"海莲花"APT组织2019年第一季度针对中国的攻击活动技术揭秘
Tags
| attack-pattern: | Direct Dns - T1071.004 Dns - T1590.002 Mshta - T1218.005 Regsvr32 - T1218.010 Software - T1592.002 Connection Proxy - T1090 Mshta - T1170 Regsvr32 - T1117 |
Common Information
| Type | Value |
|---|---|
| UUID | bf5cff66-610b-4e2b-8b9d-a27d4aaa62c9 |
| Fingerprint | e15d1a35831a5916 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Feb. 21, 2022, midnight |
| Added to db | Sept. 26, 2022, 9:30 a.m. |
| Last updated | Nov. 13, 2024, 6:18 p.m. |
| Headline | "海莲花"APT组织2019年第一季度针对中国的攻击活动技术揭秘 |
| Title | "海莲花"APT组织2019年第一季度针对中国的攻击活动技术揭秘 |
| Detected Hints/Tags/Attributes | 24/1/156 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | CVE | 31 | cve-2018-20250 |
|
| Details | Domain | 1 | api.baidu-json.com |
|
| Details | Domain | 1 | cloud.360cn.info |
|
| Details | Domain | 1 | dns.chinanews.network |
|
| Details | Domain | 1 | aliexpresscn.net |
|
| Details | Domain | 1 | chinaport.org |
|
| Details | Domain | 1 | officewps.net |
|
| Details | Domain | 3 | dominikmagoffin.com |
|
| Details | Domain | 4 | ristineho.com |
|
| Details | Domain | 1 | 360cn.info |
|
| Details | Domain | 1 | support.erryarks.com |
|
| Details | Domain | 1 | ry5n4xmosxjwk2zj.onion.to |
|
| Details | Domain | 1 | chrome.audreybourgeois.com |
|
| Details | Domain | 1 | endpoint.sanmercusa.com |
|
| Details | Domain | 1 | smtp.ckbeaudrysanger.xyz |
|
| Details | Domain | 1 | business.echinalogistics.com |
|
| Details | Domain | 1 | cloud.reneark.com |
|
| Details | Domain | 1 | dev.arthards.com |
|
| Details | Domain | 1 | en.pixelperfectworld.com |
|
| Details | Domain | 1 | proc.cesarda.com |
|
| Details | Domain | 1 | rand.allardse.com |
|
| Details | Domain | 1 | utc.loutier.com |
|
| Details | Domain | 1 | news.exandre.com |
|
| Details | Domain | 1 | cctv.avidsonec.com |
|
| Details | Domain | 1 | school.obertamy.com |
|
| Details | Domain | 1 | order.dianpingsh.com |
|
| Details | Domain | 1 | hk.cnnewspapers.com |
|
| Details | Domain | 1 | work.windown-office.com |
|
| Details | Domain | 1 | review.youtubeproject.com |
|
| Details | Domain | 1 | amazone.hopto.me |
|
| Details | Domain | 3 | api.blogdns.com |
|
| Details | Domain | 5 | syn.servebbs.com |
|
| Details | Domain | 1 | ijhlpkga.shawnabuddicom.com |
|
| Details | Domain | 1 | jhlpkga.wnabudditig.com |
|
| Details | Domain | 1 | ijhlpkga.angelinachilds.com |
|
| Details | Domain | 1 | ijhlokga.janaquiron.club |
|
| Details | Domain | 1 | ijhlokga.ustrali.club |
|
| Details | Domain | 1 | ijhlokga.cartierquibs.club |
|
| Details | Domain | 1 | dropbox.workisboring.com |
|
| Details | Domain | 1 | ijhlpkga.stellefaff.com |
|
| Details | Domain | 1 | ijhlpkga.avidillene.com |
|
| Details | Domain | 1 | ijjlekgc.oussain.com |
|
| Details | Domain | 1 | ijjlekgc.aryachter.com |
|
| Details | Domain | 1 | ijjlekgc.esboonemba.com |
|
| Details | Domain | 1 | jhlpkga.manongrover.com |
|
