FROM SHAMOON TO STONEDRILL
Common Information
Type | Value |
---|---|
UUID | c5b8b470-22e7-40ad-a196-a6fcc8728f4f |
Fingerprint | 6248f98ce5c3c83d0331c8fc4f87f22da43cc5aff3818b16d7de30680f966a4a |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | March 20, 2017, 9:18 a.m. |
Added to db | March 10, 2024, 1:58 a.m. |
Last updated | Oct. 1, 2024, 2:36 p.m. |
Headline | FROM SHAMOON TO STONEDRILL |
Title | FROM SHAMOON TO STONEDRILL |
Detected Hints/Tags/Attributes | 150/3/120 |
Source URLs
URL Provider
Attributes
Type | #Events | Value |
---|---|---|
Domain | 338 | kaspersky.com |
Domain | 3 | key8854321.pub |
Domain | 1 | www.eservic.com |
Domain | 3 | www.chromup.com |
Domain | 1 | www.chrome-up.date |
Domain | 3 | service1.chrome-up.date |
Domain | 3 | service.chrome-up.date |
Domain | 1 | webmaster.serveirc.com |
Domain | 3 | www.securityupdated.com |
Domain | 1 | www.actdire.com |
Email | 147 | intelreports@kaspersky.com |
File | 2 | ntertmgr32.exe |
File | 4 | ntssrvr32.exe |
File | 748 | kernel32.dll |
File | 3 | ntssrvr64.exe |
File | 2127 | cmd.exe |
File | 1 | c:\windows\system32\ntssrvr64.exe |
File | 165 | csrss.exe |
File | 3 | netinit.exe |
File | 2 | c:\windows\temp\key8854321.pub |
File | 2 | caclsrv.exe |
File | 2 | dvdquery.exe |
File | 2 | msinit.exe |
File | 2 | sigver.exe |
File | 2 | wcscript.exe |
File | 3 | certutl.exe |
File | 4 | event.exe |
File | 2 | ntfrsutil.exe |
File | 3 | routeman.exe |
File | 2 | ntnw.exe |
File | 13 | clean.exe |
File | 2 | findfile.exe |
File | 3 | ntdsutl.exe |
File | 2 | rrasrv.exe |
File | 2 | netx.exe |
File | 2 | ctrl.exe |
File | 3 | gpget.exe |
File | 6 | power.exe |
File | 2 | sacses.exe |
File | 2 | fsutl.exe |
File | 2 | dfrag.exe |
File | 2 | ipsecure.exe |
File | 2 | rdsadmin.exe |
File | 2 | sfmsc.exe |
File | 9 | extract.exe |
File | 2 | dnslookup.exe |
File | 2 | iissrv.exe |
File | 2 | regsys.exe |
File | 2 | smbinit.exe |
File | 20 | page.php |
File | 1 | %temp%\temp\filer%rnddigits%.exe |
File | 5 | drdisk.sys |
File | 1 | launchwinapp.exe |
File | 263 | iexplore.exe |
File | 1 | %temp%\c-dlt-c-org-t.vbs |
File | 1 | %temp%\c-dlt-c-trsh-t.tmp |
File | 1 | %temp%\c-pdc-c-cpy-t.vbs |
File | 1 | %selected_name%.exe |
File | 1 | c-pdc-c-cpy-t.vbs |
File | 30 | c:\windows\system32\wscript.exe |
File | 4 | t.vbs |
File | 1 | c-pdi-c-cpy-t.vbs |
File | 1 | c:\programdata\internetexplorer\%selected_name%stp.exe |
File | 1 | fileinfo.txt |
File | 1 | %temp%\bd891.tmp |
File | 1 | bd891.tmp |
File | 1 | c-dlt-c-trsh-t.tmp |
File | 1 | c-trsh-t.tmp |
File | 1 | c:\programdata\internetexplorer\fileinfostp.txt |
File | 1 | fileinfostp.txt |
File | 1 | c:\programdata\chrome\fileinfo.txt |
File | 1 | %temp%\c-strt-c-up-t.bat |
File | 1 | check_exist.php |
File | 1 | %temp%\test.tmp |
File | 1 | dled-c-cpy-t.vbs |
File | 1 | pt.exe |
File | 1 | uptd-c-cpy-t.vbs |
File | 1 | c-up-c-dt-t.bat |
File | 1 | c-un-c-instl-t.bat |
File | 1 | %temp%\c-un-c-instl-t.bat |
md5 | 1 | 6dd571b84470ad9caad30a6a6acf491e |
md5 | 1 | 2cd0a5f1e9bcce6807e57ec8477d222a |
md5 | 2 | c843046e54b755ec63ccb09d0a689674 |
md5 | 3 | d01781f1246fd1b64e09170bd6600fe1 |
md5 | 1 | ac3c25534c076623192b9381f926ba0d |
md5 | 1 | 5446f46d89124462ae7aca4fce420423 |
md5 | 1 | 8fbe990c2d493f58a2afa2b746e49c86 |
md5 | 1 | 5bac4381c00044d7f4e4cbfd368ba03b |
md5 | 2 | ac4d91e919a3ef210a59acab0dbb9ab5 |
md5 | 1 | 1493d342e7a36553c56b2adea150949e |
md5 | 1 | 42f883d029b47f9d490a427091da3f5d |
md5 | 3 | 0ccc9ec82f1d44c243329014b82d3125 |
md5 | 1 | 697c515a46484be4f9597cb4f39b2959 |
md5 | 1 | e3a82d1db3ae8b189d2e1e0a22d6c82f |
md5 | 1 | 7946788b175e299415ad9059da03b1b2 |
md5 | 1 | 8405aa3d86a22301ae62057d818b6b68 |
md5 | 1 | 940cee0d5985960b4ed265a859a7c169 |
md5 | 1 | b4ddab362a20578dc6ca0bc8cc8ab986 |
md5 | 1 | baa9862b027abd61b3e19941e40b1b2d |
sha256 | 5 | 394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b |
sha256 | 5 | 47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34 |
sha256 | 4 | 61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842 |
sha256 | 4 | 772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5 |
sha256 | 5 | 128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd |
sha256 | 7 | c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a |
sha256 | 4 | 4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6 |
sha256 | 1 | eaee62a8238189e8607b24c463a84c83c2331a43b034484972e4b302bd3634d9 |
sha256 | 3 | 62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260 |
sha256 | 3 | bf79622491dc5d572b4cfb7feced055120138df94ffd2b48ca629bb0a77514cc |
sha256 | 1 | 69530d78c86031ce32583c6800f5ffc629acacb18aac4c8bb5b0e915fc4cc4db |
sha256 | 1 | 105ee777ad31a58301310719b49c7b6a7e957823e4dabbfeaa6a14e313008c1b |
IPv4 | 1441 | 127.0.0.1 |
IPv4 | 198 | 1.1.1.1 |
IPv4 | 109 | 1.0.0.0 |
Url | 1 | http://server/category/page.php?shinu=w74k9 |
Url | 1 | http://www.eservic.com |
Windows Registry Key | 2 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies |
Windows Registry Key | 112 | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
Windows Registry Key | 6 | HKCU\SOFTWARE\Microsoft |
Yara rule | 1 | StoneDrill_main_sub (rule text below) |

```yara
rule StoneDrill_main_sub {
    meta:
        author = "Kaspersky Lab"
        description = "Rule to detect StoneDrill (decrypted) samples"
        hash = "d01781f1246fd1b64e09170bd6600fe1"
        hash = "ac3c25534c076623192b9381f926ba0d"
        version = "1.0"
    strings:
        $code = { B8 08 00 FE 7F FF 30 8F 44 24 ?? 68 B4 0F 00 00 FF 15 ?? ?? ?? 00 B8 08 00 FE 7F FF 30 8F 44 24 ?? 8B ?? 24 [1-4] 2B ?? 24 [6] F7 ?1 [5-12] 00 }
    condition:
        uint16(0) == 0x5A4D and $code and filesize < 5000000
}
```
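The attribute table above is an extractor's dump rather than a curated indicator set: it mixes the report's real indicators (C2 hosts, dropper and wiper file names, sample hashes) with noise that the text-mining picked up along the way (kernel32.dll, cmd.exe, csrss.exe, iexplore.exe, the vendor's own domain, 127.0.0.1 and 1.1.1.1). The following script is an added example, not code from the page or from Kaspersky, showing how a practitioner would turn the table into something usable: it transcribes the domain, file-name and hash rows into sets, deliberately drops the entries that occur on every Windows host, and sweeps key=value style log lines for them. The log lines, host names and the md5 on the cmd.exe line are constructed for the example; the exclusion list is the editor's judgement, not the report's. The YARA rule is separate from this (it targets decrypted samples and needs the yara tool), so it is not reimplemented here.

```python
"""Sweep key=value log lines for the StoneDrill/Shamoon 2 indicators listed
on this page.  Added example: indicator sets are transcribed from the table
above; sample log lines are constructed, not taken from the report."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# C2 / download hosts from the table. kaspersky.com is the publisher's own
# domain and is left out on purpose.
DOMAINS = {
    "www.eservic.com", "www.chromup.com", "www.chrome-up.date",
    "service1.chrome-up.date", "service.chrome-up.date",
    "webmaster.serveirc.com", "www.securityupdated.com", "www.actdire.com",
}
# Dropper/wiper names and the process-name pool from the table. cmd.exe,
# kernel32.dll, csrss.exe, iexplore.exe and wscript.exe also appear there but
# exist on every Windows host, so matching on them would be pure noise.
FILENAMES = set("""
ntertmgr32.exe ntssrvr32.exe ntssrvr64.exe netinit.exe key8854321.pub caclsrv.exe
dvdquery.exe msinit.exe sigver.exe wcscript.exe certutl.exe event.exe ntfrsutil.exe
routeman.exe ntnw.exe clean.exe findfile.exe ntdsutl.exe rrasrv.exe netx.exe ctrl.exe
gpget.exe power.exe sacses.exe fsutl.exe dfrag.exe ipsecure.exe rdsadmin.exe sfmsc.exe
extract.exe dnslookup.exe iissrv.exe regsys.exe smbinit.exe drdisk.sys launchwinapp.exe
""".split())
MD5S = set("""
6dd571b84470ad9caad30a6a6acf491e 2cd0a5f1e9bcce6807e57ec8477d222a
c843046e54b755ec63ccb09d0a689674 d01781f1246fd1b64e09170bd6600fe1
ac3c25534c076623192b9381f926ba0d 5446f46d89124462ae7aca4fce420423
8fbe990c2d493f58a2afa2b746e49c86 5bac4381c00044d7f4e4cbfd368ba03b
ac4d91e919a3ef210a59acab0dbb9ab5 1493d342e7a36553c56b2adea150949e
42f883d029b47f9d490a427091da3f5d 0ccc9ec82f1d44c243329014b82d3125
697c515a46484be4f9597cb4f39b2959 e3a82d1db3ae8b189d2e1e0a22d6c82f
7946788b175e299415ad9059da03b1b2 8405aa3d86a22301ae62057d818b6b68
940cee0d5985960b4ed265a859a7c169 b4ddab362a20578dc6ca0bc8cc8ab986
baa9862b027abd61b3e19941e40b1b2d
""".split())
SHA256S = set("""
394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b
47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34
61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842
772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5
128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd
c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a
4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6
eaee62a8238189e8607b24c463a84c83c2331a43b034484972e4b302bd3634d9
62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260
bf79622491dc5d572b4cfb7feced055120138df94ffd2b48ca629bb0a77514cc
69530d78c86031ce32583c6800f5ffc629acacb18aac4c8bb5b0e915fc4cc4db
105ee777ad31a58301310719b49c7b6a7e957823e4dabbfeaa6a14e313008c1b
""".split())


@dataclass(frozen=True)
class Hit:
    kind: str       # "domain", "filename", "md5" or "sha256"
    indicator: str  # the table entry that matched
    line: str       # the log line it matched in


_KV = re.compile(r"(\w+)=(\S+)")   # key=value tokens in a log line
_HEX = re.compile(r"^[0-9a-f]+$")


def match_line(line: str) -> list[Hit]:
    """Return every indicator hit in one key=value style log line."""
    hits = []
    for _key, raw in _KV.findall(line):
        val = raw.strip('"').lower()
        if "://" in val:                    # URL: compare the host part only
            val = urlparse(val).hostname or val
        if _HEX.match(val) and len(val) == 32 and val in MD5S:
            hits.append(Hit("md5", val, line))
        elif _HEX.match(val) and len(val) == 64 and val in SHA256S:
            hits.append(Hit("sha256", val, line))
        elif dom := next((d for d in DOMAINS if val == d or val.endswith("." + d)), None):
            hits.append(Hit("domain", dom, line))       # exact or subdomain match
        elif (name := re.split(r"[\\/]", val)[-1]) in FILENAMES:
            hits.append(Hit("filename", name, line))    # basename of any path
    return hits


def scan(lines) -> list[Hit]:
    return [h for line in lines for h in match_line(line)]


SAMPLE_LOG = [  # constructed for this example; not from the report
    "2017-03-20T09:18:01Z dns host=WS-01 qname=www.kaspersky.com",
    "2017-03-20T09:18:02Z dns host=WS-01 qname=service.chrome-up.date",
    "2017-03-20T09:18:03Z sysmon event=1 host=WS-01 image=C:\\Windows\\System32\\cmd.exe "
    "md5=0e8e3f4a5b6c7d8e9f0a1b2c3d4e5f60",
    "2017-03-20T09:18:04Z sysmon event=11 host=WS-01 image=C:\\Windows\\System32\\ntssrvr32.exe "
    "target=C:\\Windows\\Temp\\key8854321.pub",
    "2017-03-20T09:18:05Z sysmon event=1 host=WS-02 image=C:\\Users\\Public\\update.exe "
    "md5=D01781F1246FD1B64E09170BD6600FE1",
    "2017-03-20T09:18:06Z proxy host=WS-02 url=http://www.eservic.com/category/page.php?shinu=w74k9",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.kind:8} {h.indicator:36} <- {h.line}")
```

Hashes are compared case-insensitively because Sysmon and most EDRs emit them in upper case while the table is lower case; file names are compared on the basename so the table's bare names and full paths (c:\windows\system32\ntssrvr64.exe, c:\windows\temp\key8854321.pub) hit the same entries; domains match on the host itself or any subdomain of it. The registry keys and IPv4 rows are not used: HKCU\...\Run is a generic autorun location, and 127.0.0.1, 1.1.1.1 and 1.0.0.0 are not attacker infrastructure.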