Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again | Mandiant
Tags
cmtmf-attack-pattern: Obfuscated Files Or Information Process Injection
country: Afghanistan Albania Armenia Azerbaijan Belarus Belgium Venezuela Malaysia Canada Croatia Sao Tome And Principe El Salvador Estonia Ethiopia Faroe Islands Germany Georgia India Indonesia Iran Pakistan Kazakhstan Kenya Norway Sweden Thailand Kyrgyzstan Laos Latvia Lithuania North Macedonia Malta Sierra Leone Slovenia South Africa Tajikistan Trinidad And Tobago Turkey Uzbekistan Russia Slovakia Vietnam Togo Tokelau Turkmenistan Ukraine United States Of America U.S. Virgin Islands
attack-pattern: Data Model Software Discovery - T1418 Asymmetric Cryptography - T1521.002 Asymmetric Cryptography - T1573.002 Data Encrypted For Impact - T1471 Data Encrypted For Impact - T1486 Digital Certificates - T1596.003 Digital Certificates - T1587.003 Digital Certificates - T1588.004 File And Directory Discovery - T1420 Hidden Window - T1564.003 Install Digital Certificate - T1608.003 System Network Configuration Discovery - T1422 Malware - T1587.001 Malware - T1588.001 Obfuscated Files Or Information - T1406 Process Discovery - T1424 Powershell - T1059.001 Process Injection - T1631 Social Media - T1593.001 Software Discovery - T1518 Software Packing - T1027.002 Software Packing - T1406.002 System Checks - T1633.001 System Checks - T1497.001 Web Protocols - T1071.001 Web Protocols - T1437.001 Virtualization/Sandbox Evasion - T1497 Virtualization/Sandbox Evasion - T1633 Create Account - T1136 File And Directory Discovery - T1083 Hidden Window - T1143 Obfuscated Files Or Information - T1027 Powershell - T1086 Process Discovery - T1057 Process Injection - T1055 Software Packing - T1045 System Network Configuration Discovery - T1016
Common Information
Type Value
UUID a8d775a7-86b5-49d9-ab9b-faf345586219
Fingerprint 979e76bfb29ebee4
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 29, 2021, midnight
Added to db Nov. 9, 2023, 12:23 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
Title Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again | Mandiant
Detected Hints/Tags/Attributes 165/3/108
RSS Feed
Id    Enabled   Feed title            Url                                               Added to db
330             Threat Intelligence   https://www.mandiant.com/resources/blog/rss.xml   2024-08-30 22:08
Attributes
Type                           #Events  CTI Value
Domain                         110      exploit.in
Domain                         1        markettc.biz
Domain                         1        sun9-23.userapi.com
Domain                         1        aequuira1aedeezais5i.probes.space
Domain                         1        jeithe7eijeefohch3qu.probes.site
Domain                         1        datatransferdc.com
Domain                         1        farhadl.com
Domain                         1        probes.space
Domain                         1        tinysidney.com
Domain                         1        helpgoldr.com
Domain                         1        frankir.com
Domain                         1        greentuks.com
Domain                         1        aimee0febai5phoht2ti.probes.website
Domain                         1        cofeeloveers.com
Domain                         1        doratir.com
Domain                         1        gordonzon.com
Domain                         1        probes.site
Domain                         1        probes.website
File                           1        kitten.gif
File                           1        abj70jghfvk.jpg
md5                            1        6bd1a3849bb9d5f9ac5b4f4049081334
md5                            1        38667bc3ad2dcef35a5f343a5073e3f2
md5                            1        ef3363dfe2515b826584ab53c4bb7812
md5                            1        f1b2f83aa08b8f6f01cac6bf686786d2
md5                            1        e94089ff2e0b93ce38076cca370cf8cc
md5                            1        ac76d6c5c223688edf2d53745036d594
