From f1549d1869b6e02bbb95f687dd97974dfede377a Mon Sep 17 00:00:00 2001
From: ESET Research
Date: Tue, 16 Jun 2020 09:41:03 -0400
Subject: [PATCH] Added IoCs for In(ter)ception

---
 interception/README.adoc | 124 ++++++++++++++++++++++++++++++++++++
 interception/samples.md5 | 8 +++
 interception/samples.sha1 | 8 +++
 interception/samples.sha256 | 8 +++
 4 files changed, 148 insertions(+)
 create mode 100644 interception/README.adoc
 create mode 100644 interception/samples.md5
 create mode 100644 interception/samples.sha1
 create mode 100644 interception/samples.sha256

diff --git a/interception/README.adoc b/interception/README.adoc
new file mode 100644
index 0000000..a3c6da1
--- /dev/null
+++ b/interception/README.adoc
@@ -0,0 +1,124 @@
+= Operation In(ter)ception -- Indicators of Compromise
+
+For details about Operation In(ter)ception, read the summary
+https://www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/[blog post]
+and research paper,
+https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf[Operation
+In(ter)ception: Targeted attacks against European aerospace and military
+companies], on https://www.welivesecurity.com[WeLiveSecurity].
+
+== ESET detection name
+
+Win32/Interception.A
+
+== Host based indicators
+
+=== SHA-1 hashes
+
+----
+B1199EE7AFB1F348D42BEF1CAED7E405A7631B1B
+286C01EAB255DA32B7F36CE9814DA3999E17F40D
+0C63F318EDEAEDC7D7AF28304A61A0DF71699F89
+373EC71B31F803298F06B7EDED059BC1E7C6D70B
+AE130A678D76C44171799C0750FEFD5DB43A9DE4
+FB38C71DD02C3926F9A1C146A13A66579D3F88D2
+8690930299D83FE65A9C3C5CD1D7F509A79D8E71
+D07B19373293369C55CC6E7E0D4CF6CFE32542DF
+----
+
+=== Files and folders
+
+----
+C:\Intel\IntelR.lor
+C:\Intel\IntelV.cgi
+C:\Intel\crtutl.exe
+C:\NVIDIA\nvc.exe
+C:\NVIDIA\nve.exe
+C:\NVIDIA\nvd.exe
+C:\NVIDIA\nve.cgr
+C:\NVIDIA\nve.lom
+C:\NVIDIA\nve.cgt
+C:\NVIDIA\nve.loe
+C:\NVIDIA\nve.cgy
+C:\NVIDIA\nve.lop
+C:\NVIDIA\nve.cgb
+C:\NVIDIA\ctutl.exe
+C:\NVIDIA\ctrutl.exe
+C:\NVidia\NvDaemon.exe
+C:\ProgramData\Skype\Skype.exe
+C:\ProgramData\Mozilla\fx.rmb
+C:\ProgramData\DellTPad\ApMsgApp.exe
+C:\ProgramData\DellTPad\DellTPadRepair.exe
+C:\ProgramData\DellTPad\DellTPadMobile.exe
+C:\ProgramData\DVDStudio\DVDTools.exe
+C:\ProgramData\DVDStudio\DVDStudioSync.exe
+C:\Users\\AppData\Local\Temp\~pwshld3.dat
+C:\Users\\AppData\Local\Microsoft\OneDrive\OneDrive.exe
+C:\Users\\AppData\Local\Microsoft\oneDrive\oneDriveSync.exe
+C:\Users\\AppData\Local\IconCache.db7
+C:\Users\\AppData\Local\NTUSER45F7.POL
+----
+
+== Network indicators
+
+----
+https://cwjamaica[.]biz/images/logo.png
+https://sbsserv.camdvr[.]org/top.swf
+https://km.wu.ac[.]th/image/office.jpg
+https://safebrowsing.gleeze[.]com/welcome1.png
+http://safebrowsing.gleeze[.]com/header.png
+https://safebrowsing.gleeze[.]com/header.png
+http://205.210.162[.]36/start.html
+http://205.210.162[.]36/www2default/css1/style.xsl
+https://www2.markham[.]ca/css1/Mar.xsl
+https://www2.markham[.]ca/css1/style.swf
+https://www2.markham[.]ca/css1/style.jpg
+https://www2.markham[.]ca/css1/style.xsl
+https://www2.markham[.]ca/css1/style.css
+https://www2.markham[.]ca/view_center.asp
+https://www2.markham[.]ca/css/first.css
+https://www2.markham[.]ca/first.jpeg
+https://www2.markham[.]ca/politicia.asp
+https://www2.markham[.]ca/taxing-churc.asp
+https://www2.markham[.]ca/exports-to-Turkey.asp
+https://www2.markham[.]ca/Climate.asp
+https://www2.markham[.]ca/discoveries.asp
+https://www2.markham[.]ca/pay-talks-fai.asp
+https://www2.markham[.]ca/Nouvelles.asp
+https://www2.markham[.]ca/News.asp
+https://www2.markham[.]ca/Noticias.asp
+https://www2.markham[.]ca/EU-nominee.asp
+https://www2.markham[.]ca/Business.asp
+https://www2.markham[.]ca/Culture.asp
+https://www2.markham[.]ca/Life-Work.asp
+https://www2.markham[.]ca/Comercio.asp
+https://www2.markham[.]ca/Links.asp
+https://www2.markham[.]ca/churc.asp
+https://www2.markham[.]ca/products.asp
+https://www2.markham[.]ca/exports.asp
+https://online.verzatec[.]com/banner.asp
+https://nic.mywire[.]org/view.asp
+https://chuta[.]jp/jtool/dic.css
+https://chuta[.]jp/jtool/dic.png
+https://chuta[.]jp/jtool/politicia.asp
+https://chuta[.]jp/jtool/taxing-churc.asp
+https://chuta[.]jp/jtool/exports-to-Turkey.asp
+https://chuta[.]jp/jtool/Climate.asp
+https://chuta[.]jp/jtool/discoveries.asp
+https://chuta[.]jp/jtool/pay-talks-fai.asp
+https://chuta[.]jp/jtool/Nouvelles.asp
+https://chuta[.]jp/jtool/News.asp
+https://chuta[.]jp/jtool/Noticias.asp
+https://chuta[.]jp/jtool/EU-nominee.asp
+https://chuta[.]jp/jtool/Business.asp
+https://chuta[.]jp/jtool/Culture.asp
+https://chuta[.]jp/jtool/Life-Work.asp
+https://chuta[.]jp/jtool/Comercio.asp
+https://chuta[.]jp/jtool/Links.asp
+https://chuta[.]jp/jtool/churc.asp
+https://chuta[.]jp/jtool/products.asp
+https://chuta[.]jp/jtool/exports.asp
+https://comnet.aev[.]com/wik.xsl
+http://servicediscovery.kozow[.]com
+https://w3.casacam[.]net
+----
diff --git a/interception/samples.md5 b/interception/samples.md5
new file mode 100644
index 0000000..9a3ebe4
--- /dev/null
+++ b/interception/samples.md5
@@ -0,0 +1,8 @@
+922acc98cff5377fb58c7babdcb9b1af
+74a8f57a9b8df4cbf1dc79f6ae1fbe05
+5ea378474295858c6b01ee342fc99228
+5619f2a5b06c945f7a31cfe741517e1e
+f9f60d2758a061f2897813723a6b892e
+21c6e9478beca6f413213f080ab7c091
+f5a295c37ddf9664239f0e30003d31c0
+851a4f13928a5edb3859a21a8041908e
diff --git a/interception/samples.sha1 b/interception/samples.sha1
new file mode 100644
index 0000000..fe9cfdc
--- /dev/null
+++ b/interception/samples.sha1
@@ -0,0 +1,8 @@
+ae130a678d76c44171799c0750fefd5db43a9de4
+286c01eab255da32b7f36ce9814da3999e17f40d
+fb38c71dd02c3926f9a1c146a13a66579d3f88d2
+b1199ee7afb1f348d42bef1caed7e405a7631b1b
+0c63f318edeaedc7d7af28304a61a0df71699f89
+d07b19373293369c55cc6e7e0d4cf6cfe32542df
+8690930299d83fe65a9c3c5cd1d7f509a79d8e71
+373ec71b31f803298f06b7eded059bc1e7c6d70b
diff --git a/interception/samples.sha256 b/interception/samples.sha256
new file mode 100644
index 0000000..db14605
--- /dev/null
+++ b/interception/samples.sha256
@@ -0,0 +1,8 @@
+149066503652dc0f01a9418e39c187a3bd42b92db0baaee45fc00d5780e522e8
+d0cbdc854a29058b9004dd94d8f797fe789787b6c485c0901bfda2a1ef8e7960
+5c7bb5dec82060a71e3a032e5841ee04d0629516ce423752e97a1ccfa684d8a5
+c418472505deb7f754af1c8b835b9febbdfb3794459bf8fd03851cb8b6d96e21
+a0c470007222480de7c462e5894f45ecb298f2dc17b8ac5f04c09e3831e38911
+65c739d78ce0ac2a2de0065d62e5a9a07183c47c7f0dab9bc07a255cd4711f4d
+d307d51d62674856c216f4de99e5d6d5efc0e31a10dbbf111e8310f6dae1dc43
+33d2b141b17e6e04da11b2a75ca2dab74de19c1fb7be5065e839f540d267bdca