游荡于中巴两国的魅影——响尾蛇(SideWinder) APT组织针对巴基斯坦最近的活动以及2019年该组织的活动总结
Tags
| attack-pattern: | Dns - T1071.004 Dns - T1590.002 Server - T1583.004 Server - T1584.004 |
Common Information
| Type | Value |
|---|---|
| UUID | 307a871f-e387-47c9-8a78-ec1434072362 |
| Fingerprint | aa16296057c125c3 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Feb. 21, 2022, midnight |
| Added to db | April 15, 2023, 12:58 p.m. |
| Last updated | Nov. 17, 2024, 5:55 p.m. |
| Headline | 游荡于中巴两国的魅影——响尾蛇(SideWinder) APT组织针对巴基斯坦最近的活动以及2019年该组织的活动总结 |
| Title | 游荡于中巴两国的魅影——响尾蛇(SideWinder) APT组织针对巴基斯坦最近的活动以及2019年该组织的活动总结 |
| Detected Hints/Tags/Attributes | 21/1/164 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://mp.weixin.qq.com/s/CZrdslzEs4iwlaTzJH7Ubg |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | CVE | 375 | cve-2017-11882 |
|
| Details | Domain | 2 | www.sd1-bin.net |
|
| Details | Domain | 4 | reawk.net |
|
| Details | Domain | 2 | cdn-in.net |
|
| Details | Domain | 2 | msftupdate.srv-cdn.com |
|
| Details | Domain | 4 | www.google.com.d-dns.co |
|
| Details | Domain | 3 | webserv-redir.net |
|
| Details | Domain | 2 | pmo.cdn-load.net |
|
| Details | Domain | 4 | fb-dn.net |
|
| Details | Domain | 3 | cdn-edge.net |
|
| Details | Domain | 3 | ap12.ms-update-server.net |
|
| Details | Domain | 3 | s2.cdn-edge.net |
|
| Details | Domain | 2 | s12.cdn-apn.net |
|
| Details | Domain | 3 | cdn-do.net |
|
| Details | Domain | 3 | cdn-list.net |
|
| Details | Domain | 2 | sd1-bin.net |
|
| Details | Domain | 4 | ap1-acl.net |
|
| Details | Domain | 7 | it.rising.com.cn |
|
| Details | Domain | 20 | www.antiy.cn |
|
| Details | Domain | 41 | www.freebuf.com |
|
| Details | File | 1 | 其主要驱动是mshta.exe |
|
| Details | File | 3 | advocate.docx |
|
| Details | File | 17 | file.rtf |
|
| Details | File | 1 | 再次释放duser.dll |
|
| Details | File | 1 | 并拷贝rekeywiz.exe |
|
| Details | File | 1 | 并执行rekeywiz.exe |
|
| Details | File | 1 | 带起duser.dll |
|
| Details | File | 33 | duser.dll |
|
| Details | File | 1 | 打开advocate.docx |
|
| Details | File | 2 | stinstaller.dll |
|
| Details | File | 2 | c:\windows\syswow64\rekeywiz.exe |
|
| Details | File | 1 | c:\programdata\dnsfiles\rekeywiz.exe |
|
| Details | File | 1 | c:\programdata\dnsfiles\duser.dll |
|
| Details | File | 1 | xxx.tmp |
|
| Details | File | 1 | c:\ c:\programdata\dnsfiles\xxx.tmp |
|
| Details | File | 13 | rekeywiz.exe |
|
| Details | File | 1 | 利用rekeywiz.exe |
|
| Details | File | 1 | 选取.tmp |
|
| Details | File | 4 | systemapp.dll |
|
| Details | File | 1 | 样本所使用的都是write.exe |
|
| Details | File | 1 | 与propsys.dll |
|
| Details | File | 1 | 其中propsys.dll |
|
| Details | File | 1 | 该组织通过使用mshta.exe |
|
| Details | File | 3 | linkzip.dll |
