ioc[.]one - OSINT Cyber Threat Intelligence Database

美人鱼(Infy)APT组织的归来——使用最新的Foudre后门进行攻击活动的分析 - 腾讯云开发者社区-腾讯云

Tags

attack-pattern:

Data Domains - T1583.001 Domains - T1584.001 Malware - T1587.001 Malware - T1588.001 Rundll32 - T1218.011 Software - T1592.002 Rundll32 - T1085

Show in Graph

Common Information

Type	Value
UUID	e2ae9d13-f470-43b9-8bef-a62861646eb5
Fingerprint	d9b8a7b16f91e7c9
Analysis status	DONE
Considered CTI value	2
Text language
Published	Nov. 3, 2020, midnight
Added to db	Sept. 26, 2022, 9:30 a.m.
Last updated	Nov. 17, 2024, 6:54 p.m.
Headline
Title	美人鱼(Infy)APT组织的归来——使用最新的Foudre后门进行攻击活动的分析 - 腾讯云开发者社区-腾讯云
Detected Hints/Tags/Attributes	21/1/253

Source URLs

	Redirection	Url
Details	Source	https://cloud.tencent.com/developer/article/1738806

URL Provider

Details	Provider	Source level domain
Details	tencent.com	cloud.tencent.com

Attributes

Details	Type	#Events	Value
Details	Domain	1	6ee9ffa1.space
Details	Domain	1	f7e0ae1b.space
Details	Domain	1	80e79e8d.space
Details	Domain	1	1058831c.space
Details	Domain	1	675fb38a.space
Details	Domain	1	310860a4.space
Details	Domain	1	460f5032.space
Details	Domain	1	df060188.space
Details	Domain	1	a801311e.space
Details	Domain	1	3665a4bd.space
Details	Domain	1	4162942b.space
Details	Domain	1	d86bc591.space
Details	Domain	1	af6cf507.space
Details	Domain	1	3fd3e896.space
Details	Domain	1	48d4d800.space
Details	Domain	23	www.intezer.com
Details	Domain	24	researchcenter.paloaltonetworks.com
Details	Domain	41	www.freebuf.com
Details	Domain	17	datetime.datetime.now
Details	File	1	c:\\users\\sam\\appdata\\local\\temp\\upxuppos\\fwupdate.tmp
Details	File	1	c:\\users\\sam\\appdata\\local\\temp\\fwupdate.tmp
Details	File	1	fwupdate.tmp
Details	File	2	deviceflows.dat
Details	File	1	本次生成的是authfwsnapin.dll
Details	File	2	authfwsnapin.dll
Details	File	1018	rundll32.exe
Details	File	185	shell32.dll
Details	File	1	在dll中main函数内再利用rundll32.exe
Details	File	1	使用rundll32.exe
Details	File	3	dfserv.exe
Details	File	1	查询进程dfserv.exe
Details	File	49	config.xml
Details	File	1	写入数字id于config.xml
Details	File	1	tempupd6.exe
Details	File	1	向临时目录下写tempupd6.exe
Details	File	1	sig.tmp
Details	File	1	dom.tmp
Details	File	1	将更新下载的木马存在临时目录下的tempupd6.exe
Details	File	1	gtsdci32.tmp
Details	File	1	释放的自解压文档ezupdate.tmp
Details	File	1	ezupdate.tmp
Details	File	1	其中包含一个.bmp
Details	File	1	一个.dll
Details	File	1	conf3234.dll
Details	File	1	在conf3234.dll
Details	File	1	自启的方式依然是利用rundll32调用shell32.dll
Details	File	1	%temp%\ezupdate.tmp
Details	File	1	%temp%\tmp1375\conf3234.dll
Details	File	1	%temp%\tmp1375\61dk5u6tjdl.bmp
Details	File	1	%appdata%\fwupdate.tmp
Details	File	1	%appdata%\tmp6073\conf4389.dll
Details	File	1	%appdata%\config.xml
Details	File	1	%temp%\gtsdci32.tmp
Details	File	1	%appdata%\sig.tmp
Details	File	1	%appdata%\dom.tmp
Details	File	1	%temp%\tempupd6.exe
Details	File	1	%temp%\sduchxll.tmp
Details	File	1	105726.html
Details	File	1	date.iso
Details	File	36	datetime.dat
Details	md5	1	2C111A27D0D9D48E9470264B4C16B472
Details	md5	1	d497e0332e88341bd5ddbaa326cab977
Details	md5	1	4381a0c76f2bff772063e6cc6a1ac876
Details	md5	1	DC14F029EFA635D5922012904E162808
Details	md5	1	8b8e286f64a4635e12d6d728a5669d51
