Aggah: How to run a botnet without renting a Server (for more than a year) - Yoroi
Common Information
Type | Value |
---|---|
UUID | 8d0e4634-0cd0-4405-9ede-d0c4dc4c0eee |
Fingerprint | 2fc58836bdafc7c3 |
Analysis status | DONE |
Considered CTI value | -2 |
Text language | |
Published | Jan. 27, 2020, 7:09 p.m. |
Added to db | Sept. 26, 2022, 9:30 a.m. |
Last updated | Nov. 17, 2024, 6:55 p.m. |
Headline | Aggah: How to run a botnet without renting a Server (for more than a year) |
Title | Aggah: How to run a botnet without renting a Server (for more than a year) - Yoroi |
Detected Hints/Tags/Attributes | 66/4/31 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 358 | | pastebin.com |
Details | Domain | 2 | | ixsi.run |
Details | Domain | 2 | | nci.run |
Details | Domain | 707 | | google.com |
Details | Domain | 1 | | mvn.run |
Details | Domain | 45 | | paste.ee |
Details | Domain | 1 | | i9i9.run |
Details | Domain | 1 | | aste.ee |
Details | Domain | 7 | | fuckav.ru |
Details | File | 1 | | ll.reg |
Details | File | 10 | | 'calc.exe |
Details | File | 82 | | fre.php |
Details | File | 47 | | cmstp.exe |
Details | IPv4 | 4 | | 107.175.150.73 |
Details | Url | 1 | | https://paste.ee/r/zhs3s')\|iex;[byte[]]$f=[microsoft.visualbasic.interaction |
Details | Url | 1 | | https://paste.ee/r/fk9yh').replace('*','0x')\|iex;[vroombrooomkrooom]::kekedoyouloveme('calc.exe |
Details | Url | 1 | | http[://107.175.150.73/~giftioz/.cttr/fre.php |
Details | Windows Registry Key | 1 | | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Pastemm |
Details | Yara rule | 1 | | YAKKA3_Campaign_Jan_20_PPA_Macro (full rule listed under Yara rules below) |
Details | Yara rule | 1 | | YAKKA3_Campaign_Jan_20_Injector_Module (full rule listed under Yara rules below) |
Details | Yara rule | 1 | | YAKKA3_Campaign_Jan_20_CMSTP_Bypass (full rule listed under Yara rules below) |
Details | Yara rule | 1 | | YAKKA3_Campaign_Jan_20_LokiBOT_Payload (full rule listed under Yara rules below) |

Yara rules

```yara
rule YAKKA3_Campaign_Jan_20_PPA_Macro {
    meta:
        description = "Yara Rule for Yakka3 campaign macro PPA document"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-01-23"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = { 1A 88 63 8D A9 78 43 FF }
        $a2 = { 0D 1B 43 00 1B 44 00 FB 30 1C 33 }
        $s1 = "Shell"
    condition:
        all of them
}
```

```yara
rule YAKKA3_Campaign_Jan_20_Injector_Module {
    meta:
        description = "Yara Rule for Yakka3 campaign Injector module"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-01-23"
        tlp = "white"
        category = "informational"
    strings:
        $s1 = "vroombrooomkrooom"
        $s2 = "kekedoyouloveme"
        $s3 = "WriteProcessMemory"
        $a1 = { 00 ED 08 8C 05 31 00 ED 08 43 }
    condition:
        uint16(0) == 0x5A4D and all of them
}
```

```yara
rule YAKKA3_Campaign_Jan_20_CMSTP_Bypass {
    meta:
        description = "Yara Rule for Yakka3 campaign CMSTP Bypass"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-01-23"
        tlp = "white"
        category = "informational"
    strings:
        $s1 = "cmstp.exe" ascii wide
        $s2 = "CurrentVersion" ascii wide
        $s3 = "INF" ascii wide
        $a1 = { 0A 06 8E 69 2D 06 7E 18 }
    condition:
        uint16(0) == 0x5A4D and all of them
}
```

```yara
rule YAKKA3_Campaign_Jan_20_LokiBOT_Payload {
    meta:
        description = "Yara Rule for Yakka3 campaign Loki bot Payload"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-01-23"
        tlp = "white"
        category = "informational"
    strings:
        $s1 = "Fuckav.ru" ascii wide
        $s2 = "SOFTWARE" wide
    condition:
        uint16(0) == 0x5A4D and $s1 and #s2 > 10
}
```