jacobsoo / ThreatHunting

This is just my personal compilation of APT malware from whitepaper releases, documents and malware samples from my personal research.

Vietnam #1

Open vysecurity opened 5 years ago

vysecurity commented 5 years ago

https://github.com/jacobsoo/ThreatHunting/blob/master/Vietnam/1bc5a02963497fc74e265f11d809cd179fd46852b762e732f736ced12cad9077.md

Using default safebrowsing malleable profile for C2.

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Spawn and inject in: rundll32.exe
Example GET URI: /safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2
Example POST URI: /safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4
Headers:

It "may" use DNS C2, configured DNS idle response to 0.0.0.0. DNS Sleep is 0. HTTP Sleep is 5 seconds.

Pipename: msagent_*
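A detection sketch over constructed proxy log lines, added here and not part of the thread: it flags the profile's URI shape when it is sent to a host outside Google's, checks for the quoted User-Agent, and estimates the polling interval against the 5-second HTTP sleep. The log layout, the hostnames and the function `find_profile_matches` are assumptions of this example.

```python
import re
from typing import Dict, List

# Indicators quoted in the comment above: the default "safebrowsing" malleable
# profile URI shape, its IE11 User-Agent, and the 5-second HTTP sleep.
SAFEBROWSING_URI = re.compile(r"^/safebrowsing/rd/[A-Za-z0-9_-]{20,}$")
PROFILE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
# Assumption: genuine Safe Browsing clients only talk to Google hosts, so this
# URI shape going anywhere else (dynamic DNS names especially) deserves a look.
GOOGLE_HOSTS = (".google.com", ".googleapis.com")
# Assumed proxy log layout (constructed): epoch host method uri "user-agent"
LOG_RE = re.compile(r'^(?P<ts>\d+) (?P<host>\S+) (?P<method>GET|POST) (?P<uri>\S+) "(?P<ua>[^"]*)"$')

UA = PROFILE_UA
SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    f'1000 safebrowsing.google.com GET /safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEYAQ "{UA}"',
    f'1005 beacon.example-dyndns.test GET /safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2 "{UA}"',
    f'1010 beacon.example-dyndns.test GET /safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2 "{UA}"',
    f'1015 beacon.example-dyndns.test POST /safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4 "{UA}"',
    '1016 www.example.test GET /index.html "Mozilla/5.0 (X11; Linux x86_64) Firefox/68.0"',
]


def parse(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_profile_matches(lines: List[str]) -> Dict[str, dict]:
    """Group hits per host: a hit is a safebrowsing-shaped URI sent to a non-Google host.
    Each entry records hit count, whether the profile User-Agent was seen, and the
    median gap between requests (close to 5 s matches the configured HTTP sleep)."""
    hits: Dict[str, dict] = {}
    for line in lines:
        rec = parse(line)
        if not rec or not SAFEBROWSING_URI.match(rec["uri"]):
            continue
        if rec["host"].endswith(GOOGLE_HOSTS):  # assumed benign origin, skip
            continue
        h = hits.setdefault(rec["host"], {"count": 0, "ua_match": False, "timestamps": []})
        h["count"] += 1
        h["ua_match"] = h["ua_match"] or rec["ua"] == PROFILE_UA
        h["timestamps"].append(int(rec["ts"]))
    for h in hits.values():
        ts = sorted(h["timestamps"])
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        h["median_gap"] = sorted(gaps)[len(gaps) // 2] if gaps else None
    return hits


if __name__ == "__main__":
    for host, info in find_profile_matches(SAMPLE_LOG).items():
        print(host, info["count"], info["ua_match"], info["median_gap"])
```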

vysecurity commented 5 years ago

Got bored and thought I'd pitch in.

vysecurity commented 5 years ago

That said, they tend to use free dynamic DNS services quite often.

vysecurity commented 5 years ago

More related: https://www.virustotal.com/gui/file/1cc3f2296f5cd9207f6c84fa9de26dcdbff0b16e49accb0f8dd670ee8d32dd50/community

jacobsoo commented 5 years ago

Thanks sir. Added your information to it.