- 1x .dll file called WDSync.dll (probably dll sideloading)
-> downloads and installs php.exe and additional payloads via
videox-hamster[.]top
hxxp://videox-hamster[.]top/backup/Canon.exe
hxxp://videox-hamster[.]top/backup/CNQMUTIL.dll
reaches out to:
hxxps://api.ipify.org/
C2:
hxxps://10minions[.]top/api/rss
with initial data:
?a=update2&v=3.1.1&machine_id=[MachineID]&tag=L03&uname=[Base64 of (Windows Version, OSType, is workstation?, is server?, 64-Bit OS?, Windows Release ID, Windows Display Version, Windows Update Build Revision)]
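A way to turn the check-in format above into a detection, as an added example that is not part of the original note: the script below parses proxy log lines, flags requests to the C2 host and path with `a=update2`, and decodes the base64 `uname` field into the eight values the note lists. The log column layout, the comma separator inside the decoded `uname` blob, and all sample values (machine ID, IP, Windows fields) are constructed assumptions for the example; the real separator the malware uses is not given in the note.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Host and path from the note, defanged there as 10minions[.]top; refanged
# here only so it can be compared against log entries.
C2_HOST = "10minions.top"
C2_PATH = "/api/rss"

# Field order of the base64 'uname' value as listed in the note. The comma
# separator inside the decoded blob is an assumption for this example.
UNAME_FIELDS = [
    "windows_version", "os_type", "is_workstation", "is_server",
    "is_64bit", "release_id", "display_version", "ubr",
]


def parse_beacon(url):
    """Return a dict of beacon fields if url is the C2 check-in, else None."""
    parts = urlsplit(url)
    if parts.hostname != C2_HOST or parts.path != C2_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("a", [None])[0] != "update2":
        return None
    info = {
        "version": qs.get("v", [""])[0],
        "machine_id": qs.get("machine_id", [""])[0],
        "tag": qs.get("tag", [""])[0],
    }
    # parse_qs turns '+' into a space; restore it before base64 decoding and
    # re-add any padding the client may have dropped.
    raw = qs.get("uname", [""])[0].replace(" ", "+")
    raw += "=" * (-len(raw) % 4)
    try:
        decoded = base64.b64decode(raw).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        decoded = ""
    info["uname_raw"] = decoded
    values = decoded.split(",")
    info["uname"] = (dict(zip(UNAME_FIELDS, values))
                     if len(values) == len(UNAME_FIELDS) else {})
    return info


def scan_proxy_log(lines):
    """Return [(client_ip, beacon_dict), ...] for every check-in in the log.

    Assumed column layout: timestamp client_ip method url status
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client_ip, url = fields[1], fields[3]
        beacon = parse_beacon(url)
        if beacon:
            hits.append((client_ip, beacon))
    return hits


# Constructed sample data: a hypothetical 'uname' blob and three log lines
# (the ipify and Facebook requests mirror the non-C2 traffic the note lists).
SAMPLE_UNAME = base64.b64encode(
    b"10.0.19045,Windows,1,0,1,2009,22H2,2486").decode()
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 GET https://api.ipify.org/ 200",
    "2024-05-01T10:00:01Z 10.0.0.5 GET https://10minions.top/api/rss"
    "?a=update2&v=3.1.1&machine_id=ABC123&tag=L03&uname=" + SAMPLE_UNAME
    + " 200",
    "2024-05-01T10:00:02Z 10.0.0.5 GET https://static.xx.fbcdn.net/x.js 200",
]

if __name__ == "__main__":
    for ip, beacon in scan_proxy_log(SAMPLE_LOG):
        print(ip, beacon["machine_id"], beacon["tag"], beacon["uname"])
```

Matching on the full host, path and the `a=update2` marker keeps the rule specific; the decoded `uname` values are useful for scoping which hosts beaconed and for confirming the build metadata the malware collects.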
Then follows up with tons of requests to Facebook, Google and other services, likely in an attempt to identify, analyze and steal accounts. However there is also potential for AdFraud?
Among the opened links are
googleapis.com
googlevideo.com
play.google.com
ade.googlesyndication.com
yt3.ggpht.com
facebook.com
static.xx.fbcdn.net
Additional URLs of this campaign via pivoting:
8videoabc[.]top/alb2/ (careful, autodownload of malicious .zip)
albumphotoshow[.]top/alb/ (careful, autodownload of malicious .zip)