Forensic Analysis of Anti-Forensic Activities
Tags

Type | Value |
---|---|
attack-pattern | Data Hide Artifacts - T1628 |
attack-pattern | Hide Artifacts - T1564 |
attack-pattern | Rundll32 - T1218.011 |
attack-pattern | Tool - T1588.002 |
attack-pattern | Rundll32 - T1085 |
Common Information
Type | Value |
---|---|
UUID | c71a4151-8503-478d-8f50-868e43ce6649 |
Fingerprint | 3618993b5aa00e40 |
Analysis status | DONE |
Considered CTI value | 0 |
Text language | |
Published | Sept. 28, 2016, 6:18 p.m. |
Added to db | Jan. 18, 2023, 7:48 p.m. |
Last updated | Nov. 18, 2024, 1:38 a.m. |
Headline | DFIR and Threat Hunting |
Title | Forensic Analysis of Anti-Forensic Activities |
Detected Hints/Tags/Attributes | 36/1/11 |
Source URLs

URL | Provider |
---|---|
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | File | 1 | | qggya123.exe |
Details | File | 306 | | services.exe |
Details | File | 1 | | add.exe |
Details | File | 2127 | | cmd.exe |
Details | File | 1018 | | rundll32.exe |
Details | File | 1 | | sioctl.sys |
Details | IPv4 | 1 | | 112.101.64.179 |
Details | IPv4 | 1 | | 112.101.64.219 |
Details | IPv4 | 1 | | 112.101.64.209 |
Details | Pdb | 1 | | `c:\\add\\add\\sys\\objchk_win7_x86\\i386\\sioctl.pdb` |
Details | Yara rule | 1 | | `rule add { strings: $a = "p_remoteIP = 0x" $b = "p_localIP = 0x" $c = "p_addrInfo = 0x" $d = "InetAddr = 0x" $e = "size of endpoint = 0x" $f = "FILE pointer = 0x" $g = " /tcpCon " $h = "Bytes allocated for fake Proc = " $i = "EPROC pool pointer = 0x" $j = "qggya123.exe" $k = "add.exe" wide $l = "c:\\add\\add\\sys\\objchk_win7_x86\\i386\\sioctl.pdb" $m = "sioctl.sys" $n = "\\private" condition: any of them }` |