
Vietnam

Open vysecurity opened this issue 6 years ago • 4 comments

https://github.com/jacobsoo/ThreatHunting/blob/master/Vietnam/1bc5a02963497fc74e265f11d809cd179fd46852b762e732f736ced12cad9077.md

Using default safebrowsing malleable profile for C2.

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Spawn and inject in: rundll32.exe

Example GET URI: /safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2

Example POST URI: /safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4

Headers:

  • Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  • Accept-Language: en-US,en;q=0.5
  • Accept-Encoding: gzip, deflate

It "may" use DNS C2, configured DNS idle response to 0.0.0.0. DNS Sleep is 0. HTTP Sleep is 5 seconds.

Pipename: msagent_*

vysecurity avatar Jun 21 '19 17:06 vysecurity
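The indicators above (fixed URIs, User-Agent and the 5 second HTTP sleep) are easy to turn into a proxy-log check. The following is an added example, not code from the issue or from the ThreatHunting repository: it parses a constructed proxy-log format (`epoch src dst method uri status "user-agent"`, an assumption made for this example), scores each request against the listed indicators, and separately looks for GET beaconing to `/safebrowsing/rd/` at a median interval near the stated 5 second sleep. The jitter tolerance and minimum request count are assumptions.

```python
"""Match proxy-log lines against the default "safebrowsing" profile
indicators quoted in the issue. Log format and sample lines are constructed."""
import re
from collections import defaultdict
from statistics import median

# Indicators taken from the issue text.
SAFEBROWSING_URIS = {
    "/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2",  # GET
    "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4",             # POST
}
SAFEBROWSING_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
URI_PREFIX = "/safebrowsing/rd/"
HTTP_SLEEP_SECONDS = 5  # "HTTP Sleep is 5 seconds"

# Assumed log format for this example: epoch src dst method uri status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\d+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) '
    r'(?P<uri>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for a well-formed log line, None otherwise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec


def indicator_reasons(req):
    """List which of the issue's indicators a single request matches."""
    reasons = []
    if req["uri"] in SAFEBROWSING_URIS:
        reasons.append("exact default-profile URI")
    elif req["uri"].startswith(URI_PREFIX):
        reasons.append("safebrowsing URI prefix")
    if req["ua"] == SAFEBROWSING_UA:
        reasons.append("default-profile User-Agent")
    return reasons


def beaconing_pairs(requests, sleep=HTTP_SLEEP_SECONDS, jitter=1, min_count=4):
    """Map (src, dst) -> median gap for pairs whose GET cadence to the
    safebrowsing URI prefix sits within `jitter` seconds of `sleep`."""
    per_pair = defaultdict(list)
    for r in requests:
        if r["method"] == "GET" and r["uri"].startswith(URI_PREFIX):
            per_pair[(r["src"], r["dst"])].append(r["ts"])
    hits = {}
    for pair, stamps in per_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if abs(med - sleep) <= jitter:
            hits[pair] = med
    return hits


def analyse(log_text):
    """Return (flagged requests, beaconing pairs) for a block of log text."""
    reqs = [r for r in map(parse_line, log_text.splitlines()) if r]
    flagged = []
    for r in reqs:
        reasons = indicator_reasons(r)
        if reasons:
            flagged.append((r["src"], r["dst"], r["method"], r["uri"], reasons))
    return flagged, beaconing_pairs(reqs)


# Constructed sample: one host checking in every 5 s plus a benign request.
GET_URI = "/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2"
POST_URI = "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4"
SAMPLE_LOG = "\n".join(
    [f'{1000 + 5 * i} 10.0.0.5 203.0.113.10 GET {GET_URI} 200 "{SAFEBROWSING_UA}"'
     for i in range(5)]
    + [f'1012 10.0.0.5 203.0.113.10 POST {POST_URI} 200 "{SAFEBROWSING_UA}"',
       '1003 10.0.0.7 198.51.100.20 GET /index.html 200 "Mozilla/5.0 (X11; Linux x86_64) Chrome/75.0"']
)

if __name__ == "__main__":
    flagged, beacons = analyse(SAMPLE_LOG)
    for entry in flagged:
        print("FLAG", entry)
    for pair, gap in beacons.items():
        print("BEACON", pair, "median gap", gap)
```

The exact-URI match is the strongest signal because the default profile never changes those paths; the User-Agent alone is a weak indicator since it is a legitimate IE11 string, so the cadence check is what separates a real check-in from ordinary browsing.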

Got bored and thought I'd pitch in.

vysecurity avatar Jun 21 '19 17:06 vysecurity

That said, they tend to use free dynamic DNS services quite often.

vysecurity avatar Jun 21 '19 17:06 vysecurity

More related: https://www.virustotal.com/gui/file/1cc3f2296f5cd9207f6c84fa9de26dcdbff0b16e49accb0f8dd670ee8d32dd50/community

vysecurity avatar Jun 21 '19 17:06 vysecurity

Thanks sir. Added your information to it.

jacobsoo avatar Jun 22 '19 04:06 jacobsoo