md5                            1        64da229042dffddf5bb30a4a1d8b1f1e
md5                            1        1789f6177300d503289c482910f223d9
md5                            1        dbfa3eb08d858d5bbb0cc72f497192b0
md5                            1        79c6c4329a36df20a6abf67b01352b20
md5                            1        6ae156c0a1900b6ff2c903a950d50dce
md5                            1        b0333d840e136326a2bd612fcf73fff0
md5                            1        7669f00b467e2990be182584b341c0e8
md5                            1        60aec56cb2262ae46fc39c45fc814711
md5                            1        f7e7201325892dcc287c60a0748edb16
md5                            1        c4a369880e3e5c3dc42ebf8cdacc9d6c
md5                            1        98f2b23eb265d73a05b2cce17d53eba4
md5                            1        aa2a14e1819f4b1cc685801e07186b0d
md5                            1        61bbe1c1b2aa40c0d8aa7e00c2c4f7b6
md5                            1        0b6757090d9ebc8d497e71b177acf256
sha1                           1        3357fd8d5a253b7d84101e902480bf2dd2f7773c
sha1                           1        366390c3cd829d1172f02e564d35cfb2c667e9fc
sha1                           1        a0928456f12e909ec03eadce449bc80f120bfbf8
sha1                           1        dc3c26f305648a12484c17d6166397a002a93707
sha1                           1        5972b873977912adf06203b61685f32a6ccb9eee
sha1                           1        3dc46fa5ebc87e8adcb6eaa0b407574506c957bb
sha1                           1        5c3f297bab8a5e93aac91a9df920c54bee2c836d
sha1                           1        182e9d1026c63503aadb78bbc3788b7ba2cdb69a
sha1                           1        fc7b3d8beab604cf47203f4f9a2aa8594bd54fb7
sha1                           1        7b178842e1b53f163f869d9da3da32032fe29abb
sha1                           1        8467b4f784156f2e508a3fed0ef0b6ddcf330c0d
sha1                           1        2eaa91f38461d708ee6e94ec2f738f3cdfb229b7
sha1                           1        bb22515f2e8e4d5660dc8565869d966502a0123e
sha1                           1        35f02a778ea7504331ddd025f0d927e0773ffd31
sha1                           1        037889e6d714c7ff6341bdb8a8bebbddc21fc36e
sha1                           1        41cc9afc79aaee60f6436192c6582907e41d89f7
sha1                           1        22cf10ec5047a86a49c1819c4943290321a29918
sha1                           1        101930bbec76ee4a147117cdfcb56aa2208a579d
sha1                           1        6eff4b7b5ccf92eb0f134591237fe1db7c71826a
sha1                           1        25b175a71906e354a24003803574c4420f02a82f
sha256                         1        da92878c314307a5e5c9df687ec19a402d93126b3818e5fb6b7241ab375d1e12
sha256                         1        0fb410b9a4d32a473b2ee28d4dc5e19a64524e107b980fc1ce8de2ad0dcc3302
sha256                         1        298662f3fed24d757634a022c16f4124919b653f8bf7717e4f7a5b7d741729c0
sha256                         1        afd61168c1fae6841faa3860dca0e5839f1b7a3169184a1c04de5a9b88adfe5d
sha256                         1        a053408747e9b32721d25c00351c4ce9286208e8714780416f18cbe2536672a9
sha256                         1        b2ffd7d83e004308a97355a18529fe3528dcbbd7901fb28aaad9d46194469947
sha256                         1        e302a958856208adeab4ab3cd6d2991e644798fabd57bb187a0aede314a4baa0
sha256                         1        8ddb23c90cb4133b4624127a1db75335a51e90d557c01e996ce33fe23f638e71
sha256                         1        1bbb11e526141af7bafb5d4db3671b1a01bb277fda047920995c1f2a4cb6654c
sha256                         1        1cd586852d2c06b0f7209c7a4da8f3d0de794f92e97b7c4405ad71c859dc2f50
sha256                         1        79b47780382f54ca039ad248d8241e42a7ed6b1e4b75af836890e4e46c0f8737
sha256                         1        f4ac75a045acee2cadbe9fa0e02bfd4ab4124018e00193930966b8141351115f
sha256                         1        3edb237aeee6efad6f21f0f2c2037ec0f9f817197432de9759b0a772a4c8f311
sha256                         1        a4891cc85802833d9a89e2522a42a7e3c8dc6de1d2bbed5945497ee4006c8ddb