| Details | Domain | 4 | cortanasyn.com |
|
| Details | Domain | 1 | onedrive.servep2p.com |
|
| Details | Domain | 1 | stream.playnetflix.com |
|
| Details | Domain | 1 | syn.myvnc.com |
|
| Details | Domain | 1 | trust.zapto.org |
|
| Details | File | 11 | c:\windows\syswow64\mshta.exe |
|
| Details | File | 6 | news.html |
|
| Details | File | 1 | 7b95ffab-3a9c-494a-a584-9c48dc7aa6a7.tmp |
|
| Details | File | 1 | 7b95ffab-3a9c-494a-a584-9c48dc7aa6a7.exe |
|
| Details | File | 1 | 7b95ffab-3a9c-494a-a584-9c48dc7aa6a7.log |
|
| Details | File | 1 | 接着调用系统自带的odbcconf.exe |
|
| Details | File | 1 | 将7b95ffab-3a9c-494a-a584-9c48dc7aa6a7.tmp |
|
| Details | File | 1 | 最后调用taskkill.exe |
|
| Details | File | 1 | 结束mshta.exe |
|
| Details | File | 1 | 360cn.inf |
|
| Details | File | 1 | 加载恶意文件wwlib.dll |
|
| Details | File | 33 | wwlib.dll |
|
| Details | File | 1 | 释放360se.exe |
|
| Details | File | 15 | chrome_elf.dll |
|
| Details | File | 1 | pdf的文件默认打开程序设置为360se.exe |
|
| Details | File | 1 | 加载恶意的chrome_elf.dll |
|
| Details | File | 1 | cosja.png |
|
| Details | File | 1 | subi.png |
|
| Details | File | 1 | direct.jpg |
|
| Details | File | 1 | c:\windows\system32.ini |
|
| Details | File | 1 | 得到一个字符串wsc_proxy.exe |
|
| Details | File | 1 | 比较当前进程是否为wsc_proxy.exe |
|
| Details | File | 1 | 如果没读取成功就读取safemon.dll |
|
| Details | File | 1 | 如使用googleupdate.exe |
|
| Details | File | 1 | +goopdate.dll |
|
| Details | File | 1 | kugouupdate.exe |
|
| Details | File | 9 | adobeupdate.exe |
|
| Details | File | 1 | bounjour.exe |
|
| Details | File | 1 | 利用nbt.exe |
|
| Details | File | 48 | c:\\windows\\system32\\cmd.exe |
|
| Details | File | 6 | nbt.exe |
|
| Details | File | 1 | 35.exe |
|
| Details | File | 1 | 和mmc.exe |
|
| Details | File | 1 | 脚本名字如encode.js |
|
| Details | File | 1 | 360se.txt |
|
| Details | File | 1 | 360pluginupdater.js |
|
| Details | File | 1 | 360deepscanner.js |
|
| Details | File | 1 | 360tray.js |
|
| Details | File | 1 | 360pluginupdater.bat |
|
| Details | File | 1 | +360pluginupdater.js |
|
| Details | File | 1 | 的功能是输出加密脚本到360pluginupdater.dat |
|
| Details | File | 1 | 完成后将其重命名为360pluginupdater.js |
|
| Details | File | 1 | cctv.avi |
|
| Details | File | 1 | ijhlpkga.avi |
|
| Details | File | 1 | stream.pl |
|
| Details | md5 | 1 | 08c79ee3b84317dfc77fa681d9c36d0b |
|
| Details | md5 | 1 | 09718e52b99e4fa065b3785b700636f5 |
|
| Details | md5 | 1 | 0acae009a682a7f387018d29f896306a |
|
| Details | md5 | 1 | 0bf3d36a262e8369a76047badb1bf16c |
|
| Details | md5 | 1 | 0fdbe78e55decaa4218fe76761dac8ec |
|
| Details | md5 | 1 | 1791f8866911b75089dea8c58dcc489b |
|
| Details | md5 | 1 | 17f577dee657a3fb36a344a89a4478df |
|
| Details | md5 | 1 | 1888370a371ee204e90ae7e34dda1db7 |
|
| Details | md5 | 1 | 1a5ebdac6da78d76ca476313dc9e196e |
|
| Details | md5 | 1 | 1a62e7470da4e1f4bc48e10725fe136f |
|
| Details | md5 | 1 | 1a8a89d8d2622948fdc8ca3d062bfce7 |
