Exposing the Frosted DDoS Attack Gang
Common Information
Type Value
UUID e2c8ed5c-d723-434d-9e66-1382bbcbda60
Fingerprint 38801e50165f19ec
Analysis status DONE
Considered CTI value 2
Text language
Published Jan. 13, 2020, midnight
Added to db June 20, 2023, 12:31 p.m.
Last updated Dec. 21, 2024, 12:45 a.m.
Headline Exposing the Frosted DDoS Attack Gang
Title Exposing the Frosted DDoS Attack Gang
Detected Hints/Tags/Attributes 32/1/30
RSS Feed
Attributes
Type	#Events	Value
CVE	84	cve-2017-17215
CVE	48	cve-2021-22205
CVE	85	cve-2014-8361
Domain	1	nomiddleman.ddns.net
Domain	36	schemas.xmlsoap.org
Domain	1	real.sh
File	36	schemas.xml
File	7	picsdesc.xml
Details Yara rule 1
rule Mirai_Fro {
	meta:
		author = "WPeace"
	strings:
		$elf = "\x7FELF"
		$onlinePack = "Device Connected"
		$commandStr_0 = "NOOOOOOOOOOOOOOOOOOOO"
		$commandStr_1 = "KPAC"
		$commandStr_2 = "DAVE"
		$commandStr_3 = "NFODROP"
		$commandStr_4 = "STOP"
	condition:
		all of them
}
Details Yara rule 1
rule Gafgyt_Fro {
	meta:
		author = "WPeace"
	strings:
		$elf = "\x7FELF"
		$authorStr = "FrostedFlakes666"
		$onlinePack = "Kansen shita"
		$commandStr_0 = "CMD"
		$commandStr_1 = "CREG"
		$commandStr_2 = "KPAC"
		$commandStr_3 = "GETPUBLICIP"
	condition:
		all of them
}