奇安信威胁情报中心 (Qianxin Threat Intelligence Center)
Tags
maec-delivery-vectors: Watering Hole
attack-pattern: PowerShell - T1059.001; Software - T1592.002; PowerShell - T1086 (revoked ATT&CK ID, superseded by T1059.001)
Common Information
Type | Value |
---|---|
UUID | 6d264935-7804-431b-938c-186d423b1a53 |
Fingerprint | fddf9478bba2859e |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | May 8, 2018, midnight |
Added to db | Dec. 19, 2024, 12:34 a.m. |
Last updated | Dec. 24, 2024, 2:02 a.m. |
Headline | UNKNOWN |
Title | 奇安信威胁情报中心 (Qianxin Threat Intelligence Center) |
Detected Hints/Tags/Attributes | 30/2/142 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://ti.qianxin.com/blog/articles/analysis-of-darkhotel/ |
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 1 | | ld.com |
Details | Domain | 3 | | 00.com |
Details | Domain | 1 | | orld.com |
Details | Domain | 143 | | mail.com |
Details | Domain | 1 | | e360.com |
Details | Domain | 1 | | tea.com |
Details | Domain | 1 | | afe.com |
Details | Domain | 1 | | promotion.com |
Details | Domain | 1 | | 21.mooo.com |
Details | Domain | 1 | | pages.com |
Details | Domain | 1 | | ure-service.com |
Details | Domain | 1 | | trv.com |
Details | Domain | 1 | | measier.com |
Details | Domain | 1 | | 011100.com |
Details | Domain | 1 | | co.net |
Details | Domain | 1 | | stereo.net |
Details | Domain | 1 | | updater.net |
Details | Domain | 1 | | 933.net |
Details | Domain | 1 | | ngine.com |
Details | Domain | 1 | | ftware.org |
Details | Domain | 1 | | ndcheckers.com |
Details | Domain | 1 | | ovie-contents.com |
Details | Domain | 1 | | 85475.net |
Details | Domain | 4 | | service.com |
Details | Domain | 1 | | vice365.com |
Details | Domain | 1 | | ple-online.com |
Details | Domain | 1 | | rv.com |
Details | Domain | 1 | | motion.com |
Details | Domain | 1 | | ervice.com |
Details | Domain | 1 | | 11100.com |
Details | Domain | 1 | | reo.net |
Details | Domain | 1 | | pdater.net |
Details | Domain | 2 | | gine.com |
Details | Domain | 1 | | ware.org |
Details | Domain | 1 | | dcheckers.com |
Details | Domain | 1 | | ie-contents.com |
Details | Domain | 1 | | sstea.com |
Details | Domain | 1 | | 60.com |
Details | Domain | 1 | | 63-mail.com |
Details | Domain | 1 | | 60-safe.com |
Details | Domain | 1 | | 10.org |
Details | Domain | 1 | | 5475.net |
Details | Domain | 1 | | ce365.com |
Details | Domain | 2 | | world.com |
Details | Domain | 1 | | 1100.com |
Details | File | 125 | | nuxt.js |
Details | File | 4 | | letter.doc |
Details | File | 2 | | %temp%\taskhost.exe |
Details | File | 1 | | %temp%\chrome_frame_helper.dll |
Details | File | 66 | | taskhost.exe |
Details | File | 1 | | and chrome_frame_helper.dll |
Details | File | 69 | | search.php |
Details | File | 1 | | after deobfuscation, the main function is to bypass UAC and then download msfte.dll |
Details | File | 1 | | download ntwdblib.dll |
Details | File | 1 | | via cliconfg.exe |
Details | File | 1 | | abuse of a trusted (whitelisted) binary to load ntwdblib.dll |
Details | File | 1 | | to modify msfte.dll |
Details | File | 1 | | to achieve the msfte.dll |
Details | File | 1 | | then run sdclt.exe |
Details | File | 1 | | after the UAC bypass, the PowerShell script spoofs its User-Agent and then downloads msfte.dll |
Details | File | 1 | | and ntwdblib.dll |
Details | File | 1 | | uses the powershell-suite module to take the msfte.dll in the temp directory |
Details | File | 1 | | %windir%\system32\cliconfg.exe |
Details | File | 1 | | the file loads ntwdblib.dll from the system32 directory by default |
Details | File | 1 | | so by executing cliconfg.exe |
Details | File | 1 | | to execute ntwdblib.dll |
Details | File | 1 | | upload msfte.dll |
Details | File | 1 | | finally takes msfte.dll |
Details | File | 1 | | confirms mstfe.dll |
Details | File | 6 | | ntwdblib.dll |
Details | File | 1 | | mstfe.dll |
Details | File | 1 | | so mstfe.dll |
Details | File | 14 | | msfte.dll |
Details | File | 1 | | the downloaded msfte.dll |
Details | File | 1 | | the loadconfig function first checks whether config.ini exists in the same directory |
Details | File | 100 | | config.php |
Details | File | 1 | | updates config.ini |
Details | File | 66 | | ctfmon.exe |
Details | File | 1 | | wqstec.exe |
Details | File | 1 | | ctfmon_donot.exe |
Details | File | 1 | | dmext.dll |
Details | File | 1 | | cryptcore.dll |
Details | File | 1 | | aucodhw.dll |
Details | File | 1 | | 文件窃取.txt ("file theft.txt") |
Details | File | 1 | | sdihlp.dll |
Details | File | 1 | | helpcst.dll |
Details | File | 1 | | kbdlu.dll |
Details | File | 8 | | metsrv.dll |
Details | File | 2335 | | cmd.exe |
Details | File | 5 | | via cmd.exe |
Details | File | 1 | | donot.exe |
Details | File | 1 | | used to download the corresponding metsrv.dll |
Details | File | 11 | | searchfilterhost.exe |
Details | File | 25 | | searchprotocolhost.exe |
Details | File | 1 | | via the main module retromain.dll |
Details | File | 1 | | after running, checks whether its host process is searchprotocolhost.exe |
Details | File | 1 | | in the analysed msfte.dll |
Details | File | 3 | | wuauctl.exe |
Details | File | 1 | | cala32.exe |
Details | File | 19 | | 1.ps1 |
Details | File | 1 | | retromain.dll |
Details | File | 1 | | the second version's code was split directly into the current msfte.dll |
Details | File | 1 | | reromain and ntwdblib.dll |
Details | File | 106 | | upload.php |
Details | File | 2 | | front.php |
Details | File | 9 | | userinfo.php |
Details | File | 1 | | kill.php |
Details | File | 49 | | profile.php |
Details | File | 3 | | db.log |
Details | File | 2 | | girl.jpg |
Details | File | 1 | | 0702.docx |
Details | File | 8 | | service.php |
Details | File | 1 | | face.php |
Details | File | 1 | | pury.php |
Details | File | 11 | | 1.docx |
Details | File | 1 | | mark.php |
Details | File | 1 | | read11.php |
Details | File | 1 | | dblog4.log |
Details | File | 2 | | card.jpg |
Details | File | 4 | | event.php |
Details | File | 1 | | putty.php |
Details | File | 13 | | hello.php |
Details | File | 1 | | size.php |
Details | File | 2 | | john.php |
Details | File | 1 | | dblog5.log |
Details | File | 1 | | dblog9.log |
Details | File | 1 | | 2016-01-19.rtf |
Details | File | 1 | | genr.exe |
Details | File | 1 | | clav.exe |
Details | File | 11 | | order.php |
Details | File | 1 | | v1.rtf |
Details | md5 | 1 | | 83a24589431f191cdde110ef64c21568 |
Details | md5 | 1 | | 6075cbb9b522dc71a46cadd18a1afef4 |
Details | md5 | 1 | | cba213e68cb6af25ae7303efb8629f14 |
Details | md5 | 1 | | 9badf32c51938cf61e7b37879a4fb349 |
Details | Threat Actor Identifier - APT-C | 28 | | APT-C-06 |
Details | Url | 1 | | http://ser******mail.com/in9/1.ps1 |
Details | Url | 1 | | http://serv**********-mail.com/in1/search.php |
Details | Url | 1 | | http://serv**********-mail.com/in1/1.ps1 |
Details | Url | 1 | | http://serv**********-mail.com/in9/1.ps1 |
Details | Url | 1 | | http://serv**********-mail.com/in9/search.php |
Details | Url | 1 | | http://1010********1100.com/strawberry322/config.php |
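The File attributes above describe two trusted-binary DLL loads (cliconfg.exe loading ntwdblib.dll from system32, and msfte.dll running inside searchprotocolhost.exe) plus payloads staged under %temp% (taskhost.exe, chrome_frame_helper.dll, msfte.dll, ntwdblib.dll). The following is an added detection example, not code from the Qianxin write-up or from this database: it turns those pairs, the temp-staged names and the four MD5 values into checks over Sysmon-style process-create and image-load records. The event shape (a dict with EventID, Image, ImageLoaded, Signed and Hashes), the helper names and the sample events are all constructed for the example; the record does not state which file each MD5 hashes, so the hashes are matched against any image.

```python
"""Behavioural checks for the DLL side-load chains this record attributes to
APT-C-06 (DarkHotel): cliconfg.exe loading ntwdblib.dll, the Windows Search
hosts loading msfte.dll, and the record's named files staged under %temp%."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Trusted host process -> DLL it should not be loading. Pairs come from the
# record's File attributes (cliconfg.exe / ntwdblib.dll; SearchProtocolHost.exe
# and SearchFilterHost.exe / msfte.dll).
WATCHED_LOADS: dict[str, frozenset[str]] = {
    "cliconfg.exe": frozenset({"ntwdblib.dll"}),
    "searchprotocolhost.exe": frozenset({"msfte.dll"}),
    "searchfilterhost.exe": frozenset({"msfte.dll"}),
}

# Files the record places in the temp directory before the side-load.
TEMP_STAGED: frozenset[str] = frozenset(
    {"taskhost.exe", "chrome_frame_helper.dll", "msfte.dll", "ntwdblib.dll"}
)

# MD5 values listed in the record. It does not say which file each one hashes,
# so they are matched against any created process or loaded module.
RECORD_MD5: frozenset[str] = frozenset({
    "83a24589431f191cdde110ef64c21568",
    "6075cbb9b522dc71a46cadd18a1afef4",
    "cba213e68cb6af25ae7303efb8629f14",
    "9badf32c51938cf61e7b37879a4fb349",
})


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    path: str


def _base(path: str) -> str:
    """Case-folded file name; NTFS paths compare case-insensitively."""
    return ntpath.basename(path).lower()


def _md5_from_hashes(hashes: str) -> str | None:
    """Sysmon writes Hashes as 'SHA256=..,MD5=..,..'; return the MD5 if present."""
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "MD5":
            return value.strip().lower()
    return None


def _in_temp(path: str) -> bool:
    """True when the path lies under a Temp directory (what %temp% expands to)."""
    return "\\temp\\" in path.lower()


def check_event(ev: dict) -> list[Finding]:
    """Evaluate one Sysmon-style event (assumed field names: EventID, Image,
    ImageLoaded, Signed, Hashes) and return every finding it triggers."""
    findings: list[Finding] = []
    image = ev.get("Image", "")
    host = _base(image)
    event_id = int(ev.get("EventID", 0))

    if event_id == 7:  # ImageLoad
        loaded = ev.get("ImageLoaded", "")
        dll = _base(loaded)
        if dll in WATCHED_LOADS.get(host, frozenset()):
            # An unsigned module in a trusted binary's load path is the strongest signal.
            signed = str(ev.get("Signed", "false")).lower() == "true"
            findings.append(Finding(f"{host} loads {dll}", "medium" if signed else "high", loaded))
        if dll in TEMP_STAGED and _in_temp(loaded):
            findings.append(Finding(f"{dll} loaded from temp", "medium", loaded))
        hashed = loaded
    elif event_id == 1:  # ProcessCreate
        if host in TEMP_STAGED and _in_temp(image):
            findings.append(Finding(f"{host} executed from temp", "high", image))
        hashed = image
    else:
        return findings

    if _md5_from_hashes(ev.get("Hashes", "")) in RECORD_MD5:
        findings.append(Finding("md5 listed in record", "high", hashed))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


# Constructed sample events: one benign load, then the behaviours described above.
SAMPLE_EVENTS: list[dict] = [
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true",
     "Hashes": "MD5=" + "0" * 32},
    {"EventID": 7, "Image": r"C:\Windows\System32\cliconfg.exe",
     "ImageLoaded": r"C:\Windows\System32\ntwdblib.dll", "Signed": "false",
     "Hashes": "SHA256=" + "a" * 64 + ",MD5=83a24589431f191cdde110ef64c21568"},
    {"EventID": 7, "Image": r"C:\Windows\System32\SearchProtocolHost.exe",
     "ImageLoaded": r"C:\Windows\System32\msfte.dll", "Signed": "false",
     "Hashes": "MD5=" + "b" * 32},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\taskhost.exe",
     "Hashes": "MD5=" + "c" * 32},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.rule}: {finding.path}")
```

The host/DLL pairing is deliberately exact rather than "any unsigned DLL in system32": the record's point is that a legitimate, signed Windows binary is made to load a specific attacker-supplied module, so the detection keys on the pair and only uses the signature state to rank severity. Tune the temp-directory check if your telemetry normalises paths differently.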