Warning: Kiteshield Packer is being abused by Linux black- and gray-market actors
Tags
attack-pattern: Trap - T1546.005 | Rootkit - T1014 | Trap - T1154 | Rootkit
Common Information
Type | Value |
---|---|
UUID | e17b07d7-3741-427e-bedf-58bf8f670c37 |
Fingerprint | f41a3420ea0a52bc |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | May 28, 2024, midnight |
Added to db | Aug. 31, 2024, 10:51 a.m. |
Last updated | Nov. 17, 2024, 12:55 p.m. |
Headline | Warning: Kiteshield Packer is being abused by Linux black- and gray-market actors |
Title | Warning: Kiteshield Packer is being abused by Linux black- and gray-market actors |
Detected Hints/Tags/Attributes | 20/1/22 |
Source URLs
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 420 | ✔ | 奇安信 X 实验室 | https://blog.xlab.qianxin.com/rss/ | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 24 | arc4.new | |
Details | Domain | 54 | re.search | |
Details | Domain | 41 | www.freebuf.com | |
Details | Domain | 14 | www.antiy.com | |
Details | File | 12 | re.dot | |
Details | File | 1 | 来源于s.jpg | |
Details | File | 2 | 401262.html | |
Details | File | 3 | darkmozzie.html | |
Details | Url | 2 | https://www.freebuf.com/articles/network/401262.html | |
Details | Url | 2 | https://www.antiy.com/response/darkmozzie.html | |
Details | Yara rule | 2 | kiteshield (full rule below) | |

```yara
import "elf"

rule kiteshield {
    strings:
        $loader_jmp = { 31 D2 31 C0 31 C9 31 F6 31 FF 31 ED 45 31 C0 45 31 C9 45 31 D2 45 31 DB 45 31 E4 45 31 ED 45 31 F6 45 31 FF 5B FF E3 }
        $loader_s1 = { AC F4 F7 E9 E4 A7 AC EE A4 FF F9 EF FB E5 E2 }
        $loader_s2 = { D7 F6 E4 E5 E2 FA D9 E3 EF B6 }
        $loader_s3 = { AC F4 F7 E9 E4 A7 AC EE A4 FF F9 EF FB }
        $loader_s4 = { CF C0 DA D6 D5 CD C5 C5 CA C8 }
        $loader_s5 = { CF C0 DA C7 D2 CC C0 DE }
        $loader_s6 = { CF C0 DA C2 C2 CA DC CD }
        $loader_s7 = { B3 B5 B7 B5 B3 BD BF BD B3 B5 EC EC EC F4 F4 F4 }
    condition:
        $loader_jmp and all of ($loader_s*) and elf.type == elf.ET_EXEC and elf.machine == elf.EM_X86_64
}
```