Andariel evolves to target South Korea with ransomware
Tags
cmtmf-attack-pattern: Acquire Infrastructure; Application Layer Protocol; Command And Scripting Interpreter; Compromise Infrastructure; Masquerading; Obfuscated Files Or Information; System Network Connections Discovery
country: South Korea
maec-delivery-vectors: Watering Hole
attack-pattern: Acquire Infrastructure Data Acquire Infrastructure - T1583; Application Layer Protocol - T1437; Command And Scripting Interpreter - T1623; Compromise Infrastructure - T1584; Data Encrypted For Impact - T1471; Data Encrypted For Impact - T1486; Encrypted Channel - T1521; Encrypted Channel - T1573; Exfiltration Over C2 Channel - T1646; Javascript - T1059.007; System Network Connections Discovery - T1421; Malicious File - T1204.002; Malware - T1587.001; Malware - T1588.001; Masquerading - T1655; Match Legitimate Name Or Location - T1036.005; Match Legitimate Name Or Location - T1655.001; Obfuscated Files Or Information - T1406; Process Discovery - T1424; Mshta - T1218.005; Phishing - T1660; Phishing - T1566; Rundll32 - T1218.011; Screen Capture - T1513; Software - T1592.002; Spearphishing Attachment - T1566.001; Spearphishing Attachment - T1598.002; Steganography - T1001.002; Steganography - T1406.001; Steganography - T1027.003; Symmetric Cryptography - T1521.001; Symmetric Cryptography - T1573.001; System Checks - T1633.001; System Checks - T1497.001; Web Protocols - T1071.001; Web Protocols - T1437.001; Virtualization/Sandbox Evasion - T1497; Virtual Private Server - T1583.003; Web Services - T1583.006; Virtual Private Server - T1584.003; Web Services - T1584.006; Tool - T1588.002; Virtualization/Sandbox Evasion - T1633; Standard Application Layer Protocol - T1071; Command-Line Interface - T1059; Exfiltration Over Command And Control Channel - T1041; Masquerading - T1036; Mshta - T1170; Standard Non-Application Layer Protocol - T1095; Obfuscated Files Or Information - T1027; Process Discovery - T1057; Rundll32 - T1085; Screen Capture - T1113; Spearphishing Attachment - T1193; System Network Connections Discovery - T1049; User Execution - T1204; Masquerading; Screen Capture; Spearphishing Attachment; User Execution
Common Information
UUID: 4c54b6b9-518d-45da-b0b0-49c9feea4008
Fingerprint: ac2a8992adafadb0
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: June 15, 2021, 12:40 p.m.
Added to db: Sept. 11, 2022, 12:33 p.m.
Last updated: Nov. 17, 2024, 10:40 p.m.
Headline: Andariel evolves to target South Korea with ransomware
Title: Andariel evolves to target South Korea with ransomware
Detected Hints/Tags/Attributes: 135/4/126