, I haven't really looked at the IOC itself, and don't take this as criticism, just suggestions ;-)

Keep going and also consider sharing your IOCs on the site above. (if you can make them public -- which on this list it kinda is)

Cheers,
Tom


Devon Kerr

Mar 5, 2013, 12:37:00 PM
to ope...@googlegroups.com
Good job!

One thing I'd suggest is adding the MD5s for these files - filename and path tend to be non-unique indicator terms where something like an MD5 is very unique.  I'd add those in under the parent OR.  

There's also some inconsistency regarding the use of "is" versus "contains".  Within the first AND block there are three DNS cache items and the first is represented using "is" while the others are represented using "contains".  If multiple hostnames are possible you could address that using 'Network DNS contains "domain.tld"' since that will encompass "host1.domain.tld", "host2.domain.tld", etc.  If the actual cache entry was "twitter.com" either "is" or "contains" would work, but it makes me ask whether "www.google.com" was the specific cache item and whether using "contains google.com" might be slightly more forgiving.

Perhaps look at the PE info from the binaries if you have them available - that information can often make some really great indicator material.
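
To make the OR/AND structure of the posted IOC and the "is" versus "contains" point above concrete, here is an added example (my own code, not from this thread and not from any OpenIOC tool): a small evaluator for OpenIOC 1.0 definitions run against a host snapshot. IOC_XML is a trimmed, constructed subset of the posted IOC (same terms, shortened ids); the host snapshots are constructed data; the `per_object` flag, the case-insensitive matching and the record layout are my assumptions, not something the thread states.

```python
# Added example (not from the original thread): parse an OpenIOC 1.0 file and
# evaluate it against a host snapshot. IOC_XML is a trimmed, constructed subset
# of the posted Miniduke IOC; CLEAN and INFECTED are constructed host data.
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

IOC_XML = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="550e3f43-ce93-4bff-85ff-48f92e5eba93">
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="i1" condition="contains">
        <Context document="Network" search="Network/DNS" type="mir"/>
        <Content type="string">news.grouptumblr.com</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="dns-pair">
        <IndicatorItem id="i3" condition="is">
          <Context document="Network" search="Network/DNS" type="mir"/>
          <Content type="string">www.google.com</Content>
        </IndicatorItem>
        <IndicatorItem id="i4" condition="contains">
          <Context document="Network" search="Network/DNS" type="mir"/>
          <Content type="string">twitter.com</Content>
        </IndicatorItem>
      </Indicator>
      <Indicator operator="AND" id="update-cmd">
        <IndicatorItem id="i5" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
          <Content type="string">Local Settings</Content>
        </IndicatorItem>
        <IndicatorItem id="i6" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">update.cmd</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def doc_of(item):
    return item.find("ioc:Context", NS).get("document")

def item_hits(item, record):
    """Apply one IndicatorItem to one record such as {"DNS": "x"} or
    {"FileName": "a", "FullPath": "C:\\..\\a"}. Matching is case-insensitive
    (an assumption here that suits DNS names and Windows paths)."""
    field = item.find("ioc:Context", NS).get("search").split("/", 1)[1]
    value = record.get(field)
    if value is None:
        return False
    needle = item.find("ioc:Content", NS).text.strip().lower()
    cond = item.get("condition")
    if cond == "is":
        return value.lower() == needle
    if cond == "contains":
        return needle in value.lower()
    raise ValueError("unsupported condition: %r" % cond)

def evaluate(node, host, per_object=False):
    """True if `node` (Indicator or IndicatorItem) matches host = {document: [records]}.
    per_object=False: each item is satisfied by any record of its document type.
    per_object=True:  inside an AND, items sharing a document type must all hit the
    same record (same file, same DNS entry). Which mode a given tool applies is
    tool-specific and an assumption here; the dns-pair block shows why it matters."""
    if node.tag.endswith("}IndicatorItem"):
        return any(item_hits(node, r) for r in host.get(doc_of(node), []))
    items = node.findall("ioc:IndicatorItem", NS)
    subs = node.findall("ioc:Indicator", NS)
    if node.get("operator", "OR").upper() == "OR":
        return any(evaluate(c, host, per_object) for c in items + subs)
    if not per_object:
        return all(evaluate(c, host, per_object) for c in items + subs)
    groups = {}
    for it in items:                    # AND: group items by document type ...
        groups.setdefault(doc_of(it), []).append(it)
    for doc, grp in groups.items():     # ... and demand one record satisfying the group
        if not any(all(item_hits(it, r) for it in grp) for r in host.get(doc, [])):
            return False
    return all(evaluate(s, host, per_object) for s in subs)

def matched_ids(host, per_object=False, xml_text=IOC_XML):
    """Ids of the top-level OR's children that fire on `host`, in document order."""
    top = ET.fromstring(xml_text).find("ioc:definition/ioc:Indicator", NS)
    return [c.get("id") for c in top if evaluate(c, host, per_object)]

# Constructed snapshots. CLEAN resolved Google and Twitter and has a vendor's
# update.cmd outside "Local Settings"; INFECTED has the C2 lookup and the dropped file.
CLEAN = {
    "Network": [{"DNS": "www.google.com"}, {"DNS": "api.twitter.com"}],
    "FileItem": [{"FileName": "update.cmd",
                  "FullPath": "C:\\Program Files\\Vendor\\update.cmd"}],
}
INFECTED = {
    "Network": [{"DNS": "news.grouptumblr.com"}],
    "FileItem": [{"FileName": "update.cmd",
                  "FullPath": "C:\\Documents and Settings\\admin\\Local Settings\\Temp\\update.cmd"}],
}
```

Running `matched_ids(CLEAN)` fires the `dns-pair` block on a host that merely visited Google and Twitter, while `matched_ids(CLEAN, per_object=True)` returns nothing, because no single DNS entry can be both names; `matched_ids(INFECTED)` returns the C2 item and the `update-cmd` block under either mode, since the path and file name there belong to the same record. A host whose cache holds `google.com` without the `www.` never satisfies the `is` item, which is the looseness `contains google.com` would buy.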


authorizedsamurai

Mar 8, 2013, 10:41:23 AM
to ope...@googlegroups.com
I couldn't get the attachment to work, but I'll try again next time I have something to post.  NoScript doesn't always play nice with Google applications.