Devil Bait
Common Information
Type | Value |
---|---|
UUID | 7743f65e-72fe-4791-9e8d-bd41c79c8d12 |
Fingerprint | 8a58e6e4144f362b578a2a08dfc0ed896fd8b72365f5bc3e5d32d88902fda7d8 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Feb. 9, 2023, 3:46 p.m. |
Added to db | Nov. 6, 2024, 11:04 a.m. |
Last updated | Nov. 6, 2024, 11:08 a.m. |
Headline | Devil Bait |
Title | Devil Bait |
Detected Hints/Tags/Attributes | 75/3/49 |
Source URLs
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 2 | www.hahae.co.kr |
|
Details | Domain | 372 | wscript.shell |
|
Details | Domain | 3 | xeoskin.co.kr |
|
Details | Domain | 42 | co.kr |
|
Details | Domain | 53 | ncsc.gov.uk |
|
Details | 22 | ncscinfoleg@ncsc.gov.uk |
||
Details | File | 1 | bo-ra.doc |
|
Details | File | 1 | 체불확인원-김보라.doc |
|
Details | File | 57 | data.txt |
|
Details | File | 2126 | cmd.exe |
|
Details | File | 1 | %appdata%\roaming\microsoft\office\version.xml |
|
Details | File | 376 | wscript.exe |
|
Details | File | 5 | version.xml |
|
Details | File | 456 | mshta.exe |
|
Details | File | 1 | %appdata%\microsoft\network\sr011.xml |
|
Details | File | 2 | sr011.xml |
|
Details | File | 226 | certutil.exe |
|
Details | File | 2 | conv.xml |
|
Details | File | 6 | cross.php |
|
Details | File | 88 | 1.txt |
|
Details | File | 24 | report.php |
|
Details | File | 323 | winword.exe |
|
Details | File | 1 | %appdata%\microsoft\office\version.xml |
|
Details | File | 1 | %appdata%\microsoft\network\conv.xml |
|
Details | File | 64 | list.php |
|
Details | File | 29 | show.php |
|
Details | File | 5 | '.xml |
|
Details | md5 | 1 | 631ec884e194a04ac89ae7db34ee2cdc |
|
Details | md5 | 1 | 26c27d19dfc1a3af9b856b1b2299cc5f |
|
Details | sha1 | 1 | 0d686dae87f79713d7382c4976ed796caed5ca2b |
|
Details | sha1 | 1 | f4c03d8d372e29a2409411271ead45742069b70e |
|
Details | sha256 | 1 | fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b |
|
Details | sha256 | 1 | a6f9043627f8be2452153b5dbf6278e9b91763c3b5c2aea537a859e0c8c6b504 |
|
Details | MITRE ATT&CK Techniques | 695 | T1059 |
|
Details | MITRE ATT&CK Techniques | 275 | T1053.005 |
|
Details | MITRE ATT&CK Techniques | 442 | T1071.001 |
|
Details | MITRE ATT&CK Techniques | 422 | T1041 |
|
Details | MITRE ATT&CK Techniques | 57 | T1036.004 |
|
Details | Url | 1 | http://www.hahae.co.kr/new3/isaf/libs/php/suf.hta |
|
Details | Url | 1 | http://xeoskin.co.kr/wp/wp-includes/simplepie/net/cross.php |
|
Details | Url | 1 | http://www.hahae.co.kr/new3/isaf/libs/php/cross.php?op=1&dt=1 |
|
Details | Url | 1 | http://www.hahae.co.kr/new3/isaf/libs/php/report.php |
|
Details | Url | 1 | http://xeoskin.co.kr |
|
Details | Windows Registry Key | 22 | HKCU\Software\Microsoft\Internet |
|
Details | Windows Registry Key | 18 | HKCU\Software\Microsoft\Office |
|
Details | Yara rule | 1 | rule DevilBait_vbscript_2 { /* Second-stage VBScript detector: every listed string must be present ("all of them") and the file must be under 20KB. Each string has nocase but no wide modifier, so only ASCII-encoded text matches; a UTF-16 copy of the script would not fire this rule. */ meta: author = "NCSC" description = "These strings appear in second stage VBScript used by Devil Bait." strings: $ = "WScript.Shell" nocase $ = "Scripting.FileSystemObject" nocase $ = "MSXML2.ServerXMLHTTP.6.0" nocase $ = "FolderExists" nocase $ = "certutil" nocase $ = "vbCrLf" nocase $ = "expandenvironmentstrings" nocase $ = "%appdata%" nocase condition: filesize < 20KB and all of them } |
|
Details | Yara rule | 1 | rule DevilBait_Maldoc { /* Maldoc detector: all four strings must be present, with no filesize cap. The hex string decodes to "Send:Execute(" followed by a 1-6 byte jump and ".responseText)", i.e. the HTTP response body being handed straight to Execute; the jump presumably covers the object variable name between "(" and ".responseText". Unlike DevilBait_vbscript_2, no string here carries nocase, so matching is case-sensitive and ASCII-only. */ meta: author = "NCSC" description = "These strings appear in the Devil Bait malicious document." strings: $word = "MSWordDoc" $ms_xml = "MSXML2.ServerXMLHTTP.6.0" $ = { 53 65 6E 64 3A 45 78 65 63 75 74 65 28 [1-6] 2E 72 65 73 70 6F 6E 73 65 54 65 78 74 29 } $ = "wscript.exe //e:vbscript" condition: all of them } |
|
Details | Yara rule | 1 | rule DevilBait_C2 { /* C2/IoC detector for the second-stage script: requires the sr011.xml filename, at least one of the $must_* strings ("Roller" or ".co.kr"), and at least one of the $c2_* PHP endpoint names. All strings are case-sensitive and ASCII-only (no nocase/wide), and there is no filesize cap, unlike the two vbscript rules. */ meta: author = "NCSC" description = "C2 and IoC strings found in Devil Bait second stage vbscript." strings: $file_1 = "sr011.xml" $must_func = "Roller" $must_C2 = ".co.kr" $c2_1 = "cross.php" $c2_2 = "report.php" $c2_3 = "list.php" $c2_4 = "show.php" condition: $file_1 and any of ($must_*) and any of ($c2_*) } |
|
Details | Yara rule | 1 | rule DevilBait_vbscript_1 { /* First-stage VBScript detector (the script written to disk, e.g. version.xml): files under 10KB containing all four $must* strings plus either "GET" or "POST". The $must* wildcard in the condition covers $must_1 through $must_4. Strings are case-sensitive and ASCII-only (no nocase/wide), so variants that change letter case or are UTF-16 encoded would not match. */ meta: author = "NCSC" description = "This rule identifies the first stage vbscript written to disk e.g. version.xml." strings: $must_1 = "On Error Resume Next:Set" $must_2 = "CreateObject(\"MSXML2.ServerXMLHTTP.6.0\"):" $must_3 = ".Send:Execute(" $must_4 = "http" $get = "GET" $post = "POST" condition: filesize < 10KB and all of ($must*) and ($get or $post) } |