SEO Poisoning to Domain Control: The Gootloader Saga Continues
Common Information
Type Value
UUID b503da79-cc34-47d4-b70e-92948b76f70b
Fingerprint a413a7d5298a98c4
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 26, 2024, 12:39 a.m.
Added to db Aug. 31, 2024, 8:40 a.m.
Last updated Nov. 17, 2024, 7:44 p.m.
Headline SEO Poisoning to Domain Control: The Gootloader Saga Continues
Title SEO Poisoning to Domain Control: The Gootloader Saga Continues
Detected Hints/Tags/Attributes 128/3/94
RSS Feed
Id | Enabled | Feed title | Url | Added to db
249 |  | The DFIR Report | https://thedfirreport.com/feed/ | 2024-08-30 22:08
Attributes
Type | #Events | CTI Value
Domain | 1 | blog.lilianpraskova.cz
Domain | 2 | gootloaderautojsdecode.py
Domain | 23 | www.cobaltstrike.com
Domain | 4127 | github.com
Domain | 6 | www.advanced-ip-scanner.com
Domain | 20 | 1768.py
Domain | 1 | hrclubphilippines.com
Domain | 1 | mediacratia.ru
Domain | 1 | daraltanweer.com
Domain | 1 | ukrainians.today
Domain | 1 | my-little-kitchen.com
Domain | 1 | montages.no
Domain | 1 | pocketofpreschool.com
Domain | 1 | sitmeanssit.com
Domain | 1 | artmodel.com.ua
Domain | 10 | detection.fyi
Domain | 9 | sigmasearchengine.com
File | 1 | management.js
File | 1122 | svchost.exe
File | 376 | wscript.exe
File | 155 | cscript.exe
File | 1208 | powershell.exe
File | 2 | gootloaderautojsdecode.py
File | 172 | dllhost.exe
File | 7 | payload.txt
File | 17 | 1768.py
File | 218 | min.js
File | 9 | %windir%\\syswow64\\dllhost.exe
File | 9 | %windir%\\sysnative\\dllhost.exe
File | 1 | s5.ps1
File | 35 | xmlrpc.php
File | 1 | implied_employment_agreement_70159.zip
File | 1 | 24230.js
File | 1 | payload1.dll
File | 4 | payload2.exe
File | 1 | e544944.exe
File | 1 | 5d78365.exe
File | 1 | dae50de.exe
File | 1 | a4a2ea4.exe
File | 76 | netsh.exe
Github username | 18 | ghostpack
Github username | 19 | the-dfir-report
md5 | 23 | 72a589da586844d7f0818ce684948eea
md5 | 15 | f176ba63b4d68e576b5ba345bec2c7b7
md5 | 1 | fb6e4f75763fad6d0e7fe85a563b0c24
md5 | 1 | deb24dfaf8178fda2d070aba9134a30c
md5 | 1 | 4f4ee823a8c7e2511f05b3ea633c0d2c
md5 | 1 | 25b38e45df3cd215386077850c59be07
md5 | 1 | 1b8b4f05058ac39091b99cc153ab00c0
md5 | 1 | f769cb73317421c290832777c9e14f92
md5 | 1 | 49145e436aa571021bb1c7b727f8b049
md5 | 1 | 9f9c7b2c8f245e62a08bf5f8a3eb3498
md5 | 1 | a617e6687ab5d747c530b930bb4a3209
md5 | 1 | e9fc0203d1dea15dff56a285d0f86b62
sha1 | 1 | 7e8543f2bc09bf320510fde5e34e32065339d9d2
sha1 | 1 | ecc0b26106703e129fb1e2ec132c373870c2e7b6
sha1 | 1 | 877515fecc14ed193167e8a20c6b9a684a74564d
sha1 | 1 | a88a28c73aa42956c9f9d12585a8de63d4a00e47
sha1 | 1 | e0b568a3e35257cd30b0c42727c3529cef13b081
sha1 | 1 | f043898fc9db6985c4ad8bb84669c081cdaa8e6f
sha1 | 1 | 3cf851eb09c934cafe9b98d4706f903dff804b0c
sha1 | 1 | d53e550b54c08606e19965a9f74bbaa7063e10f1
sha1 | 1 | 72076af2ce8df6f8b1121c38f3c3db043c540369
sha256 | 1 | 873dd1dcdfcbe9826b274c5880f5be81a878ee93715fbb18a654d9dba61c5dfc
sha256 | 1 | f94048917ac75709452040754bb3d1a0aff919f7c2b4b42c5163c7bdb1fbf346
sha256 | 1 | ecc7f13c3f0f8d4775e05715810b0164c52b7bd233e4a2e4f5a37769becb0092
sha256 | 1 | 68dd1a2da732d56b0618f8581502fcf209b1c828c97d05f239c98d55bb78b562
sha256 | 1 | 831955bd05186381a8f15539a41f48166873eab3feb55fb1104202e4152bd507
sha256 | 1 | 40c40495434bf987b04f0742c3e9201189675d87a042aa72abbd0084c3de66d8
sha256 | 1 | aad75498679aada9ee2179a8824291e3b4781d5683c2fa5b3ec92267ce4a4a33
sha256 | 1 | be3222219f029b47120390b2b1ad46ae86287e64a1f7228d6b2ffd89345a889e
sha256 | 1 | 792a95234b01c256019b16a242b9487b99e98ed8a955eaecf1e44b0141aa12f4
IPv4 | 1 | 46.28.105.94
IPv4 | 1441 | 127.0.0.1
IPv4 | 1 | 91.215.85.143
IPv4 | 2 | 91.92.136.20
Url | 1 | https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem
Url | 2 | https://www.cobaltstrike.com/blog/windows-access-tokens-and-alternate-credentials
Url | 2 | https://github.com/ghostpack/restrictedadmin
Url | 2 | https://www.advanced-ip-scanner.com
Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-wtsgetactiveconsolesessionid#return
Url | 1 | http://127.0.0.1:12210
Url | 1 | https://hrclubphilippines.com/xmlrpc.php
Url | 1 | https://mediacratia.ru/xmlrpc.php
Url | 1 | https://daraltanweer.com/xmlrpc.php
Url | 1 | https://ukrainians.today/xmlrpc.php
Url | 1 | https://my-little-kitchen.com/xmlrpc.php
Url | 1 | https://montages.no/xmlrpc.php
Url | 1 | https://pocketofpreschool.com/xmlrpc.php
Url | 1 | http://blog.lilianpraskova.cz/xmlrpc.php
Url | 1 | https://sitmeanssit.com/xmlrpc.php
Url | 1 | http://artmodel.com.ua/xmlrpc.php
Url | 1 | https://github.com/the-dfir-report/yara-rules/blob/main/19530/19530.yar
Windows Registry Key | 1 | HKLM\SYSTEM\CurrentControlSet\Control\Terminal
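The attribute listing above is the whole content of this record, so here is one way to put it to work: an added example, not code from The DFIR Report or from this database, that sweeps log lines against the listed C2 domains, IPs and file hashes, and separately flags requests to xmlrpc.php, the path every C2 URL in the listing shares. The key=value log format, the sample events, the confidence labels, the set of script hosts, and the decision to leave reference sites such as github.com, www.cobaltstrike.com and 127.0.0.1 out of the match set are all my assumptions, not something the record states.

```python
"""Sweep constructed log lines for the Gootloader indicators listed above.

Added example; not code from The DFIR Report. The key=value log format
is an assumption, not any product's real schema.
"""
import re
from urllib.parse import urlsplit

# Attacker infrastructure copied from the attribute listing. Values that also
# appear there but are reference material or loopback (github.com,
# www.cobaltstrike.com, www.advanced-ip-scanner.com, detection.fyi,
# sigmasearchengine.com, 127.0.0.1) are deliberately excluded: they only add noise.
C2_DOMAINS = {
    "hrclubphilippines.com", "mediacratia.ru", "daraltanweer.com",
    "ukrainians.today", "my-little-kitchen.com", "montages.no",
    "pocketofpreschool.com", "blog.lilianpraskova.cz", "sitmeanssit.com",
    "artmodel.com.ua",
}
C2_IPS = {"46.28.105.94", "91.215.85.143", "91.92.136.20"}
# A subset of the md5 / sha1 / sha256 values from the listing, lowercased.
HASHES = {
    "72a589da586844d7f0818ce684948eea",                                  # md5
    "f176ba63b4d68e576b5ba345bec2c7b7",                                  # md5
    "7e8543f2bc09bf320510fde5e34e32065339d9d2",                          # sha1
    "873dd1dcdfcbe9826b274c5880f5be81a878ee93715fbb18a654d9dba61c5dfc",  # sha256
    "f94048917ac75709452040754bb3d1a0aff919f7c2b4b42c5163c7bdb1fbf346",  # sha256
}
# Script hosts from the listing (assumed set): an xmlrpc.php request from one
# of these is rated higher than the same request from a browser.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}

HEX_RUN = re.compile(r"\b[0-9a-fA-F]{32,64}\b")   # whole-token hex runs only
URL = re.compile(r"https?://[^\s\"']+")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IMAGE = re.compile(r"image=(\S+)")               # field values assumed space-free

# Constructed sample events for this example; not taken from the report.
SAMPLE_EVENTS = [
    "2024-02-20T10:01:02Z host=WS01 image=C:\\Windows\\System32\\wscript.exe method=POST url=https://montages.no/xmlrpc.php",
    "2024-02-20T10:01:09Z host=WS01 image=C:\\Windows\\System32\\cscript.exe method=POST url=https://example.org/xmlrpc.php",
    "2024-02-20T10:03:44Z host=WS01 image=C:\\Windows\\SysWOW64\\dllhost.exe dst=91.92.136.20:443",
    "2024-02-20T10:05:00Z host=WS01 file=C:\\Users\\bob\\Downloads\\payload2.exe sha256=873DD1DCDFCBE9826B274C5880F5BE81A878EE93715FBB18A654D9DBA61C5DFC",
    "2024-02-20T10:06:00Z host=WS02 image=C:\\Users\\bob\\AppData\\Local\\Chromium\\chrome.exe method=GET url=https://github.com/the-dfir-report/yara-rules",
    "2024-02-20T10:07:30Z host=WS02 image=C:\\Users\\bob\\AppData\\Local\\Chromium\\chrome.exe method=POST url=https://blog.example.net/xmlrpc.php",
]


def image_basename(line):
    """Executable name from the image= field, lowercased ('' if absent)."""
    m = IMAGE.search(line)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else ""


def match_event(line):
    """Return (confidence, ioc_type, value) tuples for one log line.

    'high'   = exact match on a listed hash, domain or IP
    'medium' = xmlrpc.php request from a script host, on an unlisted domain
    'low'    = xmlrpc.php request from any other process, on an unlisted domain
    """
    hits = []
    for run in HEX_RUN.findall(line):
        if len(run) in (32, 40, 64) and run.lower() in HASHES:
            hits.append(("high", "hash", run.lower()))
    for url in URL.findall(line):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in C2_DOMAINS:
            hits.append(("high", "domain", host))
        elif parts.path.lower().endswith("/xmlrpc.php"):
            conf = "medium" if image_basename(line) in SCRIPT_HOSTS else "low"
            hits.append((conf, "xmlrpc_request", host))
    for ip in IPV4.findall(line):
        if ip in C2_IPS:
            hits.append(("high", "ipv4", ip))
    return hits


def sweep(lines):
    """Map line index -> hits for every line that matched at least one rule."""
    return {i: hits for i, line in enumerate(lines) if (hits := match_event(line))}


if __name__ == "__main__":
    for i, hits in sweep(SAMPLE_EVENTS).items():
        print(i, hits)
```

The 'low' tier will fire on ordinary WordPress clients, so treat it as a pivot point rather than an alert on its own; the 'medium' tier (a script host posting to xmlrpc.php) is the one worth paging on, and any 'high' hit should be handled as a confirmed indicator.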