cado-security / DFIR_Resources_REvil_Kaseya

Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack
https://www.cadosecurity.com/

Please clarify role of domains in IOCs #1

Status: Closed (certrik closed this issue 3 years ago)

certrik commented 3 years ago

Please clarify the role of the domains in https://github.com/cado-security/DFIR_Resources_REvil_Kaseya/blob/main/IOCs/Domains.txt. Are these part of a C2 infrastructure, or are those compromised domains, etc.? Please clarify.

mwilkes-ssc commented 3 years ago

Based on the number of entries (1,221), the file IOCs/domains.txt is the C2 domains from https://gist.github.com/fwosar/a63e1249bfccb8395b961d3d780c0354

mwilkes-ssc commented 3 years ago

The .pcap file shows 152 DNS queries, which seem to come from that list of domains. This could just be a list of domains to see if the device is in some kind of sandboxed environment based on the responses received.

cadosecurity commented 3 years ago

Hi - Yes, that's correct, it's from the config. I think I actually pulled them from a Hatching Triage sandbox report, but it's the same config.

If you see a connection to these domains on your network, it would make sense to investigate.

I've been told that these domains aren't used for command and control per se but I'm not a REvil expert. I've sinkholed a domain and I'm seeing the incoming patterns from the MS report - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Sodinokibi&ThreatID=2147741179

Communicates with C2 server

After encrypting the files, this ransomware generates random URLs for the domains listed in the configuration file. It uses these URLs to establish a connection with the attacker’s command-and-control (C2) server and transfers the encrypted data along with the encryption keys to the server.

Some of the URLs are listed below:

https://lorenacarnero[.]com/data/pictures/vvfhutgqqy.gif
https://resortmtn[.]com/content/game/mnvn.gif
https://haremnick[.]com/include/pictures/wdgltqgw.gif
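An added example (not code from the repository or from anyone in this thread) of how a defender could use the Domains.txt list discussed above: it refangs defanged indicators like the URLs quoted from the MS report, reduces them to the host, and flags DNS queries that equal an IOC domain or are a subdomain of one. The IOC list, the `<timestamp> <client_ip> <qname>` log format and the log lines are constructed sample data; only the three host names come from the thread.

```python
import re

# Defanged IOCs replace the dot with "[.]" (sometimes followed by a stray space, as in the quoted URLs).
_DEFANG = re.compile(r"\[\.\]\s*")

def refang(indicator):
    """Turn a defanged IOC such as 'https://host[.] com/x.gif' back into a usable URL or domain."""
    return _DEFANG.sub(".", indicator.strip()).replace("hxxp", "http")

def ioc_domain(indicator):
    """Extract the lower-cased host from a (possibly defanged) URL or bare domain."""
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", refang(indicator), flags=re.I)  # strip scheme
    return value.split("/", 1)[0].split(":", 1)[0].lower().rstrip(".")  # drop path, port, trailing dot

def load_ioc_domains(lines):
    """Build the IOC set from a Domains.txt-style list; blank lines and '#' comments are skipped."""
    return {ioc_domain(l) for l in lines if l.strip() and not l.lstrip().startswith("#")}

def matches_ioc(qname, iocs):
    """Return the IOC domain that qname equals or is a subdomain of, else None."""
    # Walk label suffixes: 'www.resortmtn.com' hits 'resortmtn.com', but
    # 'haremnick.com.lookalike.test' does not hit 'haremnick.com'.
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in iocs:
            return suffix
    return None

def scan_dns_log(log_lines, iocs):
    """Flag queries in a '<timestamp> <client_ip> <qname>' log (constructed format) that match an IOC."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 3 and (matched := matches_ioc(parts[2], iocs)):
            hits.append((parts[0], parts[1], parts[2], matched))
    return hits

# Constructed sample data; the three hosts come from the defanged URLs quoted in the thread.
IOC_LIST = """# Domains.txt-style list (constructed sample)
lorenacarnero.com
resortmtn.com
https://haremnick[.] com/include/pictures/wdgltqgw.gif
"""
DNS_LOG = """2021-07-02T16:31:07Z 10.0.0.23 lorenacarnero.com
2021-07-02T16:31:08Z 10.0.0.23 www.resortmtn.com
2021-07-02T16:31:10Z 10.0.0.23 haremnick.com.lookalike.test
2021-07-02T16:31:11Z 10.0.0.23 haremnick.com.
"""
```

Calling `scan_dns_log(DNS_LOG.splitlines(), load_ioc_domains(IOC_LIST.splitlines()))` returns the three matching queries with the IOC each one hit; the look-alike query is not reported.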