Attack arsenal upgraded again: analysis of the Donot group's attack campaign using forged-signature samples (攻击武器再升级:Donot组织利用伪造签名样本的攻击活动分析)
Common Information
| Type | Value |
|---|---|
| UUID | 8cd93a21-64b6-4bbf-bb51-692b0e6161a2 |
| Fingerprint | db8309340ec167fe |
| Analysis status | IN_PROGRESS |
| Considered CTI value | 0 |
| Text language | |
| Published | Oct. 29, 2020, midnight |
| Added to db | Dec. 20, 2024, 7:18 p.m. |
| Last updated | Dec. 21, 2024, 3:06 a.m. |
| Headline | Attack arsenal upgraded again: analysis of the Donot group's attack campaign using forged-signature samples (攻击武器再升级:Donot组织利用伪造签名样本的攻击活动分析) |
| Title | Attack arsenal upgraded again: analysis of the Donot group's attack campaign using forged-signature samples (攻击武器再升级:Donot组织利用伪造签名样本的攻击活动分析) |
| Detected Hints/Tags/Attributes | 7/0/36 |
Source URLs

| Redirection | Url |
|---|---|
| Source | https://www.secrss.com/articles/26616 |
Attributes
| Type | #Events | CTI | Value |
|---|---|---|---|
| Domain | 32 | | sandbox.ti.qianxin.com |
| Domain | 4 | | soundvista.club |
| Domain | 1 | | equest.resolverequest.live |
| Domain | 7 | | firm.tplinkupdates.space |
| Domain | 6752 | | 163.com |
| File | 4 | | notification.xls |
| File | 2 | | winuser fetches the malicious code and saves it as adsl.dll |
| File | 2 | | and uses rundll32.exe |
| File | 2 | | to start adsl.dll |
| File | 2 | | adsl.dll |
| File | 2 | | the downloaded and executed adsl.dll |
| File | 2 | | writes the hard-coded commands to %appdata%\test.bat |
| File | 19 | | test.bat |
| File | 2 | | renames the downloaded file saved as njjujkyu to apic.dll |
| File | 3 | | via rundll32.exe |
| File | 2 | | also creates a scheduled task named syst-start to run prodot.exe |
| File | 4 | | apic.dll |
| File | 2 | | %userprofile%\inf\boost\ooo\prodot.exe |
| File | 4 | | prodot.exe |
| File | 2 | | carrying, together with the downloader module adsl.dll (fragment, truncated in the source) |
| File | 8 | | wuaupdt.exe |
| md5 | 3 | | add9de02b97d815ae8ae6ce5228d2ff0 |
| md5 | 2 | | f915e60a23fc64a79ff2f2d802c31660 |
| md5 | 2 | | 6915d07bc56223086267b98e5fb85951 |
| md5 | 2 | | 3c06c07415668cac4a67dfe54aa4ee29 |
| md5 | 2 | | 06A62E4F4A870F9DA01039716673EB9D |
| md5 | 2 | | 407a684a0e3a1c804213c7faa9b686dd |
| md5 | 1 | | 38db0a9fb072f8aff34d77229cf498af |
| md5 | 1 | | ba6a046e809b9a5ec79ab2fbfdc83d73 |
| md5 | 1 | | 15499add5ce8f373854df643062ea91a |
| md5 | 1 | | 68cc4603260646b8d6163a32ce9d81eb |
| sha1 | 2 | | 85af455d48459b2f941a7282b058c4e819ad7d30 |
| Url | 9 | | https://sandbox.ti.qianxin.com |
| Url | 2 | | http://soundvista.club/winuser (article text following the URL: fetches the malicious code, saves it as adsl.dll, and uses rundll32.exe to start adsl.dll, calling its export function ajn54ty) |
| Url | 2 | | http://soundvista.club/sessionrequest |
| Url | 3 | | https://ti.qianxin.com/blog/articles/donot-apt-group-recent-attacks-on-neighboring-countries-and-regions |

The CTI column is empty for every row in the source listing. Several of the File rows are fragments of the article's infection-chain description (download of adsl.dll from /winuser, rundll32.exe invoking export ajn54ty, test.bat written under %appdata%, njjujkyu renamed to apic.dll, scheduled task syst-start running prodot.exe) that the extractor parsed as file names; they are translated here but are not file names. The 163.com and sandbox.ti.qianxin.com entries, with their large event counts, are a public mail provider and the vendor's sandbox rather than attacker infrastructure, so they should not be deployed as indicators.
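To make the indicators in the table above directly usable, here is an added example (editor's code, not from the secrss article or Qianxin's report) that normalises them and matches them against a handful of constructed Sysmon-style events covering the chain the listing describes: rundll32.exe loading adsl.dll with export ajn54ty, the syst-start scheduled task running prodot.exe from %userprofile%\inf\boost\ooo, a DNS query for one of the C2 domains, a file write whose MD5 is in the list, and a request to /sessionrequest. Assumptions: the field names (Image, CommandLine, TaskName, QueryName, TargetFilename, MD5, Url) follow Sysmon naming but every event is constructed; sandbox.ti.qianxin.com and 163.com are left out as non-attacker domains (editorial judgement); hashes are compared case-insensitively because one MD5 on the page is upper case; and the command-line split is deliberately simple.

```python
"""Match the Donot indicators listed on this page against constructed
Sysmon-style events. Editor-added example, not code from the source article."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Indicators copied from the attribute table. sandbox.ti.qianxin.com (analyst
# sandbox) and 163.com (public mail provider) are left out on purpose: they
# appear in the listing but are not attacker infrastructure (editorial call).
DOMAINS = {"soundvista.club", "equest.resolverequest.live", "firm.tplinkupdates.space"}
URLS = {"http://soundvista.club/winuser", "http://soundvista.club/sessionrequest"}
# One MD5 on the page is upper case; every hash is lower-cased before comparison.
MD5S = {h.lower() for h in (
    "add9de02b97d815ae8ae6ce5228d2ff0", "f915e60a23fc64a79ff2f2d802c31660",
    "6915d07bc56223086267b98e5fb85951", "3c06c07415668cac4a67dfe54aa4ee29",
    "06A62E4F4A870F9DA01039716673EB9D", "407a684a0e3a1c804213c7faa9b686dd",
    "38db0a9fb072f8aff34d77229cf498af", "ba6a046e809b9a5ec79ab2fbfdc83d73",
    "15499add5ce8f373854df643062ea91a", "68cc4603260646b8d6163a32ce9d81eb",
)}
SHA1S = {"85af455d48459b2f941a7282b058c4e819ad7d30"}
FILENAMES = {"notification.xls", "adsl.dll", "test.bat", "apic.dll", "prodot.exe", "wuaupdt.exe"}
TASK_NAME = "syst-start"      # scheduled task that runs prodot.exe
EXPORT_FUNC = "ajn54ty"       # adsl.dll export invoked through rundll32.exe
# %userprofile%\inf\boost\ooo\prodot.exe and %appdata%\test.bat from the listing
PRODOT_PATH_RE = re.compile(r"\\inf\\boost\\ooo\\prodot\.exe$", re.IGNORECASE)
TEST_BAT_RE = re.compile(r"\\AppData\\Roaming\\test\.bat\b", re.IGNORECASE)


@dataclass
class Event:
    """Minimal Sysmon-like event: a kind plus a flat field map (constructed)."""
    kind: str                     # "process", "task", "dns", "http" or "file"
    fields: Dict[str, str] = field(default_factory=dict)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev: Event) -> List[str]:
    """Return the indicator hits for one event (empty list if none)."""
    hits: List[str] = []
    f = ev.fields
    if ev.kind == "process":
        image, cmd = f.get("Image", ""), f.get("CommandLine", "")
        if _basename(image) in FILENAMES:
            hits.append(f"image {_basename(image)}")
        if PRODOT_PATH_RE.search(image):
            hits.append("prodot.exe under %userprofile%\\inf\\boost\\ooo")
        # str.split() is enough for these samples; real telemetry needs a proper
        # Windows argv parser to handle quoted paths.
        parts = cmd.split()
        if len(parts) > 1 and _basename(parts[0]) == "rundll32.exe":
            dll, _, export = parts[1].partition(",")
            if _basename(dll) in FILENAMES:
                hits.append(f"rundll32 loading {_basename(dll)}")
            if export.lower() == EXPORT_FUNC:
                hits.append(f"rundll32 export {EXPORT_FUNC}")
        if TEST_BAT_RE.search(cmd):
            hits.append("test.bat under %appdata%")
    elif ev.kind == "task":
        if f.get("TaskName", "").lower() == TASK_NAME:
            hits.append(f"scheduled task {TASK_NAME}")
        if PRODOT_PATH_RE.search(f.get("Command", "")):
            hits.append("task runs prodot.exe under %userprofile%\\inf\\boost\\ooo")
    elif ev.kind == "dns":
        q = f.get("QueryName", "").lower().rstrip(".")   # also catches subdomains
        if q in DOMAINS or any(q.endswith("." + d) for d in DOMAINS):
            hits.append(f"dns {q}")
    elif ev.kind == "http":
        if f.get("Url", "").lower() in URLS:
            hits.append(f"url {f['Url'].lower()}")
    elif ev.kind == "file":
        if f.get("MD5", "").lower() in MD5S:
            hits.append("md5 match")
        if f.get("SHA1", "").lower() in SHA1S:
            hits.append("sha1 match")
        if _basename(f.get("TargetFilename", "")) in FILENAMES:
            hits.append(f"file {_basename(f['TargetFilename'])}")
    return hits


def scan(events: List[Event]) -> Dict[int, List[str]]:
    """Map event index -> hits, keeping only events that matched something."""
    return {i: h for i, ev in enumerate(events) if (h := match_event(ev))}


# Constructed events mirroring the chain in the listing; not real telemetry.
SAMPLE_EVENTS = [
    Event("process", {"Image": r"C:\Windows\System32\rundll32.exe",
                      "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\adsl.dll,ajn54ty"}),
    Event("task", {"TaskName": "syst-start", "Command": r"C:\Users\alice\inf\boost\ooo\prodot.exe"}),
    Event("dns", {"QueryName": "firm.tplinkupdates.space"}),
    Event("file", {"TargetFilename": r"C:\Users\alice\AppData\Roaming\njjujkyu",
                   "MD5": "06a62e4f4a870f9da01039716673eb9d"}),
    Event("http", {"Url": "http://soundvista.club/sessionrequest"}),
    Event("process", {"Image": r"C:\Windows\System32\rundll32.exe",
                      "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"}),  # benign control
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].kind, reasons)
```

The benign rundll32.exe event at the end is there to show that the rule keys on the DLL name and export from the listing, not on rundll32.exe itself, which is far too common to alert on alone. For production use the match on adsl.dll/apic.dll should additionally require a user-writable load path, and the %appdata% and %userprofile% patterns should be resolved per user rather than hard-coded to the Roaming folder.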