Exposing EITest campaign – Malware Traffic Analysis
Common Information
Type Value
UUID 2223bf6a-4769-4cf4-8fb1-8c1a27faf61a
Fingerprint ae401951297626af
Analysis status DONE
Considered CTI value 2
Text language
Published Jan. 30, 2017, 2:22 p.m.
Added to db Feb. 17, 2023, 9:32 p.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline Malware Traffic Analysis
Title Exposing EITest campaign – Malware Traffic Analysis
Detected Hints/Tags/Attributes 136/3/139
Attributes
Details Type #Events CTI Value
Details CVE 6
cve-2016-8870
Details CVE 6
cve-2016-8869
Details CVE 36
cve-2013-2551
Details CVE 24
cve-2015-5122
Details Windows Registry Key 2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE