Create potential_ducktail.txt
parent b60aca2f36
commit ed8a58db14
@ -0,0 +1,61 @@
Initial URL:

hxxps://videocallgirl[.]top/alb/ (Careful, autodownload of malicious .zip)

downloads malicious .zip via:
hxxps://download-ai[.]top/Eseoa%20Onlyfans%20Leak%20(Photos%20&%20Videos)%20Eseoa-Onlyfans-Leak-1570E020C.zip?t=ONS_Bokyem

.zip file content:
- several .exe files posing as images.
- 1x .dll file called WDSync.dll (probably dll sideloading)

-> downloads and installs php.exe and additiaonal payloads via

videox-hamster[.]top
hxxp://videox-hamster[.]top/backup/Canon.exe
hxxp://videox-hamster[.]top/backup/CNQMUTIL.dll

reaches out to:
hxxps://api.ipify.org/

C2:
hxxps://10minions[.]top/api/rss
with initial data:
?a=update2&v=3.1.1&machine_id=[MachineID]&tag=L03&uname=[Base64 of (Windows Version, OSType, is workstation?, is server?, 64-Bit OS?, Windows Release ID, Windows Display Version, Windows Update Build Revision)]

Additional URLs contacted:
hxxp://albumphotography[.]top/version4.txt?ran=[NUM VALUE]
hxxp://albumphotography[.]top/im10025.json
hxxp://albumphotography[.]top/cm10044.json
hxxp://albumphotography[.]top/AviraLib/BouncyCastle.Crypto.dll
hxxp://albumphotography[.]top/AviraLib/EntityFramework.SqlServer.dll
hxxp://albumphotography[.]top/AviraLib/NAudio.dll
hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.EF6.dll
hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.Linq.dll
hxxp://albumphotography[.]top/AviraLib/x86/SQLite.Interop.dll
hxxp://albumphotography[.]top/extension_c.zip?ran=[NUM VALUE]
hxxp://albumphotography[.]top/AviraLib/EntityFramework.dll
hxxp://albumphotography[.]top/AviraLib/Ionic.Zip.dll
hxxp://albumphotography[.]top/AviraLib/Newtonsoft.Json.dll
hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.dll
hxxp://albumphotography[.]top/AviraLib/x64/SQLite.Interop.dll
hxxp://albumphotography[.]top/extensionl.zip?ran=[NUM VALUE]

Other potential C2s:

hxxp://sluter[.]top:8080/?udid=[unique ID]
hxxp://pa688[.]top:8080/?udid=[unique ID]

Then follows up with tons of requests to Facebook, Google and other services, likely in an attempt to identify, analyze and steal accounts. However there is also potential for AdFraud?
Among the opened links are
googleapis.com
googlevideo.com
play.google.com
ade.googlesyndication.com
yt3.ggpht.com
facebook.com
static.xx.fbcdn.net

Additional URLs of this campaign via pivoting:
8videoabc[.]top/alb2/ (careful, autodownload of malicious .zip)
albumphotoshow[.]top/alb/ (careful, autodownload of malicious .zip)
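Review bot: The legitimate services in this file (hxxps://api.ipify.org/ under "reaches out to:", and the whole "Among the opened links are" list: googleapis.com, facebook.com, static.xx.fbcdn.net and the rest) are written in the same one-per-line format as the attacker domains, so anyone who ingests potential_ducktail.txt as an indicator list will block or alert on benign infrastructure; suggest marking each of them "(legitimate service, not an indicator)" or moving them into a separate "benign services used" section, and applying the same treatment to the "Other potential C2s:" entries, which carry no observation backing the C2 label. Two smaller points in the same hunk: the "-> downloads and installs php.exe and additiaonal payloads via" line has a typo ("additional"), and the file name claims a Ducktail link but nothing in the text says what the attribution rests on (the Facebook account activity described after the C2 section is presumably the reason), so one sentence stating that would help the next reader.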