APT-C-35(肚脑虫)组织针对南亚某制造公司的攻击活动分析 | CTF导航
Tags
Common Information
| Type | Value |
|---|---|
| UUID | ef600d3b-bd41-4602-91dd-9e4bba595396 |
| Fingerprint | 332b0c15dc7266a9 |
| Analysis status | DONE |
| Considered CTI value | -2 |
| Text language | |
| Published | July 18, 2024, midnight |
| Added to db | Oct. 15, 2024, 11:38 p.m. |
| Last updated | Nov. 15, 2024, 11:42 a.m. |
| Headline | APT-C-35(肚脑虫)组织针对南亚某制造公司的攻击活动分析 |
| Title | APT-C-35(肚脑虫)组织针对南亚某制造公司的攻击活动分析 | CTF导航 |
| Detected Hints/Tags/Attributes | 5/0/40 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://www.ctfiot.com/210064.html |
URL Provider
RSS Feed
| Details | Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|---|
| Details | 426 | ✔ | CTF导航 | https://www.ctfiot.com/feed | 2024-08-30 22:08 |
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 1 | updatecentral.com |
|
| Details | Domain | 3 | office-updatecentral.com |
|
| Details | Domain | 2 | regionserverbackup.info |
|
| Details | File | 2 | payables.doc |
|
| Details | File | 1 | c:\users\user\appdata\local\temp\winlst.dll |
|
| Details | File | 1 | 接着修复winlst.dll |
|
| Details | File | 1 | 并显示调用winlst.dll |
|
| Details | File | 1 | 加载的winlst.dll |
|
| Details | File | 2 | winlst.dll |
|
| Details | File | 1 | 样本执行后首先会判断域名regionserverbackup.inf |
|
| Details | File | 1 | 执行的程序仍然为winlst.dll |
|
| Details | File | 1 | 当通过计划任务利用rundll32.exe |
|
| Details | File | 1 | 执行winlst.dll |
|
| Details | File | 1 | 首先会删除临时目录下的原始的winlst.dll |
|
| Details | File | 2 | regionserverbackup.inf |
|
| Details | File | 23 | payload.dll |
|
| Details | File | 1 | timelines.doc |
|
| Details | File | 1 | 再修复通过rtf释放在temp目录下ztnu9wps.dll |
|
| Details | File | 1 | 下载伪装文件保存到temp目录下document.doc |
|
| Details | File | 1 | %roaming%wingui.dll |
|
| Details | File | 2 | restrict.php |
|
| Details | md5 | 2 | bd2b06d17faabc2b916ba89f56f7e200 |
|
| Details | md5 | 2 | a9630f7c64dd3147284b7230e2b76aa2 |
|
| Details | md5 | 2 | e96e2ed88e2f2fb80d02e7cd99a1420d |
|
| Details | md5 | 2 | 9656246f97e1a18c5e4bf1afcd139c79 |
|
| Details | md5 | 2 | ea6f3e8c2fa7c995a607224038b7f63a |
|
| Details | md5 | 2 | d7e9217c2bcf1e8519458cca63f2b69f |
|
| Details | md5 | 2 | c2f88dc91c44b18b036f536f0844a709 |
|
| Details | Threat Actor Identifier - APT-C | 102 | APT-C-35 |
|
| Details | Url | 1 | http://office-updatecentral.com/eigenvalue/odyssey/froth/imminently/intervene获取第二阶段shellcode |
|
| Details | Url | 1 | http://office-updatecentral.com/eigenvalue/odyssey/froth/imminently/creep”下载载荷,将其存放在“c:\users\user\appdata\local\temp\winlst.dll”,接着修复winlst.dll的dos头,以保证后续能正常运行。最后使用loadlibrary函数加载该模块,并显示调用winlst.dll的integratecheck函数 |
|
| Details | Url | 1 | https://regionserverbackup.info |
|
| Details | Url | 1 | http://example.com/payload.dll |
|
| Details | Url | 2 | http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/knolls |
|
| Details | Url | 2 | http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/exacerbating |
|
| Details | Url | 1 | http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/canto”下载伪装文件保存到temp目录下document.doc并打开 |
|
| Details | Url | 2 | http://office-updatecentral.com/eigenvalue/odyssey/froth/imminently/empower |
|
| Details | Url | 2 | http://office-updatecentral.com/eigenvalue/odyssey/froth/imminently/relaxations |
|
| Details | Url | 2 | https://regionserverbackup.info/wall/restrict.php |
|
| Details | Url | 2 | http://office-updatecentral.com/eigenvalue/odyssey/froth/imminently/intervene |