Gi7w0rm-MalwareConfigLists/Unknown/potential_ducktail.txt


Sandbox Analysis:
https://tria.ge/231209-1ya5lacce6
Initial URL:
hxxps://videocallgirl[.]top/alb/ (Careful, autodownload of malicious .zip)
downloads malicious .zip via:
hxxps://download-ai[.]top/Eseoa%20Onlyfans%20Leak%20(Photos%20&%20Videos)%20Eseoa-Onlyfans-Leak-1570E020C.zip?t=ONS_Bokyem
.zip file content:
- several .exe files posing as images.
- 1x .dll file called WDSync.dll (probably DLL sideloading)
-> downloads and installs php.exe and additional payloads via
videox-hamster[.]top
hxxp://videox-hamster[.]top/backup/Canon.exe
hxxp://videox-hamster[.]top/backup/CNQMUTIL.dll
reaches out to:
hxxps://api.ipify.org/
C2:
hxxps://10minions[.]top/api/rss
with initial data:
?a=update2&v=3.1.1&machine_id=[MachineID]&tag=L03&uname=[Base64 of (Windows Version, OSType, is workstation?, is server?, 64-Bit OS?, Windows Release ID, Windows Display Version, Windows Update Build Revision)]
Additional URLs contacted:
hxxp://albumphotography[.]top/version4.txt?ran=[NUM VALUE]
hxxp://albumphotography[.]top/im10025.json
hxxp://albumphotography[.]top/cm10044.json
hxxp://albumphotography[.]top/AviraLib/BouncyCastle.Crypto.dll
hxxp://albumphotography[.]top/AviraLib/EntityFramework.SqlServer.dll
hxxp://albumphotography[.]top/AviraLib/NAudio.dll
hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.EF6.dll
hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.Linq.dll
hxxp://albumphotography[.]top/AviraLib/x86/SQLite.Interop.dll
hxxp://albumphotography[.]top/extension_c.zip?ran=[NUM VALUE]
hxxp://albumphotography[.]top/AviraLib/EntityFramework.dll
hxxp://albumphotography[.]top/AviraLib/Ionic.Zip.dll
hxxp://albumphotography[.]top/AviraLib/Newtonsoft.Json.dll
hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.dll
hxxp://albumphotography[.]top/AviraLib/x64/SQLite.Interop.dll
hxxp://albumphotography[.]top/extensionl.zip?ran=[NUM VALUE]
Other potential C2s:
hxxp://sluter[.]top:8080/?udid=[unique ID]
hxxp://pa688[.]top:8080/?udid=[unique ID]
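Added example (not part of the Gi7w0rm list or the tria.ge report): a small Python helper that refangs the defanged indicators above, flags proxy-log requests to those hosts, and splits the 10minions[.]top check-in query string (a=update2, v, machine_id, tag, uname) into fields so an analyst can see what a matching request carried. The proxy log lines, the machine_id value and the uname content are constructed for the example; the list only says which kinds of fields the uname blob encodes, so the helper treats it as an opaque base64 string and just decodes it.

```python
"""Match proxy logs against the IoCs above and decode the update2 check-in.
Added example, not the original list's code. Log lines, machine_id and
uname values are constructed."""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Defanged indicators copied from the list above (subset).
DEFANGED_IOCS = [
    "hxxps://10minions[.]top/api/rss",
    "hxxp://sluter[.]top:8080/?udid=[unique ID]",
    "hxxp://pa688[.]top:8080/?udid=[unique ID]",
    "hxxp://albumphotography[.]top/version4.txt?ran=[NUM VALUE]",
    "hxxp://videox-hamster[.]top/backup/Canon.exe",
    "videocallgirl[.]top/alb/",
]


def refang(indicator: str) -> str:
    """Turn the hxxp / [.] defanging back into a parseable URL."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def ioc_host(indicator: str) -> str:
    """Return the lowercase hostname (no port) of a defanged indicator."""
    url = refang(indicator)
    if "://" not in url:          # bare host/path entries in the list
        url = "http://" + url
    return urlsplit(url).hostname.lower()


IOC_HOSTS = {ioc_host(i) for i in DEFANGED_IOCS}


def parse_checkin(url: str) -> dict:
    """Split the update2 check-in query into fields and base64-decode uname.
    Returns {} when the URL does not have the check-in shape."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if q.get("a") != "update2" or "machine_id" not in q:
        return {}
    # parse_qs turns '+' into a space; restore it before base64 decoding.
    blob = q.get("uname", "").replace(" ", "+")
    try:
        q["uname_decoded"] = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:            # binascii.Error is a ValueError subclass
        q["uname_decoded"] = None
    return q


# Constructed log format: "<timestamp> <client_ip> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def scan_proxy_log(lines):
    """Return one hit per request whose host is in IOC_HOSTS, with any
    decoded check-in fields attached."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname
        if host and host.lower() in IOC_HOSTS:
            hits.append({"client": m["client"], "host": host.lower(),
                         "url": m["url"], "checkin": parse_checkin(m["url"])})
    return hits


# Constructed sample: the uname content is made up, only its base64 shape matters.
SAMPLE_UNAME = base64.b64encode(b"Windows 10 Pro;Workstation;x64;2009;22H2;2728").decode()
SAMPLE_LOG = [
    "2023-12-09T10:01:02Z 10.0.0.15 GET https://api.ipify.org/",
    "2023-12-09T10:01:03Z 10.0.0.15 GET http://videox-hamster.top/backup/Canon.exe",
    "2023-12-09T10:01:05Z 10.0.0.15 GET https://10minions.top/api/rss"
    "?a=update2&v=3.1.1&machine_id=ABCDEF01&tag=L03&uname=" + SAMPLE_UNAME,
    "2023-12-09T10:01:06Z 10.0.0.15 GET https://www.facebook.com/",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["client"], hit["host"], hit["checkin"] or "")
```

Note that api.ipify.org and facebook.com are deliberately not in the IoC set: both are legitimate services the sample also contacts, and alerting on them alone would be noisy. The host match is what ties a request to this campaign; the decoded check-in fields are context for triage.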
Then follows up with a large number of requests to Facebook, Google and other services, likely in an attempt to identify, analyze and steal accounts. There may also be potential for ad fraud.
Among the opened links are
googleapis.com
googlevideo.com
play.google.com
ade.googlesyndication.com
yt3.ggpht.com
facebook.com
static.xx.fbcdn.net
##Additional URLs of this campaign via pivoting:
8videoabc[.]top/alb2/ (careful, autodownload of malicious .zip)
albumphotoshow[.]top/alb/ (careful, autodownload of malicious .zip)
albumpga[.]top/alb/ (careful, autodownload of malicious .zip)
hxxps://cdn.albumcallgirl[.]top/Yuka%20Mystic%20Ex-Wife%20Collection%20Full%20No%20Hide-15810002E.zip?t=ONS_Bokyem
leakonlyfan[.]top/fullnohide/
albumimages[.]top/alb/
x-albums[.]com/alb/
nctitds[.]top/album/
x-photos[.]net/alb/
xpictures[.]net/alb/
photography-hq[.]com/alb/
x-photobucket[.]top/album/
lydownload[.]net/app/
xphotos[.]net/alb/
sportydesktops[.]com/file/
office-2023[.]com/file/
www-x-videos[.]com/file/
chatgpt-premium[.]com/file/
videovip[.]org/vd/
x-album[.]com/alb/
myprivatephotoalbum[.]top/alb/
x-picture[.]net/alb/
movies-box[.]net/mv/
movies-cine[.]com/mv/
xphotos-album[.]com/alb/
pictures-album[.]com/alb/
image-albums[.]com/alb/
xpictures-albums[.]com/alb/
chaesik[.]com/file/
photoandfilms[.]com/alb/
kudaqq[.]com/file/
myafarisha[.]com/file/
best-pc-games[.]net/file/?t=dragon_ball_the_breakers
globalsalestore[.]com/products/
hxxps://caklub[.]com/file/?t=over-night-girl