2024-03-26-IOCs-for-Matanbuchus-infection-with-Danabot.txt
2024-03-26 (TUESDAY): MALICIOUS GOOGLE AD LEADS TO MATANBUCHUS INFECTION WITH DANABOT
REFERENCES:
- https://www.linkedin.com/posts/unit42_malvertising-matanbuchus-danabot-activity-7178753900911480833-JlSx
- https://twitter.com/Unit42_Intel/status/1772988284571877807
DATE/TIME OF INFECTION RUN:
- Tuesday 2024-03-26 01:40 UTC
INFECTION CHAIN:
- malicious google ad --> fake money claim site treasurybanks[.]org --> fill out form and get download -->
downloaded zip archive --> victim double-clicks .js file in zip archive --> wscript.exe runs .js file -->
downloads & runs .msi file --> downloads and runs Matanbuchus --> downloads and runs Danabot -->
Both Matanbuchus and Danabot C2 continue
INDICATORS FOR BLOCKLIST:
- treasurybanks[.]org - fake unclaimed funds site
- bologna.sunproject[.]dev - domain hosting decoy PDF
- rome.sunproject[.]dev - domain hosting malicious MSI
- sweetapp[.]page - domain hosting Matanbuchus DLL
- gammaproject[.]dev - Matanbuchus C2
- torontoclub[.]vip - domain hosting Danabot EXE
- 34.168.202[.]91:443 - Danabot C2
- b5e059038a44325c0cf1b04831dc943946181d6ca0107421933a6697e8a27731 q-report-53394.zip
- 43aa76bec0e160c4e4a587e452b3303fa7ac72f08521bcbdcae2c370d669e451 q-report-60033.js
- 8b8e9a0de005d5ec4539a7db288d1553eacb2e7b64067cb88882d7047511a13c bLhLldebqq.msi
- 7832c515d7e0198d97733266c34b3ea207c4938fe8877301952ef2ec7efcb1ec Dad.dll (also: dad86.DLL)
- b82d24fe86378e237041a5a62fe679d43e949e7a1b5471fbf61b0cfa9c465db1 DLL, unknown file name
- 5f24b7934a1981d24700049056dca1be14a19db32779a97ca19766f218e47c0f uyegwfgefwg.exe
- f4b783cd81ae0eba7234e0a4d14d47c813b0e8c18b1d8eb00eda6d326b8c6fbe Hqeyair.dll
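The blocklist above is written in defanged form. The Python below is an added example, not part of the original IOC file: it parses a subset of those lines, refangs the values, sorts them into domain, IP:port and SHA256 sets, and checks constructed DNS, proxy, firewall and EDR log lines (not from the page) against them, treating any subdomain of a listed domain as a hit, since the page itself shows both www.treasurybanks[.]org and get.treasurybanks[.]org in use.

```python
import re
# Subset of the defanged indicators from the blocklist above, copied verbatim from the page.
BLOCKLIST_TEXT = """
- treasurybanks[.]org - fake unclaimed funds site
- rome.sunproject[.]dev - domain hosting malicious MSI
- 34.168.202[.]91:443 - Danabot C2
- 7832c515d7e0198d97733266c34b3ea207c4938fe8877301952ef2ec7efcb1ec Dad.dll (also: dad86.DLL)
"""
# Constructed log lines (not from the page) shaped like DNS, proxy, firewall and EDR events.
SAMPLE_LOGS = [
    "2024-03-26T01:41:02Z dns host=WS-01 qname=get.treasurybanks.org rcode=NOERROR",
    "2024-03-26T01:42:10Z proxy host=WS-01 dst=rome.sunproject.dev:443 path=/download/agent",
    "2024-03-26T01:45:33Z fw host=WS-01 dst=34.168.202.91:443 proto=tcp action=allow",
    "2024-03-26T01:43:05Z edr host=WS-01 image=dad86.DLL "
    "sha256=7832c515d7e0198d97733266c34b3ea207c4938fe8877301952ef2ec7efcb1ec",
    "2024-03-26T01:50:00Z dns host=WS-02 qname=www.example.com rcode=NOERROR",
]

def parse_blocklist(text: str) -> dict:
    """Refang the '- indicator - description' lines into domain, IP:port and SHA256 sets."""
    ioc = {"domains": set(), "sockets": set(), "hashes": set()}
    for line in text.splitlines():
        if not line.startswith("- "):
            continue
        token = line[2:].split()[0].replace("[.]", ".").lower()
        if re.fullmatch(r"[0-9a-f]{64}", token):
            ioc["hashes"].add(token)
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}:\d+", token):
            ioc["sockets"].add(token)
        else:
            ioc["domains"].add(token)
    return ioc

def host_matches(name: str, domains: set) -> bool:
    """Exact host or any subdomain of a listed domain (get.treasurybanks.org hits treasurybanks.org)."""
    return any(name.lower() == d or name.lower().endswith("." + d) for d in domains)

def match_log_line(line: str, ioc: dict) -> list:
    """Return the blocklist indicators that one log line hits (host/socket fields and file hashes)."""
    hits = []
    for m in re.finditer(r"\b(?:qname|dst)=(\S+)", line):
        value = m.group(1)
        hits += [d for d in ioc["domains"] if host_matches(value.split(":")[0], {d})]
        if value in ioc["sockets"]:
            hits.append(value)
    m = re.search(r"\bsha256=([0-9a-fA-F]{64})", line)
    if m and m.group(1).lower() in ioc["hashes"]:
        hits.append(m.group(1).lower())
    return hits
```

Running `match_log_line` over `SAMPLE_LOGS` flags the first four lines and leaves the benign www.example.com query alone.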
DETAILS:
EXAMPLE OF MALICIOUS GOOGLE AD:
- hxxps[:]//www.googleadservices[.]com/pagead/aclk?sa=L&
ai=DChcSEwjY8_qR2JCFAxU5bn8AHYnXBu4YABAAGgJvYQ&
ae=2&
gclid=EAIaIQobChMI2PP6kdiQhQMVOW5_AB2J1wbuEAAYASAAEgKLs_D_BwE&
ohost=www.google.com&
cid=CAASJeRoOAJ0_zKfdLVscQrBoEBG8c7vXlYST1ChsiV3NATg9v4nHcg&
sig=AOD64_1_94oePg6l1kMgeiCy4EKh1tLeog&q&adurl&
ved=2ahUKEwi-le-R2JCFAxXrJEQIHaWJCu0Q0Qx6BAgHEAE
LED TO FAKE UNCLAIMED FUNDS PAGE AT:
- hxxps[:]//www.treasurybanks[.]org/?utm_source=googleads&
utm_medium=cpc&
utm_campaign=peopletreasury&
gad_source=1&
gclid=EAIaIQobChMI2PP6kdiQhQMVOW5_AB2J1wbuEAAYASAAEgKLs_D_BwE
HTTPS TRAFFIC LEADING TO INITIAL ZIP DOWNLOAD:
- port 443 - www.treasurybanks[.]org - HTTPS traffic
- port 443 - get.treasurybanks[.]org - HTTPS traffic
TRAFFIC GENERATED WHEN WSCRIPT.EXE RUNS JS FILE FROM ZIP DOWNLOAD:
- port 443 - hxxps[:]//bologna.sunproject[.]dev/download/pdf <-- returned decoy PDF
- port 443 - hxxps[:]//rome.sunproject[.]dev/download/agent <-- returned MSI file
TRAFFIC GENERATED BY MSI FILE:
- port 443 - hxxps[:]//sweetapp[.]page/userinfo/useraccount.aspx <-- returned Matanbuchus DLL
- port 443 - hxxps[:]//gammaproject[.]dev/index.aspx <-- returned base64 text for another Matanbuchus DLL
C2 TRAFFIC FOR MATANBUCHUS:
- port 59619 - gammaproject[.]dev - POST /blogs/skinny/bleat/index.php
TRAFFIC FOR DANABOT INSTALLER EXE:
- port 443 - hxxps[:]//torontoclub[.]vip/uyegwfgefwg.exe
DANABOT C2 TRAFFIC:
- 34.168.202[.]91 port 443 - encoded/encrypted TCP traffic
MALWARE AND ARTIFACTS:
- SHA256 hash: b5e059038a44325c0cf1b04831dc943946181d6ca0107421933a6697e8a27731
- File size: 2,099,857 bytes
- File name: q-report-53394.zip
- File type: Zip archive data, at least v2.0 to extract, compression method=store
- File description: Example of zip archive sent from fake site at treasurybanks[.]org.
- SHA256 hash: 43aa76bec0e160c4e4a587e452b3303fa7ac72f08521bcbdcae2c370d669e451
- File size: 1,797 bytes
- File name: q-report-60033.js
- File type: ASCII text, with very long lines (1028), with CRLF, LF line terminators
- File description: JavaScript file from zip archive, run by wscript.exe if victim double-clicks it.
- SHA256 hash: 6cf60c768a7377f7c4842c14c3c4d416480a7044a7a5a72b61ff142a796273ec <-- not malicious
- File size: 601,544 bytes
- File location: C:\Users\Admin\AppData\Local\Temp\TNheBOJElq.exe
- File description: Copy of C:\Windows\system32\curl.exe, not malicious.
- SHA256 hash: 8b8e9a0de005d5ec4539a7db288d1553eacb2e7b64067cb88882d7047511a13c
- File size: 1,835,008 bytes
- File location: hxxps[:]//rome.sunproject[.]dev/download/agent
- File location: C:\Users\[username]\AppData\Local\Temp\bLhLldebqq.msi
- File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer
- File description: MSI installer to install Matanbuchus
- SHA256 hash: 52801ace7e7f2cc9a15a5c988bed7deef998b44a86acdd95c557683e1e1835ef <-- not malicious
- File size: 258,482 bytes
- File location: hxxps[:]//bologna.sunproject[.]dev/download/pdf
- File location: C:\Users\[username]\Documents\QMQjaBdqIo.pdf
- File type: PDF document, version 2.0
- File description: Decoy PDF document used for this infection, not malicious.
- SHA256 hash: 7832c515d7e0198d97733266c34b3ea207c4938fe8877301952ef2ec7efcb1ec
- File size: 287,232 bytes
- File location: hxxps[:]//sweetapp[.]page/userinfo/useraccount.aspx
- File location: C:\Users\[username]\Favorites\Decline\dad86.DLL
- File location: C:\Users\[username]\Favorites\Intel64 Family 6 Model 165 Stepping 3, GenuineIntel\Dad.dll
- File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
- File description: 32-bit DLL for Matanbuchus
- Run method: msiexec.exe -z [path to file]
- Note: made persistent through scheduled task
- SHA256 hash: b82d24fe86378e237041a5a62fe679d43e949e7a1b5471fbf61b0cfa9c465db1
- File size: 517,120 bytes
- File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
- File description: Matanbuchus DLL created from base64 text retrieved by previous Matanbuchus DLL
- Note: Converted from base64 text returned from gammaproject[.]dev/index.aspx, then XOR the bytes with ASCII string FVh6M8Ze
- Run method: Unknown
- SHA256 hash: 5f24b7934a1981d24700049056dca1be14a19db32779a97ca19766f218e47c0f
- File size: 5,308,928 bytes
- File location: hxxps[:]//torontoclub[.]vip/uyegwfgefwg.exe
- File type: PE32 executable (GUI) Intel 80386, for MS Windows
- File description: 32-bit EXE to install Danabot, retrieved by Matanbuchus-infected host.
- SHA256 hash: f4b783cd81ae0eba7234e0a4d14d47c813b0e8c18b1d8eb00eda6d326b8c6fbe
- File size: 10,721,792 bytes
- File location: C:\ProgramData\Hqeyair.dll
- File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- File description: Persistent 64-bit DLL for Danabot on an infected Windows host
- Run method: rundll32 [filename],start
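The note for the second Matanbuchus DLL above says it was recovered by base64-decoding the text returned from gammaproject[.]dev/index.aspx and XORing the bytes with the ASCII string FVh6M8Ze. The Python below is an added analyst example, not code from the original IOC file: it applies that decode to a constructed base64 response and sanity-checks that the result carries a PE header. It assumes the XOR is a repeating-key XOR over the whole buffer, which the note does not spell out.

```python
import base64

# Key the page reports for the second-stage DLL; treated here as a repeating XOR key (an assumption).
XOR_KEY = b"FVh6M8Ze"

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_matanbuchus_payload(b64_text: str, key: bytes = XOR_KEY) -> bytes:
    """Reverse the steps in the note: base64 text -> raw bytes -> XOR with the key."""
    cleaned = "".join(b64_text.split())  # tolerate whitespace between base64 chunks
    return xor_with_key(base64.b64decode(cleaned, validate=True), key)

def looks_like_pe(data: bytes) -> bool:
    """Sanity check on the result: MZ DOS header and a PE signature at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def build_sample_response(payload: bytes, key: bytes = XOR_KEY) -> str:
    """Constructed test input: encode a payload the way the note describes (XOR, then base64)."""
    return base64.b64encode(xor_with_key(payload, key)).decode()

# Constructed stand-in for a DLL: minimal DOS header whose e_lfanew points at a PE signature at 0x40.
SAMPLE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 16

if __name__ == "__main__":
    dll = decode_matanbuchus_payload(build_sample_response(SAMPLE_PE))
    print("decoded payload has a valid PE header:", looks_like_pe(dll))
```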