MAR-10296782-1.v1 – SOREFANG | CISA
Tags
country: | Australia |
maec-delivery-vectors: | Watering Hole |
attack-pattern: | Data Exploits - T1587.004 Exploits - T1588.005 Malware - T1587.001 Malware - T1588.001 Phishing - T1660 Phishing - T1566 Server - T1583.004 Server - T1584.004 Software - T1592.002 Vulnerabilities - T1588.006 Whois - T1596.002 |
Common Information
Type | Value |
---|---|
UUID | b52409d0-31e7-49a8-8060-f893065cf2b9 |
Fingerprint | a4983b43ec722483 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | July 16, 2020, midnight |
Added to db | Sept. 26, 2022, 9:31 a.m. |
Last updated | Nov. 17, 2024, 6:55 p.m. |
Headline | Malware Analysis Report (AR20-198A) |
Title | MAR-10296782-1.v1 – SOREFANG | CISA |
Detected Hints/Tags/Attributes | 85/3/100 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a |
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Autonomous System Number | 1 | AS136557 |
|
Details | Domain | 145 | www.us-cert.gov |
|
Details | Domain | 98 | www.ncsc.gov.uk |
|
Details | Domain | 6 | botlib.post |
|
Details | Domain | 73 | schemas.microsoft.com |
|
Details | Domain | 5 | whois.apnic.net |
|
Details | Domain | 1 | hostuniversal.com.au |
|
Details | Domain | 1 | www.apnic.net |
|
Details | Domain | 2 | generic.cf |
|
Details | Domain | 52 | whois.arin.net |
|
Details | Domain | 21 | www.iana.org |
|
Details | Domain | 33 | datatracker.ietf.org |
|
Details | Domain | 3 | rdap.arin.net |
|
Details | Domain | 469 | www.cisa.gov |
|
Details | Domain | 84 | malware.us-cert.gov |
|
Details | Domain | 84 | ftp.malware.us-cert.gov |
|
Details | 1 | abuse@hostuniversal.com.au |
||
Details | 84 | submit@malware.us-cert.gov |
||
Details | File | 4 | sangforud.exe |
|
Details | File | 1 | sanforupd.exe |
|
Details | File | 1 | sangforud.sum |
|
Details | File | 61 | systeminfo.exe |
|
Details | File | 51 | ipconfig.exe |
|
Details | File | 2125 | cmd.exe |
|
Details | File | 256 | net.exe |
|
Details | File | 9 | hostname.exe |
|
Details | File | 56 | tasklist.exe |
|
Details | File | 62 | whoami.exe |
|
Details | File | 1 | sangforudc.exe |
|
Details | md5 | 3 | c5d5cb99291fa4b2a68b5ea3ff9d9f9a |
|
Details | md5 | 3 | 4d38ac3319b167f6c8acb16b70297111 |
|
Details | md5 | 3 | a32e1202257a2945bf0f878c58490af8 |
|
Details | md5 | 3 | 861879f402fe3080ab058c0c88536be4 |
|
Details | md5 | 3 | 2f9f4f2a9d438cdc944f79bdf44a18f8 |
|
Details | md5 | 3 | ae7a46529a0f74fb83beeb1ab2c68c5c |
|
Details | md5 | 3 | f18ced8772e9d1a640b8b4a731dfb6e0 |
|
Details | md5 | 4 | 3a9cdd8a5cbc3ab10ad64c4bb641b41f |
|
Details | md5 | 3 | 967fcf185634def5177f74b0f703bdc0 |
|
Details | md5 | 4 | 01d322dcac438d2bb6bce2bae8d613cb |
|
Details | md5 | 3 | 8777a9796565effa01b03cf1cea9d24d |
|
Details | md5 | 3 | 507bb551bd7073f846760d8b357b7aa9 |
|
Details | md5 | 1 | de67eebbdb41eb69bfdf6c23a6479582 |
|
Details | md5 | 1 | 79b491fc5059891654fc228b26171f6d |
|
Details | md5 | 1 | 471b9d4a35e5f8b569ae1ca6bc91aba1 |
|
Details | md5 | 1 | d74b8d761debb3939c3878052199ffa2 |
|
Details | md5 | 1 | 463a4a2ba2e9496201b711302c4e3008 |
|
Details | md5 | 1 | 1f354d76203061bfdd5a53dae48d5435 |
|
Details | md5 | 1 | e9edb21c8ad50896cd623d0172835e6d |
|
Details | md5 | 1 | 1d7b5cd8dcec22299f23bb463562815a |
|
Details | md5 | 1 | d4908a2e47ff25c44054f8e623426243 |
|
Details | md5 | 1 | 7e061a180fa24eb5a318d6eae8797cc2 |
|
Details | md5 | 1 | 2B6233EB3E872FF78988F4A8F3F6A3BA |
|
Details | md5 | 1 | daf2da52475fd8981b19ec3c321a983c |
|
Details | md5 | 1 | 1cd19b3151a670e3d1d2a24953392004 |
|
Details | md5 | 1 | 98e91043bf45d10a621d72a2e3200ed0 |
|
Details | md5 | 1 | aa6f1abb810df36035bc35cf27c68d59 |
|
Details | md5 | 1 | c947f4e73cc3503e16ce6173df639c87 |
|
Details | md5 | 1 | ec6c94b5135c0c75d0a8b7288b77cbae |
|
Details | md5 | 1 | b744db87f1a59d6af2a5a37c0da519d1 |
|
Details | md5 | 1 | a723dab3d5a36cc8ad0ef65a0d4cfb3d |
|
Details | md5 | 1 | ed096fa6a0d25049398750d840d02748 |
|
Details | md5 | 1 | 0f2de5a1546886f5cb9876d918d333bf |
|
Details | md5 | 1 | 398a48e3a63f160340ba9720a3f13bc8 |
|
Details | md5 | 1 | 6f25e38b602834c202db365468104061 |
|
Details | md5 | 1 | 093889615fb3f28b9066f7dc93650099 |
|
Details | md5 | 1 | d404cb13c9f033a5b71c2d31cf474e6f |
|
Details | sha1 | 1 | a1b5d50fe87f9c69a0e4da447f8d56155ce59e47 |
|