|
| Details | File | 1 | 下载下一阶段的hta文件并用mshta.exe |
|
| Details | File | 1 | mydoc.docx |
|
| Details | File | 1 | 内存加载的dll为prebothta.dll |
|
| Details | File | 8 | cmdl32.exe |
|
| Details | File | 5 | cmpbk32.dll |
|
| Details | File | 19 | credwiz.exe |
|
| Details | File | 21 | write.exe |
|
| Details | File | 17 | propsys.dll |
|
| Details | File | 1 | 在2018年的活动中主要使用cmdl32.exe |
|
| Details | File | 2 | +cmpbk32.dll |
|
| Details | File | 1 | 与credwiz.exe |
|
| Details | File | 2 | +duser.dll |
|
| Details | File | 1 | 在2019年的活动中新增加了wrte.exe |
|
| Details | File | 1 | +propsys.dll |
|
| Details | File | 1 | 与rekeywiz.exe |
|
| Details | File | 2 | 与duser.dll |
|
| Details | File | 1 | 不过其主要是通过使用mshta.exe |
|
| Details | File | 2 | 19639.html |
|
| Details | File | 1 | 20190508.html |
|
| Details | File | 1 | 196788.html |
|
| Details | File | 1 | 19658.html |
|
| Details | File | 1 | 19655.html |
|
| Details | md5 | 1 | 9b1d0537d0734f1ddb53c5567f5d7ab5 |
|
| Details | md5 | 1 | 3ee30a5cac2bef034767e159865683df |
|
| Details | md5 | 1 | 4513f65bdf6976e93aa31b7a37dbb8b6 |
|
| Details | md5 | 1 | ff9d14b83f358a7a5be77af45a10d5a2 |
|
| Details | md5 | 1 | 6162005b9ae5d4a8070bfe5f560b0912 |
|
| Details | md5 | 1 | D2522E45C0B0D83DDDD3FCC51862D48C |
|
| Details | md5 | 1 | 1FE3D9722DB28C2F3291FF176B989C46 |
|
| Details | md5 | 1 | 444438F4CE76156CEC1788392F887DA6 |
|
| Details | md5 | 1 | 3CD725172384297732222EF9C8F74ADC |
|
| Details | md5 | 1 | C0F15436912D8A63DBB7150D95E6A4EE |
|
| Details | md5 | 1 | C986635C40764F10BCEBE280B05EFE8C |
|
| Details | md5 | 1 | D1C3FA000154DBCCD6E5485A10550A29 |
|
| Details | md5 | 1 | B956496C28306C906FDDF08DED1CDF65 |
|
| Details | md5 | 1 | A1CA53EFDA160B31EBF07D8553586264 |
|
| Details | md5 | 1 | 204860CE22C81C6D9DE763C09E989A20 |
|
| Details | md5 | 1 | DE7F526D4F60B59BB1626770F329F984 |
|
| Details | md5 | 1 | 2CB633375A5965F86360E761363D9F2F |
|
| Details | md5 | 1 | 5CD406E886BD9444ADEE4E8B62AA56CC |
|
| Details | md5 | 1 | 358450E19D38DB77C236F45881DCEBEF |
|
| Details | md5 | 1 | 29325CDBDE5E0CF60D277AA2D9BA4537 |
|
| Details | md5 | 1 | 836419A7A4675D51D006D4CB9102AF9C |
|
| Details | md5 | 1 | 16E561159EE145008635C52A931B26C8 |
|
| Details | md5 | 1 | 21CC890116ADCF092D5A112716B6A55F |
|
| Details | md5 | 1 | 62606C6CFF3867A582F9B31B018DFEA5 |
|
| Details | md5 | 1 | 52FA30AC4EDC4C973A0A84F2E93F2432 |
|
| Details | md5 | 1 | CE53ED2A093BBD788D49491851BABFFD |
|
| Details | md5 | 1 | 737F3AD2C727C7B42268BCACD00F8C66 |
|
| Details | md5 | 1 | 2D9655C659970145AB3F2D74BB411C5D |
|
| Details | md5 | 1 | 032D584F6C01CC184BF07CDEC713E74D |
|
| Details | md5 | 1 | FB362FE18C3A0A150754A7A1AB068F1E |
|
| Details | md5 | 1 | 423194B0243870E8C82B35E5298AD7D7 |
|
| Details | md5 | 1 | 81F9EB617A2176FF0E561E34EF9FF503 |
|
| Details | md5 | 1 | 7E23C62A81D2BFB90EF73047E170DEA8 |
|
| Details | md5 | 1 | 58B5A823C2D3812A66BBF4A1EBC497D3 |
|
| Details | md5 | 1 | 5E98EA66670FA34BF67054FB8A41979C |
|
| Details | md5 | 1 | 8DA5206BACACD5C8B316C910E214257F |
|
| Details | md5 | 1 | 65F66BC372EA1F372A8735E9862095DA |
|
| Details | md5 | 1 | 361DFD8F299DD80546BCE71D156BC78E |
|
| Details | md5 | 1 | 1B11A5DD12BB6EC1A0655836D97F9DD7 |
|
| Details | md5 | 1 | 9B1D0537D0734F1DDB53C5567F5D7AB5 |
|
| Details | md5 | 1 | 3EE30A5CAC2BEF034767E159865683DF |
|
| Details | md5 | 1 | 4513F65BDF6976E93AA31B7A37DBB8B6 |
|
| Details | md5 | 1 | FF9D14B83F358A7A5BE77AF45A10D5A2 |
|
| Details | sha1 | 1 | e127a783870701cdd20a7fc750cad4dae775d362 |
|
| Details | sha1 | 1 | c29a1fd54f9f961211e9cd987f90bd8eb0932e45 |
|
| Details | sha1 | 1 | 73ae6cd3913bcfb11d9e84770f532f2490ddef6c |
|
| Details | sha1 | 1 | 612b239ce0ebaf6de6ee8eff1fb2fa2f3831ebd2 |
|
| Details | sha1 | 1 | b4928e4c3a8787e0461e2e78138091134c7f719a |
|
| Details | sha256 | 2 | f1cdd47f7a2502902d15adf3ac79c0f86348ba09f4a482ab9108ad98258edb55 |
|
| Details | sha256 | 1 | f08ccc040c8d8db60f30a6d1026aa6523e97c6cf52b1b30f083a830a0a65a3a9 |
|
| Details | sha256 | 1 | 054a029b378b8bbf5ea3f814a737e9c3b43e124995d05d7dac45a87502bf2f62 |
|
| Details | sha256 | 1 | 920197f502875461186a9d9fbf5a108f7c13677bbdeae129fbc3f535ace27a6f |
|
| Details | sha256 | 1 | d8aa512b03a5fc451f9b7bc181d842936798d5facf1b20a2d91d8fdd82aa28b7 |
|
| Details | Threat Actor Identifier by Tencent | 27 | T-APT-04 |
|
| Details | Url | 1 | https://www.sd1-bin.net/images/2b717e98/-1/12571/4c7947ec/main.file.rtf |
|
| Details | Url | 1 | https://reawk.net/202/oazbrgt9az6rhlmsewsofykwni7feebxdgvnvwzp/-1/12571/10255afc |
|
| Details | Url | 1 | http://cdn-in.net/includes/b7199e61/-1/7384/35955a61/final |
|
| Details | Url | 1 | http://cdn-in.net/plugins/-1/7384/true/true |
|
| Details | Url | 2 | https://msftupdate.srv-cdn.com/cdne/plds/zoxr4yr5kv.hta |
|
| Details | Url | 2 | https://msftupdate.srv-cdn.com/fin.hta |
|
| Details | Url | 3 | http://www.google.com.d-dns.co/includes/686a0ea5/-1/1223/da897db0/final.hta |
|
| Details | Url | 2 | http://webserv-redir.net/includes/b7199e61/-1/5272/fdbfcfc1/final |
|
| Details | Url | 2 | http://pmo.cdn-load.net/cgi/5ed0655734/-1/1078/d70cc726/file.hta |
|
| Details | Url | 3 | http://fb-dn.net/disrt/fin.hta |
|
| Details | Url | 2 | http://cdn-edge.net/checkout.php |
|
| Details | Url | 2 | http://cdn-edge.net/cart.php |
|
| Details | Url | 2 | http://cdn-edge.net/amount.php |
|
| Details | Url | 3 | http://ap12.ms-update-server.net/checkout.php |
|
