IISpy: A complex server‑side backdoor with anti‑forensic features | WeLiveSecurity
Tags
cmtmf-attack-pattern: Application Layer Protocol; Command And Scripting Interpreter; Develop Capabilities; Event Triggered Execution; Exploit Public-Facing Application; Obtain Capabilities
country: Canada; Netherlands
attack-pattern: Data Application Layer Protocol - T1437; Command And Scripting Interpreter - T1623; Credentials - T1589.001; Data From Local System - T1533; Develop Capabilities - T1587; Encrypted Channel - T1521; Encrypted Channel - T1573; Event Triggered Execution - T1624; Event Triggered Execution - T1546; Exfiltration Over C2 Channel - T1646; Exploitation For Privilege Escalation - T1404; Exploit Public-Facing Application - T1377; Impersonation - T1656; Indicator Removal On Host - T1630; Ingress Tool Transfer - T1544; Malware - T1587.001; Malware - T1588.001; Obtain Capabilities - T1588; Server - T1583.004; Server - T1584.004; Service Execution - T1569.002; Software - T1592.002; Standard Encoding - T1132.001; Symmetric Cryptography - T1521.001; Symmetric Cryptography - T1573.001; System Services - T1569; Windows Command Shell - T1059.003; Timestomp - T1070.006; Web Protocols - T1071.001; Token Impersonation/Theft - T1134.001; Web Protocols - T1437.001; Windows Service - T1543.003; Tool - T1588.002; Access Token Manipulation - T1134; Standard Application Layer Protocol - T1071; Command-Line Interface - T1059; Data Encoding - T1132; Data From Local System - T1005; Data Obfuscation - T1001; Exfiltration Over Command And Control Channel - T1041; Exploit Public-Facing Application - T1190; Exploitation For Privilege Escalation - T1068; Indicator Removal On Host - T1070; Remote File Copy - T1105; Service Execution - T1035; Timestomp - T1099; Exploit Public-Facing Application Indicator Removal On Host
Common Information
UUID: f2bb67d7-b827-43be-bf11-8852ad92850e
Fingerprint: b507bfd87523ae85
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Aug. 9, 2021, 11:30 a.m.
Added to db: Sept. 26, 2022, 9:30 a.m.
Last updated: Nov. 17, 2024, 6:56 p.m.
Headline: IISpy: A complex server‑side backdoor with anti‑forensic features
Title: IISpy: A complex server‑side backdoor with anti‑forensic features | WeLiveSecurity
Detected Hints/Tags/Attributes: 114/3/27
Attributes
Type | Value | #Events
Domain | eset.com | 114
Email | threatintel@eset.com | 69
File | cache.dll | 3
File | logging.dll | 3
File | %windir%\system32\inetsrv\config\applicationhost.config | 4
File | w3wp.exe | 128
sha1 | 22f8ca2eb3af377e913b6d06b5a3618d294e4331 | 2
sha1 | 435e3795d934ea8c5c7f4bcfef2beee0e3c76a54 | 2
sha1 | ced7bc6e0f1a15465e61cfec87aaef98bd999e15 | 2
sha256 | da1f8be19d9122f6499d72b90299cab080e9d599c57e802cd667bf53ccc9eab2 | 2
MITRE ATT&CK Techniques | T1587.001 | 96
MITRE ATT&CK Techniques | T1588.002 | 59
MITRE ATT&CK Techniques | T1190 | 542
MITRE ATT&CK Techniques | T1059.003 | 333
MITRE ATT&CK Techniques | T1569.002 | 174
MITRE ATT&CK Techniques | T1546 | 43
MITRE ATT&CK Techniques | T1068 | 208
MITRE ATT&CK Techniques | T1134.001 | 44
MITRE ATT&CK Techniques | T1070 | 247
MITRE ATT&CK Techniques | T1070.006 | 93
MITRE ATT&CK Techniques | T1005 | 534
MITRE ATT&CK Techniques | T1071.001 | 442
MITRE ATT&CK Techniques | T1001 | 75
MITRE ATT&CK Techniques | T1132.001 | 99
MITRE ATT&CK Techniques | T1573.001 | 130
MITRE ATT&CK Techniques | T1105 | 492
MITRE ATT&CK Techniques | T1041 | 422