Details | sha1 | 1 | 152189b62c546d6297a7083778fba62dcec576be |
|
Details | sha1 | 1 | 416df2d22338f412571cdaedb40ab33eb38977af |
|
Details | sha256 | 7 | 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2 |
|
Details | sha256 | 8 | 65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75 |
|
Details | sha256 | 7 | a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064 |
|
Details | sha256 | 8 | 7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee |
|
Details | sha256 | 7 | 14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2 |
|
Details | sha256 | 7 | e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09 |
|
Details | sha256 | 7 | fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950 |
|
Details | sha256 | 7 | 953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a |
|
Details | sha256 | 9 | 5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb |
|
Details | sha256 | 8 | 0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494 |
|
Details | sha256 | 7 | 83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18 |
|
Details | sha256 | 3 | 47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854 |
|
Details | IPv4 | 6 | 103.216.221.19 |
|
Details | IPv4 | 1 | 192.168.169.103 |
|
Details | IPv4 | 1 | 7.6.0.100 |
|
Details | IPv4 | 1 | 103.216.220.0 |
|
Details | IPv4 | 1 | 103.216.223.255 |
|
Details | IPv4 | 1 | 103.216.221.0 |
|
Details | IPv4 | 124 | 192.168.0.0 |
|
Details | IPv4 | 21 | 192.168.255.255 |
|
Details | Threat Actor Identifier - APT | 665 | APT29 |
|
Details | Url | 42 | http://www.us-cert.gov/tlp. |
|
Details | Url | 5 | https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development |
|
Details | Url | 19 | http://schemas.microsoft.com/windows/2004/02/mit/task |
|
Details | Url | 1 | http://www.iana.org/abuse/answers |
|
Details | Url | 1 | http://datatracker.ietf.org/doc/rfc1918 |
|
Details | Url | 1 | https://rdap.arin.net/registry/ip/192.168.0.0 |
|
Details | Url | 1 | https://rdap.arin.net/registry/entity/iana |
|
Details | Url | 12 | https://www.cisa.gov/forms/feedback |
|
Details | Url | 84 | https://malware.us-cert.gov |
|
Details | Yara rule | 3 | rule CISA_10296782_01 : trojan WELLMESS
{
    // Detection rule published with this MAR. The meta block pairs twelve
    // MD5/SHA256 values; the same hashes appear in the md5 and sha256
    // attribute lists of this page. Comments below decode each hex string
    // from its bytes (ASCII or UTF-16LE); nothing beyond the bytes is claimed.
    meta:
        Author = "CISA Code & Media Analysis"
        Date = "2020-07-06"
        Last_Modified = "20200706_1017"
        Actor = "n/a"
        Category = "Trojan"
        Family = "WellMess"
        Description = "Detects WellMess implant and SangFor Exploit"
        MD5_1 = "4d38ac3319b167f6c8acb16b70297111"
        SHA256_1 = "7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee"
        MD5_2 = "a32e1202257a2945bf0f878c58490af8"
        SHA256_2 = "a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064"
        MD5_3 = "861879f402fe3080ab058c0c88536be4"
        SHA256_3 = "14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2"
        MD5_4 = "2f9f4f2a9d438cdc944f79bdf44a18f8"
        SHA256_4 = "e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09"
        MD5_5 = "ae7a46529a0f74fb83beeb1ab2c68c5c"
        SHA256_5 = "fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950"
        MD5_6 = "f18ced8772e9d1a640b8b4a731dfb6e0"
        SHA256_6 = "953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a"
        MD5_7 = "3a9cdd8a5cbc3ab10ad64c4bb641b41f"
        SHA256_7 = "5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb"
        MD5_8 = "967fcf185634def5177f74b0f703bdc0"
        SHA256_8 = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
        MD5_9 = "c5d5cb99291fa4b2a68b5ea3ff9d9f9a"
        SHA256_9 = "65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75"
        MD5_10 = "01d322dcac438d2bb6bce2bae8d613cb"
        SHA256_10 = "0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494"
        MD5_11 = "8777a9796565effa01b03cf1cea9d24d"
        SHA256_11 = "83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18"
        MD5_12 = "507bb551bd7073f846760d8b357b7aa9"
        SHA256_12 = "47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854"

