Authored By:
Zourick
Description:
Basic host-based indicators found in reports.
Reports:
http://www.crysys.hu/skywiper/skywiper.pdf
https://www.securelist.com/en/blog?weblogid=208193538
Indicators:
OR
File Name contains ~DEB93D.tmp
File Full Path contains windows\system32\mssecmgr.ocx
AND
Registry KeyPath contains SYSTEM\CurrentControlSet\Control\Lsa\Autenthication\
OR
Registry Value contains mssecmgr.ocx
Registry Value contains authpack.ocx
Download:
a385732f-71cc-4035-a0c5-c671e78d1fb0.ioc