ioc[.]one - OSINT Cyber Threat Intelligence Database

Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan

Tags

maec-delivery-vectors:	Watering Hole
attack-pattern:	Data Credentials - T1589.001 Email Account - T1087.003 Email Accounts - T1585.002 Email Accounts - T1586.002 Email Addresses - T1589.002 Ip Addresses - T1590.005 Server - T1583.004 Server - T1584.004 Software - T1592.002 Tool - T1588.002

Show in Graph

Common Information

Type	Value
UUID	c7254b8e-0127-4c3d-9143-7d99b520cf9e
Fingerprint	e8dfa91b1b969f85
Analysis status	DONE
Considered CTI value	2
Text language
Published	Nov. 20, 2018, 4 a.m.
Added to db	Sept. 26, 2022, 9:31 a.m.
Last updated	Oct. 30, 2024, 10:17 a.m.
Headline	Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan
Title	Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan
Detected Hints/Tags/Attributes	76/2/40

Source URLs

	Redirection	Url
Details	Source	https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
Details	Source	https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/

URL Provider

Details	Provider	Source level domain
Details	paloaltonetworks.com	unit42.paloaltonetworks.com
Details	paloaltonetworks.com	researchcenter.paloaltonetworks.com

Attributes

Details	Type	#Events	Value
Details	Domain	36	schemas.openxmlformats.org
Details	Domain	1	wa.documents.open
Details	Domain	1	wa.application.run
Details	Domain	10	post.cz
Details	Domain	1	pop.seznam.cz
Details	Email	2	sahro.bella7@post.cz
Details	Email	2	trala.cosh2@post.cz
Details	Email	2	bishtr.cam47@post.cz
Details	Email	2	lobrek.chizh@post.cz
Details	Email	2	cervot.woprov@post.cz
Details	File	66	settings.xml
Details	File	2	office.dot
Details	File	1	temp.docm
Details	File	1	msdn.exe
Details	File	1	wa.doc
Details	File	2	filters.php
Details	File	1	%appdata%\roaming\audio\soundfix.exe
Details	File	1	books.php
Details	File	3	i.ini
Details	File	13	s.txt
Details	File	2	auddevc.txt
Details	File	4	l.txt
Details	File	4	r.bat
Details	File	1	wsslc.exe
Details	File	11	application.exe
Details	File	5	environment.sys
Details	sha256	2	2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f
Details	sha256	2	f1e2bceae81ccd54777f7862c616f22b581b47e0dda5cb02d0a722168ef194a5
Details	sha256	2	6ad3eb8b5622145a70bec67b3d14868a1c13864864afd651fe70689c95b1399a
Details	sha256	2	af77e845f1b0a3ae32cb5cfa53ff22cc9dae883f05200e18ad8e10d7a8106392
Details	sha256	2	fc69fb278e12fc7f9c49a020eff9f84c58b71e680a9e18f78d4e6540693f557d
Details	sha256	2	61a1f3b4fb4dbd2877c91e81db4b1af8395547eab199bf920e9dd11a1127221e
Details	IPv4	2	188.241.58.170
Details	IPv4	1	200.122.181.25
Details	Mandiant Temporary Group Assumption	1	TEMP.DOCM
Details	Url	15	http://schemas.openxmlformats.org/officedocument/2006/relationships/attachedtemplate
Details	Url	2	http://188.241.58.170/live/owa/office.dotm
Details	Url	2	http://188.241.58.170/local/s3/filters.php
Details	Url	1	https://200.122.181.25/catalog/products/books.php
Details	Windows Registry Key	31	HKCU\Software\Microsoft\Windows