威胁情报 | DarkHotel APT 组织 Observer 木马攻击分析
Tags
| attack-pattern: | Vulnerabilities - T1588.006 |
Common Information
| Type | Value |
|---|---|
| UUID | 1d9470c5-ee43-48ef-8670-2262450d7ef0 |
| Fingerprint | 13edf86427f4f497 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | June 20, 2024, midnight |
| Added to db | Sept. 10, 2024, 4:53 p.m. |
| Last updated | Nov. 12, 2024, 7:58 a.m. |
| Headline | 威胁情报 | DarkHotel APT 组织 Observer 木马攻击分析 |
| Title | 威胁情报 | DarkHotel APT 组织 Observer 木马攻击分析 |
| Detected Hints/Tags/Attributes | 6/1/39 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Redirection | https://cn-sec.com/?p=3151071 |
| Details | Source | https://cn-sec.com/archives/3151071.html |
URL Provider
RSS Feed
| Details | Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|---|
| Details | 483 | ✔ | CN-SEC 中文网 | https://cn-sec.com/feed/ | 2024-08-30 22:08 |
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 78 | bitbucket.org |
|
| Details | Domain | 14 | statcounter.com |
|
| Details | File | 2 | 滥用合法的windows的照片库查看器组件shimgvw.dll |
|
| Details | File | 2 | 从远程服务器上下载文件zetaq.txt |
|
| Details | File | 3 | 滥用合法系统程序pcalua.exe |
|
| Details | File | 2 | 利用该com组件执行securebootuefi.dat |
|
| Details | File | 2 | securebootuefi.dat |
|
| Details | File | 2 | 在securebootuefi.dat |
|
| Details | File | 2 | %userprofile%appdatalocalmicrosoftwindowsshellsample.tmp |
|
| Details | File | 2 | 将sample.tmp |
|
| Details | File | 2 | %userprofile%appdatalocalmicrosoftwindowsshellservice.dat |
|
| Details | File | 3 | 从远程服务器上下载文件eqlist.txt |
|
| Details | File | 3 | 和mylink.tmp |
|
| Details | File | 1 | 其中eqlist.txt |
|
| Details | File | 3 | mylink.tmp |
|
| Details | File | 3 | da分别重命名为crypt86.dat |
|
| Details | File | 4 | 和profapii.dat |
|
| Details | File | 3 | 利用该com组件执行crypt86.dat |
|
| Details | File | 3 | crypt86.dat |
|
| Details | File | 2 | 的主要功能是下载数据并使用profapii.dat |
|
| Details | File | 4 | 2.cab |
|
| Details | File | 2 | profapii.dat |
|
| Details | File | 3 | 例如类型3种的crypt86.dat |
|
| Details | md5 | 2 | 8620a8a3f75b8b63766bd0f489f33d6a |
|
| Details | md5 | 2 | dd2f326bac70baca94eb655bdfae175d |
|
| Details | md5 | 2 | 445a84e3216da14b73dbe52aeb63e710 |
|
| Details | md5 | 2 | 030a68e321dec0e77b4698fccc5d54db |
|
| Details | md5 | 2 | 18fdde4bf8d3a369514b0bc8ddcf35dc |
|
| Details | md5 | 2 | ccf49ea51585ae38fb510b0fa52aec08 |
|
| Details | md5 | 2 | 7e20f52d4e7074663d9f9a252b59a2d6 |
|
| Details | IPv4 | 7 | 2.2.1.1 |
|
| Details | IPv4 | 8 | 2.2.3.1 |
|
| Details | IPv4 | 6 | 2.2.3.2 |
|
| Details | Pdb | 2 | 0_dll1.pdb |
|
| Details | Threat Actor Identifier - APT-Q | 15 | APT-Q-12 |
|
| Details | Url | 2 | https://bitbucket.org/whekacjj/whekacjj/downloads |
|
| Details | Url | 2 | https://c.statcounter.com/12959673/0/7901c79c/1 |
|
| Details | Url | 2 | http://82.xx/list/2.cab |
|
| Details | Url | 5 | https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office |