Added IoCs for Ramsay.

Author: eset-research

ramsay/README.adoc

@@ -0,0 +1,67 @@
+= Ramsay
+
+For a description of Ramsay, please see the article on
+https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/[WeLiveSecurity].
+
+== MISP event
+
+link:misp-ramsay.json[MISP event]
+
+== ESET detection names
+
+- Win32/Exploit.CVE-2017-11882.H
+- Win32/HackTool.UACMe.T
+- Win32/HideProc.M
+- Win32/Ramsay.A
+- Win32/Ramsay.B
+- Win32/Ramsay.C
+- Win32/TrojanDropper.Agent.SHM
+- Win32/TrojanDropper.Agent.SHN
+- Win64/HackTool.Inject.A
+- Win64/Ramsay.C
+
+== Host based indicators
+=== SHA-1 hashes
+
+----
+19bf019fc0bf44828378f008332430a080871274
+3849e01bff610d155a3153c897bb662f5527c04c
+3bb205698e89955b4bd07a8a7de3fc75f1cb5cde
+50eb291fc37fe05f9e55140b98b68d77bd61149e
+5a5738e2ec8af9f5400952be923e55a5780a8c55
+5c482bb8623329d4764492ff78b4fbc673b2ef23
+62d2cc1f6eedba2f35a55beb96cd59a0a6c66880
+7d85b163d19942bb8d047793ff78ea728da19870
+87ef7bf00fe6aa928c111c472e2472d2cb047eae
+ae722a90098d1c95829480e056ef8fd4a98eedd7
+baa20ce99089fc35179802a0cc1149f929bdf0fa
+bd8d0143ec75ef4c369f341c2786facbd9f73256
+bd97b31998e9d673661ea5697fe436efe026cba1
+e7987627200d542bb30d6f2386997f668b8a928c
+eb69b45faf3be0135f44293bc95f06dad73bc562
+f74d86b6e9bd105ab65f2af10d60c4074b8044c9
+f79da0d8bb1267f9906fad1111bd929a41b18c03
+----
+
+=== Ramsay filenames
+
+----
+%APPDATA%\Microsoft\UserSetting
+%APPDATA%\Microsoft\UserSetting\MediaCache
+%ALLUSERSPROFILE%\NetCache\
+%ALLUSERSPROFILE%\MediaCache
+%WINDIR%\System32\wimsvc.exe
+%WINDIR%\System32\drivers\hfile.sys
+%WINDIR%\System32\Identities\bindsvc.exe
+%WINDIR%\System32\Identities\wideshut.exe
+%WINDIR%\System32\msfte.dll
+%WINDIR%\System32\oci.dll
+7z920.exe
+dpnom.dll
+netwiz.exe
+racfg.exe
+lmsch.exe
+slmgr.vbs
+sharp.exe
+byinfo.exe
+----