/usr/share/artifacts/kaspersky_careto.yaml is in forensic-artifacts 20161022-1.

This file is owned by root:root, with mode 0o644.

# Artifacts from the Kaspersky Careto report.

# macOS side of the Careto indicators: an application bundle whose name
# mimics the Finder metadata file (.DS_Store, so it is dot-hidden) and a
# LaunchAgent plist, a standard per-boot/login persistence location.
# `**10` is artifact glob syntax: recurse up to 10 directory levels below
# the bundle so every file inside it is collected.
name: KasperskyCaretoDarwinFiles
doc: Darwin Careto IOCs.
sources:
- type: FILE
  attributes:
    paths:
      - /Applications/.DS_Store.app/**10
      - /Library/LaunchAgents/com.apple.launchport.plist
supported_os:
  - Darwin
urls:
  - 'http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf'
---
# Umbrella artifact: collecting this one pulls in the three concrete Careto
# artifacts defined in this file (Windows files, Windows registry values,
# Darwin files). It declares both operating systems because its members
# split across them; each member carries its own supported_os.
name: KasperskyCaretoIndicators
doc: Kaspersky Careto Indicators.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
      - KasperskyCaretoWindowsFiles
      - KasperskyCaretoWindowsRegKeys
      - KasperskyCaretoDarwinFiles
supported_os:
  - Windows
  - Darwin
urls:
  - 'http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf'
---
# Windows file-system indicators from the report. The %%...%% tokens are
# artifact knowledge-base variables: %%environ_systemroot%% is the Windows
# directory (typically C:\Windows) and the %%users.*%% variables are
# expanded once per user profile found on the host, so a single path line
# can yield several candidate files.
# Every entry is a literal indicator name taken from the report; keep them
# byte-identical, since a mistyped name silently never matches.
name: KasperskyCaretoWindowsFiles
doc: Windows Careto IOCs.
sources:
- type: FILE
  attributes:
    paths:
      # Components dropped into System32: DLLs, files named like Windows
      # code-page tables (c_*.nls), a .sys under drivers\ and opaque .bin
      # data files.
      - '%%environ_systemroot%%\System32\objframe.dll'
      - '%%environ_systemroot%%\System32\shlink32.dll'
      - '%%environ_systemroot%%\System32\shlink64.dll'
      - '%%environ_systemroot%%\System32\cdllait32.dll'
      - '%%environ_systemroot%%\System32\cdllait64.dll'
      - '%%environ_systemroot%%\System32\cdlluninstallws32.dll'
      - '%%environ_systemroot%%\System32\cdlluninstallws64.dll'
      - '%%environ_systemroot%%\System32\cdlluninstallsgh32.dll'
      - '%%environ_systemroot%%\System32\cdlluninstallsgh64.dll'
      - '%%environ_systemroot%%\System32\c_50225.nls'
      - '%%environ_systemroot%%\System32\c_50227.nls'
      - '%%environ_systemroot%%\System32\c_50229.nls'
      - '%%environ_systemroot%%\System32\c_51932.nls'
      - '%%environ_systemroot%%\System32\c_51936.nls'
      - '%%environ_systemroot%%\System32\c_51949.nls'
      - '%%environ_systemroot%%\System32\c_51950.nls'
      - '%%environ_systemroot%%\System32\c_57002.nls'
      - '%%environ_systemroot%%\System32\c_57006.nls'
      - '%%environ_systemroot%%\System32\c_57008.nls'
      - '%%environ_systemroot%%\System32\c_57010.nls'
      - '%%environ_systemroot%%\System32\cdgext32.dll'
      - '%%environ_systemroot%%\System32\cfgbkmgrs.dll'
      - '%%environ_systemroot%%\System32\cfgmgr64.dll'
      - '%%environ_systemroot%%\System32\comsvrpcs.dll'
      - '%%environ_systemroot%%\System32\d3dx8_20.dll'
      - '%%environ_systemroot%%\System32\dllcomm.dll'
      - '%%environ_systemroot%%\System32\drivers\wmimgr.sys'
      - '%%environ_systemroot%%\System32\drvinfo.bin'
      - '%%environ_systemroot%%\System32\FCache.bin'
      - '%%environ_systemroot%%\System32\FFExtendedCommand.dll'
      - '%%environ_systemroot%%\System32\gpktcsp32.dll'
      - '%%environ_systemroot%%\System32\HPQueue.bin'
      - '%%environ_systemroot%%\System32\LPQueue.bin'
      - '%%environ_systemroot%%\System32\mdwmnsp.dll'
      - '%%environ_systemroot%%\System32\rpcdist.dll'
      - '%%environ_systemroot%%\System32\scsvrft.dll'
      - '%%environ_systemroot%%\System32\sdptbw.dll'
      - '%%environ_systemroot%%\System32\slbkbw.dll'
      - '%%environ_systemroot%%\System32\skypeie6plugin.dll'
      - '%%environ_systemroot%%\System32\wmspdmgr.dll'
      - '%%environ_systemroot%%\System32\mfcn30.dll'
      - '%%environ_systemroot%%\System32\siiw9x.dll'
      - '%%environ_systemroot%%\System32\nmwcdlog.dll'
      - '%%environ_systemroot%%\System32\WifiScan.dll'
      - '%%environ_systemroot%%\System32\awview32.dll'
      - '%%environ_systemroot%%\System32\awcodc32.dll'
      # Per-user temp droppings (one lookup per user profile).
      # NOTE(review): the last name has one more character than the other
      # three ~DF*.tmp names -- confirm it against the report.
      - '%%users.temp%%\~DF01AC74D8BE15EE01.tmp'
      - '%%users.temp%%\~DF23BF45A473C42B56.tmp'
      - '%%users.temp%%\~DFA0528CD81300F372.tmp'
      - '%%users.temp%%\~DF8471938479DA49221.tmp'
      # Per-user copies under AppData\microsoft; objframe.dll is also listed
      # under System32 above, so both locations are checked.
      - '%%users.appdata%%\microsoft\c_27803.nls'
      - '%%users.appdata%%\microsoft\objframe.dll'
      - '%%users.appdata%%\microsoft\shmgr.dll'
supported_os: [Windows]
urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']
---
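# Windows registry indicators from the report. Each pair names a key and a
# value under it; the same two Explorer\WindowsUpdate values are checked in
# HKLM and, via %%users.sid%%, in every loaded user hive, so machine-wide
# and user-scoped installs are both covered.
name: KasperskyCaretoWindowsRegKeys
doc: Windows Careto IOCs.
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
      - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'}
      - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF0654'}
      - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'}
      - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF0654'}
      # Single '\' before CLSID: the doubled separator that was here
      # ('Classes\\CLSID') is almost certainly a typo -- it matches neither
      # the HKLM entry below nor any other path in this file, and a key path
      # with an empty component would never match, silently losing the IOC.
      # NOTE(review): InprocServer32 is modelled as a value name under the
      # CLSID key; if the report means the usual InprocServer32 *subkey*,
      # a REGISTRY_KEY source on '...\CLSID\{...}\InprocServer32' is
      # needed instead -- confirm against the report.
      - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}', value: 'InprocServer32'}
      - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}', value: 'InprocServer32'}
supported_os:
  - Windows
urls:
  - 'http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf'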