Pumpkin_Eclipse_IOCs.txt
October 2023 Campaign
1st stage Payload Servers
38.54.27[.]204
104.233.210[.]119
104.233.210[.]118
107.148.88[.]123
Actor name:get_scrpc
sha1:21d9ae29551dcbe39de375bdf8ada5a47b0e2372
sha256:49c04e56dfb17ac16acddfcf9eff7ae82d70294a8ec70b6365ab43a07441badd
Actor name:Get_strtriiusj
Name on disk:/usr/bin/bf2rdisc
sha1:6c6609264e9e4b365e1bd7df187f4405a1df3f02
sha256:8639bbb3ffe5fa51334c6ab4d45ae1647a29a97f061a9456991333ab166b52fd
Actor name:get_fwuueicj
Name on disk:/usr/bin/usb2rci
Name on disk:/tmp/crrs
sha1:27dc61dd0bb9a53799ae29c6927f38d98ccdb27b
sha256:00550d5c2ed14a445ae13cff8eff32ba7a7dd502d145481bcd18161cf1df540d
C2:hxxp://coreconf[.]net:8080/E2XRIEGSOAPU3Z5Q8
C2:hxxp://185.189.240[.]13:8080/E2XRIEGSOAPU3Z5Q8
Chalubo
hosting:hxxp://coreconf[.]net:8080/E2XRIEGSOAPU3Z5Q8/mips
sha256:8f4b61975539dbfe903f448636a48168351018801f2581a63d97179c37cad979
C2:hxxp://185.189.240[.]13:8080/E2XRIEGSOAPU3Z5Q8/res.dat
Cmd.lua
sha1:183fa84e35bb498efb4dfb05d2a4997cd66e2f0f
sha256:7a81bbb1f7055cd3f30db8bb2a104b969914ccd520cf85c24b25ba5b0c720206
Domains to DDoS from Lua Script
hxxp://denglujiechi666.oss-cn-chengdu.aliyuncs[.]com
hxxp://mmmmm999.oss-cn-chengdu.aliyuncs[.]com
hxxps://dh.id3cqcmgjcb[.]top
hxxps://www.v5002[.]cn
hxxps://mh.55dmh[.]com
hxxps://www.3smh[.]com
hxxps://m.isanyin[.]com
hxxps://m.aiguoba[.]com
hxxps://cu6s[.]com
axon-stall.riddlecamera[.]net
lighten.medyamol[.]com.
Associated with ActionTec
services.banner_hashes="sha256:d0643c777b0b24ca747f7dc79d3bdfbc04d3095ded760e6a54fa62bfa6945df3"
Chalubo Platform
Upstream Controller for Panels
103.140.187[.]149
Checkqazxsw1[.]com
Test certificate found on port 8853
sha256:5b9405418b654c9418e514ae3420c72af58d418adefca43644bf2bf14d89cc5a
Chalubo Panels Active as of November 3rd displaying the certificate above:
112[.]121[.]165[.]78
216[.]118[.]241[.]202
103[.]117[.]145[.]110
185[.]189[.]240[.]21
139[.]5[.]202[.]106
103[.]117[.]146[.]219
103[.]244[.]2[.]170
112[.]121[.]165[.]76
185[.]189[.]241[.]180
103[.]117[.]145[.]106
139[.]5[.]202[.]19
180[.]178[.]46[.]242
103[.]244[.]2[.]218
103[.]117[.]146[.]218
2[.]59[.]222[.]97
103[.]117[.]145[.]107
116[.]213[.]39[.]2
141[.]193[.]159[.]11
180[.]178[.]46[.]244
103[.]84[.]84[.]251
103[.]248[.]22[.]5
2[.]59[.]223[.]144
112[.]121[.]165[.]75
216[.]118[.]241[.]206
116[.]213[.]39[.]4
216[.]118[.]241[.]203
185[.]189[.]240[.]13
103[.]117[.]147[.]66
2[.]59[.]223[.]218
116[.]213[.]39[.]3
103[.]117[.]146[.]222
185[.]189[.]241[.]246
2[.]59[.]223[.]253
45[.]116[.]160[.]154
139[.]5[.]202[.]18
104[.]233[.]167[.]62
107[.]148[.]0[.]182
103[.]117[.]145[.]109
114[.]29[.]255[.]77
216[.]118[.]241[.]204
103[.]117[.]146[.]220
45[.]116[.]160[.]115
104[.]233[.]167[.]81
2[.]59[.]222[.]35
114[.]29[.]255[.]123
116[.]213[.]39[.]5
2[.]59[.]223[.]213
2[.]59[.]222[.]146
2[.]59[.]222[.]102
112[.]121[.]165[.]77
2[.]59[.]222[.]124
45[.]116[.]160[.]62
104[.]233[.]167[.]103
180[.]178[.]46[.]245
216[.]118[.]241[.]205
104[.]233[.]167[.]63
2[.]59[.]222[.]125
45[.]116[.]160[.]100
112[.]121[.]165[.]74
45[.]116[.]160[.]105
2[.]59[.]222[.]99
104[.]233[.]167[.]82
104[.]233[.]166[.]129
103[.]84[.]84[.]250
141[.]193[.]159[.]10
116[.]213[.]39[.]6
103[.]117[.]145[.]108
2[.]59[.]223[.]226
2[.]59[.]222[.]3
104[.]233[.]166[.]194
103[.]244[.]2[.]171
180[.]178[.]46[.]243
103[.]244[.]2[.]217
103[.]117[.]147[.]67
45[.]116[.]160[.]182
103[.]248[.]22[.]16
2[.]59[.]222[.]126
180[.]178[.]46[.]246
Historical Campaign - Reverse Chronological Order
July 2023 Campaign
1st stage payload server:hxxp://194.36.190[.]99:38291/as/crtarm3
sha256:a8a2c2f82d542b0e05848d102e2f04239982b48ba7522a83dfc8b1308d7a8c12 (the source listed this same value under both sha1 and sha256; it is 64 hex characters, so it is a SHA-256 and no SHA-1 is recorded)
2nd stage C2 servers
hxxp://sainnguatc[.]com:8080/ASUHALUMNABTC
hxxp://91.211.88[.]6:8080/ASUHALUMNABTC
July 2021 Campaign
0c7c6926e854aac4dc4821be07f826157b576d0a217d74d5675d7b32eb78b50e creator-aarch64
967289406b0da030a93cefaa2644b109260565f5f767b95ce2a5d96d49c57bf2 creator-aarch64_be
d9322af52b941e76bec3d2596a1c1be47dffc4fb161656da2c7c45b3d492cfd8 creator-arm
f5894f0cc7d9da2f188b740bb0596206038d9dba430c7d2a145d7454d9f1b4db creator-armeb
b5fc0c265eb192b2a2d778e66d6f076e876eeacf57c3927e406b4e1b72152038 creator-i486
b2e2193e49ee1240be30f5040dbb5e2c973cdfb02c3ea88ef4ffeda884de28c2 creator-mips
59437e986acd685ad3ce48bf010efff22aa866c0fa066b0e64e510ecb026dd1a creator-mips-linux
117bd27a209d6350b10f5c8f8cf841755c253276460be8c7681f5357e07d2e0c creator-mips-rtl
619564061e62a6352f0ce1a06d2883d46eb69df16322b30e8a2a9c65e2d32f5f creator-mips64
bdef8e089ffa00794f40f14ad3cdb8f1629241a4ac313bef8fe3d38e08207e4c creator-mips64el
f9db9632ffd7e3bd5b700025fa9278420de0778029fe2eedb6ea7b3d7b999ef6 creator-mipsel
2a65fdd8c44a6b7191c09702d9f747471564346c465a42b9abbb4dfa1bc5f7fb creator-mipsel-linux
6be5b4bc461f1ba931bfe773df66bf5f8052626adbdf2b1156a06d0da2d8d3d1 creator-powerpc
9b929bcc182c39540767a9b8237a8436c82997c68d4d2ba710241387c39c27f5 creator-powerpc64
e5030083c101058f52394820420a372bf93bcac2d802902d4d4c91470c96b608 creator-powerpc64le
ed9511c16229f4bb41f461e90fff7964e79f2c2d27e7de2b107e4d003e9e0def creator-rtl
5fc8534d490312823a49e2a13afc8a7b6b026280c79db704465fddd8a1fdc376 creator-s390x
5621cdb8d07900a333d022a9696c1a6f7e45d6cfc713558c462a3ace7c4b426f creator-sh2
5b7874b18e8365e07624946a33518988aea4c72478a285a36047b4ba554a7576 creator-x86_64
2nd stage C2 servers
hxxp://nihiosuxnmo[.]com:8080/SASBCKXOWYALLCZXF
hxxp://91.211.88[.]225:8080/SASBCKXOWYALLCZXF
hxxp://sainnguatc[.]com:8080/ASUHALUMNABTC/res.dat - 2023-07-09
hxxp://d2h7pt7y3j9pry.cloudfront[.]net/sticker_res/3051/res.dat - 2023-10-11
hxxp://xmsecu[.]net/00030695mcksiqq/res.dat
hxxp://xmsecu100[.]net/23652xxxxx000008skcai/res.dat
hxxp://xmsecu[.]io/00030678bbgstrjs/res.dat
hxxp://xmsecu[.]io/c638020vkklkjjiu/res.dat
hxxp://xmsecu[.]io/00030674uucyttsikk/res.dat
hxxp://2.59.222[.]97/dldsc522dsdasd/res.dat
hxxp://ammhdfgygb[.]com/dldsc522dsdasd/res.dat
hxxp://secu100[.]com/23652xxxxx000008skcai/res.dat
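The list above mixes label:value lines, hxxp:// and [.] defanging, sha1/sha256 labels, a Censys-style services.banner_hashes query and one Python-list line of quoted IPs, so it cannot be dropped into a blocklist as-is. The script below is an added example (not code from the Pumpkin Eclipse repository) that parses that layout into typed, refanged indicators, flags a hash whose length does not match its label, and matches the result against proxy log lines. The IOC sample inside it is a subset of the list above; the log lines and their key=value field names (dst, host, sha256) are constructed for the demonstration.

```python
"""Parse a defanged IOC list in the layout used above and match it against logs.

Added example, not part of the Pumpkin Eclipse repository. IOC_TEXT is a
subset of the list above; LOG_LINES and their field names are constructed.
"""
import re
from urllib.parse import urlsplit

IOC_TEXT = """\
1st stage Payload Servers
38.54.27[.]204
Actor name:get_scrpc
sha1:21d9ae29551dcbe39de375bdf8ada5a47b0e2372
sha256:49c04e56dfb17ac16acddfcf9eff7ae82d70294a8ec70b6365ab43a07441badd
C2:hxxp://coreconf[.]net:8080/E2XRIEGSOAPU3Z5Q8
hxxps://www.3smh[.com
lighten.medyamol[.]com.
services.banner_hashes="sha256:d0643c777b0b24ca747f7dc79d3bdfbc04d3095ded760e6a54fa62bfa6945df3"
['185[.]189[.]240[.]13', '2[.]59[.]222[.]97']
sha1:a8a2c2f82d542b0e05848d102e2f04239982b48ba7522a83dfc8b1308d7a8c12
0c7c6926e854aac4dc4821be07f826157b576d0a217d74d5675d7b32eb78b50e creator-aarch64
"""

# Constructed proxy/EDR log lines (key=value fields); not from any real environment.
LOG_LINES = [
    "ts=2023-10-12T03:14:07Z src=10.0.0.7 dst=185.189.240.13 dport=8080 host=coreconf.net",
    "ts=2023-10-12T03:14:09Z src=10.0.0.7 dst=93.184.216.34 dport=443 host=example.com",
    "ts=2023-10-12T03:15:40Z src=10.0.0.9 dst=10.0.0.2 dport=445 "
    "sha256=0c7c6926e854aac4dc4821be07f826157b576d0a217d74d5675d7b32eb78b50e",
]

LABEL = re.compile(r"^([A-Za-z0-9 _.]+?)\s*[:=]\s*(?!//)(.+)$")  # label:value, label="value"
QUOTED = re.compile(r"'([^']+)'")                                  # Python-list style lines
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HEXSTR = re.compile(r"^[0-9a-f]+$")
DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(token):
    """Undo the defanging used in the list: hxxp(s):// and [.], including
    the lopsided [.com / .]com forms that creep into hand-edited lists."""
    t = token.strip().rstrip(";")
    t = re.sub(r"^hxxp", "http", t, flags=re.I)
    return t.replace("[.]", ".").replace("[.", ".").replace(".]", ".")


def split_label(token):
    """Peel 'label:value' / 'label="value"' prefixes; return (last label, value).
    The (?!//) guard keeps the scheme of a URL from being read as a label."""
    label = None
    while (m := LABEL.match(token)):
        label, token = m.group(1).strip().lower(), m.group(2).strip().strip("\"'")
    return label, token


def classify(value):
    """Map one refanged token to (kind, normalized value), or None for prose."""
    v = value.split()[0].rstrip(".")  # keep only the first word; drop FQDN trailing dot
    low = v.lower()
    if IPV4.match(low):
        return "ipv4", low
    if low.startswith(("http://", "https://")):
        return "url", v  # URL paths are case-sensitive, so keep the original case
    if HEXSTR.match(low) and len(low) in HASH_KIND:
        return HASH_KIND[len(low)], low
    if DOMAIN.match(low):
        return "domain", low
    return None


def parse_iocs(text):
    """Return ({kind: set(values)}, [warnings]); URLs also contribute their host."""
    iocs, warnings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        for tok in (QUOTED.findall(line) or [line]):
            label, value = split_label(tok)
            hit = classify(refang(value))
            if hit is None:
                continue
            kind, val = hit
            if label in HASH_KIND.values() and label != kind:
                warnings.append(f"line {lineno}: labelled {label} but value is a {kind}")
            iocs.setdefault(kind, set()).add(val)
            if kind == "url":
                host = urlsplit(val).hostname
                if host:
                    iocs.setdefault("ipv4" if IPV4.match(host) else "domain", set()).add(host)
    return iocs, warnings


def match_log(iocs, lines):
    """Return (line number, kind, value) for every log field that hits an indicator."""
    checks = {"dst": "ipv4", "host": "domain", "sha256": "sha256", "sha1": "sha1", "md5": "md5"}
    hits = []
    for lineno, line in enumerate(lines, 1):
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        for field, kind in checks.items():
            val = fields.get(field, "").lower()
            if val and val in iocs.get(kind, ()):
                hits.append((lineno, kind, val))
    return hits


if __name__ == "__main__":
    parsed, warns = parse_iocs(IOC_TEXT)
    for kind, values in sorted(parsed.items()):
        print(f"{kind}: {len(values)}")
    for w in warns:
        print("warning:", w)
    for hit in match_log(parsed, LOG_LINES):
        print("hit:", hit)
```

Two things to review before loading the output into a blocklist: a bare file name with a TLD-looking extension (Cmd.lua in the list above) satisfies the domain pattern and will be classified as a domain, and the hash-length warning is exactly the check that catches the July 2023 entry whose sha1 label carries a 64-character value.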