/usr/share/artifacts/kaspersky_careto.yaml is in forensic-artifacts 20161022-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 | # Artifacts from the Kaspersky Careto report.
name: KasperskyCaretoDarwinFiles
doc: Darwin Careto IOCs.
sources:
- type: FILE
attributes:
paths:
- /Applications/.DS_Store.app/**10
- /Library/LaunchAgents/com.apple.launchport.plist
supported_os: [Darwin]
urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']
---
name: KasperskyCaretoIndicators
doc: Kaspersky Careto Indicators.
sources:
- type: ARTIFACT_GROUP
attributes:
names:
- KasperskyCaretoWindowsFiles
- KasperskyCaretoWindowsRegKeys
- KasperskyCaretoDarwinFiles
supported_os: [Windows, Darwin]
urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']
---
name: KasperskyCaretoWindowsFiles
doc: Windows Careto IOCs.
sources:
- type: FILE
attributes:
paths:
- '%%environ_systemroot%%\System32\objframe.dll'
- '%%environ_systemroot%%\System32\shlink32.dll'
- '%%environ_systemroot%%\System32\shlink64.dll'
- '%%environ_systemroot%%\System32\cdllait32.dll'
- '%%environ_systemroot%%\System32\cdllait64.dll'
- '%%environ_systemroot%%\System32\cdlluninstallws32.dll'
- '%%environ_systemroot%%\System32\cdlluninstallws64.dll'
- '%%environ_systemroot%%\System32\cdlluninstallsgh32.dll'
- '%%environ_systemroot%%\System32\cdlluninstallsgh64.dll'
- '%%environ_systemroot%%\System32\c_50225.nls'
- '%%environ_systemroot%%\System32\c_50227.nls'
- '%%environ_systemroot%%\System32\c_50229.nls'
- '%%environ_systemroot%%\System32\c_51932.nls'
- '%%environ_systemroot%%\System32\c_51936.nls'
- '%%environ_systemroot%%\System32\c_51949.nls'
- '%%environ_systemroot%%\System32\c_51950.nls'
- '%%environ_systemroot%%\System32\c_57002.nls'
- '%%environ_systemroot%%\System32\c_57006.nls'
- '%%environ_systemroot%%\System32\c_57008.nls'
- '%%environ_systemroot%%\System32\c_57010.nls'
- '%%environ_systemroot%%\System32\cdgext32.dll'
- '%%environ_systemroot%%\System32\cfgbkmgrs.dll'
- '%%environ_systemroot%%\System32\cfgmgr64.dll'
- '%%environ_systemroot%%\System32\comsvrpcs.dll'
- '%%environ_systemroot%%\System32\d3dx8_20.dll'
- '%%environ_systemroot%%\System32\dllcomm.dll'
- '%%environ_systemroot%%\System32\drivers\wmimgr.sys'
- '%%environ_systemroot%%\System32\drvinfo.bin'
- '%%environ_systemroot%%\System32\FCache.bin'
- '%%environ_systemroot%%\System32\FFExtendedCommand.dll'
- '%%environ_systemroot%%\System32\gpktcsp32.dll'
- '%%environ_systemroot%%\System32\HPQueue.bin'
- '%%environ_systemroot%%\System32\LPQueue.bin'
- '%%environ_systemroot%%\System32\mdwmnsp.dll'
- '%%environ_systemroot%%\System32\rpcdist.dll'
- '%%environ_systemroot%%\System32\scsvrft.dll'
- '%%environ_systemroot%%\System32\sdptbw.dll'
- '%%environ_systemroot%%\System32\slbkbw.dll'
- '%%environ_systemroot%%\System32\skypeie6plugin.dll'
- '%%environ_systemroot%%\System32\wmspdmgr.dll'
- '%%environ_systemroot%%\System32\mfcn30.dll'
- '%%environ_systemroot%%\System32\siiw9x.dll'
- '%%environ_systemroot%%\System32\nmwcdlog.dll'
- '%%environ_systemroot%%\System32\WifiScan.dll'
- '%%environ_systemroot%%\System32\awview32.dll'
- '%%environ_systemroot%%\System32\awcodc32.dll'
- '%%users.temp%%\~DF01AC74D8BE15EE01.tmp'
- '%%users.temp%%\~DF23BF45A473C42B56.tmp'
- '%%users.temp%%\~DFA0528CD81300F372.tmp'
- '%%users.temp%%\~DF8471938479DA49221.tmp'
- '%%users.appdata%%\microsoft\c_27803.nls'
- '%%users.appdata%%\microsoft\objframe.dll'
- '%%users.appdata%%\microsoft\shmgr.dll'
supported_os: [Windows]
urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']
---
name: KasperskyCaretoWindowsRegKeys
doc: Windows Careto IOCs.
sources:
- type: REGISTRY_VALUE
attributes:
key_value_pairs:
- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF0654'}
- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'}
- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF0654'}
- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}', value: 'InprocServer32'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}', value: 'InprocServer32'}
supported_os: [Windows]
urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']
|