ioc[.]one - OSINT Cyber Threat Intelligence Database

TwoFace Webshell: Persistent Access Point for Lateral Movement

Tags

country:	Argentina Germany France Iran United States Of America
attack-pattern:	Data Credentials - T1589.001 Dns - T1071.004 Dns - T1590.002 File Deletion - T1070.004 File Deletion - T1630.002 Ip Addresses - T1590.005 Malware - T1587.001 Malware - T1588.001 Server - T1583.004 Server - T1584.004 Tool - T1588.002 File Deletion - T1107

Show in Graph

Common Information

Type	Value
UUID	7475e196-5183-4162-8c52-667b6834dc2d
Fingerprint	26899fd1212694d5
Analysis status	DONE
Considered CTI value	2
Text language
Published	July 31, 2017, 2 a.m.
Added to db	Sept. 26, 2022, 9:33 a.m.
Last updated	Nov. 18, 2024, 1:38 a.m.
Headline	TwoFace Webshell: Persistent Access Point for Lateral Movement
Title	TwoFace Webshell: Persistent Access Point for Lateral Movement
Detected Hints/Tags/Attributes	60/2/46

Source URLs

	Redirection	Url
Details	Source	https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/
Details	Source	https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/

URL Provider

Details	Provider	Source level domain
Details	paloaltonetworks.com	unit42.paloaltonetworks.com
Details	paloaltonetworks.com	researchcenter.paloaltonetworks.com

Attributes

Details	Type	#Events	Value
Details	Domain	397	asp.net
Details	File	3	m64.exe
Details	File	1	c:\windows\temp\m64.exe
Details	File	1	c:\windows\temp\01.txt
Details	File	1	c:\windows\temp\exchange.aspx
Details	File	1	exchange.aspx
Details	File	4	global.aspx
Details	File	2	mom64.exe
Details	File	2	01.txt
Details	File	3	microsoftupdate.exe
Details	File	1	mic.txt
Details	File	1	c:\windows\temp\microsoftupdate.exe
Details	File	1	c:\windows\temp\mic.txt
Details	File	2127	cmd.exe
Details	File	1	kb45253-enu.exe
Details	File	1	kb76862-enu.exe
Details	md5	1	9A26A0E7B88940DAA84FC4D5E6C61AD0
Details	sha1	1	a2c9afd6adac242827adb00d76c20c491b2d2247
Details	sha1	1	6a0e681586988388d4a0690b6fb686715d92d069
Details	sha1	1	5e1c37bf3bd8a7567d46db63ed9b0aeed53e57fe
Details	sha1	1	37ada887553cf48715cc19131b8e661ac43718e9
Details	sha1	1	9789b5c0c13fb58c423bce5577873d413d9494be
Details	sha1	1	c56bc0d331a825fdea01c5437877d5e9e1cda2c4
Details	sha1	1	9f4e10484f4ceac34878d4f621a1ad8e580fd02a
Details	sha1	1	57dd9721f9837ebd24dea55a90a2a9e3e6ad6f1e
Details	sha1	1	19be2493b7cc2d43e8bf245b6faf2c747be6bae5
Details	sha1	1	26749c6b5308bb668eb954f4120607c2a9d620be
Details	sha256	1	ed684062f43d34834c4a87fdb68f4536568caf16c34a0ea451e6f25cf1532d51
Details	sha256	1	f4da5cb72246434decb8cf676758da410f6ddc20196dfd484f513aa3b6bc4ac5
Details	sha256	1	9a361019f6fbd4a246b96545868dcb7908c611934c41166b9aa93519504ac813
Details	sha256	1	d0ffd613b1b285b15e2d6c038b0bd4951eb40eb802617cf6eb4f56cda4b023e3
Details	sha256	1	bca01f14fb3cb4cfbe7f240156feebc55abac73a6c96b9f75da2f9df580101ef
Details	sha256	1	8d178b9730e09e35c071526bfb91ce72f876797ebc4e81f0bc05e7bb8ad1734e
Details	sha256	1	8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b
Details	sha256	1	0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f
Details	sha256	2	54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f
Details	sha256	1	818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f
Details	sha256	1	fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113
Details	sha256	1	79c9a2a2b596f8270b32f30f3e03882b00b87102e65de00a325b64d30051da4e
Details	sha256	1	e33096ab328949af19c290809819034d196445b8ed0406206e7418ec96f66b68
Details	sha256	1	c116f078a0b9ea25c5fdb2e72914c3446c46f22d9f2b37c582600162ed711b69
Details	sha256	1	e342d6bf07de1257e82f4ea19e9f08c9e11a43d9ad576cd799782f6e968914b8
Details	sha256	1	49f43f2caaea89bd3bb137f4228e543783ef265abbdc84e3743d93a7d30b0a7e
Details	sha256	1	f17272d146f4d46dda5dc2791836bfa783bdc09ca062f33447e4f3a26f26f4e0
Details	IPv4	4	4.2.2.4
Details	IPv6	3	::d