mirror of
https://github.com/Gi7w0rm/MalwareConfigLists
synced 2024-06-28 09:53:06 +00:00
100 lines
3.4 KiB
Plaintext
Sandbox Analysis:
https://tria.ge/231209-1ya5lacce6

Initial URL:
hxxps://videocallgirl[.]top/alb/ (Careful, autodownload of malicious .zip)

downloads malicious .zip via:
hxxps://download-ai[.]top/Eseoa%20Onlyfans%20Leak%20(Photos%20&%20Videos)%20Eseoa-Onlyfans-Leak-1570E020C.zip?t=ONS_Bokyem

.zip file content:
- several .exe files posing as images.
- 1x .dll file called WDSync.dll (probably DLL sideloading)

-> downloads and installs php.exe and additional payloads via
videox-hamster[.]top
hxxp://videox-hamster[.]top/backup/Canon.exe
hxxp://videox-hamster[.]top/backup/CNQMUTIL.dll

reaches out to:
hxxps://api.ipify.org/

C2:
hxxps://10minions[.]top/api/rss

with initial data:
?a=update2&v=3.1.1&machine_id=[MachineID]&tag=L03&uname=[Base64 of (Windows Version, OSType, is workstation?, is server?, 64-Bit OS?, Windows Release ID, Windows Display Version, Windows Update Build Revision)]
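The check-in above has a fixed shape (path /api/rss, query keys a, v, machine_id, tag and a base64 uname blob), which makes it easy to match in proxy logs and to decode the reported system info for triage. The script below is an added example and is not part of this note or of the MalwareConfigLists repository: it matches constructed proxy log lines against the domains listed in this note (the log lines and the system-info string inside the beacon are invented, and the log format is assumed), decodes the uname field, and, going slightly beyond the C2 line, also flags hits on the other IoC domains from the note, subdomains included.

```python
"""Match proxy log lines against the IoCs from this note and decode the
C2 check-in's uname field.  Added example; the log lines, the log format
("<timestamp> <client> <method> <url>") and the system-info values are all
constructed for the demonstration."""
import base64
import binascii
from urllib.parse import urlparse, parse_qs, quote

# Domains taken from the note (defanged brackets removed so they match real logs).
# api.ipify.org is deliberately not listed: it is a legitimate service.
IOC_DOMAINS = {
    "videocallgirl.top", "download-ai.top", "videox-hamster.top",
    "10minions.top", "albumphotography.top", "sluter.top", "pa688.top",
    "albumcallgirl.top",
}

# Check-in shape described in the note: /api/rss?a=...&v=...&machine_id=...&tag=...&uname=<base64>
BEACON_PATH = "/api/rss"
BEACON_KEYS = {"a", "v", "machine_id", "tag", "uname"}

# Constructed stand-in for the uname payload, in the field order the note lists
# (Windows version, OS type, workstation?, server?, 64-bit?, release ID,
# display version, UBR).  Values are invented.
_FAKE_SYSINFO = "Windows 10,Workstation,1,0,1,2009,22H2,2715"
_FAKE_UNAME = base64.b64encode(_FAKE_SYSINFO.encode()).decode()

# Constructed sample proxy log lines (not from the sandbox run).
SAMPLE_LOG = [
    "2023-12-09T10:00:01Z 10.0.0.5 GET https://videocallgirl.top/alb/",
    "2023-12-09T10:00:09Z 10.0.0.5 GET https://api.ipify.org/",
    "2023-12-09T10:00:12Z 10.0.0.5 GET https://10minions.top/api/rss"
    "?a=update2&v=3.1.1&machine_id=ABCD1234&tag=L03&uname=" + quote(_FAKE_UNAME),
    "2023-12-09T10:00:15Z 10.0.0.5 GET http://albumphotography.top/version4.txt?ran=17",
    "2023-12-09T10:00:20Z 10.0.0.6 GET https://www.example.org/index.html",
]


def _b64_decode_lenient(value: str) -> str:
    """Decode base64 as found in a query string: restore '+' that parse_qs
    turned into a space, accept the URL-safe alphabet, re-add padding, and
    never raise on garbage (returns "" instead)."""
    value = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return ""


def decode_beacon(url: str):
    """Return the parsed check-in fields if the URL has the shape the note
    describes, otherwise None."""
    parsed = urlparse(url)
    if parsed.path != BEACON_PATH:
        return None
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if not BEACON_KEYS.issubset(params):
        return None
    return {
        "action": params["a"],
        "version": params["v"],
        "machine_id": params["machine_id"],
        "tag": params["tag"],
        "uname": _b64_decode_lenient(params["uname"]),
    }


def check_line(line: str):
    """Classify one log line: IoC domain hit (domain or any subdomain) and,
    where applicable, the decoded C2 check-in."""
    url = line.rsplit(" ", 1)[-1]
    host = (urlparse(url).hostname or "").lower()
    ioc_hit = any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)
    beacon = decode_beacon(url) if ioc_hit else None
    return {"url": url, "host": host, "ioc_hit": ioc_hit, "beacon": beacon}


def scan(lines):
    """Return only the lines that touched an IoC domain, with beacon data decoded."""
    return [r for r in (check_line(line) for line in lines) if r["ioc_hit"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["host"], hit["beacon"] or "")
```

Run it as-is to see three of the five constructed lines flagged, with the machine_id, tag, version and decoded system info printed for the check-in line. The beacon decoder is deliberately lenient because the sample format only tells us the field is base64, not whether the loader pads or percent-encodes it; in a real deployment the IoC set would be loaded from the list rather than hard-coded.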

Additional URLs contacted:
hxxp://albumphotography[.]top/version4.txt?ran=[NUM VALUE]
hxxp://albumphotography[.]top/im10025.json
hxxp://albumphotography[.]top/cm10044.json
hxxp://albumphotography[.]top/AviraLib/BouncyCastle.Crypto.dll
hxxp://albumphotography[.]top/AviraLib/EntityFramework.SqlServer.dll
hxxp://albumphotography[.]top/AviraLib/NAudio.dll
hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.EF6.dll
hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.Linq.dll
hxxp://albumphotography[.]top/AviraLib/x86/SQLite.Interop.dll
hxxp://albumphotography[.]top/extension_c.zip?ran=[NUM VALUE]
hxxp://albumphotography[.]top/AviraLib/EntityFramework.dll
hxxp://albumphotography[.]top/AviraLib/Ionic.Zip.dll
hxxp://albumphotography[.]top/AviraLib/Newtonsoft.Json.dll
hxxp://albumphotography[.]top/AviraLib/System.Data.SQLite.dll
hxxp://albumphotography[.]top/AviraLib/x64/SQLite.Interop.dll
hxxp://albumphotography[.]top/extensionl.zip?ran=[NUM VALUE]

Other potential C2s:
hxxp://sluter[.]top:8080/?udid=[unique ID]
hxxp://pa688[.]top:8080/?udid=[unique ID]

Then follows up with tons of requests to Facebook, Google and other services, likely in an attempt to identify, analyze and steal accounts. However, there is also potential for ad fraud.

Among the opened links are
googleapis.com
googlevideo.com
play.google.com
ade.googlesyndication.com
yt3.ggpht.com
facebook.com
static.xx.fbcdn.net

Additional URLs of this campaign via pivoting:

8videoabc[.]top/alb2/ (careful, autodownload of malicious .zip)
albumphotoshow[.]top/alb/ (careful, autodownload of malicious .zip)
albumpga[.]top/alb/ (careful, autodownload of malicious .zip)
hxxps://cdn.albumcallgirl[.]top/Yuka%20Mystic%20Ex-Wife%20Collection%20Full%20No%20Hide-15810002E.zip?t=ONS_Bokyem
leakonlyfan[.]top/fullnohide/
albumimages[.]top/alb/
x-albums[.]com/alb/
nctitds[.]top/album/
x-photos[.]net/alb/
xpictures[.]net/alb/
photography-hq[.]com/alb/
x-photobucket[.]top/album/
lydownload[.]net/app/
xphotos[.]net/alb/
sportydesktops[.]com/file/
office-2023[.]com/file/
www-x-videos[.]com/file/
chatgpt-premium[.]com/file/
videovip[.]org/vd/
x-album[.]com/alb/
myprivatephotoalbum[.]top/alb/
x-picture[.]net/alb/
movies-box[.]net/mv/
movies-cine[.]com/mv/
xphotos-album[.]com/alb/
pictures-album[.]com/alb/
image-albums[.]com/alb/
xpictures-albums[.]com/alb/
chaesik[.]com/file/
photoandfilms[.]com/alb/
kudaqq[.]com/file/
myafarisha[.]com/file/
best-pc-games[.]net/file/?t=dragon_ball_the_breakers
globalsalestore[.]com/products/
https://caklub.com/file/?t=over-night-girl