sha256                         1        756ed760cbf4b35054c78a75009f748f0f6cd5eb2cbd44bb3a2d964da3c419cf
sha256                         1        87cdcbc55aed4267f47a913b17f4bc697634bf633659c639f87a4dbf00f853c1
sha256                         1        a8741f6f400c7fedfbdc7a298ab4a636be42d379eb4ecc3cccd81eadca09f8d0
sha256                         1        5a6b7569c2b8e91f5bd8a67322af384cfad5ddaf3ea9de271093a0879b88c438
sha256                         1        f883f7d7c068b6f1eb62804591d748c28c584fbfb769628d9567c22aa00f26f6
sha256                         1        e25f2284fc6e80011587bf95829d8ff30ecae06a2d2bbe494d8af3bd05f9e43f
IPv4                           1        45.79.55.129
IPv4                           1        45.146.166.24
IPv4                           1        45.147.230.221
IPv4                           1        45.141.84.182
IPv4                           1        45.147.230.137
Mandiant Uncategorized Groups  1        UNC2190
MITRE ATT&CK Techniques        245      T1016
MITRE ATT&CK Techniques        433      T1057
MITRE ATT&CK Techniques        585      T1083
MITRE ATT&CK Techniques        185      T1518
MITRE ATT&CK Techniques        472      T1486
MITRE ATT&CK Techniques        627      T1027
MITRE ATT&CK Techniques        160      T1027.002
MITRE ATT&CK Techniques        440      T1055
MITRE ATT&CK Techniques        238      T1497
MITRE ATT&CK Techniques        97       T1497.001
MITRE ATT&CK Techniques        66       T1564.003
MITRE ATT&CK Techniques        86       T1136
MITRE ATT&CK Techniques        442      T1071.001
MITRE ATT&CK Techniques        74       T1573.002
MITRE ATT&CK Techniques        26       T1587.003
MITRE ATT&CK Techniques        17       T1608.003
MITRE ATT&CK Techniques        460      T1059.001
Url                            1        https://markettc.biz/gifs/zsoczxu-x-5d3zhv2zzkgc8shhygcymwpbrcs_mrv_szxywaaspw7fftcz66twq_utdp5edls
Url                            1        https://sun9-23.userapi.com/g4jvdzdefldiplnn1-jkmgq2unf2keiv54om5g/abj70jghfvk.jpg
Yara rule                      1        FE_Hunting_THEMIDA_strings_FEBeta (rule text follows)
rule FE_Hunting_THEMIDA_strings_FEBeta {
	meta:
		author = "Mandiant"
		date_created = "2021-10-26"
		date_modified = "2021-10-26"
		md5 = "7669f00b467e2990be182584b341c0e8"
		rev = 2
		sid = 415583
	strings:
		$themida = ".themida" nocase
	condition:
		uint16(0) == 0x5A4D and filesize < 20MB and (@themida[1] < 1024)
}
Yara rule                      1        FE_Ransomware_Win64_ROLLCOAST_1 (rule text follows)
rule FE_Ransomware_Win64_ROLLCOAST_1 {
	meta:
		author = "Mandiant"
		date_created = "2020-07-15"
		date_modified = "2020-07-15"
		md5 = "45882426ecddb032981fd6c299b3cc47"
		rev = 2
	strings:
		$sb1 = { 48 8D [5] 48 8D ?? 24 ?? E8 [4-32] B? 30 00 00 00 [8-64] 25 FF F9 FF FF 0F BA E8 0B }
		$sb2 = { FF D? 85 C0 0F 84 [4] 48 8D [2-16] 83 E8 06 0F 84 [4] 83 E8 08 0F 84 [4] 83 E8 0F }
		$sb3 = { 41 B8 C5 02 00 00 0F 10 00 0F 10 48 10 0F 11 02 0F 10 40 20 0F 11 4A 10 0F 10 48 30 0F 11 42 20 0F 10 40 40 0F 11 4A 30 0F 11 42 40 89 4A 50 0F B6 48 54 88 4A 54 33 D2 49 8B C9 8B C2 48 8D 49 01 83 E0 0F FF C2 42 0F B6 84 08 [2] 00 00 30 41 FF 49 83 E8 01 75 E3 }
		$sb4 = { FF 15 [4] 05 E7 FB FF FF 83 F8 2B }
		$ss1 = "\x00Program Files\\" wide
		$ss2 = "\x00Program Files (x86)\\" wide
		$ss3 = "\x00.[\x00"
		$ss4 = "\x00].\x00"
	condition:
		(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C) + 0x18) == 0x020B) and all of them and (#ss1 > 5) and (#ss2 > 5)
}
Yara rule                      1        FE_Ransomware_Win_ROLLCOAST_1 (rule text follows)
rule FE_Ransomware_Win_ROLLCOAST_1 {
	meta:
		author = "Mandiant"
		date_created = "2020-07-15"
		date_modified = "2020-07-15"
		md5 = "45882426ecddb032981fd6c299b3cc47"
		rev = 2
	strings:
		$s2 = "\x00lolz\x00" wide
		$s3 = "\x00Start encryption of %s\x0a\x0a\x00" wide
		$s4 = "\x00Finished encryption of %s\x0a\x0a\x00" wide
		$s5 = "\x00FOUND DEVICE: \x0a\x00" wide
	condition:
		(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}