Network | IP Address | Project | Status | Date | Reason |
---|---|---|---|---|---|
192.168.0.0/24 | 192.168.0.255 | Default | On-Hold | 01JAN1970 | This is an example of a non-standard entry. It should include all relevant information about what happened on the operation and why this device has been placed on the NSDB. |
192.168.0.0/24 | 192.168.0.1 | Default | Released | 01JAN1970 | This is an example of a non-standard entry. It should include all relevant information about what happened on the operation and why this device has been placed on the NSDB. |
10.2.4.0/24 | 10.2.4.18 | BLUEBOX | Released | 18AUG2019 | Processes: logger.bin. Installed Directory: /bin/log/. Network Connections: none observed. Hash: deaf1b926d6cd166bdffd5d723409c832c7aef3a2. Final Assessment: The observed process, logger.bin, is known malware that functions as a local keylogger. It records keystrokes by capturing input as it arrives from the keyboard, saves the data to the text file /bin/log/data, and once daily sends that file to the IP and port specified in /bin/log/logger.conf. Because the data is captured at the keyboard rather than at the system level, it cannot log credentials or commands entered over a remote session. Operator Recommendation: This target should be released, as the malware has no way to identify our access or actions. Because the malware is not well hidden, its presence also indicates low administrator oversight; continue to monitor whether it is still running, since its removal would indicate a change in administrator attentiveness. Operator also recommends capturing /bin/log/data when accessing this host. |
10.123.169.0/24 | 10.123.169.30 | BLUEBOX | On-Hold | 20AUG2019 | Processes: mscore1ib.exe (PID 808, session 0, 17,520 K); mslibterm.exe (PID 1715, session 0, 35,680 K). Registry: HKLM\Software\Freeform. Installed Directory: C:\Program Files\MSCoreLibrary\. Network Connections: TCP 10.123.169.30:4327 -> 52.43.89.11:443 ESTABLISHED (PID 1715, i.e. mslibterm.exe). Service/Persistence: SERVICE_NAME: msderplib; DISPLAY_NAME: Microsoft Core Library addons; TYPE: 10 WIN32_OWN_PROCESS; STATE: 4 RUNNING. Hash: fead1b926d6ea166daffd5c56106b328c77e240f. Final Assessment: This malware is credit card stealing spyware that calls out to a remote server to report extracted information. Research shows it works by injecting into any browser it identifies and scraping plaintext credit card data directly from the browser's memory. At the time of discovery, there was one Chrome browser running with 5 tabs. Operator Recommendation: This target should be released from hold, and Ops can continue on target as long as no technique used interacts with any browser on the system. |
10.168.169.0/24 | 10.168.169.30 | BLUEBOX | On-Hold | 20AUG2019 | Processes: mscore1ib.exe (PID 808, session 0, 17,520 K); mslibterm.exe (PID 1715, session 0, 35,680 K). Registry: HKLM\Software\Freeform. Installed Directory: C:\Program Files\MSCoreLibrary\. Network Connections: TCP 10.168.169.30:4327 -> 52.43.89.11:443 ESTABLISHED (PID 1715, i.e. mslibterm.exe). Service/Persistence: SERVICE_NAME: msderplib; DISPLAY_NAME: Microsoft Core Library addons; TYPE: 10 WIN32_OWN_PROCESS; STATE: 4 RUNNING. Hash: fead1b926d6ea166daffd5c56106b328c77e240f. Final Assessment: This malware is credit card stealing spyware that calls out to a remote server to report extracted information. Research shows it works by injecting into any browser it identifies and scraping plaintext credit card data directly from the browser's memory. At the time of discovery, there was one Chrome browser running with 5 tabs. Operator Recommendation: This target should be released from hold, and Ops can continue on target as long as no technique used interacts with any browser on the system. |
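The two BLUEBOX Windows entries above (10.123.169.30 and 10.168.169.30) record the same indicators: the two process names, the established connection to 52.43.89.11:443, the msderplib service, and a SHA-1. The following is an added example, not part of the NSDB page or any operator tooling it describes, showing how an operator landing on a host could re-check those indicators against `tasklist`, `netstat -ano` and `sc query` output before deciding whether the hold still applies, and list running browsers because the recommendation forbids any technique that touches a browser. The `tasklist`, `netstat` and `sc query` text below is constructed to resemble the entry rather than captured from a real host, and the type and function names (`NsdbEntry`, `match_entry`, `running_browsers`) are my own.

```python
"""Re-check the indicators recorded in an NSDB entry against host output.

Added example; the sample command output is constructed, not captured.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class NsdbEntry:
    """The machine-checkable fields of one NSDB row (hypothetical type)."""
    ip: str
    status: str
    processes: tuple          # image names from the Processes field
    install_dir: str
    remote_peers: frozenset   # (remote_ip, remote_port) from Network Connections
    service_name: str
    sha1: str


# Indicators transcribed from the 10.123.169.30 row above.
BLUEBOX_CC_STEALER = NsdbEntry(
    ip="10.123.169.30",
    status="On-Hold",
    processes=("mscore1ib.exe", "mslibterm.exe"),
    install_dir=r"C:\Program Files\MSCoreLibrary",
    remote_peers=frozenset({("52.43.89.11", 443)}),
    service_name="msderplib",
    sha1="fead1b926d6ea166daffd5c56106b328c77e240f",
)

# Constructed sample output in the shape `tasklist`, `netstat -ano` and
# `sc query` print; it mirrors the NSDB row and is not real host data.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
mscore1ib.exe                  808 Services                   0     17,520 K
mslibterm.exe                 1715 Services                   0     35,680 K
chrome.exe                    2204 Console                    1    184,112 K
"""
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.123.169.30:4327     52.43.89.11:443        ESTABLISHED     1715
  TCP    10.123.169.30:49711    10.123.169.5:445       ESTABLISHED     4
"""
SAMPLE_SC_QUERY = """\
SERVICE_NAME: msderplib
DISPLAY_NAME: Microsoft Core Library addons
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
_TASKLIST_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_tasklist(text):
    """Return {image_name_lowercase: pid}; header and separator rows do not match."""
    procs = {}
    for line in text.splitlines():
        m = _TASKLIST_ROW.match(line)
        if m:
            procs[m.group(1).strip().lower()] = int(m.group(2))
    return procs


def parse_netstat(text):
    """Return (remote_ip, remote_port, state, pid) for each TCP row of `netstat -ano`."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            rip, rport = parts[2].rsplit(":", 1)
            conns.append((rip, int(rport), parts[3], int(parts[4])))
    return conns


def parse_sc_query(text):
    """Return the lowercase SERVICE_NAME values in `sc query` output."""
    return {line.split(":", 1)[1].strip().lower()
            for line in text.splitlines() if line.startswith("SERVICE_NAME:")}


def match_entry(entry, tasklist, netstat, sc_query, observed_sha1=None):
    """List the entry's indicators that are present in the host output.

    `observed_sha1` is the hash the operator computed on the dropped binary, if any.
    An empty list means none of the recorded indicators were seen (not that the
    host is clean: the entry may simply be out of date).
    """
    hits = []
    procs = parse_tasklist(tasklist)
    for name in entry.processes:
        if name.lower() in procs:
            hits.append(f"process {name} (pid {procs[name.lower()]})")
    for rip, rport, state, pid in parse_netstat(netstat):
        if (rip, rport) in entry.remote_peers and state == "ESTABLISHED":
            hits.append(f"c2 {rip}:{rport} from pid {pid}")
    if entry.service_name.lower() in parse_sc_query(sc_query):
        hits.append(f"service {entry.service_name}")
    if observed_sha1 is not None and observed_sha1.lower() == entry.sha1.lower():
        hits.append("hash match")
    return hits


def running_browsers(tasklist):
    """Browsers currently running; the recommendation forbids touching any of them."""
    return sorted(name for name in parse_tasklist(tasklist) if name in BROWSERS)


if __name__ == "__main__":
    found = match_entry(BLUEBOX_CC_STEALER, SAMPLE_TASKLIST, SAMPLE_NETSTAT,
                        SAMPLE_SC_QUERY, observed_sha1=BLUEBOX_CC_STEALER.sha1)
    print(f"{BLUEBOX_CC_STEALER.ip} [{BLUEBOX_CC_STEALER.status}]: {len(found)} indicator(s)")
    for hit in found:
        print("  -", hit)
    print("running browsers:", running_browsers(SAMPLE_TASKLIST))
```

The hash comparison is the only indicator that cannot be faked by a renamed binary, so a process-name hit without a hash match is a reason to re-examine the sample rather than assume it is the same malware the entry describes.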
© Haxor Publishing, 2009