PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater | Deep Instinct
Common Information
UUID: 0543b511-ba0b-4a2c-bfb0-4d2e3c0084d6
Fingerprint: e74899d1e0d3a0b9
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: June 29, 2023, 4 p.m.
Added to db: Aug. 13, 2023, 2:55 a.m.
Last updated: Nov. 17, 2024, 6:56 p.m.
Headline: PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater
Title: PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater | Deep Instinct
Detected Hints/Tags/Attributes: 110/4/98
RSS Feed
Id: 301
Enabled:
Feed title: Deep Instinct Blog: Breaking News and Updates
Url: https://www.deepinstinct.com/blog/feed
Added to db: 2024-08-30 22:08
Attributes
Type (#Events): Value
CVE (140): cve-2023-27350
File (1): phonyc2_v6.zip
File (1): please_run_once.py
File (22): config.py
File (76): main.py
File (1): webserver.py
File (1): commandline.py
File (4): c:\programdata\db.sql
File (4): db.ps1
File (4): c:\programdata\db.ps1
File (13): db.sql
File (1): persist_payload_2022.ps1
File (11): utils.js
File (3): data.sql
File (1): eh.msi
File (1): 9b22685e-f173-4feb-95a4-c63daaf40c58.html
File (1): c:\intel\utils\utils.js
File (1): 562a2ffe-a45a-4318-864b-5942fbd0a859.aspx
File (1): v6.zip
MITRE ATT&CK Technique (442): T1071.001
MITRE ATT&CK Technique (40): T1132.002
MITRE ATT&CK Technique (492): T1105
MITRE ATT&CK Technique (380): T1547.001
MITRE ATT&CK Technique (460): T1059.001
MITRE ATT&CK Technique (94): T1564.001
MITRE ATT&CK Technique (66): T1564.003
MITRE ATT&CK Technique (297): T1070.004
MITRE ATT&CK Technique (550): T1112
Url (1): http://46.249.35.243:443/9b22685e-f173-4feb-95a4-c63daaf40c58.html?x9gftrd6oze=x9gftrd6oz
Url (1): http://172.16.162.1:1337/562a2ffe-a45a-4318-864b-5942fbd0a859.aspx?ly6ede1ktne=ly6ede1ktne
Windows Registry Key (16): HKLM\Software
Windows Registry Key (48): HKLM\Software\Microsoft\Windows\CurrentVersion\Run