|
| Details | md5 | 1 | 1d168cc54cf92d43721c835f21451604 |
|
| Details | md5 | 1 | 2ad1669efdc414dac5c86d7c590a776f |
|
| Details | md5 | 1 | 2b2d0d1d343e308cfa5718e037a31fa9 |
|
| Details | md5 | 1 | 30cb5b9da64c67fbbb7c6ce27e908a23 |
|
| Details | md5 | 1 | 3662e7a249e328ee7a0b59fe2f9f8d78 |
|
| Details | md5 | 1 | 3868c9cbdea9efc4c4c7ac75e38de927 |
|
| Details | md5 | 1 | 3bf58deea42e33685de969e198e6785c |
|
| Details | md5 | 1 | 420dc368bc923eb1f33ccaf7ee1960a2 |
|
| Details | md5 | 1 | 43fefedf2157e2cad8369b6180d53fb5 |
|
| Details | md5 | 1 | 45e040c69227de0060c0b834d1c65087 |
|
| Details | md5 | 1 | 4ecf3caa71a60b06515a33957bd7f000 |
|
| Details | md5 | 1 | 570c11b09e6b6e1a124ba76efc687996 |
|
| Details | md5 | 1 | 5f0248f1774db062fb3a41fe66f3cc57 |
|
| Details | md5 | 1 | 67ca6e3ffdea9b410e35744f688ebf05 |
|
| Details | md5 | 1 | 777717f35225bf1798feb9a8d960ce8f |
|
| Details | md5 | 1 | 866ce3a3b2baf3749bd1e384fe03c056 |
|
| Details | md5 | 1 | 8d88098f5d7574ee3a42be8606c0049a |
|
| Details | md5 | 1 | a2e734049ebf03f81e020f152fd971fe |
|
| Details | md5 | 1 | a480f139952fdbb112f017e37a131779 |
|
| Details | md5 | 1 | a7c7b68ab26c10e56a85fc09b8c2e497 |
|
| Details | md5 | 1 | af7ae3d627b6caa1020c57c3b743a7af |
|
| Details | md5 | 1 | b104798a1f1c04c75e1c4d573020feb7 |
|
| Details | md5 | 1 | b8fd59347e969a7e0f070b4e66d8e99d |
|
| Details | md5 | 1 | bbf25d126b57d19f7ac6084ebb275a74 |
|
| Details | md5 | 1 | bf46c88f69f07e3beffea3bcd04a9d8a |
|
| Details | md5 | 1 | cf14c49caee94268a48ce36a734877db |
|
| Details | md5 | 1 | d3e63ae4dc88b220f0ea2420e7add2d0 |
|
| Details | md5 | 1 | d793fbce034bdb77c6ed634b1eee8b83 |
|
| Details | md5 | 1 | d83af78e34dcb096fb52172a962a2caf |
|
| Details | md5 | 1 | da18e7a10c2f5fb9d6806c739cef640c |
|
| Details | md5 | 1 | dac22ff2a2b83a0c2fe98cedebbab17c |
|
| Details | md5 | 1 | dd6ffad33699e3281c8ba455906262d7 |
|
| Details | md5 | 1 | e1d4fd754d71ffac12638e2ec16bce01 |
|
| Details | md5 | 1 | e256d96e5b57b0cb398d41c1524b8362 |
|
| Details | md5 | 1 | e55b12b454d69ad78d8d4a9c4b495bb5 |
|
| Details | md5 | 1 | e8e4712447c18df2d7ffe77db334ea62 |
|
| Details | md5 | 1 | eb8fdb022a3ef3e788a3cb061a10a03c |
|
| Details | md5 | 1 | f7892f9641bd0325889a410b43318bf7 |
|
| Details | IPv4 | 1 | 210.72.156.203 |
|
| Details | IPv4 | 11 | 192.168.1.105 |
|
| Details | IPv4 | 2 | 192.168.1.83 |
|
| Details | IPv4 | 3 | 192.168.1.183 |
|
| Details | IPv4 | 1 | 192.3.24.224 |
|
| Details | IPv4 | 1 | 46.183.219.178 |
|
| Details | Pdb | 1 | e:\priv\framework\code\tools\exe2js\loader\obj\release\loader.pdb |
|
| Details | Url | 1 | http://api.baidu-json.com/feed/news.html |
|
| Details | Url | 1 | https://officewps.net/cosja.png |
|
| Details | Url | 1 | https://dominikmagoffin.com/subi.png |
|
| Details | Url | 1 | https://ristineho.com/direct.jpg |
|
| Details | Windows Registry Key | 1 | HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\AccessVBOM |