How WellMess malware has been used to target COVID-19 vaccines
Common Information
Type Value
UUID 9a56dfec-534c-4138-983a-e90bd39bba2e
Fingerprint 9d2d750109bb0693
Analysis status DONE
Considered CTI value 2
Text language
Published July 16, 2020, midnight
Added to db Sept. 11, 2022, 12:35 p.m.
Last updated Nov. 17, 2024, 7:44 p.m.
Headline How WellMess malware has been used to target COVID-19 vaccines
Title How WellMess malware has been used to target COVID-19 vaccines
Detected Hints/Tags/Attributes 80/3/131
Attributes
Type | #Events | Value
Domain | 5 | botlib.work
Domain | 26 | www.lac.co.jp
Domain | 71 | blogs.jpcert.or.jp
Domain | 4127 | github.com
Domain | 30 | www.iso.org
Domain | 360 | attack.mitre.org
File | 26 | os.exe
File | 1 | 20180614_cecreport_vol3.pdf
File | 8 | malware-wellmes-9b78.html
File | 1 | wellmess_cookie_decode.py
File | 33 | www.iso
File | 2 | iso-3166-country-codes.html
Github username | 23 | jpcertcc
md5 | 1 | efda5178286678794b40987e66e686ce
md5 | 4 | 3a9cdd8a5cbc3ab10ad64c4bb641b41f
md5 | 1 | 969310a9775070c314377a9a4a665686
md5 | 1 | 6fd56f2df05a77bdfd3265a4d1f2abac
md5 | 1 | 98fe909510c79b21e740fec32fb6b1a0
md5 | 4 | 01d322dcac438d2bb6bce2bae8d613cb
md5 | 1 | 30247645638ff6d314c83044c831cdc4
md5 | 1 | e58b8de07372b9913ca2fbd3b103bb8f
md5 | 1 | 429be60f0e444f4d9ba1255e88093721
md5 | 1 | a9485f3ecf7f35ba16a680a03d17c9ee
md5 | 1 | 11796e9e5567954ffe6eb9049f29acb2
md5 | 1 | dc146f77caaaea3deae053d9dc5a82d2
md5 | 1 | 18427cdcb5729a194954f0a6b5c0835a
md5 | 1 | ee6420f6bccd3eb9510211c020129c0c
sha1 | 1 | 04169cc11e4d21fc63eefc120fe815b05bd08abf
sha1 | 1 | 123f62a04a007c1ad81b9686ff27445b51054d4b
sha1 | 1 | ecde28e1b879e5a80630d2450b489dfa09c23ea7
sha1 | 2 | 8830e9d90c508adf9053e9803c64375bc9b5161a
sha1 | 1 | 51379e74f85ede610cdc5aaf250fee4cdac5e3b0
sha1 | 1 | 553a38610bb554aac55aa6d00d926470d8c82698
sha1 | 1 | 6ce0a07fdd4a6a774a7e3eae6f97f49868921fe3
sha1 | 1 | 4807990b68d873c78d00d2be605c1b0ac24d09ee
sha1 | 1 | d10ca5474f723d83bbf3b3307d58c545d2be5dfc
sha1 | 1 | e212fa4384420c18beec83c3f1c8259481a63efa
sha1 | 1 | a2f9959767b6696e85f0aabae87632f539717884
sha1 | 1 | a8e60df51c30106a7d1b0170cbb0a9ca7e167ca7
sha1 | 2 | e45f89c923d0361ce8f9c64a63031860a76b2d10
sha1 | 1 | 1e784e2f800ba32edee3159c03616c70fc68dc5b
sha256 | 5 | 0322c4c2d511f73ab55bf3f43b1b0f152188d7146cc67ff497ad275d9dd1c20f
sha256 | 5 | 2daba469f50cd1b77481e605aeae0f28bf14cedfcd8e4369193e5e04c523bc38
sha256 | 5 | 2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41
sha256 | 5 | b75a5be703d9ba3721d046db80f62886e10009b455fa5cdfd73ce78f9f53ec5a
sha256 | 5 | f3af394d9c3f68dff50b467340ca59a11a14a3d56361e6cffd1cf2312a7028ad
sha256 | 6 | 8749c1495af4fd73ccfc84b32f56f5e78549d81feefb0c1d1c3475a74345f6a8
sha256 | 5 | 00654dd07721e7551641f90cba832e98c0acb030e2848e5efc0e1752c067ec07
sha256 | 7 | 0b8e6a11adaa3df120ec15846bb966d674724b6b92eae34d63b665e0698e0193
sha256 | 6 | bec1981e422c1e01c14511d384a33c9bcc66456c1274bbbac073da825a3f537d
sha256 | 5 | 93e9383ae8ad2371d457fc4c1035157d887a84bbfe66fbbb3769c5637de59c75
sha256 | 8 | 0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494
sha256 | 6 | 4c8671411da91eb5967f408c2a6ff6baf25ff7c40c65ff45ee33b352a711bf9c
sha256 | 9 | 5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb
sha256 | 5 | 1fed2e1b077af08e73fb5ecffd2e5169d5289a825dcaf2d8742bb8030e487641
IPv4 | 5 | 45.152.84.57
IPv4 | 5 | 45.120.156.69
IPv4 | 5 | 188.241.68.137
IPv4 | 5 | 178.211.39.6
IPv4 | 5 | 220.158.216.130
IPv4 | 5 | 119.160.234.194
IPv4 | 5 | 31.170.107.186
IPv4 | 5 | 193.182.144.105
IPv4 | 5 | 191.101.180.78
IPv4 | 5 | 209.58.186.240
IPv4 | 5 | 103.205.8.72
IPv4 | 1 | 185.217.92.171
IPv4 | 1 | 93.113.45.101
IPv4 | 5 | 5.199.174.164
IPv4 | 5 | 103.103.128.221
IPv4 | 5 | 27.102.130.115
IPv4 | 6 | 119.81.184.11
IPv4 | 5 | 103.13.240.46
IPv4 | 1 | 101.201.53.27
IPv4 | 6 | 45.123.190.168
IPv4 | 6 | 103.216.221.19
IPv4 | 5 | 103.253.41.82
IPv4 | 5 | 209.58.186.197
IPv4 | 5 | 111.90.150.176
IPv4 | 5 | 141.255.164.29
IPv4 | 5 | 146.0.76.37
IPv4 | 5 | 169.239.128.110
IPv4 | 5 | 185.145.128.35
IPv4 | 5 | 149.202.12.210
IPv4 | 5 | 103.253.41.102
IPv4 | 5 | 122.114.226.172
IPv4 | 6 | 85.93.2.116
IPv4 | 5 | 103.253.41.90
IPv4 | 5 | 119.160.234.163
IPv4 | 5 | 103.253.41.68
IPv4 | 5 | 81.17.17.213
IPv4 | 6 | 185.99.133.112
IPv4 | 5 | 66.70.247.215
IPv4 | 5 | 119.81.173.130
IPv4 | 5 | 120.53.12.132
IPv4 | 5 | 185.120.77.166
IPv4 | 5 | 176.119.29.37
IPv4 | 6 | 209.58.186.196
IPv4 | 5 | 145.249.107.73
IPv4 | 5 | 122.114.197.185
IPv4 | 5 | 79.141.168.109
IPv4 | 5 | 202.59.9.59
IPv4 | 5 | 46.19.143.69
IPv4 | 5 | 31.7.63.141
IPv4 | 5 | 119.81.178.105
IPv4 | 5 | 111.90.146.143
MITRE ATT&CK Techniques | 444 | T1071 (Application Layer Protocol)
MITRE ATT&CK Techniques | 96 | T1132 (Data Encoding)
MITRE ATT&CK Techniques | 75 | T1001 (Data Obfuscation)
MITRE ATT&CK Techniques | 422 | T1041 (Exfiltration Over C2 Channel)
MITRE ATT&CK Techniques | 163 | T1573 (Encrypted Channel)
MITRE ATT&CK Techniques | 239 | T1106 (Native API)
MITRE ATT&CK Techniques | 115 | T1571 (Non-Standard Port)
Threat Actor Identifier - APT | 665 | APT29
Url | 1 | http://45.152.84.57
Url | 1 | https://45.152.84.57
Url | 1 | https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf
Url | 8 | https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html
Url | 1 | https://github.com/jpcertcc/aa-tools/blob/master/wellmess_cookie_decode.py
Url | 2 | https://www.iso.org/iso-3166-country-codes.html
Url | 4 | https://attack.mitre.org/techniques/t1071/004
Url | 6 | https://attack.mitre.org/techniques/t1071/001
Url | 6 | https://attack.mitre.org/techniques/t1132/001
Url | 2 | https://attack.mitre.org/techniques/t1132/002
Url | 2 | https://attack.mitre.org/techniques/t1001/001
Url | 1 | https://attack.mitre.org/techniques/t1001/003
Url | 7 | https://attack.mitre.org/techniques/t1041
Url | 2 | https://attack.mitre.org/techniques/t1573/001
Url | 4 | https://attack.mitre.org/techniques/t1573/002
Url | 5 | https://attack.mitre.org/techniques/t1106
Url | 1 | https://attack.mitre.org/techniques/t1571
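The attribute listing above mixes real indicators (sample hashes, C2 IPs, botlib.work) with the domains and URLs of the sources the article cites (MITRE, ISO, GitHub, JPCERT, LAC) and with extraction noise such as the "File" entry www.iso; feeding it into a blocklist unfiltered will alert on every visit to github.com. The script below is an added example, not code from this page, the NCSC advisory, or JPCERT's tooling. It parses the flattened "Details <Type> <#Events>" / value export form (assumed layout), validates hashes and IPv4 addresses, drops cited-reference domains (the REFERENCE_DOMAINS allowlist is analyst judgement, not page data) and bare file names, and then sweeps constructed proxy log lines and a constructed hash list against the resulting sets. The excerpt of the listing embedded in it copies values from the page; the log lines and the second hash are constructed.

```python
# Added example, not from the page or JPCERT/NCSC. The export layout and the
# REFERENCE_DOMAINS allowlist are assumptions; sample telemetry is constructed.
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the listing above; values copied from the page.
ATTRIBUTE_EXPORT = """\
Details Domain 5
botlib.work
Details Domain 4127
github.com
Details File 26
os.exe
Details md5 1
efda5178286678794b40987e66e686ce
Details sha256 5
0322c4c2d511f73ab55bf3f43b1b0f152188d7146cc67ff497ad275d9dd1c20f
Details IPv4 5
45.152.84.57
Details Url 1
http://45.152.84.57
Details Url 8
https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html
"""
# Sources the article cites, not WellMess infrastructure (analyst judgement).
REFERENCE_DOMAINS = {"github.com", "attack.mitre.org", "www.iso.org",
                     "blogs.jpcert.or.jp", "www.lac.co.jp"}
HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEADER_RE = re.compile(r"^(?:Details\s+)?(.+?)\s+(\d+)$")  # "<Type> <#Events>"

def parse_export(text):
    """Return [(type, count, value), ...]; each header line owns the next line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rows, i = [], 0
    while i + 1 < len(lines):
        m = HEADER_RE.match(lines[i])
        if m:
            rows.append((m.group(1), int(m.group(2)), lines[i + 1]))
            i += 2
        else:
            i += 1
    return rows

def build_indicators(rows):
    """Validate rows into {type: set}; return (indicators, [(value, reason)])."""
    ind, dropped = defaultdict(set), []
    for typ, _count, value in rows:
        t, v = typ.lower(), value.strip().lower()
        if t == "ipv4":
            try:
                ipaddress.IPv4Address(v)
            except ValueError:
                dropped.append((value, "not a valid IPv4"))
                continue
            ind[t].add(v)
        elif t in HASH_LEN.values():
            if HASH_LEN.get(len(v)) != t or not re.fullmatch(r"[0-9a-f]+", v):
                dropped.append((value, f"not a well-formed {t}"))
                continue
            ind[t].add(v)
        elif t in ("domain", "url"):
            host = re.sub(r"^[a-z]+://", "", v).split("/")[0].split(":")[0]
            if host in REFERENCE_DOMAINS:
                dropped.append((value, "cited reference, not an indicator"))
                continue
            ind[t].add(v)
        else:  # bare file names (os.exe) are too weak to alert on by themselves
            dropped.append((value, f"type {typ} not used for matching"))
    return ind, dropped

def sweep_proxy_log(ind, log_lines):
    """Return [(line_no, indicator)] for lines touching a listed IP or domain."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        for ip in sorted(ind["ipv4"]):  # 45.152.84.57 must not hit 145.152.84.57
            if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", low):
                hits.append((n, ip))
        for dom in sorted(ind["domain"]):
            if re.search(r"(?<![\w.-])" + re.escape(dom) + r"(?![\w-])", low):
                hits.append((n, dom))
    return hits

def sweep_hashes(ind, observed):
    """Return {hash: type} for observed hashes that match a listed sample."""
    lowered = [h.lower() for h in observed]
    return {h: HASH_LEN[len(h)] for h in lowered
            if len(h) in HASH_LEN and h in ind[HASH_LEN[len(h)]]}

# Constructed sample telemetry, not real logs.
SAMPLE_PROXY_LOG = [
    "2020-07-16T10:02:11Z ws-041 CONNECT 45.152.84.57:443 200 1184",
    "2020-07-16T10:02:13Z ws-041 GET https://github.com/jpcertcc/aa-tools 200 5120",
    "2020-07-16T10:04:02Z ws-017 CONNECT 145.152.84.57:443 200 900",
]
SAMPLE_HASHES = ["0322C4C2D511F73AB55BF3F43B1B0F152188D7146CC67FF497AD275D9DD1C20F",
                 "d41d8cd98f00b204e9800998ecf8427e"]  # second: MD5 of an empty file

if __name__ == "__main__":
    ind, dropped = build_indicators(parse_export(ATTRIBUTE_EXPORT))
    print(dropped, sweep_proxy_log(ind, SAMPLE_PROXY_LOG), sweep_hashes(ind, SAMPLE_HASHES))
```

Run as-is it reports github.com, os.exe and the JPCERT URL as dropped, one proxy hit on line 1 for 45.152.84.57 (the 145.152.84.57 line is not a hit because the IP regex is anchored on both sides), and one sha256 match despite the observed hash being upper-case. To use the full listing, paste the whole export into ATTRIBUTE_EXPORT; the "Github username", "MITRE ATT&CK Techniques" and "Threat Actor Identifier - APT" rows fall into the dropped list rather than into a match set, which is where they belong.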