奇安信威胁情报中心
Common Information
Type Value
UUID 6d264935-7804-431b-938c-186d423b1a53
Fingerprint fddf9478bba2859e
Analysis status DONE
Considered CTI value 2
Text language
Published May 8, 2018, midnight
Added to db Dec. 19, 2024, 12:34 a.m.
Last updated Dec. 24, 2024, 2:02 a.m.
Headline UNKNOWN
Title 奇安信威胁情报中心
Detected Hints/Tags/Attributes 30/2/142
Attributes
Details Type #Events CTI Value
Details Threat Actor Identifier - APT-C 28
APT-C-06