https://github.com/fox-it/cryptophp
CryptoPHP Indicators of Compromise
- Host: GitHub
- URL: https://github.com/fox-it/cryptophp
- Owner: fox-it
- Created: 2014-11-20T09:49:45.000Z (over 11 years ago)
- Default Branch: master
- Last Pushed: 2014-12-03T11:42:08.000Z (over 11 years ago)
- Last Synced: 2025-06-08T01:11:24.292Z (about 1 year ago)
- Language: Python
- Size: 249 KB
- Stars: 129
- Watchers: 36
- Forks: 49
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
CryptoPHP Indicators of Compromise
==================================
This repository contains the indicators of compromise for the CryptoPHP backdoor.
The whitepaper regarding CryptoPHP can be found here:
* http://blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/
### Available IOCs
| filename | description |
|-----------------------------------------------|----------------------------------------------------------------------------------------------------------|
| *[file_hashes.csv](file_hashes.csv)* | Contains the MD5 and SHA1 hashes of the different versions of the backdoor and when they were first seen |
| *[domains.txt](domains.txt)* | Contains the C2 domains used by the backdoor |
| *[ips.txt](ips.txt)* | Contains the C2 IP addresses used by the backdoor |
| *[email_addresses.txt](email_addresses.txt)* | Contains the email addresses used as backup communication by the backdoor |
### Available scripts
We created some Python scripts to help administrators identify CryptoPHP:
[https://github.com/fox-it/cryptophp/tree/master/scripts](https://github.com/fox-it/cryptophp/tree/master/scripts)