Create potential_ducktail.txt

Gi7w0rm 2023-12-10 12:36:08 +01:00 committed by GitHub
parent b60aca2f36
commit ed8a58db14
GPG Key ID: 4AEE18F83AFDEB23


@ -0,0 +1,61 @@
Initial URL:
hxxps://videocallgirl[.]top/alb/ (Careful, autodownload of malicious .zip)
downloads malicious .zip via:
hxxps://download-ai[.]top/Eseoa%20Onlyfans%20Leak%20(Photos%20&%20Videos)%20Eseoa-Onlyfans-Leak-1570E020C.zip?t=ONS_Bokyem
.zip file content:
- several .exe files posing as images.
- 1x .dll file called WDSync.dll (probably dll sideloading)
-> downloads and installs php.exe and additiaonal payloads via
videox-hamster[.]top
hxxp://videox-hamster[.]top/backup/Canon.exe
hxxp://videox-hamster[.]top/backup/CNQMUTIL.dll
reaches out to:
hxxps://api.ipify.org/
C2:
hxxps://10minions[.]top/api/rss
with initial data:
?a=update2&v=3.1.1&machine_id=[MachineID]&tag=L03&uname=[Base64 of (Windows Version, OSType, is workstation?, is server?, 64-Bit OS?, Windows Release ID, Windows Display Version, Windows Update Build Revision)]
Additional URLs contacted:
hxxp://albumphotography[.]top/version4.txt?ran=[NUM VALUE]
hxxp://albumphotography[.]top/im10025.json
hxxp://albumphotography[.]top/cm10044.json
hxxp://albumphotography[.]top/AviraLib/BouncyCastle.Crypto.dll
hxxp://albumphotography[.]top/AviraLib/EntityFramework.SqlServer.dll
hxxp://albumphotography[.]top/AviraLib/NAudio.dll
hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.EF6.dll
hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.Linq.dll
hxxp://albumphotography[.]top/AviraLib/x86/SQLite.Interop.dll
hxxp://albumphotography[.]top/extension_c.zip?ran=[NUM VALUE]
hxxp://albumphotography[.]top/AviraLib/EntityFramework.dll
hxxp://albumphotography[.]top/AviraLib/Ionic.Zip.dll
hxxp://albumphotography[.]top/AviraLib/Newtonsoft.Json.dll
hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.dll
hxxp://albumphotography[.]top/AviraLib/x64/SQLite.Interop.dll
hxxp://albumphotography[.]top/extensionl.zip?ran=[NUM VALUE]
Other potential C2s:
hxxp://sluter[.]top:8080/?udid=[unique ID]
hxxp://pa688[.]top:8080/?udid=[unique ID]
Then follows up with tons of requests to Facebook, Google and other services, likely in an attempt to identify, analyze and steal accounts. However there is also potential for AdFraud?
Among the opened links are
googleapis.com
googlevideo.com
play.google.com
ade.googlesyndication.com
yt3.ggpht.com
facebook.com
static.xx.fbcdn.net
Additional URLs of this campaign via pivoting:
8videoabc[.]top/alb2/ (careful, autodownload of malicious .zip)
albumphotoshow[.]top/alb/ (careful, autodownload of malicious .zip)
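Review bot: none of the dropped files in this hunk (the .zip, the .exe files posing as images, WDSync.dll, Canon.exe, CNQMUTIL.dll) carries a hash, so the file part of these notes cannot be turned into a blocklist entry or a hunt query; add a SHA256 next to each name. Two smaller points in the same hunk: "additiaonal" on the php.exe line should read "additional", and the beacon description for 10minions[.]top/api/rss lists the fields inside the Base64 uname value but not how they are joined, which is exactly what a detection regex over the decoded value would need. The AviraLib listing under albumphotography[.]top is a set of stock .NET libraries (BouncyCastle, EntityFramework, NAudio, Newtonsoft.Json, Ionic.Zip, System.Data.SQLite), so the file names themselves are not indicators and only the hosting URLs are; saying so avoids false positives, and the SQLite dependency is consistent with the browser-profile and Facebook account access described further down. Finally, "probably dll sideloading" and "potential for AdFraud?" are hypotheses sitting among observed facts; mark them as unconfirmed, and state the basis for the Ducktail attribution, since the filename claims it but nothing in the notes explains it.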