Analysis of Ramsay components of Darkhotel's infiltration and isolation network - Programmer Sought
Tags
cmtmf-attack-pattern: | Code Injection |
country: | China North Korea India Japan |
maec-delivery-vectors: | Watering Hole |
attack-pattern: | Data Direct Code Injection - T1540 Hardware - T1592.001 Powershell - T1059.001 Screen Capture - T1513 Server - T1583.004 Server - T1584.004 Software - T1592.002 Vulnerabilities - T1588.006 Powershell - T1086 Screen Capture - T1113 Scripting - T1064 Screen Capture Scripting |
Common Information
Type | Value |
---|---|
UUID | c35b7d7c-6863-4ba7-ae4b-9d61feb390bd |
Fingerprint | b59f891bc4bc03c1 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Jan. 1, 2022, midnight |
Added to db | Sept. 26, 2022, 9:32 a.m. |
Last updated | Nov. 17, 2024, 6:49 p.m. |
Headline | UNKNOWN |
Title | Analysis of Ramsay components of Darkhotel's infiltration and isolation network - Programmer Sought |
Detected Hints/Tags/Attributes | 116/4/90 |
Source URLs
Details | Redirection | Url |
---|---|---|
Details | Source | https://www.programmersought.com/article/62493896999/ |
URL Provider
Attributes
Details | Type | #Events | Value |
---|---|---|---|
Details | CVE | 21 | cve-2017-0147 |
Details | CVE | 269 | cve-2017-0199 |
Details | CVE | 63 | cve-2017-8570 |
Details | Domain | 2 | find-image.com |
Details | Domain | 2 | win-api-essentials.com |
Details | Domain | 2 | service.email-126.net |
Details | Domain | 58 | ti.qianxin.com |
Details | Domain | 14 | www.antiy.com |
Details | Domain | 2 | service-security-manager.com |
Details | File | 2 | bindsvc.exe |
Details | File | 12 | msfte.dll |
Details | File | 2 | searchsystemhost.exe |
Details | File | 2 | %appdata%\microsoft\word\winword.vbs |
Details | File | 2 | hyon.exe |
Details | File | 2 | bon.exe |
Details | File | 2 | cover.exe |
Details | File | 1260 | explorer.exe |
Details | File | 2 | %appdata%\microsoft\usersetting\version.ini |
Details | File | 2 | hfile.sys |
Details | File | 2 | netmgr_%d.dll |
Details | File | 2 | accept.docx |
Details | File | 7 | afchunk.rtf |
Details | File | 2 | %allusersprofile%\slmgr.vbs |
Details | File | 11 | slmgr.vbs |
Details | File | 5 | image1.jpeg |
Details | File | 5 | name.exe |
Details | File | 2 | agreement.rar |
Details | File | 31 | image.php |
Details | File | 2 | svupdate32.exe |
Details | File | 2 | msrvc32.exe |
Details | File | 3 | v2.php |
Details | File | 5 | open.php |
Details | File | 1 | netwiz.exe |
Details | File | 2 | 21270.php |
Details | File | 2 | 6126.php |
Details | File | 4 | 20190930.html |
Details | IPv4 | 27 | 192.168.1.3 |
Details | IPv4 | 7 | 192.168.1.4 |
Details | Threat Actor Identifier - APT-C | 24 | APT-C-06 |
Details | Threat Actor Identifier by Tencent | 3 | T-APT-02 |
Details | Url | 1 | http://find-image.com/img/image.php?k=f84hfhfehuifqe&test=base64 |
Details | Url | 1 | http://win-api-essentials.com/package/v2.php?im=000c29a414b2&fg=u&inf=base64 |
Details | Url | 2 | http://win-api-essentials.com/package/v2.php?im=000c29a414b2&fg=d |
Details | Url | 2 | http://service.email-126.net/box/open.php?se=000c29a414b2&fg=d |
Details | Url | 1 | http://service-security-manager.com/c50c9f6c-a306-41d0-8d24-bf0c3a5f4a0e/21270.php?vol=honeycomb&q=4znzctta2j24&guid=native |
Details | Url | 1 | http://game-service.org/584e3411-14a7-41f4-ba1d-e203609b0471/6126.php?vol=honeycomb&q=4znzctta2j24&guid=local |
Details | Url | 2 | https://ti.qianxin.com/blog/articles/analysis-of-darkhotel |
Details | Url | 4 | https://www.antiy.com/response/20190930.html |
Details | Windows Registry Key | 2 | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\slmgr |