Detailed analysis of an attack sample that spreads malware via an MSIX installer package | CTF导航
Tags
Common Information
Type Value
UUID 05f44615-0f0f-4134-a50d-6e682672328f
Fingerprint fbad83cbbe54da36
Analysis status DONE
Considered CTI value -2
Text language
Published Oct. 1, 2024, midnight
Added to db Oct. 28, 2024, 2:11 a.m.
Last updated Nov. 16, 2024, 11:18 a.m.
Headline Detailed analysis of an attack sample that spreads malware via an MSIX installer package
Title Detailed analysis of an attack sample that spreads malware via an MSIX installer package | CTF导航
Detected Hints/Tags/Attributes 5/0/27
Source URLs
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 426 CTF导航 https://www.ctfiot.com/feed 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 83
xz.aliyun.com
Details File 8
1.msi
Details File 2
which calls and executes startingscriptwrapper.ps1
Details File 2
then executes refresh.ps1
Details File 2
the MSIX package first changes the application entry point in appxmanifest.xml
Details File 2
then calls and executes startingscriptwrapper.ps1
Details File 2
reads config.json
Details File 3
8.config
Details File 2
calls and executes refresh.ps1
Details File 2
refresh.ps1
Details File 2
inspects config.json
Details File 2
the MSIX package calls new_raw.ps1 from its own directory
Details File 2
and, via gpg.exe,
Details File 2
launches vboxsvc.exe
Details File 2
uses the "white + black" technique (a signed binary sideloading a malicious DLL) to load tedutil.dll from the same directory
Details File 2
the malicious module reads tsunami.avi
Details File 2
loads the system pla.dll via LoadLibrary
Details File 2
with pla.dll
Details File 3
modifies pla.dll
Details File 2
writes the malicious code into pla.txt
Details File 2
restores pla.txt
Details File 2
jumps to pla.txt
Details File 4
launches cmd.exe
Details File 2
overwrites pla.dll
Details File 1
c:\users\administrator\appdata\roaming\verge\wallets\  c:\users\administrator\appdata\roaming\exodus\exodus.wallet
Details Url 1
https://xz.aliyun.com/t/14111 (Xianzhi Community)
Details Url 2
https://xz.aliyun.com/t/14111