Friday, June 12, 2015

Look for DUQU2 across all time and space!

If you are running El Jefe then you can just use the script below to test for any possible Duqu2 infections that have occurred across your network for all time (assuming they didn't recompile specifically for you, which is very possible).

Any user of El Jefe can run this script by putting it inside the eljefe/webapp/scripts folder. Of course, if you get a hit, you can examine the machines that were infected much more closely in the GUI itself.

Happy "Hunting" :)







---CUT HERE---






import sys
import os

# Make the script importable from the El Jefe webapp tree regardless of which
# directory it is launched from: the current directory and its two parents are
# added to the module search path (each only once). These are relative
# entries, so they resolve against the process's working directory at import
# time, not against the script's own location.
for _search_dir in (".", "../", "../../"):
    if _search_dir not in sys.path:
        sys.path.append(_search_dir)
# Django must know which settings module to use before any model is imported.
os.environ["DJANGO_SETTINGS_MODULE"] = "webapp.settings"

from home.models import binaries

# MD5 indicators for Duqu2 components that this script hunts for in the
# El Jefe binary history. The list is a raw merge of several sources: some
# digests appear twice verbatim, and several appear in both upper- and
# lower-case spellings (e.g. the 0A566B... / 0a566b... pair). Hex digests
# compare case-sensitively as plain strings, so code consuming this list
# should fold case on both sides before matching rather than rely on the
# mixed spellings here happening to cover whatever case the database stores.
evil_md5 = [
'14712103ddf9f6e77fa5c9a3288bd5ee',
'e8eaec1f021a564b82b824af1dbe6c4d',
'3fde1bbf3330e0bd0952077a390cef72',
'2751e4b50a08eb11a84d03f8eb580a4e',
'e8eaec1f021a564b82b824af1dbe6c4d',
'520cd9ee4395ee85ccbe073a00649602',
'acbf2d1f8a419528814b2efa9284ea8b',
'a6b2ac3ee683be6fbbbab0fa12d88f73',
'966953034b7d7501906d8b4cd3f90f6b',
'4b26441166f23bcced22cc0f8588b3dd',
'cf4a8212034fb2335dc069382fba1fb1',
'050fbef5c814b2981fa61b7fc6820cbd',
'0A566B1616C8AFEEF214372B1A0580C7',
'0EECD17C6C215B358B7B872B74BFD800',
'4541E850A228EB69FD0F0E924624B245',
'94C4EF91DFCD0C53A96FDC387F9F9C35',
'B4AC366E24204D821376653279CBAD86',
'E8D6B4DADB96DDB58775E6C85B10B6CC',
'0a566b1616c8afeef214372b1a0580c7',
'94c4ef91dfcd0c53a96fdc387f9f9c35',
'e8d6b4dadb96ddb58775e6c85b10b6cc',
'b4ac366e24204d821376653279cbad86',
'4541e850a228eb69fd0f0e924624b245',
'0eecd17c6c215b358b7b872b74bfd800',
'9749d38ae9b9ddd81b50aad679ee87ec',
'3d83b077d32c422d6c7016b5083b9fc2',
'C9A31EA148232B201FE7CB7DB5C75F5E',
'9749d38ae9b9ddd81b50aad679ee87ec',
'4c804ef67168e90da2c3da58b60c3d16',
'856a13fcae0407d83499fc9c3dd791ba',
'92aa68425401ffedcfba4235584ad487',
'c9a31ea148232b201fe7cb7db5c75f5e',
'f60968908f03372d586e71d87fe795cd',
'3d83b077d32c422d6c7016b5083b9fc2',
'bdb562994724a35a1ec5b9e85b8e054f',
'164aa9cd56d900341535551464af43b7',
'66a7e49ef0ebf10fb54621861c6dbfff',
'dccffd4d2fc6a602bea8fdc1fa613dd4',
'a0a976215f619a33bf7f52e85539a513',
'a1d2a954388775513b3c7d95ab2c9067',
'3B51F48378A26F664BF26B32496BD72A',
'4c804ef67168e90da2c3da58b60c3d16',
'f5ee03fed0133bb06d4cc52b0232fec0',
'9a9e77d2b7792fbbddcd7ce05a4eb26e',
"107403e1259427355757b70b4d820997",
"653e375d6455850fd76453dc5d713257",
"c03ca7ea50a52e9e7d1f3ff17e68f7da",
"45a7b2c4792803da5c79d61982e3ed38",
"9fce104aab41e80236b073f4db54910d",
"83b37e8df59051ee623da1c310fb4e8c",
"8d80ba2dce3bd625babc25858b55375d",
"af2b0ee182d9f48c293a80f762171d40",
"4a9f5b4f549f43d4f96136c81a043631",
"d4b3ef7b4d1c4b64c5146f02eab830a8",
"ef460a40c5d399942ae32c23e63a8d10",
"c80cd91848515b7973145a574440ca12",
"9bc2aa9eb49c938eb47660b087654b9c",
"75f0cda10d65f0865f92e9b7cd6a56de",
"4e69bf01720ae8c13c48943d1f512d8e",
"79fe76fc991a2f36e318c710e6684cca",
"aa6fcf2594393784f4602f9d1d8cbaa0",
"3af67c17dc76bcb7c7eb53b3e164a969",
"e4bb017843c538cc821162a4ef64d833",
"2684c847218745d2809d8c1c40588491",
"7d6fe14a4817d1eae16b926cd6af00b4",
"57090c92892406afe6207b6eefe44ce6",
"a6fd9fc574c4a2b592c82892e5aff77d",
"9daf29a0dd6eccec1093bef3fa3ec4f9",
"45a416431dadda14361eff64fa52afde",
"0c07e033975168de1ed461786a1bd4b7",
"05cfbb2cef37ac1f3cded2a54663e0c4",
"442d72f42e391c988e0fcda73488636a",
"0e51ef79713229c6df6ed567214e4bcb",
"ea05fd5e14bbb68be30d51d213f84f3d",
"bcae43d8f2d4f5b67a84da218aeddd0e",
"069701725a8fa9ab47a130e7e9879211",
"6ab58775a586249dcc608efa47e5eabf",
"9f5457c2514e3bcb61c4b6a14a507336",
"941b051d857cdafb4c2d04f6246cd7ac",
"d00fd4059c855d6c22a1d0a993d784af",
"5ffbf53cc0fa2c61b1cd8d48a57d976a",
"c81285c9763795df3b24ba1db002b352",
"934d5d68f0632531844fcd9180fa65f2",
"cee6703d62a6f334ecb9a43a2db904cd",
"dd5013f4537e7dcf3579ab125bbb48e3",
"4d8efdac702af5ff0c9edaad5401f567",
"b507fac3b8b94f7b0c6aedafd3a72cbe",
"d612393cda4228df8d43678171e273da",
"9a11b52ceee6f2fb1fa7f4fb5fee3c49",
"f4743b2df3c3e02dfbbd742475236033",
"8d2421d5518c16e392fbe9e2ef88419d",
"be04a3abec6f06761004053f13eed1b8",
"e09bad51cf748abdc1913367770a7a83",
"d5ce8c7456e444ef939a42be8e00a31c",
"dbe43f68bfb0e670cdcb4ede143db1ef",
"725b02ca7cfb061bfafccee3c15672c2",
"cb5cf3dbcadc6bae90830a6735ac2419",
"8f8054da6c80a2785d8c913ba1ea0a64",
"24ca17f51e73037aeb708ae96a4a939f",
"f624119e06773f4c88607f46fae3ebba",
"6edf091a408c33d7e9dd1e0341a3e19e",
"0d63aadacfdd57754b903af3a60627b8",
"2d54a71c7d4cd203dbdfcecd7329fc23",
"d1ec90731409c24c8fbdc5d1b39703bc",
"147126b7328ac42b0bfd6470ef809360",
"39b36b47e7afd8d7866ffe6466b2eb0a",
"2cf6ee0a02b34d2257d92b4c1501d61e",
"0d7156f407f57f92ba3aaa19bc3ef304",
"9e2add724fbe409429bdb0e212cdcc5e",
"f2e5987ab9db1c2f79a298636e1a87d2",
"f3d2dfa10cf1c7fc07bc76be98c1c008",
"52944779ddbbb31db9730b9971aeda06",
"6f967c2029844a9ba85de9fcb2c02b62",
"427168da8d933e125e43c50060d8ddd8",
"4bc2f1fa6d3bd027157f8b74dcee1910",
"2aedf87c810d05796cac4f8f92ffe9f0",
"0a9c596cace74595abbc630600c16827",
"5b64ea57526948dc9d2f9b59ead21181",
"13eaed09d79557b95daf74c845f2b957",
"8c52ffd05e83528cabae0ebd2e22b4f0",
"c96b80c1faa5986e5185ca0f1eefe7e4",
"de8eaa4b7960cc99b63eb0d4fef6b02b",
"b2f46de730bdd975094890dbea10184c",
"390d3abb7e34470a788b8972630d8583",
"823431ce0530d924fb96d3ca72685b07",
"f2c520cf776a69cf03bbfb4965de569f",
"efb33147c3ba73e1dd0ce6665a3257e4",
"9f430a2a8f74d37b5f488fb1eb001222",
"7a3041f198e1678c77efb3e8d628b6dd",
"2137d67f22aae1dc4b88f6d3269e991d",
"fb367a128574cb35c29099ebcec4635c",
"53a94a60f56591042c597b0078b127f9",
"1f17e12478cbec4e602426e37ab850bc",
"7b99589452f1852ec24d9a2320e18ddc",
"8dc6da7c18a59775ecd6522b5a4300b3",
"4623ac239145f8c8a1c4ab39f6bee2b0",
"9b13e9893cd890c6ac58b094582c2f82",
"01ee87ba582da9c38b1e9c27e97d9d2c",
"6ca125f46d1b443eca20574dd8695fba",
"9cf0bf3d7a4f9655205b3cc1a50fe1e7",
]

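# Compare every MD5 El Jefe has recorded against the indicator list. Both sides
# are folded to lower case: evil_md5 mixes upper- and lower-case spellings, and
# the stored digests' case is not known here, so a plain string comparison can
# silently miss a real hit. Empty/None digests are skipped rather than folded.
binaries_hashes = set(
    h.lower() for h in (b.binary_md5 for b in binaries.objects.all()) if h
)
# Case-folded, de-duplicated indicators, sorted so the report order is stable
# from run to run.
filtered_hashes = sorted(set(h.lower() for h in evil_md5))
# print(...) with a single parenthesised argument behaves the same under
# Python 2 and 3.
print('Found %d binaries' % len(binaries_hashes))
print('Testing against %d duqu md5 hashes' % len(filtered_hashes))

# A hit means a binary matching a Duqu2 indicator was observed by El Jefe at
# some point; the affected hosts can then be examined in the GUI.
for md5_hash in sorted(binaries_hashes & set(filtered_hashes)):
    print('Found hash %s' % md5_hash)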
