Any user of El Jefe can run this script by putting it inside the eljefe/webapp/scripts folder. Of course, if you get a hit, you can examine the machines that were infected much more closely in the GUI itself.
Happy "Hunting" :)
---CUT HERE---
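import sys
import os

# This script is meant to be dropped into eljefe/webapp/scripts and run from
# there, so the Django project root has to be reachable on sys.path before
# home.models can be imported.
for _root in (".", "../", "../../"):
    if _root not in sys.path:
        sys.path.append(_root)
os.environ["DJANGO_SETTINGS_MODULE"] = "webapp.settings"

from home.models import binaries

# Known MD5 hashes of Duqu-related binaries, as collected by the author.
# The list deliberately keeps its original entries: some appear twice and
# some only in upper-case hex, which is why everything is normalised below
# instead of being compared verbatim.
evil_md5 = [
    "14712103ddf9f6e77fa5c9a3288bd5ee",
    "e8eaec1f021a564b82b824af1dbe6c4d",
    "3fde1bbf3330e0bd0952077a390cef72",
    "2751e4b50a08eb11a84d03f8eb580a4e",
    "e8eaec1f021a564b82b824af1dbe6c4d",
    "520cd9ee4395ee85ccbe073a00649602",
    "acbf2d1f8a419528814b2efa9284ea8b",
    "a6b2ac3ee683be6fbbbab0fa12d88f73",
    "966953034b7d7501906d8b4cd3f90f6b",
    "4b26441166f23bcced22cc0f8588b3dd",
    "cf4a8212034fb2335dc069382fba1fb1",
    "050fbef5c814b2981fa61b7fc6820cbd",
    "0A566B1616C8AFEEF214372B1A0580C7",
    "0EECD17C6C215B358B7B872B74BFD800",
    "4541E850A228EB69FD0F0E924624B245",
    "94C4EF91DFCD0C53A96FDC387F9F9C35",
    "B4AC366E24204D821376653279CBAD86",
    "E8D6B4DADB96DDB58775E6C85B10B6CC",
    "0a566b1616c8afeef214372b1a0580c7",
    "94c4ef91dfcd0c53a96fdc387f9f9c35",
    "e8d6b4dadb96ddb58775e6c85b10b6cc",
    "b4ac366e24204d821376653279cbad86",
    "4541e850a228eb69fd0f0e924624b245",
    "0eecd17c6c215b358b7b872b74bfd800",
    "9749d38ae9b9ddd81b50aad679ee87ec",
    "3d83b077d32c422d6c7016b5083b9fc2",
    "C9A31EA148232B201FE7CB7DB5C75F5E",
    "9749d38ae9b9ddd81b50aad679ee87ec",
    "4c804ef67168e90da2c3da58b60c3d16",
    "856a13fcae0407d83499fc9c3dd791ba",
    "92aa68425401ffedcfba4235584ad487",
    "c9a31ea148232b201fe7cb7db5c75f5e",
    "f60968908f03372d586e71d87fe795cd",
    "3d83b077d32c422d6c7016b5083b9fc2",
    "bdb562994724a35a1ec5b9e85b8e054f",
    "164aa9cd56d900341535551464af43b7",
    "66a7e49ef0ebf10fb54621861c6dbfff",
    "dccffd4d2fc6a602bea8fdc1fa613dd4",
    "a0a976215f619a33bf7f52e85539a513",
    "a1d2a954388775513b3c7d95ab2c9067",
    "3B51F48378A26F664BF26B32496BD72A",
    "4c804ef67168e90da2c3da58b60c3d16",
    "f5ee03fed0133bb06d4cc52b0232fec0",
    "9a9e77d2b7792fbbddcd7ce05a4eb26e",
    "107403e1259427355757b70b4d820997",
    "653e375d6455850fd76453dc5d713257",
    "c03ca7ea50a52e9e7d1f3ff17e68f7da",
    "45a7b2c4792803da5c79d61982e3ed38",
    "9fce104aab41e80236b073f4db54910d",
    "83b37e8df59051ee623da1c310fb4e8c",
    "8d80ba2dce3bd625babc25858b55375d",
    "af2b0ee182d9f48c293a80f762171d40",
    "4a9f5b4f549f43d4f96136c81a043631",
    "d4b3ef7b4d1c4b64c5146f02eab830a8",
    "ef460a40c5d399942ae32c23e63a8d10",
    "c80cd91848515b7973145a574440ca12",
    "9bc2aa9eb49c938eb47660b087654b9c",
    "75f0cda10d65f0865f92e9b7cd6a56de",
    "4e69bf01720ae8c13c48943d1f512d8e",
    "79fe76fc991a2f36e318c710e6684cca",
    "aa6fcf2594393784f4602f9d1d8cbaa0",
    "3af67c17dc76bcb7c7eb53b3e164a969",
    "e4bb017843c538cc821162a4ef64d833",
    "2684c847218745d2809d8c1c40588491",
    "7d6fe14a4817d1eae16b926cd6af00b4",
    "57090c92892406afe6207b6eefe44ce6",
    "a6fd9fc574c4a2b592c82892e5aff77d",
    "9daf29a0dd6eccec1093bef3fa3ec4f9",
    "45a416431dadda14361eff64fa52afde",
    "0c07e033975168de1ed461786a1bd4b7",
    "05cfbb2cef37ac1f3cded2a54663e0c4",
    "442d72f42e391c988e0fcda73488636a",
    "0e51ef79713229c6df6ed567214e4bcb",
    "ea05fd5e14bbb68be30d51d213f84f3d",
    "bcae43d8f2d4f5b67a84da218aeddd0e",
    "069701725a8fa9ab47a130e7e9879211",
    "6ab58775a586249dcc608efa47e5eabf",
    "9f5457c2514e3bcb61c4b6a14a507336",
    "941b051d857cdafb4c2d04f6246cd7ac",
    "d00fd4059c855d6c22a1d0a993d784af",
    "5ffbf53cc0fa2c61b1cd8d48a57d976a",
    "c81285c9763795df3b24ba1db002b352",
    "934d5d68f0632531844fcd9180fa65f2",
    "cee6703d62a6f334ecb9a43a2db904cd",
    "dd5013f4537e7dcf3579ab125bbb48e3",
    "4d8efdac702af5ff0c9edaad5401f567",
    "b507fac3b8b94f7b0c6aedafd3a72cbe",
    "d612393cda4228df8d43678171e273da",
    "9a11b52ceee6f2fb1fa7f4fb5fee3c49",
    "f4743b2df3c3e02dfbbd742475236033",
    "8d2421d5518c16e392fbe9e2ef88419d",
    "be04a3abec6f06761004053f13eed1b8",
    "e09bad51cf748abdc1913367770a7a83",
    "d5ce8c7456e444ef939a42be8e00a31c",
    "dbe43f68bfb0e670cdcb4ede143db1ef",
    "725b02ca7cfb061bfafccee3c15672c2",
    "cb5cf3dbcadc6bae90830a6735ac2419",
    "8f8054da6c80a2785d8c913ba1ea0a64",
    "24ca17f51e73037aeb708ae96a4a939f",
    "f624119e06773f4c88607f46fae3ebba",
    "6edf091a408c33d7e9dd1e0341a3e19e",
    "0d63aadacfdd57754b903af3a60627b8",
    "2d54a71c7d4cd203dbdfcecd7329fc23",
    "d1ec90731409c24c8fbdc5d1b39703bc",
    "147126b7328ac42b0bfd6470ef809360",
    "39b36b47e7afd8d7866ffe6466b2eb0a",
    "2cf6ee0a02b34d2257d92b4c1501d61e",
    "0d7156f407f57f92ba3aaa19bc3ef304",
    "9e2add724fbe409429bdb0e212cdcc5e",
    "f2e5987ab9db1c2f79a298636e1a87d2",
    "f3d2dfa10cf1c7fc07bc76be98c1c008",
    "52944779ddbbb31db9730b9971aeda06",
    "6f967c2029844a9ba85de9fcb2c02b62",
    "427168da8d933e125e43c50060d8ddd8",
    "4bc2f1fa6d3bd027157f8b74dcee1910",
    "2aedf87c810d05796cac4f8f92ffe9f0",
    "0a9c596cace74595abbc630600c16827",
    "5b64ea57526948dc9d2f9b59ead21181",
    "13eaed09d79557b95daf74c845f2b957",
    "8c52ffd05e83528cabae0ebd2e22b4f0",
    "c96b80c1faa5986e5185ca0f1eefe7e4",
    "de8eaa4b7960cc99b63eb0d4fef6b02b",
    "b2f46de730bdd975094890dbea10184c",
    "390d3abb7e34470a788b8972630d8583",
    "823431ce0530d924fb96d3ca72685b07",
    "f2c520cf776a69cf03bbfb4965de569f",
    "efb33147c3ba73e1dd0ce6665a3257e4",
    "9f430a2a8f74d37b5f488fb1eb001222",
    "7a3041f198e1678c77efb3e8d628b6dd",
    "2137d67f22aae1dc4b88f6d3269e991d",
    "fb367a128574cb35c29099ebcec4635c",
    "53a94a60f56591042c597b0078b127f9",
    "1f17e12478cbec4e602426e37ab850bc",
    "7b99589452f1852ec24d9a2320e18ddc",
    "8dc6da7c18a59775ecd6522b5a4300b3",
    "4623ac239145f8c8a1c4ab39f6bee2b0",
    "9b13e9893cd890c6ac58b094582c2f82",
    "01ee87ba582da9c38b1e9c27e97d9d2c",
    "6ca125f46d1b443eca20574dd8695fba",
    "9cf0bf3d7a4f9655205b3cc1a50fe1e7",
]

# Compare case-insensitively. The list above mixes upper- and lower-case hex
# (e.g. 3B51F48378A26F664BF26B32496BD72A appears only in upper case) and the
# case stored in binary_md5 is not guaranteed, so a verbatim string compare
# could silently miss a real hit.
# NOTE(review): assumes binary_md5 is a hex string; rows with an empty value
# are skipped rather than crashing the run.
binaries_hashes = set(
    b.binary_md5.lower() for b in binaries.objects.all() if b.binary_md5
)
filtered_hashes = set(h.lower() for h in evil_md5)

# print(...) with a single argument behaves the same under Python 2 and 3.
print('Found %d binaries' % len(binaries_hashes))
print('Testing against %d duqu md5 hashes' % len(filtered_hashes))

# MD5 equality only catches byte-identical samples; a recompiled, repacked or
# padded variant will carry a different hash, so "no hit" is not "clean".
# Sorted so repeated runs report hits in a stable order.
for md5_hash in sorted(filtered_hashes & binaries_hashes):
    print('Found hash %s' % md5_hash)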