Attack weaponry upgraded again: analysis of the Donot group's attack campaign using forged-signature samples (攻击武器再升级:Donot组织利用伪造签名样本的攻击活动分析)
Tags
Common Information
Type Value
UUID 64aa2849-cf52-47da-82a0-814ee76153d0
Fingerprint f5b90c75fca067be
Analysis status DONE
Considered CTI value 2
Text language
Published Oct. 12, 2020, 8:33 a.m.
Added to db Sept. 26, 2022, 9:33 a.m.
Last updated Oct. 30, 2024, 5:20 a.m.
Headline Attack weaponry upgraded again: analysis of the Donot group's attack campaign using forged-signature samples
Title Attack weaponry upgraded again: analysis of the Donot group's attack campaign using forged-signature samples
Detected Hints/Tags/Attributes 6/0/27
Attributes
Type    #Events  Value   (several "File" rows are sentence fragments from the source article that the extractor parsed as file names; they are translated below and kept in order)
Domain  3        soundvista.club
File    3        notification.xls
File    1        winuser fetches the malicious code and saves it as adsl.dll
File    1        and uses rundll32.exe
File    1        to launch adsl.dll
File    1        adsl.dll
File    1        the downloaded and executed adsl.dll
File    1        writes the hard-coded commands to %appdata%test.bat
File    15       test.bat
File    1        renames the downloaded file njjujkyu to apic.dll
File    2        via rundll32.exe
File    1        also creates a scheduled task named syst-start to run prodot.exe
File    3        apic.dll
File    1        %userprofile%\inf\boost\ooo\prodot.exe
File    3        prodot.exe
File    1        carrying, together with the downloader module adsl.dll,
File    4        wuaupdt.exe
md5     1        add9de02b97d815ae8ae6ce5228d2ff0
md5     1        f915e60a23fc64a79ff2f2d802c31660
md5     1        6915d07bc56223086267b98e5fb85951
md5     1        3c06c07415668cac4a67dfe54aa4ee29
md5     1        06a62e4f4a870f9da01039716673eb9d
md5     1        407a684a0e3a1c804213c7faa9b686dd
sha1    1        85af455d48459b2f941a7282b058c4e819ad7d30
Url     1        http://soundvista.club/winuser   (the source continues: winuser fetches the malicious code and saves it as adsl.dll, then uses rundll32.exe to launch adsl.dll and call its exported function ajn54ty)
Url     1        http://soundvista.club/sessionrequest
Url     1        https://ti.qianxin.com/blog/articles/donot-apt-group-recent-attacks-on-neighboring-countries-and-regions
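As an added detection example (not part of this page or of the Qianxin report it indexes), the following Python hunts the indicators from the attribute table above across DNS, HTTP, process-creation and file-hash events. The indicator values (domain, URL paths, DLL names, export ajn54ty, scheduled task syst-start, the prodot.exe drop path, the hashes) are the page's own; the event schema, the rule names, the sample events and the helper functions `check_event` and `hunt` are assumptions of this example.

```python
"""Hunt for the Donot indicators from this page in endpoint telemetry.

Indicator values are taken from the attribute table above.  The event schema,
the rule names and the sample events are constructed for this example and are
not from the Qianxin report.
"""
import re
from dataclasses import dataclass

IOC_DOMAIN = "soundvista.club"
IOC_URL_PATHS = ("/winuser", "/sessionrequest")
IOC_DLLS = ("adsl.dll", "apic.dll")              # both loaded through rundll32.exe
IOC_EXPORT = "ajn54ty"                            # export called in adsl.dll
IOC_TASK = "syst-start"                           # scheduled task that runs prodot.exe
IOC_PRODOT_PATH = r"\inf\boost\ooo\prodot.exe"    # under %userprofile%
IOC_MD5 = {
    "add9de02b97d815ae8ae6ce5228d2ff0",
    "f915e60a23fc64a79ff2f2d802c31660",
    "6915d07bc56223086267b98e5fb85951",
    "3c06c07415668cac4a67dfe54aa4ee29",
    "06a62e4f4a870f9da01039716673eb9d",
    "407a684a0e3a1c804213c7faa9b686dd",
}
IOC_SHA1 = {"85af455d48459b2f941a7282b058c4e819ad7d30"}

# rundll32.exe <path>\x.dll,Export   (path may be quoted; export optional)
_RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^\s",]+\.dll)"?(?:\s*,\s*(?P<export>\w+))?', re.I)
# schtasks /create ... /tn <name> ...
_SCHTASKS_RE = re.compile(r'schtasks(?:\.exe)?\s.*?/tn\s+"?(?P<task>[^\s"]+)', re.I)


@dataclass(frozen=True)
class Hit:
    event_id: int
    rule: str
    detail: str


def check_event(ev: dict) -> list:
    """Return every indicator match for one event.  Constructed schema:
    'dns' -> query, 'http' -> host/path, 'process' -> cmdline, 'file' -> md5/sha1."""
    hits = []
    eid, kind = ev["id"], ev["type"]
    if kind == "dns":
        q = ev["query"].lower().rstrip(".")
        if q == IOC_DOMAIN or q.endswith("." + IOC_DOMAIN):
            hits.append(Hit(eid, "dns_ioc_domain", q))
    elif kind == "http":
        if ev["host"].lower() == IOC_DOMAIN and ev["path"].lower() in IOC_URL_PATHS:
            hits.append(Hit(eid, "http_ioc_url", ev["host"] + ev["path"]))
    elif kind == "process":
        cmd = ev["cmdline"]
        m = _RUNDLL_RE.search(cmd)
        if m:
            dll = m.group("dll").replace("/", "\\").rsplit("\\", 1)[-1].lower()
            export = (m.group("export") or "").lower()
            if dll in IOC_DLLS:
                # the export name is the higher-confidence signal; the DLL name alone is weak
                rule = "rundll32_ioc_dll_export" if export == IOC_EXPORT else "rundll32_ioc_dll"
                hits.append(Hit(eid, rule, f"{dll},{export or '-'}"))
        m = _SCHTASKS_RE.search(cmd)
        if m and m.group("task").lower() == IOC_TASK:
            hits.append(Hit(eid, "schtasks_ioc_name", m.group("task")))
        if IOC_PRODOT_PATH in cmd.lower():
            hits.append(Hit(eid, "prodot_ioc_path", IOC_PRODOT_PATH))
    elif kind == "file":
        if ev.get("md5", "").lower() in IOC_MD5:
            hits.append(Hit(eid, "hash_md5", ev["md5"].lower()))
        if ev.get("sha1", "").lower() in IOC_SHA1:
            hits.append(Hit(eid, "hash_sha1", ev["sha1"].lower()))
    return hits


def hunt(events) -> list:
    """Run check_event over a list of events and flatten the hits."""
    return [h for ev in events for h in check_event(ev)]


# Constructed sample telemetry (not real logs): events 1, 3, 4, 6 and 7 should match.
SAMPLE_EVENTS = [
    {"id": 1, "type": "dns", "query": "soundvista.club"},
    {"id": 2, "type": "dns", "query": "ctldl.windowsupdate.com"},
    {"id": 3, "type": "http", "host": "soundvista.club", "path": "/winuser"},
    {"id": 4, "type": "process",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\adsl.dll,ajn54ty"},
    {"id": 5, "type": "process", "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": 6, "type": "process",
     "cmdline": r'schtasks /create /tn syst-start /tr "C:\Users\alice\inf\boost\ooo\prodot.exe" /sc minute /mo 10'},
    {"id": 7, "type": "file", "path": r"C:\Users\alice\AppData\Roaming\test.bat",
     "md5": "F915E60A23FC64A79FF2F2D802C31660"},
    {"id": 8, "type": "file", "path": r"C:\Windows\System32\notepad.exe",
     "md5": "00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"event {h.event_id}: {h.rule} ({h.detail})")
```

When triaging hits, weight the rows differently: a hash or bare file-name match is the most brittle indicator (any rebuild of the payload changes it), whereas rundll32.exe loading a DLL from a user-writable path with export ajn54ty, and a scheduled task named syst-start whose action points into %userprofile%\inf\boost\ooo, describe the tradecraft itself and survive trivial repacking.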