HotPage: Story of a signed, vulnerable, ad-injecting driver
Tags
cmtmf-attack-pattern: Application Layer Protocol; Code Injection; Data Manipulation; Obfuscated Files Or Information; Obtain Capabilities; Process Injection
attack-pattern: Data Models; Application Layer Protocol - T1437; Asynchronous Procedure Call - T1055.004; Code Injection - T1540; Code Signing - T1553.002; Code Signing Certificates - T1587.002; Code Signing Certificates - T1588.003; Data Manipulation - T1641; Data Manipulation - T1565; Dns - T1071.004; Dns - T1590.002; Domains - T1583.001; Domains - T1584.001; Dynamic-Link Library Injection - T1055.001; Embedded Payloads - T1027.009; Encrypted Channel - T1521; Encrypted Channel - T1573; File Deletion - T1070.004; File Deletion - T1630.002; Hijack Execution Flow - T1625; Hijack Execution Flow - T1574; Hooking - T1617; Ip Addresses - T1590.005; Kernelcallbacktable - T1574.013; Malicious File - T1204.002; Malware - T1587.001; Malware - T1588.001; Obfuscated Files Or Information - T1406; Obtain Capabilities - T1588; Process Injection - T1631; Python - T1059.006; Search Engines - T1593.002; Server - T1583.004; Server - T1584.004; Service Execution - T1569.002; Software - T1592.002; Software Packing - T1027.002; Software Packing - T1406.002; Subvert Trust Controls - T1632; Subvert Trust Controls - T1553; Symmetric Cryptography - T1521.001; Symmetric Cryptography - T1573.001; System Services - T1569; Web Protocols - T1071.001; Web Protocols - T1437.001; Transmitted Data Manipulation - T1493; Transmitted Data Manipulation - T1565.002; Vulnerabilities - T1588.006; Transmitted Data Manipulation - T1641.001; Standard Application Layer Protocol - T1071; Man In The Browser - T1185; Code Signing - T1116; Deobfuscate/Decode Files Or Information - T1140; File Deletion - T1107; Hooking - T1179; Hypervisor - T1062; Indicator Removal On Host - T1070; Obfuscated Files Or Information - T1027; Process Injection - T1055; Service Execution - T1035; Software Packing - T1045; System Owner/User Discovery - T1033; User Execution - T1204; Hooking; User Execution
Common Information
UUID: 465a53bf-b3dc-465f-86b6-d275566c0d6c
Fingerprint: 9d04d953e837b2c5
Analysis status: DONE
Considered CTI value: 1
Text language:
Published: July 18, 2024, midnight
Added to db: Aug. 30, 2024, 11:41 p.m.
Last updated: Nov. 17, 2024, 6:49 p.m.
Headline: HotPage: Story of a signed, vulnerable, ad-injecting driver
Title: HotPage: Story of a signed, vulnerable, ad-injecting driver
Detected Hints/Tags/Attributes: 136/2/26
RSS Feed
Id: 33; Feed title: WeLiveSecurity; Url: https://blog.eset.com/feed; Added to db: 2024-08-30 22:08
Attributes
Type | #Events | Value
Domain | 1 | mail.io
Domain | 1 | dwadsafe.com
Domain | 1 | www.dwadsafe.com
Domain | 1 | www.hao774.com
Domain | 4 | 2345.com
Domain | 1 | www.5zy.cn
Domain | 114 | eset.com
Domain | 1 | nnijs-f-9-9-1.nycpqx.top
Domain | 1 | tmrr-s-f-9-9-1.vosdzxhbv.top
Email | 1 | dwadsafe@mail.io
Email | 69 | threatintel@eset.com
File | 1 | hotpage.exe
File | 1 | reg.html
File | 82 | kernelbase.dll
File | 9 | msedge.dll
sha1 | 1 | 744ffc3d8ece37898a0559b62cc9f814006a1218
sha1 | 1 | 941f0d2d4589fb8adf224c8969f74633267b2561
IPv4 | 56 | 1.3.6.1
IPv4 | 3 | 11.2.1.12
IPv4 | 1441 | 127.0.0.1
IPv4 | 1 | 61.147.93.49
IPv4 | 1 | 140.210.24.33
IPv4 | 1 | 202.189.5.222
Url | 1 | https://www.dwadsafe.com/login/reg.html
Url | 1 | https://www.hao774.com/?90386
Windows Registry Key | 1 | HKCU\Software\360chrome\Homepage

Note on the extracted values: these are automatically extracted attributes, not a curated indicator list, and several of them are not indicators of the threat. 127.0.0.1 is the loopback address; 1.3.6.1 is the iso.org.dod.internet OID arc (an ASN.1/X.509 prefix such as appears in certificate extensions, not a host); eset.com and threatintel@eset.com belong to the reporting vendor; kernelbase.dll and msedge.dll are the names of legitimate Windows and Edge binaries and identify nothing on their own without a path or a hash. The high event counts on exactly those rows reflect how often they recur across unrelated entries. The remaining domains, addresses, hashes, file name, URLs and the registry key are the values worth checking against telemetry, with the two sha1 values as the only unambiguous ones.
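As an added example (not code from the ESET report or from the feed that produced this page), the following script triages the attribute table above before anyone pastes it into a blocklist, then dry-runs the survivors against a few constructed log lines. The rules are simple and explicit: drop the loopback and other non-routable addresses, drop the OID arc 1.3.6.1 that the IPv4 extractor picked up, drop the publisher's own domain and mailbox, and downgrade anything seen across many entries. The "#Events" column is read as the number of corpus entries an attribute occurs in, and the threshold of 5 is a tuning assumption; both are mine, not the feed's documented semantics. The log lines are constructed for the example.

```python
import ipaddress
import re

# Attribute table as listed on this page: (type, number of events, value).
# "#Events" is read here as the number of corpus entries the attribute
# occurs in; that reading is an assumption about the feed's schema.
PAGE_ATTRIBUTES = [
    ("Domain", 1, "mail.io"),
    ("Domain", 1, "dwadsafe.com"),
    ("Domain", 1, "www.dwadsafe.com"),
    ("Domain", 1, "www.hao774.com"),
    ("Domain", 4, "2345.com"),
    ("Domain", 1, "www.5zy.cn"),
    ("Domain", 114, "eset.com"),
    ("Domain", 1, "nnijs-f-9-9-1.nycpqx.top"),
    ("Domain", 1, "tmrr-s-f-9-9-1.vosdzxhbv.top"),
    ("Email", 1, "dwadsafe@mail.io"),
    ("Email", 69, "threatintel@eset.com"),
    ("File", 1, "hotpage.exe"),
    ("File", 1, "reg.html"),
    ("File", 82, "kernelbase.dll"),
    ("File", 9, "msedge.dll"),
    ("sha1", 1, "744ffc3d8ece37898a0559b62cc9f814006a1218"),
    ("sha1", 1, "941f0d2d4589fb8adf224c8969f74633267b2561"),
    ("IPv4", 56, "1.3.6.1"),
    ("IPv4", 3, "11.2.1.12"),
    ("IPv4", 1441, "127.0.0.1"),
    ("IPv4", 1, "61.147.93.49"),
    ("IPv4", 1, "140.210.24.33"),
    ("IPv4", 1, "202.189.5.222"),
    ("Url", 1, "https://www.dwadsafe.com/login/reg.html"),
    ("Url", 1, "https://www.hao774.com/?90386"),
    ("Windows Registry Key", 1, r"HKCU\Software\360chrome\Homepage"),
]

PUBLISHER_DOMAIN = "eset.com"   # the reporting vendor, not the adversary
NOISE_THRESHOLD = 5             # assumed cut-off: seen this often = generic
OID_ARC = re.compile(r"^1\.3\.6\.1(\.\d+)*$")  # iso.org.dod.internet OID prefix


def triage(attributes=PAGE_ATTRIBUTES, threshold=NOISE_THRESHOLD):
    """Map each value to a verdict: 'use', 'weak: ...' or 'skip: ...'."""
    verdicts = {}
    for kind, events, value in attributes:
        if kind == "IPv4":
            if OID_ARC.match(value):
                verdicts[value] = "skip: OID arc, not an address"
                continue
            if not ipaddress.ip_address(value).is_global:
                verdicts[value] = "skip: non-routable address"
                continue
        if kind in ("Domain", "Email") and (
            value == PUBLISHER_DOMAIN
            or value.endswith(("." + PUBLISHER_DOMAIN, "@" + PUBLISHER_DOMAIN))
        ):
            verdicts[value] = "skip: publisher's own infrastructure"
            continue
        if events >= threshold:
            # Shared with many other entries: a common library name, a
            # generic address, or a vendor contact. Not worth blocking on.
            verdicts[value] = f"weak: seen in {events} entries"
            continue
        verdicts[value] = "use"
    return verdicts


def watchlist(attributes=PAGE_ATTRIBUTES):
    """Values that survived triage, ready for matching."""
    return {v for v, verdict in triage(attributes).items() if verdict == "use"}


def scan(log_text, watch=None):
    """Case-insensitive substring match of watchlist values against log lines.
    Returns sorted (line_number, value) pairs. A bare domain also fires on its
    subdomains and on URLs that embed it, which is what you want when hunting."""
    watch = watchlist() if watch is None else watch
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        lowered = line.lower()
        hits.extend((lineno, v) for v in watch if v.lower() in lowered)
    return sorted(hits)


# Constructed sample telemetry for a dry run; none of it comes from the report.
SAMPLE_LOG = """\
dns client=10.0.0.5 query=www.dwadsafe.com type=A
dns client=10.0.0.5 query=www.eset.com type=A
proc host=WS01 image=C:\\Temp\\hotpage.exe sha1=744ffc3d8ece37898a0559b62cc9f814006a1218
reg host=WS01 op=SetValue key=HKCU\\Software\\360chrome\\Homepage data=https://www.hao774.com/?90386
dns client=10.0.0.7 query=update.example.net type=A
"""

if __name__ == "__main__":
    for value, verdict in triage().items():
        if verdict != "use":
            print(f"{verdict:40} {value}")
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: {value}")
```

Run as-is it lists the values it refuses to use (the loopback address, the OID arc, the vendor's domain and mailbox, the two common DLL names) and then reports that the constructed DNS line, the process line and the registry line hit, while the query for www.eset.com does not. Substring matching is deliberately naive: it is enough for a hunt over exported logs, but a domain such as 2345.com or a file name such as reg.html will also match unrelated strings, so confirm hits with the hash or the full URL before acting on them.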