Details	md5	1	916e3d4c5835380c99efa802ddb4436d
Details	md5	1	BE11401B723EC4F20BE8D65C04A8003E
Details	md5	1	1a46bd6385feae53a6b8aed758e16556
Details	Url	1	https://www.intezer.com/blog/research/prince-of-persia-the-sands-of-foudre
Details	Url	1	https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre
Details	Url	1	http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over
Details	Url	1	http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks
Details	Url	1	https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks
Details	Url	1	https://www.freebuf.com/articles/network/105726.html
Details	Windows Registry Key	11	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
Details	Windows Registry Key	2	HKEY_CURRENT_USER\Software\temp
Details	Domain	4	dynu.net
Details	Domain	1	e00be33d.space
Details	Domain	1	db54a845.space
Details	Domain	1	425df9ff.space
Details	Domain	1	355ac969.space
Details	Domain	1	ab3e5cca.space
Details	Domain	1	dc396c5c.space
Details	Domain	1	45303de6.space
Details	Domain	1	32370d70.space
Details	Domain	1	a28810e1.space
Details	Domain	1	d58f2077.space
Details	Domain	1	f2b63e96.space
Details	Domain	1	85b10e00.space
Details	Domain	1	1cb85fba.space
Details	Domain	1	6bbf6f2c.space
Details	Domain	1	f5dbfa8f.space
Details	Domain	1	82dcca19.space
Details	Domain	1	1bd59ba3.space
Details	Domain	1	6cd2ab35.space
Details	Domain	1	fc6db6a4.space
Details	Domain	1	7e6f769e.space
Details	Domain	1	94153e82.space
Details	Domain	1	0d1c6f38.space
Details	Domain	1	7a1b5fae.space
Details	Domain	1	e47fca0d.space
Details	Domain	1	9378fa9b.space
Details	Domain	1	0a71ab21.space
Details	Domain	1	7d769bb7.space
Details	Domain	1	edc98626.space
Details	Domain	1	9aceb6b0.space
Details	Domain	1	f7f92813.space
Details	Domain	1	80fe1885.space
Details	Domain	1	19f7493f.space
Details	Domain	1	6ef079a9.space
Details	Domain	1	f094ec0a.space
Details	Domain	1	8793dc9c.space
Details	Domain	1	1e9a8d26.space
Details	Domain	1	699dbdb0.space
Details	Domain	1	f922a021.space
Details	Domain	1	08aa2c3f.space
Details	Domain	1	35b268a6.space
Details	Domain	1	acbb391c.space
Details	Domain	1	dbbc098a.space
Details	Domain	1	45d89c29.space
Details	Domain	1	32dfacbf.space
Details	Domain	1	abd6fd05.space
Details	Domain	1	dcd1cd93.space
Details	Domain	1	4c6ed002.space
Details	Domain	1	3b69e094.space
Details	Domain	1	cb5b6b94.space
Details	Domain	1	bc5c5b02.space
Details	Domain	1	25550ab8.space
Details	Domain	1	52523a2e.space
Details	Domain	1	cc36af8d.space
Details	Domain	1	bb319f1b.space
Details	Domain	1	2238cea1.space
Details	Domain	1	553ffe37.space
Details	Domain	1	c580e3a6.space
Details	Domain	1	91a37d85.space
Details	Domain	1	1e9f3b65.space
Details	Domain	1	87966adf.space
Details	Domain	1	f0915a49.space
Details	Domain	1	6ef5cfea.space
Details	Domain	1	19f2ff7c.space
Details	Domain	1	80fbaec6.space
Details	Domain	1	f7fc9e50.space
Details	Domain	1	674383c1.space
Details	Domain	1	1044b357.space
Details	Domain	1	c91dd5cd.space
Details	Domain	1	be1ae55b.space
Details	Domain	1	2713b4e1.space
Details	Domain	1	50148477.space
Details	Domain	1	ce7011d4.space
Details	Domain	1	b9772142.space
Details	Domain	1	207e70f8.space
Details	Domain	1	5779406e.space
Details	Domain	1	c7c65dff.space
