diff --git a/Unknown/potential_ducktail.txt b/Unknown/potential_ducktail.txt new file mode 100644 index 0000000..3497979 --- /dev/null +++ b/Unknown/potential_ducktail.txt 
@@ -0,0 +1,61 @@ +Initial URL: + +hxxps://videocallgirl[.]top/alb/ (Careful, autodownload of malicious .zip) + +downloads malicious .zip via: +hxxps://download-ai[.]top/Eseoa%20Onlyfans%20Leak%20(Photos%20&%20Videos)%20Eseoa-Onlyfans-Leak-1570E020C.zip?t=ONS_Bokyem + +.zip file content: +- several .exe files posing as images. +- 1x .dll file called WDSync.dll (probably dll sideloading) + +-> downloads and installs php.exe and additiaonal payloads via + +videox-hamster[.]top +hxxp://videox-hamster[.]top/backup/Canon.exe +hxxp://videox-hamster[.]top/backup/CNQMUTIL.dll + +reaches out to: +hxxps://api.ipify.org/ + +C2: +hxxps://10minions[.]top/api/rss +with initial data: +?a=update2&v=3.1.1&machine_id=[MachineID]&tag=L03&uname=[Base64 of (Windows Version, OSType, is workstation?, is server?, 64-Bit OS?, Windows Release ID, Windows Display Version, Windows Update Build Revision)] + +Additional URLs contacted: +hxxp://albumphotography[.]top/version4.txt?ran=[NUM VALUE] +hxxp://albumphotography[.]top/im10025.json +hxxp://albumphotography[.]top/cm10044.json +hxxp://albumphotography[.]top/AviraLib/BouncyCastle.Crypto.dll +hxxp://albumphotography[.]top/AviraLib/EntityFramework.SqlServer.dll +hxxp://albumphotography[.]top/AviraLib/NAudio.dll +hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.EF6.dll +hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.Linq.dll +hxxp://albumphotography[.]top/AviraLib/x86/SQLite.Interop.dll +hxxp://albumphotography[.]top/extension_c.zip?ran=[NUM VALUE] +hxxp://albumphotography[.]top/AviraLib/EntityFramework.dll +hxxp://albumphotography[.]top/AviraLib/Ionic.Zip.dll +hxxp://albumphotography[.]top/AviraLib/Newtonsoft.Json.dll +hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.dll +hxxp://albumphotography[.]top/AviraLib/x64/SQLite.Interop.dll +hxxp://albumphotography[.]top/extensionl.zip?ran=[NUM VALUE] + +Other potential C2s: + +hxxp://sluter[.]top:8080/?udid=[unique ID] +hxxp://pa688[.]top:8080/?udid=[unique ID] + +Then 
follows up with tons of requests to Facebook, Google and other services, likely in an attempt to identify, analyze and steal accounts. However there is also potential for AdFraud? +Among the opened links are +googleapis.com +googlevideo.com +play.google.com +ade.googlesyndication.com +yt3.ggpht.com +facebook.com +static.xx.fbcdn.net + +Additional URLs of this campaign via pivoting: +8videoabc[.]top/alb2/ (careful, autodownload of malicious .zip) +albumphotoshow[.]top/alb/ (careful, autodownload of malicious .zip)
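Review bot: the IoC list in this hunk carries no file hashes, so its most durable indicators (the downloaded .zip, the .exe files posing as images, WDSync.dll, backup/Canon.exe and backup/CNQMUTIL.dll) cannot be matched once the hosting domains rotate; add SHA256 values next to each named file, or mark them explicitly as unavailable. Defanging is also inconsistent: most entries use `hxxp`/`hxxps` with `[.]`, but `videox-hamster[.]top` and the pivoted `8videoabc[.]top/alb2/` and `albumphotoshow[.]top/alb/` carry no scheme at all, while the block under "Among the opened links are" lists live, undefanged domains (`googleapis.com`, `facebook.com`, `static.xx.fbcdn.net`) that the text itself describes as legitimate services contacted after infection rather than attacker infrastructure; label that block as benign contacted services, or move it to its own section, so an automated parser does not ingest it into a blocklist. Minor: `additiaonal` is a typo for `additional`; since the file is named potential_ducktail.txt, the note should state what the attribution rests on (the Facebook and Google account targeting is the only hint in the text); and the "potential for AdFraud?" remark should be marked as a hypothesis so it is not read as an observed capability.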