Elastic catches DPRK passing out KANDYKORN — Elastic Security Labs
Tags
cmtmf-attack-pattern: Application Layer Protocol; Command And Scripting Interpreter; Masquerading; Obfuscated Files Or Information
maec-delivery-vectors: Watering Hole
attack-pattern: Data Direct Model; Application Layer Protocol - T1437; Archive Collected Data - T1560; Archive Collected Data - T1532; Archive Via Custom Method - T1560.003; Command And Scripting Interpreter - T1623; Domains - T1583.001; Domains - T1584.001; Dynamic Dns - T1311; Dynamic Dns - T1333; Exfiltration Over C2 Channel - T1646; File And Directory Discovery - T1420; File Deletion - T1070.004; File Deletion - T1630.002; Hidden Files And Directories - T1564.001; Hide Artifacts - T1628; Hide Artifacts - T1564; Hijack Execution Flow - T1625; Hijack Execution Flow - T1574; Ingress Tool Transfer - T1544; Local Data Staging - T1074.001; Malicious File - T1204.002; Malware - T1587.001; Malware - T1588.001; Masquerading - T1655; Match Legitimate Name Or Location - T1036.005; Match Legitimate Name Or Location - T1655.001; Obfuscated Files Or Information - T1406; Process Discovery - T1424; System Information Discovery - T1426; Python - T1059.006; Reflective Code Loading - T1620; Server - T1583.004; Server - T1584.004; Software - T1592.002; Software Packing - T1027.002; Software Packing - T1406.002; Unix Shell - T1059.004; Web Protocols - T1071.001; Web Protocols - T1437.001; Tool - T1588.002; Unix Shell - T1623.001; Standard Application Layer Protocol - T1071; Command-Line Interface - T1059; Connection Proxy - T1090; Deobfuscate/Decode Files Or Information - T1140; Exfiltration Over Command And Control Channel - T1041; Fallback Channels - T1008; File And Directory Discovery - T1083; File Deletion - T1107; Hidden Files And Directories - T1158; Indicator Removal On Host - T1070; Remote File Copy - T1105; Login Item - T1162; Masquerading - T1036; Obfuscated Files Or Information - T1027; Process Discovery - T1057; Software Packing - T1045; System Information Discovery - T1082; User Execution - T1204; Masquerading; User Execution
Common Information
Type Value
UUID 9dc3d64a-f1f9-4c73-935d-a36518c841b0
Fingerprint b1121c116cb705d7
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 1, 2023, midnight
Added to db Nov. 19, 2023, 6:17 a.m.
Last updated Nov. 17, 2024, 7:44 p.m.
Headline Elastic catches DPRK passing out KANDYKORN
Title Elastic catches DPRK passing out KANDYKORN — Elastic Security Labs
Detected Hints/Tags/Attributes 126/3/44
Attributes