From ef6ca3f57327eaf58991435514bd994f3777a343 Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Wed, 25 Sep 2019 02:09:11 +0200
Subject: [PATCH] Update Malware analysis.md
---
Indian/APT/Donot/17-09-19/Malware analysis.md | 70 +++++++++++++++++--
1 file changed, 63 insertions(+), 7 deletions(-)
diff --git a/Indian/APT/Donot/17-09-19/Malware analysis.md b/Indian/APT/Donot/17-09-19/Malware analysis.md
index 57e19c2..005195c 100644
--- a/Indian/APT/Donot/17-09-19/Malware analysis.md
+++ b/Indian/APT/Donot/17-09-19/Malware analysis.md
@@ -135,13 +135,69 @@
| Indicator | Description|
| ------------- |:-------------:|
-|||
-||Domain requested|
-||IP requested|
-||HTTP/HTTPS requests||
-||IP C2|
-||Domain C2|
-###### This can be exported as JSON format [Export in JSON]()
+|86ccedaa93743e83787f53e09e376713.docx|36eb4d0e5f2435e6a01d10ac9e0b362e49de990ac841ba536f63d5be76e99794|
+|d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.docx|d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7|
+|01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx|01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae|
+|pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775|17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775|
+|A1719.docx|6b5d8a52ca5c9e90339c6c0f574dd5f6c4aaa63c88cf974d8caf6e3690259c14|
+|57ecda52cfb12afa08e84fe86cd61a95.zip|557cdd4332765a5d223693f5c1e605bae17464919fd57f9a62a86e33cb07be7e|
+|Scan0012.docx|5a19a1df087e0cc12e554b04dc383fb50b7c4a926ac34611acb43ab3cc4404e9|
+|kb8989476.rtf|51dfa1d8c62598b0d03f77faa57887dcdeb0075216c35f5018609fbcb82c8672|
+|C:\Windows\Tasks\wordfile.exe|9a3061631ff634d8f573b36c885e41f8d4508c53f372c858b8b484b1f928b49f|
+|wine.exe|bb5d713e81f782fc1bbd636eb97689e2010e71f4219ef80b90d979a6045b345a|
+|C:\Windows\Tasks\A64.dll|894bd1b82b451fd08d8ac3a3d4e8e248bbc1c153c557aebdfeaa7e1ffafef4d6|
+|C:\Windows\Tasks\Serviceflow.exe|ecbaac40bd504defe4f5eaba468e53de10e99f4dca5d05790d26e3ee4e5ce37f|
+|C:\Windows\Tasks\sinter.exe|6584b9e3849142d9c479ca58a0098636b556220e76b1ae1376f56dbdb80feb56|
+|EFILE|b64691a3fff3b17eb1a169180f470bf1ea36c7793fe36e93ba8aad55fe4a5a83|
+|DFILE|746b2a03a6413f97b66fc96c3e12204488f13f0c4b2255bee427b54291a9a639|
+|DFILE-|ddc7d7cdc8ceb6a9c5cc776ccd7916cd4c16612aa54c5e0a9827303c6ab38eef|
+|EFILE-|ed4a1c94b4e3b813ac352446aded7a7bbe1698cba436451a7d54b0bc55bf5b52|
+|DOCS|322f48a07af27b22f9cd29f14abe390349262ac9db901759b03553fe0d71446e|
+|DOCSN|c0a23116c1c7ced59ff8eae5ee96a48d436dd2e5b435a291003889d2ed9489e1|
+|DOCSN-1|0ed911e6d672e8a830d13b2f62a06a74dd7bfff82a31cc8a5c169f2689c4255b|
+|XLSS|365b35cff4e0314c6fa2bb5cd66d6040efba93b5857d5536bd6fea4d871afe33|
+|XLSSN|cea33a195f791bb5db28d53b3a81dd407e107aa33a913475d07080df6167e7c6|
+|XLSSN-1|f345c969b58aeda8e78743db529f3a0ff81ba227880bd90d46e47bf9a37b932b|
+|en-content.com|Domain requested|
+|bsodsupport.icu|Domain requested|
+|cloud-storage-service.com|Domain requested|
+|office360-pub.16mb.com|Domain requested|
+|noitfication-office-client.890m.com|Domain requested|
+|plug.msplugin.icu|Domain requested|
+|mscheck.icu|Domain requested|
+|sdn.host|Domain requested|
+|178.62.186.233|IP requested|
+|178.62.188.63|IP requested|
+|156.67.222.128|IP requested|
+|159.89.104.38|IP requested|
+|157.230.213.81|IP requested|
+|146.185.139.134|IP requested|
+|http://en-content.com/SecurityM/EFILE|HTTP/HTTPS requests|
+|http://en-content.com/SecurityM/DFILE|HTTP/HTTPS requests|
+|http://en-content.com/SecurityM/DFILE-|HTTP/HTTPS requests|
+|http://en-content.com/SecurityM/EFILE-|HTTP/HTTPS requests|
+|http://en-content.com/SecurityM/LIN|HTTP/HTTPS requests|
+|http://bsodsupport.icu/ScanSecurity/DOCS|HTTP/HTTPS requests|
+|http://bsodsupport.icu/ScanSecurity/DOCSN|HTTP/HTTPS requests|
+|http://bsodsupport.icu/ScanSecurity/DOCSN-1|HTTP/HTTPS requests|
+|http://bsodsupport.icu/ScanSecurity/XLSS|HTTP/HTTPS requests|
+|http://bsodsupport.icu/ScanSecurity/XLSSN|HTTP/HTTPS requests|
+|http://bsodsupport.icu/ScanSecurity/XLSSN-1|HTTP/HTTPS requests|
+|http://cloud-storage-service.com/pub/officex32x64/kb8989476|HTTP/HTTPS requests|
+|http://noitfication-office-client.890m.com/fcfdae-9dfc335ca-bd10/NHSORE/jjhl|HTTP/HTTPS requests|
+|http://plug.msplugin.icu/MicrosoftSecurityScan/DOCSDOC|HTTP/HTTPS requests|
+|http://mscheck.icu/SecurityScan/XLSS|HTTP/HTTPS requests|
+|http://sdn.host/MicrosoftSecurityScan/11MVEM1X|HTTP/HTTPS requests|
+|http://sdn.host/MicrosoftSecurityScan/FRSI080222F|HTTP/HTTPS requests|
+|support.worldupdate.live|Doamin C2|
+|account-support.site|Doamin C2|
+|skillsnew.top|Doamin C2|
+|mystrylust.pw|Doamin C2|
+|216.170.126.139|IP C2|
+|46.105.40.12|IP C2|
+|82.196.7.221|IP C2|
+|37.139.28.208|IP C2|
+###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/IOC_Donot_25-09-19.json)
## Links
###### Original tweet: [https://twitter.com/Timele9527/status/1173431630171492352](https://twitter.com/Timele9527/status/1173431630171492352)