From ef6ca3f57327eaf58991435514bd994f3777a343 Mon Sep 17 00:00:00 2001 From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com> Date: Wed, 25 Sep 2019 02:09:11 +0200 Subject: [PATCH] Update Malware analysis.md --- Indian/APT/Donot/17-09-19/Malware analysis.md | 70 +++++++++++++++++-- 1 file changed, 63 insertions(+), 7 deletions(-) diff --git a/Indian/APT/Donot/17-09-19/Malware analysis.md b/Indian/APT/Donot/17-09-19/Malware analysis.md index 57e19c2..005195c 100644 --- a/Indian/APT/Donot/17-09-19/Malware analysis.md +++ b/Indian/APT/Donot/17-09-19/Malware analysis.md @@ -135,13 +135,69 @@ | Indicator | Description| | ------------- |:-------------:| -||| -||Domain requested| -||IP requested| -||HTTP/HTTPS requests|| -||IP C2| -||Domain C2| -###### This can be exported as JSON format [Export in JSON]() +|86ccedaa93743e83787f53e09e376713.docx|36eb4d0e5f2435e6a01d10ac9e0b362e49de990ac841ba536f63d5be76e99794| +|d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.docx|d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7| +|01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx|01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae| +|pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775|17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775| +|A1719.docx|6b5d8a52ca5c9e90339c6c0f574dd5f6c4aaa63c88cf974d8caf6e3690259c14| +|57ecda52cfb12afa08e84fe86cd61a95.zip|557cdd4332765a5d223693f5c1e605bae17464919fd57f9a62a86e33cb07be7e| +|Scan0012.docx|5a19a1df087e0cc12e554b04dc383fb50b7c4a926ac34611acb43ab3cc4404e9| +|kb8989476.rtf|51dfa1d8c62598b0d03f77faa57887dcdeb0075216c35f5018609fbcb82c8672| +|C:\Windows\Tasks\wordfile.exe|9a3061631ff634d8f573b36c885e41f8d4508c53f372c858b8b484b1f928b49f| +|wine.exe|bb5d713e81f782fc1bbd636eb97689e2010e71f4219ef80b90d979a6045b345a| +|C:\Windows\Tasks\A64.dll|894bd1b82b451fd08d8ac3a3d4e8e248bbc1c153c557aebdfeaa7e1ffafef4d6| +|C:\Windows\Tasks\Serviceflow.exe|ecbaac40bd504defe4f5eaba468e53de10e99f4dca5d05790d26e3ee4e5ce37f| +|C:\Windows\Tasks\sinter.exe|6584b9e3849142d9c479ca58a0098636b556220e76b1ae1376f56dbdb80feb56| +|EFILE|b64691a3fff3b17eb1a169180f470bf1ea36c7793fe36e93ba8aad55fe4a5a83| +|DFILE|746b2a03a6413f97b66fc96c3e12204488f13f0c4b2255bee427b54291a9a639| +|DFILE-|ddc7d7cdc8ceb6a9c5cc776ccd7916cd4c16612aa54c5e0a9827303c6ab38eef| +|EFILE-|ed4a1c94b4e3b813ac352446aded7a7bbe1698cba436451a7d54b0bc55bf5b52| +|DOCS|322f48a07af27b22f9cd29f14abe390349262ac9db901759b03553fe0d71446e| +|DOCSN|c0a23116c1c7ced59ff8eae5ee96a48d436dd2e5b435a291003889d2ed9489e1| +|DOCSN-1|0ed911e6d672e8a830d13b2f62a06a74dd7bfff82a31cc8a5c169f2689c4255b| +|XLSS|365b35cff4e0314c6fa2bb5cd66d6040efba93b5857d5536bd6fea4d871afe33| +|XLSSN|cea33a195f791bb5db28d53b3a81dd407e107aa33a913475d07080df6167e7c6| +|XLSSN-1|f345c969b58aeda8e78743db529f3a0ff81ba227880bd90d46e47bf9a37b932b| +|en-content.com|Domain requested| +|bsodsupport.icu|Domain requested| +|cloud-storage-service.com|Domain requested| +|office360-pub.16mb.com|Domain requested| +|noitfication-office-client.890m.com|Domain requested| +|plug.msplugin.icu|Domain requested| +|mscheck.icu|Domain requested| +|sdn.host|Domain requested| +|178.62.186.233|IP requested| +|178.62.188.63|IP requested| +|156.67.222.128|IP requested| +|159.89.104.38|IP requested| +|157.230.213.81|IP requested| +|146.185.139.134|IP requested| +|http://en-content.com/SecurityM/EFILE|HTTP/HTTPS requests| +|http://en-content.com/SecurityM/DFILE|HTTP/HTTPS requests| +|http://en-content.com/SecurityM/DFILE-|HTTP/HTTPS requests| +|http://en-content.com/SecurityM/EFILE-|HTTP/HTTPS requests| +|http://en-content.com/SecurityM/LIN|HTTP/HTTPS requests| +|http://bsodsupport.icu/ScanSecurity/DOCS|HTTP/HTTPS requests| +|http://bsodsupport.icu/ScanSecurity/DOCSN|HTTP/HTTPS requests| +|http://bsodsupport.icu/ScanSecurity/DOCSN-1|HTTP/HTTPS requests| +|http://bsodsupport.icu/ScanSecurity/XLSS|HTTP/HTTPS requests| +|http://bsodsupport.icu/ScanSecurity/XLSSN|HTTP/HTTPS requests| +|http://bsodsupport.icu/ScanSecurity/XLSSN-1|HTTP/HTTPS requests| +|http://cloud-storage-service.com/pub/officex32x64/kb8989476|HTTP/HTTPS requests| +|http://noitfication-office-client.890m.com/fcfdae-9dfc335ca-bd10/NHSORE/jjhl|HTTP/HTTPS requests| +|http://plug.msplugin.icu/MicrosoftSecurityScan/DOCSDOC|HTTP/HTTPS requests| +|http://mscheck.icu/SecurityScan/XLSS|HTTP/HTTPS requests| +|http://sdn.host/MicrosoftSecurityScan/11MVEM1X|HTTP/HTTPS requests| +|http://sdn.host/MicrosoftSecurityScan/FRSI080222F|HTTP/HTTPS requests| +|support.worldupdate.live|Doamin C2| +|account-support.site|Doamin C2| +|skillsnew.top|Doamin C2| +|mystrylust.pw|Doamin C2| +|216.170.126.139|IP C2| +|46.105.40.12|IP C2| +|82.196.7.221|IP C2| +|37.139.28.208|IP C2| +###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/IOC_Donot_25-09-19.json) ## Links ###### Original tweet: [https://twitter.com/Timele9527/status/1173431630171492352](https://twitter.com/Timele9527/status/1173431630171492352)