Details	Domain	1	e6a44d13.space
Details	Domain	1	07840a24.space
Details	Domain	1	9e8d5b9e.space
Details	Domain	1	e98a6b08.space
Details	Domain	1	77eefeab.space
Details	Domain	1	00e9ce3d.space
Details	Domain	1	99e09f87.space
Details	Domain	1	eee7af11.space
Details	Domain	1	7e58b280.space
Details	Domain	1	095f8216.space
Details	Domain	1	c8dfbffa.space
Details	Domain	1	bfd88f6c.space
Details	Domain	1	26d1ded6.space
Details	Domain	1	51d6ee40.space
Details	Domain	1	cfb27be3.space
Details	Domain	1	b8b54b75.space
Details	Domain	1	21bc1acf.space
Details	Domain	1	56bb2a59.space
Details	Domain	1	c60437c8.space
Details	Domain	1	761b5082.space
Details	Domain	1	801c16eb.space
Details	Domain	1	19154751.space
Details	Domain	1	6e1277c7.space
Details	Domain	1	f076e264.space
Details	Domain	1	8771d2f2.space
Details	Domain	1	1e788348.space
Details	Domain	1	697fb3de.space
Details	Domain	1	f9c0ae4f.space
Details	Domain	1	8ec79ed9.space
Details	Domain	1	c383f8c7.space
Details	Domain	1	b484c851.space
Details	Domain	1	2d8d99eb.space
Details	Domain	1	5a8aa97d.space
Details	Domain	1	c4ee3cde.space
Details	Domain	1	b3e90c48.space
Details	Domain	1	2ae05df2.space
Details	Domain	1	5de76d64.space
Details	Domain	1	cd5870f5.space
Details	Domain	1	035ade4d.space
Details	Domain	1	8bb28844.space
Details	Domain	1	12bbd9fe.space
Details	Domain	1	65bce968.space
Details	Domain	1	fbd87ccb.space
Details	Domain	1	8cdf4c5d.space
Details	Domain	1	15d61de7.space
Details	Domain	1	62d12d71.space
Details	Domain	1	f26e30e0.space
Details	Domain	1	85690076.space
Details	Domain	1	85e1e820.space
Details	Domain	1	f2e6d8b6.space
Details	Domain	1	6bef890c.space
Details	Domain	1	1ce8b99a.space
Details	Domain	1	828c2c39.space
Details	Domain	1	f58b1caf.space
Details	Domain	1	6c824d15.space
Details	Domain	1	1b857d83.space
Details	Domain	1	8b3a6012.space
Details	Domain	1	639d57a8.space
Details	Domain	1	5bb2593a.space
Details	Domain	1	c2bb0880.space
Details	Domain	1	b5bc3816.space
Details	Domain	1	2bd8adb5.space
Details	Domain	1	5cdf9d23.space
Details	Domain	1	c5d6cc99.space
Details	Domain	1	b2d1fc0f.space
Details	Domain	1	226ee19e.space
Details	Domain	1	5569d108.space
Details	Domain	1	328cb4ca.space
Details	Domain	1	458b845c.space
Details	Domain	1	dc82d5e6.space
Details	Domain	1	ab85e570.space
Details	Domain	1	35e170d3.space
Details	Domain	1	42e64045.space
Details	Domain	1	dbef11ff.space
Details	Domain	1	ace82169.space
Details	Domain	1	3c573cf8.space
Details	Domain	1	149a673e.space
Details	Domain	1	42a9687b.space
Details	Domain	1	dba039c1.space
Details	Domain	1	aca70957.space
Details	Domain	1	32c39cf4.space
Details	Domain	1	45c4ac62.space
Details	Domain	1	dccdfdd8.space
Details	Domain	1	abcacd4e.space
Details	Domain	1	3b75d0df.space
Details	Domain	1	4c72e049.space
Details	Domain	1	334edefd.space
Details	Domain	1	4449ee6b.space
Details	Domain	1	dd40bfd1.space
Details	Domain	1	aa478f47.space
Details	Domain	1	34231ae4.space
Details	Domain	1	43242a72.space
Details	Domain	1	da2d7bc8.space
Details	Domain	1	ad2a4b5e.space
Details	Domain	1	3d9556cf.space
Details	Domain	1	8d933684.space
Details	Domain	1	69843bb8.space
Details	Domain	1	f08d6a02.space
Details	Domain	1	878a5a94.space
Details	Domain	1	19eecf37.space