Network | IP Address | Project | Status | Date | Reason |
---|---|---|---|---|---|
192.169.0.0/24 | 192.168.0.255 | Default | On-Hold | 01JAN1970 | This is an example for a non-standard entry. This should include all relevant information regarding what happened on the operation and why this device has been placed on the NSDB. |
192.169.0.0/24 | 192.168.0.1 | Default | Released | 01JAN1970 | This is an example for a non-standard entry. This should include all relevant information regarding what happened on the operation and why this device has been placed on the NSDB. |
10.2.4.0/24 | 10.2.4.18 | BLUEBOX | Released | 18AUG2019 | Processes: logger.bin; Installed Directory: /bin/log/; Network Connections: none observed; Hash: deaf1b926d6cd166bdffd5d723409c832c7aef3a2. Final Assessment: The observed process, logger.bin, is known malware that functions as a local keylogger. The logger records keystrokes by capturing input as it comes from the keyboard, saves the data in the /bin/log/data text file, and sends the data once daily to an IP and port specified in logger.conf in the /bin/log/ directory. Because the data is captured at the keyboard and not at system level, it is unable to log remote credentials or commands. Operator Recommendation: This target should be released as the malware has no way to identify our access or actions. As the malware is not well hidden, its presence also indicates low administrator oversight. Continue to monitor whether it is running for changes in administrator attentiveness. Operator also recommends capturing /bin/log/data when accessing this host. |
10.123.169.0/24 | 10.123.169.30 | BLUEBOX | On-Hold | 20AUG2019 | Processes: mscore1ib.exe 808 0 17,520 K; mslibterm.exe 1715 0 35,680 K. Registry: HKLM\Software\Freeform; Installed Directory: C:\Program Files\MSCoreLibrary\; Network Connections: TCP 10.123.169.30:4327 52.43.89.11:443 ESTABLISHED 1715; Service/Persistence: SERVICE_NAME: msderplib, DISPLAY_NAME: Microsoft Core Library addons, TYPE: 10 WIN32_OWN_PROCESS, STATE: 4 RUNNING; Hash: fead1b926d6ea166daffd5c56106b328c77e240f. Final Assessment: This malware is credit card stealing spyware that calls out to a remote server to report on extracted information. Research shows that the malware works by scraping memory and extracting the plaintext credit card information straight from any browser it identifies and injects into. At the time of discovery there was one Chrome browser running with 5 tabs. Operator Recommendation: This target should be released from hold and Ops can continue on target as long as no technique used interacts with any browser on the system. |
10.168.169.0/24 | 10.168.169.30 | BLUEBOX | On-Hold | 20AUG2019 | Processes: mscore1ib.exe 808 0 17,520 K; mslibterm.exe 1715 0 35,680 K. Registry: HKLM\Software\Freeform; Installed Directory: C:\Program Files\MSCoreLibrary\; Network Connections: TCP 10.168.169.30:4327 52.43.89.11:443 ESTABLISHED 1715; Service/Persistence: SERVICE_NAME: msderplib, DISPLAY_NAME: Microsoft Core Library addons, TYPE: 10 WIN32_OWN_PROCESS, STATE: 4 RUNNING; Hash: fead1b926d6ea166daffd5c56106b328c77e240f. Final Assessment: This malware is credit card stealing spyware that calls out to a remote server to report on extracted information. Research shows that the malware works by scraping memory and extracting the plaintext credit card information straight from any browser it identifies and injects into. At the time of discovery there was one Chrome browser running with 5 tabs. Operator Recommendation: This target should be released from hold and Ops can continue on target as long as no technique used interacts with any browser on the system. |
10.20.169.0/24 | 10.20.169.122 | BLUEBOX | Released | 25MAY2019 | Network Connections: TCP 10.123.169.30:4327 192.168.0.11:443 ESTABLISHED 1910; TCP 10.123.169.30:4327 192.168.0.11:443 ESTABLISHED 2015. Admin very active on device. Will run checks while first logging in and then logging off. Admin is unaware of Operator presence on device; will check with analysts to see if they see anything in collect that says otherwise. It was determined through analysts that it was the Admin's day off. Operator conducted checks to see when the Admin was off. Once Admin had left target, Operator conducted survey to see what the Admin had run on device. Nothing indicated that the Admin suspected/has knowledge of our operations within their network. Final Assessment: Give them the stick team. Project and target are released. Operator Recommendation: Recommend that this project be released from hold and target be released from hold. Admin doesn't know of our presence, and we have zero equity on device. Operator needs to be aware of when the Admin logs in and wait until they log off before continuing with operations. Admin is only on for lengths of 20 to 30 minutes before logging out. |
10.97.182.0/24 | 10.97.182.65 | BLUEBOX | On-Hold | 03SEP2019 | Processes: netconmon.exe 1904 0 18,630 K. Registry: HKLM\Software\SAFENET; Installed Directory: C:\Program Files\SAFENET\; Network Connections: TCP 10.97.182.65:9827 10.34.98.11:443 ESTABLISHED 1904; Service/Persistence: SERVICE_NAME: ntconmon, DISPLAY_NAME: SafeNet Network Connection Monitor, STATE: 4 RUNNING; Hash: 6e4d1b906d3ea998daffda714106c928c9beff04. Final Assessment: This is a third-party network monitoring application/service from SafeNet Technologies. It records to C:\Program Files\SAFENET\conlog.txt, remotely logs all connection information, and monitors for connections to known bad or suspicious IPs or ports. Connections are actively monitored and recorded, but the logs are requested from SafeNet servers on port 9827 on a recurring basis scheduled by the administrator; the default is daily at midnight. Because log submission schedules are stored remotely, we are unable to determine when the logs will be uploaded for review. Active use of the conlog.txt file by netconmon.exe prevents getting a read/write handle on the log file, and the operator cannot clean logs without using tools and techniques. Operator Recommendation: This target should remain on hold until it can be tested to see if any tools/rootkits can connect in a way that will not be observed by the software. Additional research into identifying the log submission schedule and means to overwrite logs is also recommended prior to release. |
© Haxor Publishing, 2009