    strings:
        // Group A: Go build paths / symbol names left in the binary
        // (text strings; case-sensitive as written).
        $0 = "/home/ubuntu/GoProject/src/bot/botlib/chat.go"
        $1 = "/home/ubuntu/GoProject/src/bot/botlib.Post"
        $2 = "GoProject/src/bot/botlib.deleteFile"
        $3 = "ubuntu/GoProject/src/bot/botlib.generateRandomString"
        $4 = "GoProject/src/bot/botlib.AES_Decrypt"

        // Group B: UTF-16LE fragments "Script", "cmd.exe", "/c", separated by
        // short byte sequences (00 0F / 00 07) that the rule does not explain.
        $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }
        // UTF-16LE "<nw>.*)" then "${fn}".
        $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }
        // UTF-16LE "{arg}" then "${nw}".
        $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }
        // ASCII "RandomString", a NUL, then "DeleteFile".
        $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }
        $9 = "get_keyRC6"

        // Groups C and D: two pairs of 16-byte binary patterns. The rule gives
        // no meaning for them; treat them as opaque byte sequences.
        $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }
        $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }
        $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }
        $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }

        // Group E: a single Go symbol name; fires on its own (see condition).
        $14 = "GoProject/src/bot/botlib.wellMess"

        // Group F: ASCII Go symbol names "botlib.JoinDnsChunks", "botlib.Exec",
        // "botlib.GetRandomBytes", "botlib.Key".
        $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }
        $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }
        $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }
        $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }

        // Group G: another pair of opaque 16-byte patterns.
        $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }
        $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }

        // Group H: UTF-16LE text "DYJ 6GsbY1.", "n Fuz,KZ 31iju", "C1ivf92 V7lOH".
        $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }
        $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }
        $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }

        // Group I: ASCII regex source "fileName:(?P<fn>.*?)\sargs:(?P<arg>.*?"
        // (stored as hex so the backslash and parentheses are matched literally).
        $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61 72 67 3E 2E 2A 3F }

        // Group J: UTF-16LE "\.SangforUD.sum" and ASCII
        // 'form-data; name="_ga"; filename='.
        $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }
        $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }

        // Group K: ASCII regex source "@[^\s]+?\s(?P<tar>.*?)\s'".
        $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }

    condition:
        // Each parenthesised group is an independent trigger: any one group
        // matching fires the rule. There is no file-type or filesize guard,
        // and groups $14, $24 and $27 are single strings, so matches on
        // non-sample files that merely contain these strings (e.g. analysis
        // notes or this report) are possible and should be triaged.
        ($0 and $1 and $2 and $3 and $4) or
        ($5 and $6 and $7 and $8 and $9) or
        ($10 and $11) or
        ($12 and $13) or
        ($14) or
        ($15 and $16 and $17 and $18) or
        ($19 and $20) or
        ($21 and $22 and $23) or
        ($24) or
        ($25 and $26) or
        ($27)
} |