Branch: master. Latest commit ccdb4ae, May 29, 2019.

Repository files:
  • README.md (Update README.md, May 29, 2019)
  • common_passwords.txt (first commit, May 22, 2019)
  • common_usernames.txt (first commit, May 22, 2019)
  • detect_nansh0u.ps1 (first commit, May 22, 2019)
  • file_names.txt (first commit, May 22, 2019)
  • hashes.txt (first commit, May 22, 2019)
  • ip_addresses.md (first commit, May 22, 2019)
  • mining_pools_domains.md (Update and rename mining_pools_domains.txt to mining_pools_domains.md, May 27, 2019)
  • turtlecoin_wallet.txt (first commit, May 22, 2019)

README.md

Nansh0u Campaign IoCs 🐢

This repository contains a list of IoCs for the Nansh0u campaign.

Repository Contents

  • The lists of common usernames and passwords used to break into MSSQL servers
  • Names of files dropped as part of the attacks
  • MD5 hashes of the payloads downloaded as part of the attacks
  • IP addresses of both attackers and connect-backs
  • Domains of mining pools connected to by the miner malware
  • The attacker's TRTLCoin wallet address
  • A PowerShell script made by Guardicore to detect residues of the Nansh0u campaign on a Windows machine

Detection Script - detect_nansh0u.ps1

Running the Script

Open a PowerShell command prompt and run

.\detect_nansh0u.ps1

The script detects traces of the campaign's attacks:

  1. Payload files in c:\ProgramData\
  2. Registry run-keys
  3. The driver SA6482

If the machine has any such residues, the output will contain the sentence

Evidence for Nansh0u campaign has been found on this host.

In that case, you should:

  • remove traces of the attack from C:\ProgramData\
  • remove the malicious driver
  • terminate the miner process
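The following script is an added example and is not the repository's detect_nansh0u.ps1; it shows one way to implement the three checks listed above (files under C:\ProgramData, Run keys, the SA6482 driver) driven by the repository's own file_names.txt and hashes.txt, with an optional -Remediate switch that performs the three clean-up steps. It assumes, because the page does not say so, that file_names.txt holds one file name per line, that hashes.txt holds one MD5 per line, and that the driver is registered under the service name SA6482; the Run key paths are the standard Windows ones.

```powershell
# Added example, not the Guardicore detect_nansh0u.ps1 from this repository.
# Assumptions (not stated on the page): file_names.txt has one file name per line,
# hashes.txt has one MD5 per line, and the driver is a service named SA6482.
# Run from an elevated PowerShell prompt. -Remediate is off by default.
[CmdletBinding()]
param(
    [string]$IocDir = '.',                   # folder containing file_names.txt and hashes.txt
    [string]$ProgramData = 'C:\ProgramData',
    [string]$DriverName = 'SA6482',
    [switch]$Remediate
)

function Read-IocList([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    @(Get-Content -LiteralPath $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ -and -not $_.StartsWith('#') })
}

$knownNames  = Read-IocList (Join-Path $IocDir 'file_names.txt')
$knownHashes = @(Read-IocList (Join-Path $IocDir 'hashes.txt') | ForEach-Object { $_.ToUpperInvariant() })

$fileHits   = [System.Collections.Generic.List[string]]::new()   # full paths of matching payload files
$runKeyHits = [System.Collections.Generic.List[object]]::new()   # objects with Key, Name, Command
$driverHit  = $false

# 1. Payload files in C:\ProgramData: match by name anywhere in the tree, or by MD5 for
#    name matches and files directly in the top-level folder (hashing everything is slow).
Get-ChildItem -LiteralPath $ProgramData -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $nameMatch = $knownNames -contains $_.Name
    $hashMatch = $false
    $topLevel  = $_.DirectoryName.TrimEnd('\') -eq $ProgramData.TrimEnd('\')
    if ($knownHashes.Count -gt 0 -and ($nameMatch -or $topLevel) -and $_.Length -lt 64MB) {
        $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        $hashMatch = [bool]$md5 -and ($knownHashes -contains $md5)
    }
    if ($nameMatch -or $hashMatch) { $fileHits.Add($_.FullName) }
}

# 2. Registry Run keys: flag values whose command references a known file name or a file found in step 1.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$needles = @($knownNames) + @($fileHits)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata, not values
        $cmd = [string]$p.Value
        if (@($needles | Where-Object { $_ -and ($cmd -like "*$_*") }).Count -gt 0) {
            $runKeyHits.Add([pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd })
        }
    }
}

# 3. The SA6482 driver: present as a service key, or currently loaded (assumed service name).
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"
$loaded = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue
if ((Test-Path -LiteralPath $svcKey) -or $loaded) { $driverHit = $true }

$found = (($fileHits.Count + $runKeyHits.Count) -gt 0) -or $driverHit
if (-not $found) { Write-Output 'No Nansh0u residue found on this host.'; exit 0 }

Write-Output 'Evidence for Nansh0u campaign has been found on this host.'
$fileHits   | ForEach-Object { Write-Output "  payload file : $_" }
$runKeyHits | ForEach-Object { Write-Output "  run key      : $($_.Key)\$($_.Name) = $($_.Command)" }
if ($driverHit) { Write-Output "  driver       : $DriverName (service key present or driver loaded)" }

if ($Remediate) {
    # The README's three clean-up steps. Running miner processes are stopped first because
    # Windows will not delete an executable that is still running.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($fileHits -contains $_.Path) } |
        Stop-Process -Force -ErrorAction SilentlyContinue
    if ($driverHit) {
        & sc.exe stop   $DriverName | Out-Null
        & sc.exe delete $DriverName | Out-Null
    }
    foreach ($h in $runKeyHits) { Remove-ItemProperty -LiteralPath $h.Key -Name $h.Name -ErrorAction SilentlyContinue }
    foreach ($f in $fileHits)   { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
    Write-Output 'Remediation attempted; re-run without -Remediate to confirm the host is clean.'
}
exit 1
```

Run it from the cloned repository folder so the IoC lists are found (for example `.\check_nansh0u.ps1 -IocDir .`); the exit code is 1 when residue is found and 0 otherwise, which makes it usable from a scheduled job or an EDR script runner. Matching Run keys only against the IoC file names, rather than against anything under C:\ProgramData, keeps legitimate software that installs there from being reported.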