APT dustsquad
Tentacles reaching into Central Asia: an analysis of DustSquad APT activity targeting Uzbekistan
Anonymous user 2019-12-08 12:43:55 1383 views


The full report is published at:

Tentacles reaching into Central Asia: an analysis of DustSquad APT activity targeting Uzbekistan

Attack flow chart: [image not reproduced]


Sample hash (MD5)                 File name
98b1c326572110a4c88c6741575910c2  исправленный вариан_18.11.2019г.rar
62fb5aa21f62e92586829520078c2561  исправленный вариан_18.11.2019г.exe
bbb701630f30c5c85cebbc953b98ff38  Java7.exe


C2:

http[:]//cookiesqueen[.]com/innovative.php

http[:]//poisonfight[.]com/idea.php


URL:

http[:]//poisonfight[.]com/idea.php?check=c558838690881fa7f75807cfa94b3713

http[:]//poisonfight[.]com/idea.php?servers=c558838690881fa7f75807cfa94b3713

http[:]//poisonfight[.]com/idea.php?query=c558838690881fa7f75807cfa94b3713


Commands executed (host reconnaissance via WMIC):

WMIC.exe computersystem get name /format:list

WMIC.exe os get installdate /format:list

WMIC.exe path CIM_LogicalDiskBasedOnPartition get Antecedent,Dependent

WMIC.exe path win32_physicalmedia where tag="\\\\.\\PHYSICALDRIVE0" get serialnumber /format:list


Dropped files:

{Startup folder}/Java7.exe

%AppData%\.settings.ini

%userprofile%\Desktop\èñïðàâëåííûéâàðèàíò_18.11.2019ã.doc

%Temp%\{random characters}
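The indicators above (C2 URL pattern, WMIC reconnaissance commands and dropped-file locations) are easiest to act on when turned into matching rules. The following is an added example, not code from the report or its authors: the indicator values are taken from the text above, while the event schema, field names, the sample events and the resolution of the Startup folder and %AppData% to their usual on-disk paths are assumptions made for this example.

```python
"""Detection helpers for the DustSquad indicators listed in the post.

Added example (not part of the original report). Indicator values come from the
report; the event format, field names and sample events are constructed here to
show how the indicators apply to process-creation, proxy and file-write logs.
"""
import re
from urllib.parse import parse_qs, urlparse

# C2 indicators from the report (defanged in the post; refanged for matching).
C2_HOSTS = {"cookiesqueen.com", "poisonfight.com"}
C2_PATHS = {"/innovative.php", "/idea.php"}
C2_QUERY_KEYS = {"check", "servers", "query"}   # beacon parameters seen in the URLs
HASH32 = re.compile(r"^[0-9a-f]{32}$")          # 32-hex victim identifier used as the value

# WMIC reconnaissance commands run by the sample (matched on a lowercased,
# whitespace-normalised command line).
WMIC_RECON = {
    "wmic-computersystem-name": re.compile(r"\bcomputersystem get name\b"),
    "wmic-os-installdate": re.compile(r"\bos get installdate\b"),
    "wmic-disk-partition-map": re.compile(
        r"\bpath cim_logicaldiskbasedonpartition get antecedent,\s?dependent\b"),
    "wmic-physicalmedia-serial": re.compile(
        r"\bpath win32_physicalmedia where .*\bget serialnumber\b"),
}

# Dropped-file locations from the report. Expanding the Startup folder and
# %AppData% to their usual paths is an assumption of this example.
DROPPED_FILES = {
    "startup-java7": re.compile(r"\\start menu\\programs\\startup\\java7\.exe$"),
    "appdata-settings-ini": re.compile(r"\\appdata\\roaming\\\.settings\.ini$"),
}


def refang(ioc: str) -> str:
    """Turn the post's defanged notation (http[:]//host[.]tld) back into a real URL."""
    return ioc.replace("[:]", ":").replace("[.]", ".")


def is_dustsquad_c2_url(url: str) -> bool:
    """True when the URL uses a known C2 host/path pair and, if a query string is
    present, one of the observed parameter names carrying a 32-hex value."""
    u = urlparse(refang(url))
    if u.hostname not in C2_HOSTS or u.path not in C2_PATHS:
        return False
    if not u.query:
        return True
    qs = parse_qs(u.query)
    return any(k in C2_QUERY_KEYS and all(HASH32.fullmatch(v) for v in vals)
               for k, vals in qs.items())


def wmic_recon_hits(cmdline: str) -> list[str]:
    """Names of the reconnaissance patterns a process command line matches."""
    norm = " ".join(cmdline.lower().split())
    if "wmic" not in norm:
        return []
    return [name for name, rx in WMIC_RECON.items() if rx.search(norm)]


def dropped_file_hits(path: str) -> list[str]:
    """Names of the dropped-file patterns a file path matches."""
    norm = path.lower().replace("/", "\\")
    return [name for name, rx in DROPPED_FILES.items() if rx.search(norm)]


def scan_events(events: list[dict]) -> dict:
    """Apply all three indicator sets to a list of log events.

    Each event is a dict with 'type' in {'process', 'http', 'file'} and the matching
    'cmdline', 'url' or 'path' field (constructed schema). Returns per-event hits and
    a 'recon_chain' flag set when at least three of the four WMIC queries appear in
    the same event stream: any single WMIC query is ordinary admin activity, the
    combination is the stronger signal.
    """
    hits = {}
    recon_seen = set()
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            names = wmic_recon_hits(ev["cmdline"])
            recon_seen.update(names)
        elif ev["type"] == "http":
            names = ["c2-url"] if is_dustsquad_c2_url(ev["url"]) else []
        elif ev["type"] == "file":
            names = dropped_file_hits(ev["path"])
        else:
            names = []
        if names:
            hits[i] = names
    return {"hits": hits, "recon_chain": len(recon_seen) >= 3}


# Constructed sample events (not real telemetry) mirroring the report's indicators.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "WMIC.exe computersystem get name /format:list"},
    {"type": "process", "cmdline": "WMIC.exe os get installdate /format:list"},
    {"type": "process", "cmdline": "WMIC.exe path CIM_LogicalDiskBasedOnPartition get Antecedent,Dependent"},
    {"type": "process", "cmdline": 'WMIC.exe path win32_physicalmedia where tag="\\\\.\\PHYSICALDRIVE0" get serialnumber /format:list'},
    {"type": "process", "cmdline": "wmic.exe qfe list"},  # benign admin use; must not match
    {"type": "http", "url": "http://poisonfight.com/idea.php?check=c558838690881fa7f75807cfa94b3713"},
    {"type": "http", "url": "http://poisonfight.com/idea.php?check=notahash"},  # wrong value shape
    {"type": "file", "path": r"C:\Users\victim\AppData\Roaming\.settings.ini"},
    {"type": "file", "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java7.exe"},
]

if __name__ == "__main__":
    result = scan_events(SAMPLE_EVENTS)
    for idx, names in result["hits"].items():
        print(idx, names)
    print("recon chain:", result["recon_chain"])
```

The host/path match alone will fire on any request to those servers, which is the right behaviour for a blocklist; the query-value check is there so that the same rule can also be run over generic proxy logs where the operator later moves the PHP endpoint to a new host but keeps the `check=`/`servers=`/`query=` beacon format.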



Anonymous user 2019-12-12 15:42:53 Reply
++