TA505: Variety in Use of ServHelper and FlawedAmmyy
Tags
country: Canada China Czechia Hungary India South Korea Saudi Arabia Oman Qatar Serbia Suriname Turkey Romania United States Of America
maec-delivery-vectors: Watering Hole
attack-pattern: Data Hooking - T1617 Malicious File - T1204.002 Malware - T1587.001 Malware - T1588.001 Msiexec - T1218.007 Phishing - T1660 Phishing - T1566 Server - T1583.004 Server - T1584.004 Visual Basic - T1059.005 Tool - T1588.002 Hooking - T1179 Hooking
Show in Graph
Common Information
Type Value
UUID e9aad10f-6b0a-4ff6-abc1-087b9424e8f2
Fingerprint ae45099a8c2faa49
Analysis status DONE
Considered CTI value 0
Text language
Published Aug. 27, 2019, midnight
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 14, 2024, 2:04 p.m.
Headline TA505: Variety in Use of ServHelper and FlawedAmmyy
Title TA505: Variety in Use of ServHelper and FlawedAmmyy
Detected Hints/Tags/Attributes 95/3/49
Source URLs
Redirection Url
Details Source https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/
Details Source https://www.trendmicro.com/en_sg/research/19/h/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy.html
Details Source https://www.trendmicro.com/en_in/research/19/h/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy.html
Details Source https://www.trendmicro.com/en_nz/research/19/h/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy.html
URL Provider
Details Provider Source level domain
Details trendmicro.com www.trendmicro.com
Details trendmicro.com blog.trendmicro.com
Attributes
Details Type #Events CTI Value
Details Domain 372 
wscript.shell
Details Domain 2 
www.fedexdocs.top
Details Domain 2 
www.fedexdocs.icu
Details Domain 2 
senddocs.icu
Details File 14 
2.dat
Details File 18 
1.dat
Details File 1 
dllhots.exe
Details File 7 
wsus.exe
Details File 27 
c:\windows\system32\msiexec.exe
Details File 1 
99.msi
Details File 12 
c:\windows\notepad.exe
Details File 1 
c:\example.log
Details File 1 
used.msi
Details File 2 
555.msi
Details File 2 
fedex.doc
Details File 2 
stelar.exe
Details IPv4 2 
139.180.195.36
Details IPv4 2 
45.67.229.36
Details IPv4 2 
92.38.135.67
Details IPv4 2 
27.102.70.196
Details IPv4 1 
109.234.37.15
Details IPv4 1 
169.239.128.170
Details IPv4 2 
79.141.168.105
Details IPv4 2 
195.123.213.126
Details IPv4 3 
195.123.245.185
Details IPv4 2 
185.225.17.5
Details IPv4 2 
92.38.135.99
Details IPv4 2 
185.17.122.220
Details IPv4 2 
159.69.54.146
Details Url 1 
http://139.180.195.36/pm2.
Details Url 2 
http://45.67.229.36/p2
Details Url 2 
http://92.38.135.67/2.dat
Details Url 2 
http://27.102.70.196/1.dat
Details Url 1 
http://92.38.135.67
Details Url 1 
http://27.102.70.196
Details Url 1 
http://109.234.37.15:80/j1
Details Url 1 
http://169.239.128.170/j1.
Details Url 2 
http://195.123.245.185/r1
Details Url 2 
http://185.225.17.5/r1
Details Url 2 
http://185.225.17.5/2.dat
Details Url 2 
http://195.123.245.185/1.dat
Details Url 2 
http://195.123.245.185/km
Details Url 2 
http://185.225.17.5/km
Details Url 1 
http://92.38.135.99/99.msi
Details Url 2 
http://185.17.122.220/555.msi
Details Url 2 
http://159.69.54.146/555.msi
Details Url 2 
http://www.fedexdocs.top/fedex.doc
Details Url 2 
http://www.fedexdocs.icu/fedex.doc
Details Url 2 
https://senddocs.icu/stelar.exe