UNKNOWN
Tags
Common Information
Type | Value
UUID | 4403ecd6-1431-45cc-967b-2c9f0a39bc18
Fingerprint | a3f1684f77cc2ff2
Analysis status | IN_PROGRESS
Considered CTI value | 0
Text language |
Published | None
Added to db | Dec. 19, 2024, 10:25 p.m.
Last updated | Dec. 22, 2024, 6:33 p.m.
Headline | UNKNOWN
Title | UNKNOWN
Detected Hints/Tags/Attributes | 31/0/60
Source URLs
Attributes
Type | #Events | CTI Value
Domain | 16 | content.dropboxapi.com
Domain | 2 | driveshoster.com
Domain | 4 | disknxt.com
Domain | 4689 | github.com
Domain | 201 | readme.md
Domain | 6752 | 163.com
File | 1 | The URL in the email body lures the target into downloading a .zip
File | 1 | or .iso
File | 1 | On the infected system we found a file named oclean.dll
File | 1 | This DLL file is loaded by the legitimate Microsoft application offcln.exe
File | 1 | When offcln.exe is executed
File | 1 | it loads oclean.dll from the same directory
File | 1 | mirrorkey looks in the same directory for dwintl.dll, a Microsoft-signed DLL file that contains no malicious code
File | 3 | dwintl.dll
File | 1 | The decrypted payload is a file named filetrandll.dll
File | 1 | can record the file's modification date in a .ini
File | 1 | this .ini
File | 1 | The mirrorkey variant observed in this case is named gtn.dll on the infected system
File | 1 | This time it abuses the legitimate Google application googletoolbarnotifier.exe present in the same directory
File | 1 | It searches for espui.dll in the same directory
File | 1 | The decrypted payload is a file named loadplgfromremote.dll
File | 1 | %windir%\syswow64\cttune.exe
File | 1 | %localappdata%\nvidia\cctune.exe
File | 5 | gtn.dll
File | 1 | %localappdata%\nvidia\dwrite.dll
File | 3 | espui.dll
File | 1 | %localappdata%\nvidia\espui.dll
File | 1 | %windir%\syswow64\migration\tabletextservicemig.dll
File | 1 | %windir%\syswow64\migration\msctfmig.dll
File | 1 | %windir%\syswow64\migration\wmimigrationplugin.dll
File | 1 | %windir%\syswow64\migration\imjpmig.dll
File | 1 | %windir%\syswow64\migration\imkmig.dll
File | 1 | %windir%\syswow64\migration\tssysprep.dll
File | 1 | %windir%\syswow64\migration\cosetup.dll
File | 47 | msvcr100.dll
File | 1 | but loads wwlib.dll from the same directory
File | 1 | The first DLL file loaded is wwlib.dll
File | 1 | used to load wordcnv.dll from the same directory
File | 3 | wordcnv.dll
File | 1 | the file names are igfxxe.exe
File | 1 | and igfx.dll
File | 1 | %appdata%\microsoft\intel\igfxxe.exe
File | 1 | %appdata%\microsoft\intel\igfx.dll
File | 1 | need to examine igfxxe.exe
File | 3 | igfxxe.exe
File | 1 | is the legitimate Intel application gfxdownloadwrapper.exe
File | 1 | igfx.dll on the command line
File | 96 | 1.txt
File | 1 | invitation-to-secret-event-uncovering-earth-yako-campaigns.html
sha256 | 3 | f38c367e6e4e7f6e20fa7a3ce0d8501277f5027f93e46761e72c36ec709f4304
sha256 | 4 | bdc15b09b78093a1a5503a1a7bfb487f7ef4ca2cb8b4d1d1bdf9a54cdc87fae4
IPv4 | 3 | 45.32.13.214
Mandiant Uncategorized Groups | 109 | UNC2452
Threat Actor Identifier - APT | 806 | APT29
Url | 1 | https://content.dropboxapi.com/2/files/upload, specifying a dropbox
Url | 1 | https://content.dropboxapi.com/2/files/upload sends HTTP
Url | 1 | https://content.dropboxapi.com/2/files/download sends HTTP
Url | 3 | https://github.com/lettermaker/topsuggestions/blob/main/readme.md
Url | 3 | http://45.32.13.214/readme_v1.1.txt
Url | 1 | https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html