The following list of indicators of compromise (IoCs) relates to W32.Beapy activity. Symantec attempts to ensure that all IoCs are unique to a given set of activity; however, some of the following indicators may be used by multiple different actors. In addition, the indicators are indicative of a threat, not definitive proof of one. Any instance of these indicators discovered on a computer or network should be investigated and confirmed before any action is taken.

Malware

W32.Beapy is a network worm that spreads via SMB (TCP/445) or MS SQL (TCP/1433), exploiting the MS17-010 SMB vulnerability. W32.Beapy uses EternalBlue to compromise vulnerable computers. After a successful compromise, it first runs a PowerShell script that acts as a downloader to fetch the main W32.Beapy payload before attempting to spread.

Downloader

a27d17445c54f1cb5f5ebedc1af77fea2ae3af18e858a397cc9dd65a6f2ca8ea
d098a239457a3ae86283e5b170b2387108917e9fb423268c1543fadef8f95a8d
986036e57bd5a56f1caefa1e06b37771f272a02e59be712594d7c92d7585222a

Embedded modules

W32.Beapy also contains additional PowerShell modules to assist in dumping credentials (Mimikatz). The set listed below has been seen in use by this actor; however, it may also be used by other actors.

Credential dumpers

3f28cace99d826b3fa6ed3030ff14ba77295d47a4b6785a190b7d8bc0f337e41
7c402add8feffadc6f07881d201cb21bc4b39df98709917949533f6febd53b6e
aed1d2da16810421c058febc39829da2a3be62124cca7149019a79441e698b83
e28b7c8b4fc37b0ef91f32bd856dd71599acd2f2071fcba4984cc331827c0e13

Coinminer

fba31c575e4e9cd61d3a3e01a1847e95d1faca3d86bdf96d6e7d0c46fa076d8c

Network

W32.Beapy has been observed using the following network infrastructure.

Legitimate services

W32.Beapy uses the following legitimate services to obtain the external IP address of the infected machine:

hxxp://ip.42.pl/raw
hxxp://jsonip.com/

Command and control infrastructure

W32.Beapy connects to its C&C servers and sends confidential information such as the hostname, MAC address, operating system version, etc.