ioc[.]one - OSINT Cyber Threat Intelligence Database

Shamoon 2: Return of the Disttrack Wiper

Tags

country:	Argentina Iran Saudi Arabia
maec-delivery-vectors:	Watering Hole
attack-pattern:	Data Direct Credentials - T1589.001 Data Destruction - T1662 Data Destruction - T1485 Ip Addresses - T1590.005 Malware - T1587.001 Malware - T1588.001 Scheduled Task - T1053.005 Server - T1583.004 Server - T1584.004 Software - T1592.002 Tool - T1588.002 Vulnerabilities - T1588.006 Brute Force - T1110 Scheduled Task - T1053 Data Destruction

Show in Graph

Common Information

Type	Value
UUID	385f565d-75ce-4ed5-9ed5-8ab32fa81d1a
Fingerprint	a505b95a252b8381
Analysis status	DONE
Considered CTI value	2
Text language
Published	Nov. 30, 2016, 3:20 p.m.
Added to db	Sept. 26, 2022, 9:30 a.m.
Last updated	Nov. 12, 2024, 11:37 p.m.
Headline	Shamoon 2: Return of the Disttrack Wiper
Title	Shamoon 2: Return of the Disttrack Wiper
Detected Hints/Tags/Attributes	65/3/17

Source URLs

	Redirection	Url
Details	Source	http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/
Details	Source	http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412
Details	Source	https://unit42.paloaltonetworks.com/unit42-shamoon-2-return-disttrack-wiper/

URL Provider

Details	Provider	Source level domain
Details	paloaltonetworks.com	unit42.paloaltonetworks.com
Details	paloaltonetworks.com	researchcenter.paloaltonetworks.com

Attributes

Details	Type	#Events	CTI	Value
Details	File	165		csrss.exe
Details	File	4		ntssrvr32.exe
Details	File	3		netinit.exe
Details	File	20		page.php
Details	File	2		c:\windows\system32\drivers\drdisk.sys
Details	File	5		drdisk.sys
Details	sha256	4		4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6
Details	sha256	5		47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34
Details	sha256	5		394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b
Details	sha256	4		772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5
Details	sha256	4		61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842
Details	sha256	7		c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a
Details	sha256	5		128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd
Details	sha256	3		5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a
Details	IPv4	198		1.1.1.1
Details	Windows Registry Key	1		HKLM\SYSTEM\CurrentControlSet\Control\FirmwareBootDevice
Details	Windows Registry Key	1		HKLM\SYSTEM\CurrentControlSet\Control\SystemBootDevice