New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
Common Information
Type Value
UUID 2ebd4ecb-d017-41aa-b5b8-e244275d9c94
Fingerprint ac19c46961347043
Analysis status DONE
Considered CTI value 2
Text language
Published March 30, 2022, midnight
Added to db Sept. 11, 2022, 12:32 p.m.
Last updated Nov. 17, 2024, 10:40 p.m.
Headline New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
Title New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
Detected Hints/Tags/Attributes 115/3/100
Attributes
Type                    #Events  Indicator
Domain                        3  gnisoft.com
Domain                        5  generic.ac
Domain                        1  vpn2.smi1egate.com
Domain                        1  svn1.smi1egate.com
Domain                        2  giga.gnisoft.com
File                         61  1.bat
File                          2  syn.exe
File                         37  1.dll
File                          6  p.txt
File                          1  %appdata%\newdev.dll
File                          4  newdev.dll
File                       2126  cmd.exe
File                        172  dllhost.exe
File                          1  %appdata%\syn.exe
File                          1  c:\windows\system32\drivers\crtsys.sys
File                          1  crtsys.sys
File                          1  qwerty.exe
File                         79  regedit.exe
File                          5  nsiproxy.sys
File                       1122  svchost.exe
File                         39  winmm.dll
File                        208  setup.exe
File                          1  111.php
File                          1  1dll.php
File                          1  syn.php
sha1                          1  ab3470a45ec0185ca1f31291f69282c4a188a46e
sha1                          1  10de515de5c970385cd946dfda334bc10a7b2d65
sha1                          1  eb231f08cce1de3e0b10b69d597b865a7ebac4b3
sha1                          1  9bcd82563c72e6f72adff76bd8c6940c6037516a
sha1                          1  2a89c5fd0c23b8af622f0e91939b486e9db7faef
sha256                        1  ece45c25d47ba362d542cd0427775e68396bbbd72fef39823826690b82216c69
sha256                        1  517c1baf108461c975e988f3e89d4e95a92a40bd1268cdac385951af791947ba
sha256                        1  a573a413cbb1694d985376788d42ab2b342e6ce94dd1599602b73f5cca695d8f
sha256                        1  9eeec764e77bec58d366c2efc3817ed56371e4b308e94ad04a6d6307f2e12eda
sha256                        1  d005a8cf301819a46ecbb1d1e5db0bf87951808d141ada5e13ffc4b68155a112
sha256                        1  69c69d71a7e334f8ef9d47e7b32d701a0ecd22ce79e0c11dabbc837c9e0fedc2
sha256                        1  dfd2409f2b0f403e82252b48a84ff4d7bc3ebc1392226a9a067adc4791a26ee7
sha256                        1  07c87d036ab5dca9947c20b7eb7d15c9434bb9f125ac564986b33f6c9204ab47
sha256                        1  c0a2a3708516a321ad2fd68400bef6a3b302af54d6533b5cce6c67b4e13b87d3
sha256                        1  f8b581393849be5fc4cea22a9ab6849295d9230a429822ceb4b8ee12b1d24683
sha256                        2  14930488158df5fca4cba80b1089f41dc296e19bebf41e2ff6e5b32770ac0f1e
sha256                        2  a9fa8e8609872cdcea241e3aab726b02b124c82de4c77ad3c3722d7c6b93b9b5
sha256                        2  e92d4e58dfae7c1aadeef42056d5e2e5002814ee3b9b5ab1a48229bf00f3ade6
sha256                        1  855449914f8ecd7371bf9e155f9a97969fee0655db5cf9418583e1d98f1adf14
sha256                        1  a5fd7e68970e79f1a5514630928fde1ef9f2da197a12a57049dece9c7451ed7b
sha256                        1  f5eb8949e39c8d3d70ff654a004bc8388eb0dd13ccb9d9958fd25aee47c1d3ae
sha256                        1  64255ff02e774588995b203d556c9fa9e2c22a978aec02ff7dea372983b47d38
sha256                        1  b598cb6ba7c99dcf6040f7073fe313e648db9dd2f6e71cba89790cc45c8c9026
sha256                        1  2d252c51a29f86032421df82524c6161c7a63876c4dc20faffa47929ec8a9d60
sha256                        1  2de6fb71c1d5ba0cd8d321546c04eaddddbf4a00ce4ef6ca6b7974a2a734a147
sha256                        1  bd5d730bd204abaddc8db55900f307ff62eaf71c0dc30cebad403f7ce2737b5c
sha256                        1  412464b25bf136c3780aff5a5a67d9390a0d6a6f852aea0957263fc41e266c8b
sha256                        1  0d096d983d013897dbe69f3dae54a5f2ada8090b886ab68b74aa18277de03052
sha256                        1  cfba16fa9aa7fdc7b744b2832ef65558d8d9934171f0d6e902e7a423d800b50f
sha256                        1  a71b3f06bf87b40b1559fa1d5a8cc3eab4217f317858bce823dd36302412dabc
sha256                        1  235044f58c801955ed496f8c84712fdb353fdd9b6fda91886262234bdb710614
sha256                        1  e1a51320c982179affb26f417fbbba7e259f819a2721ab9eb0f6d665b6ea1625
sha256                        1  d1be98177f8ae2c64659396277e7d5c8b7dba662867697feb35282149e3f3cbb
sha256                        1  66c3dfcb2cc0dfb60e40115e08fc293276e915c2536de9ed6a374481279b852b
sha256                        1  73640e8984ad5e5d9a1fd3eee39ccb4cc695c9e3f109b2479296d973a5a494b6
sha256                        1  7777bd2bdeff2fd34a745c350659ee24e330b01bcd2ee56d801d5fc2aceb858c
sha256                        1  8bf4e301538805b98bdf09fb73e3e370276a252d132e712eae143ab58899763e
sha256                        1  18b2e1c52d0245824a5bac2182de38efb3f82399b573063703c0a64252a5c949
sha256                        1  d5c1a2ca8d544bedb0d1523db8eeb33f0b065966f451604ff4715f600994bc47
sha256                        1  0939b68af0c8ee28ed66e2d4f7ee6352c06bda336ccc43775fb6be31541c6057
sha256                        1  0595a719e7ffa77f17ac254134dba2c3e47d8c9c3968cda69c59c6b021421645
sha256                        1  7782fdc84772c6c5c505098707ced6a17e74311fd5c2e2622fbc629b4df1d798
sha256                        1  18751e47648e0713345552d47752209cbae50fac07895fc7dd1363bbb089a10b
sha256                        1  e4e4ff9ee61a1d42dbc1ddf9b87223393c5fbb5d3a3b849b4ea7a1ddf8acd87b
sha256                        1  395dbe0f7f90f0ad55e8fb894d19a7cc75305a3d7c159ac6a0929921726069c1
sha256                        1  befc197bceb3bd14f44d86ff41967f4e4c6412604ec67de481a5e226f8be0b37
sha256                        1  1c617fd9dfc068454e94a778f2baec389f534ce0faf786c7e24db7e10093e4fb
sha256                        1  bde7b9832a8b2ed6d33eb33dae7c5222581a0163c1672d348b0444b516690f09
sha256                        1  8b88fe32bd38c3415115592cc028ddaa66dbf3fe024352f9bd16aed60fd5da3e
sha256                        1  ba763935528bdb0cc6d998747a17ae92783e5e8451a16569bc053379b1263385
sha256                        1  9908cb217080085e3467f5cedeef26a10aaa13a1b0c6ce2825a0c4912811d584
sha256                        1  c6bcde5e8185fa9317c17156405c9e2c1f1887d165f81e31e24976411af95722
sha256                        1  3403923f1a151466a81c2c7a1fda617b7fbb43b1b8b0325e26e30ed06b6eb936
IPv4                          2  192.95.36.61
IPv4                          1  104.223.34.198
IPv4                          2  103.224.80.76
MITRE ATT&CK Techniques     542  T1190
MITRE ATT&CK Techniques     174  T1569.002
MITRE ATT&CK Techniques     460  T1059.001
MITRE ATT&CK Techniques     627  T1027
MITRE ATT&CK Techniques     422  T1041
MITRE ATT&CK Techniques    1006  T1082
MITRE ATT&CK Techniques     348  T1036
MITRE ATT&CK Techniques     585  T1083
MITRE ATT&CK Techniques     333  T1059.003
MITRE ATT&CK Techniques      50  T1592
MITRE ATT&CK Techniques      33  T1588.003
MITRE ATT&CK Techniques      41  T1014
MITRE ATT&CK Techniques     227  T1574.002
MITRE ATT&CK Techniques      91  T1620
MITRE ATT&CK Techniques     219  T1113
Url                           1  http://104.223.34.198/111.php
Url                           1  http://104.223.34.198/1dll.php
Url                           1  http://104.223.34.198/syn.php
Url                           1  http://104.223.34.198/p.txt
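The attribute list above is only useful once it is turned into something that can be run over telemetry, so here is a small matcher as an added example; it is not part of this record or of the source report. The indicator values are copied verbatim from the table (the domains with the digit 1 in smi1egate are as printed there; only two of the hashes are included, for brevity). Everything else is this example's own assumption: the event shapes, the folding of a user's AppData\Roaming path back to the %appdata% placeholder the table uses, the rule that hits on bare names of stock Windows binaries (cmd.exe, svchost.exe and friends, which appear in the table with event counts in the thousands) are reported at low confidence rather than as IOC hits, and the sample events, which are constructed.

```python
"""Match constructed sample telemetry against the indicators listed on this page."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Network indicators, copied from the attribute table (all of them).
DOMAINS = {"gnisoft.com", "generic.ac", "vpn2.smi1egate.com",
           "svn1.smi1egate.com", "giga.gnisoft.com"}
IPV4 = {"192.95.36.61", "104.223.34.198", "103.224.80.76"}
URLS = {"http://104.223.34.198/111.php", "http://104.223.34.198/1dll.php",
        "http://104.223.34.198/syn.php", "http://104.223.34.198/p.txt"}
# Two of the file hashes from the table, as a representative subset.
HASHES = {"ab3470a45ec0185ca1f31291f69282c4a188a46e",
          "ece45c25d47ba362d542cd0427775e68396bbbd72fef39823826690b82216c69"}
# Path-qualified file indicators from the table: the location is what makes them useful.
PATHS = {r"%appdata%\newdev.dll", r"%appdata%\syn.exe",
         r"c:\windows\system32\drivers\crtsys.sys"}
# Bare file names from the table that are specific enough to report on their own.
NAMES = {"1.bat", "syn.exe", "1.dll", "p.txt", "newdev.dll", "crtsys.sys",
         "qwerty.exe", "111.php", "1dll.php", "syn.php"}
# Also in the table, but these are stock Windows binaries (editor's assumption about
# how to treat them): a name-only hit is not evidence, so it is reported as low confidence.
WEAK_NAMES = {"cmd.exe", "dllhost.exe", "regedit.exe", "svchost.exe",
              "setup.exe", "winmm.dll", "nsiproxy.sys"}

# %APPDATA% expands to <profile>\AppData\Roaming; fold that prefix back to the
# placeholder the table uses so real paths can be compared with PATHS.
_APPDATA = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\")


@dataclass(frozen=True)
class Match:
    event: int         # index into the event list
    kind: str          # which indicator set fired
    indicator: str     # the matching value from the table
    confidence: str    # "high" for exact IOC hits, "low" for generic file names


def normalize_path(path: str) -> str:
    return _APPDATA.sub(r"%appdata%\\", path.lower().replace("/", "\\"))


def match_host(host: Optional[str]) -> Optional[tuple[str, str]]:
    """Return (kind, indicator) for an IP or (sub)domain hit, else None."""
    if not host:
        return None
    host = host.lower().rstrip(".")
    if host in IPV4:
        return ("ipv4", host)
    # Longest indicator first so giga.gnisoft.com wins over gnisoft.com; the
    # leading dot in the suffix test stops notgnisoft.com matching gnisoft.com.
    for d in sorted(DOMAINS, key=len, reverse=True):
        if host == d or host.endswith("." + d):
            return ("domain", d)
    return None


def scan(events: list[dict]) -> list[Match]:
    hits: list[Match] = []
    for i, ev in enumerate(events):
        if ev["type"] == "dns":
            m = match_host(ev["query"])
            if m:
                hits.append(Match(i, *m, "high"))
        elif ev["type"] == "http":
            url = ev["url"]
            if url in URLS:
                hits.append(Match(i, "url", url, "high"))
            m = match_host(urlsplit(url).hostname)   # host hit even if the URL path differs
            if m:
                hits.append(Match(i, *m, "high"))
        elif ev["type"] in ("file", "process"):
            path = normalize_path(ev["path"])
            name = path.rsplit("\\", 1)[-1]
            if path in PATHS:
                hits.append(Match(i, "path", path, "high"))
            elif name in NAMES:
                hits.append(Match(i, "filename", name, "high"))
            elif name in WEAK_NAMES:
                hits.append(Match(i, "filename", name, "low"))
            h = ev.get("hash", "").lower()           # hashes compare case-insensitively
            if h in HASHES:
                hits.append(Match(i, "sha1" if len(h) == 40 else "sha256", h, "high"))
    return hits


SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"type": "dns", "query": "Giga.GNISOFT.com."},
    {"type": "dns", "query": "notgnisoft.com"},
    {"type": "http", "url": "http://104.223.34.198/p.txt"},
    {"type": "http", "url": "https://vpn2.smi1egate.com/login"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\newdev.dll",
     "hash": "ECE45C25D47BA362D542CD0427775E68396BBBD72FEF39823826690B82216C69"},
    {"type": "process", "path": r"C:\Windows\System32\svchost.exe", "hash": "00" * 32},
]

if __name__ == "__main__":
    for m in scan(SAMPLE_EVENTS):
        print(m)
```

Run as-is it reports seven hits on the six sample events: the subdomain query, the URL and its host IP, the lookalike VPN host, the AppData path together with its hash, and a single low-confidence name hit for svchost.exe; the notgnisoft.com query produces nothing. When loading the full table, keep the split between path-qualified and bare file names: the table's event counts for cmd.exe, svchost.exe and regedit.exe are large precisely because those names occur in almost every report, and a rule that alerts on them alone will page someone for nothing.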