
Operation Potao Indicators of Compromise (IOC)

These IOCs were released as part of our research on Operation Potao. The full report is available here: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf

We have IOCs in the form of hashes, IP addresses, domain names, yara rules and IDS rules (snort). Hashes, IP addresses and domain names are documented here, the rest are in separate files inside this folder.

Caution
As soon as this information is public the malware authors will most likely update their technique and tools to evade detection and thwart analysis as they have done in the past. Consequently, be aware that any of the advice we give to identify or clean oneself might already be outdated.

Warning
These come with no warranties. They might not detect an infection and/or trigger false positives. Apply judgment.

If you find false positives, have improved IOCs or find samples that do not match these IOCs, please open an issue, provide a pull request or contact us at: threatintel@eset.com.

Malware samples

The first version:


Debug versions:


Droppers with decoy:


Droppers from postal sites:


USB-spreaders:


Other droppers:


Plugins:


Fake TrueCrypt Setup:


Fake TrueCrypt extracted exe:


Domain names


IP addresses


Detection (YARA)

To determine whether a file or a set of files is related to this threat, you can use the popular YARA tool.

Using the .yar YARA rule in this repository, you can recursively scan a directory for Operation Potao files with:

yara -r PotaoNew.yar directory/

If the command yields no output, no files were identified as belonging to this threat. Otherwise, the names of the identified files are printed.

Further modifications made by the malware authors to evade detection will reduce the usefulness of this YARA rule over time.

Detection (IDS)

Snort rules are available in potao.rules.

Additionally, the fine folks at Emerging Threats designed Snort and Suricata rules to detect Operation Potao and included them in their open ruleset. You can also find them in this repository: potao-et.rules