Pulse: BAIJIU: New Malware Abuses Popular Japanese Web Hosting Service
WHITE | DarkHotel | AlienVault | 2017-05-12 | Modified: 2017-07-22 | 41 IOCs (medium volume)
BAIJIU’s goal in this attack was to deploy a set of espionage tools through a downloader we call TYPHOON and a set of backdoors we call LIONROCK. Three distinctive elements of BAIJIU drew and held our attention: the unusual complexity of the attack; the appropriation of web hosting service GeoCities (of 1990s fame); and the use of multiple methods of obfuscation.
Indicators of Compromise (41)