| Details | Url | 3 | http://ap12.ms-update-server.net/cart.php |
|
| Details | Url | 3 | http://ap12.ms-update-server.net/amount.php |
|
| Details | Url | 3 | http://s2.cdn-edge.net/checkout.php |
|
| Details | Url | 3 | http://s2.cdn-edge.net/cart.phpb |
|
| Details | Url | 3 | http://s2.cdn-edge.net/amount.php |
|
| Details | Url | 2 | http://webserv-redir.net/plugins/-1/5272/true/true |
|
| Details | Url | 2 | http://webserv-redir.net/plugins/-1/5272/true/true/done |
|
| Details | Url | 2 | http://s12.cdn-apn.net/checkout.php |
|
| Details | Url | 2 | http://s12.cdn-apn.net/cart.php |
|
| Details | Url | 2 | http://s12.cdn-apn.net/amount.php |
|
| Details | Url | 2 | http://cdn-do.net/plugins/-1/7340/true/true |
|
| Details | Url | 2 | http://cdn-list.net/komjg2xsthl3prhxnb6xt6wo967b1n5ugf7sfibc/-1/7340/b729d30c/css |
|
| Details | Url | 1 | http://cdn-list.net/1sdymurbdafpgst3gv13u8jca6qovi4i2fa1zsct/-1/7384/134/7e711ada/res/css/1 |
|
| Details | Url | 1 | http://cdn-list.net/1sdymurbdafpgst3gv13u8jca6qovi4i2fa1zsct/-1/7384/134/7e711ada/res/css/2 |
|
| Details | Url | 1 | http://cdn-list.net/1sdymurbdafpgst3gv13u8jca6qovi4i2fa1zsct/-1/7384/134/7e711ada/res/css/3 |
|
| Details | Url | 1 | http://cdn-list.net/1sdymurbdafpgst3gv13u8jca6qovi4i2fa1zsct/-1/7384/134/7e711ada/res/css/v4.0.30319 |
|
| Details | Url | 1 | http://cdn-list.net/1sdymurbdafpgst3gv13u8jca6qovi4i2fa1zsct/-1/7384/134/7e711ada/res/css/4 |
|
| Details | Url | 1 | http://cdn-list.net/1sdymurbdafpgst3gv13u8jca6qovi4i2fa1zsct/-1/7384/134/7e711ada/res/css/5 |
|
| Details | Url | 1 | http://cdn-list.net/1sdymurbdafpgst3gv13u8jca6qovi4i2fa1zsct/-1/7384/134/7e711ada/res/css/6 |
|
| Details | Url | 1 | http://cdn-list.net/1sdymurbdafpgst3gv13u8jca6qovi4i2fa1zsct/-1/7384/134/7e711ada/res/css/7 |
|
| Details | Url | 1 | http://cdn-list.net/1sdymurbdafpgst3gv13u8jca6qovi4i2fa1zsct/-1/7384/134/7e711ada/res/css/8 |
|
| Details | Url | 1 | http://cdn-list.net/1sdymurbdafpgst3gv13u8jca6qovi4i2fa1zsct/-1/7384/134/7e711ada/res/css/9 |
|
| Details | Url | 1 | http://cdn-list.net/1sdymurbdafpgst3gv13u8jca6qovi4i2fa1zsct/-1/7384/134/7e711ada/res/css/10 |
|
| Details | Url | 1 | http://cdn-list.net/1sdymurbdafpgst3gv13u8jca6qovi4i2fa1zsct/-1/7384/134/7e711ada/res/css |
|
| Details | Url | 1 | https://cdn-list.net/1sdymurbdafpgst3gv13u8jca6qovi4i2fa1zsct/-1/7384/43e2a8fa/css |
|
| Details | Url | 2 | http://it.rising.com.cn/dongtai/19639.html |
|
| Details | Url | 1 | https://www.antiy.cn/research/notice&report/research_report/20190508.html |
|
| Details | Url | 1 | https://www.freebuf.com/articles/network/196788.html |
|
| Details | Url | 1 | http://it.rising.com.cn/dongtai/19658.html |
|
| Details | Url | 1 | http://it.rising.com.cn/dongtai/19655.html |