Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats
Common Information

UUID: 2c2b8b98-47d7-44c2-a4fc-86fdeac21bee
Fingerprint: 3e99a554232bc0bc27ff6c422ee3d93079479cb0be3eb7fecc486aee4f0c55c1
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Jan. 20, 2020, 2:09 p.m.
Added to db: April 14, 2024, 10:57 a.m.
Last updated: Aug. 30, 2024, 10:53 p.m.
Headline: Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats
Title: Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats
Detected Hints/Tags/Attributes: 183/2/191
Attributes
Details Type #Events CTI Value