Pulse Detail — Threat Intelligence

PULSE NAME

Securonix Threat Labs Security Advisory: Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware - Securonix

WHITE santravault1 2023-09-08 Modified: 2023-10-08

IOCs

MEDIUM VOLUME

↓ CSV ↓ JSON

Securonix Threat Labs has identified threat actors working as part of DB#JAMMER, a well tooled attack campaign targeting exposed Microsoft SQL databases and sending ransomware payloads to victims across the globe.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1003 T1021 T1046 T1098 T1105 T1110 T1112 T1136 T1219 T1486 T1505 T1562 T1567 T1572 T1573 T1530 T1547 T1187 T1059

MALWARE FAMILIES

Cobalt Strike AnyDesk DB#JAMMER FreeWorld Mimic

Indicators of Compromise (40)

All URL CIDR FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	https://www.ired.team/offensive-security/credential-access-and-credential-dumping/forcing-wdigest-to-store-credentials-in-plaintext	—	2023-09-08
CIDR	127.0.0.0/8	—	2023-09-08
CIDR	169.254.0.0/16	—	2023-09-08
FileHash-MD5	84f8459d96860abfc96aa6f959576b26	MD5 of a3d865789d2bae26726b6169c4639161137aef72044a1c01647c521f09df2e16	2023-09-08
FileHash-MD5	ac34ba84a5054cd701efad5dd14645c9	MD5 of c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e	2023-09-08
FileHash-MD5	c44487ce1827ce26ac4699432d15b42a	MD5 of 4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405	2023-09-08
FileHash-MD5	dbf9675bd273e982ca5de58ac32de399	MD5 of 75975b0c890f804dab19f68d7072f8c04c5fe5162d2a4199448fc0e1ad03690b	2023-09-08
FileHash-SHA1	5e6df45bdc8d4a5f711988672cc43643fb35a876	SHA1 of 75975b0c890f804dab19f68d7072f8c04c5fe5162d2a4199448fc0e1ad03690b	2023-09-08
FileHash-SHA1	8434080fad778057a50607364fee8b481f0feef8	SHA1 of 4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405	2023-09-08
FileHash-SHA1	dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b	SHA1 of c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e	2023-09-08
FileHash-SHA1	f04bf7841ef6517476b9cd7af70762865f486235	SHA1 of a3d865789d2bae26726b6169c4639161137aef72044a1c01647c521f09df2e16	2023-09-08
FileHash-SHA256	08f827a63228d7bcd0d02dd131c1ae29bc1d9c3619be67ea99d8a62440be57ab	—	2023-09-08
FileHash-SHA256	0a2cfffb353b1f14dd696f8e86ea453c49fa3eb35f16e87ff13ecdf875206897	—	2023-09-08
FileHash-SHA256	11259f77f4e477cd066008fbfc7c31d5bbdc9ef708c4b255791ee380999a725c	—	2023-09-08
FileHash-SHA256	2ac044936a922455c80e93f76cc3e2ce539fdab1af65c0703b57177feb5326a6	—	2023-09-08
FileHash-SHA256	2b68fe68104359e1bc044db33b4e88b913e4f5be69da9fd6e87ea59a50311e6e	—	2023-09-08
FileHash-SHA256	2d27f57b4f193a563443acc7fe0cbf611f4ff0f1171fcbdf16c3ecef8f9dbedb	—	2023-09-08
FileHash-SHA256	42396ce27e22be8c2f0620ee61611d7f86dfe9543d2f2e2af3ef5e85613cee32	—	2023-09-08
FileHash-SHA256	4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405	—	2023-09-08
FileHash-SHA256	569e3b6eac58c4e694a000eb534b1f33508a8b5de8a7ad3749c24727cc878f4d	—	2023-09-08
FileHash-SHA256	68ed5f4b4eabd66190ae39b45fff0856fba4b3918b44a6d831a5b9120b48a1e9	—	2023-09-08
FileHash-SHA256	74cc7b9f881ca76ca5b7f7d1760e069731c0e438837e66e78aee0812122cb32d	—	2023-09-08
FileHash-SHA256	75975b0c890f804dab19f68d7072f8c04c5fe5162d2a4199448fc0e1ad03690b	—	2023-09-08
FileHash-SHA256	80bf2731a81c113432f061b397d70cac72d907c39102513abe0f2bae079373e4	—	2023-09-08
FileHash-SHA256	867143a1c945e7006740422972f670055e83cc0a99b3fa71b14deababca927fe	—	2023-09-08
FileHash-SHA256	8937a510446ed36717bb8180e5e4665c0c5d5bc160046a31b28417c86fb1ba0f	—	2023-09-08
FileHash-SHA256	947afaa9cd9c97cabd531541107d9c16885c18df1ad56d97612ddbc628113ab5	—	2023-09-08
FileHash-SHA256	95a73b9fda6a1669e6467dcf3e0d92f964ede58789c65082e0b75adf8d774d66	—	2023-09-08
FileHash-SHA256	9d576cd022301e7b0c07f8640bdeb55e76fa2eb38f23e4b9e49e2cdba5f8422d	—	2023-09-08
FileHash-SHA256	a3d865789d2bae26726b6169c4639161137aef72044a1c01647c521f09df2e16	—	2023-09-08
FileHash-SHA256	bd1c3303d13cadf8bbd6200597e9d365ec3c05f1f48052cd47dcd69e77c94378	—	2023-09-08
FileHash-SHA256	bec3f75f638025a5fe3b8d278856fd273999c49ae7543c109205879b59afc4c3	—	2023-09-08
FileHash-SHA256	c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e	—	2023-09-08
FileHash-SHA256	cc54096fb8867ff6a4f5a5c7bb8cc795881375031eed2c93e815ec49db6f4bff	—	2023-09-08
FileHash-SHA256	cd5a2ec1a95d754ee5189bfee6e1f61c76a0a5ee8173da273e02f24a62faccfa	—	2023-09-08
FileHash-SHA256	e93f3c72a0d605ef0d81e2421cca19534147dba0dded2ee29048b7c2eb11b20a	—	2023-09-08
FileHash-SHA256	f9f6c453da12c8ff16415c9b696c2e7df95a46e9b07455cd129ce586b954870d	—	2023-09-08
FileHash-SHA256	fbc9ba3ba7387c38eb9832213b2d87cf5f9fc2ba557e6fdf23556665ca3ef44a	—	2023-09-08
domain	gelsd.com	—	2023-09-08
hostname	www.ired.team	—	2023-09-08

References (1)

↗ https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/