Pulse Detail — Threat Intelligence

● 0 online

ANALYZING THREAT INTELLIGENCE

PULSE NAME

Lazarus Group: Crime_WannaCry | Crime Mirai_Botnet_Malware

WHITE scoreblue 2024-08-12 Modified: 2024-10-12

5763

IOCs

HIGH VOLUME

↓ CSV ↓ JSON

network orgdnsref nethandle net174 net1740000 mcics swipp swipper jody alaska jody huffines verizon eva120 block id wirelessdatanetwork swipp9-arin united et exploit smbds ipc show search default asnone nids generic query service wannacry ransom malware copy dock write eternalblue recon suspicious realtek sdk miniigd upnp soap command exploit msie windows nt high binbusybox gafgyt execution mirai newremotehost mitm port destination newexternalport newprotocol newinternalport rf cum newenabled addpo addportmapping whois lookups city orgdnshandle stateprov loudoun county postalcode text javascript b file files file type json graph t1064 executes modify system process t1543 systemd service posts mitre att ta0002 command t1059 create ta0004 create ip traffic hashes file system libmultipath devftwdt101 devsda1 devsda2 files deleted e procselffd9 h devsda2 created binsh shell commands binsh binsh binsh c i lo p m0755 varrunsshd processes tree referrer pe resource cry kill formbook ransomworm wannacry kill switch dns password bypass account stealer hiddentear installer skynet get http memory pattern http requests request host cachecontrol response contentlength httponly samesitelax mofresourcename settingswpad registry keys hdaudiomofname acpimofresource mofresource registry kernel context runtime modules modules urls cloudflare domains ip detections country win32 exe mb pe mb graph summary pe32 executable ms windows intel ms visual win16 ne win32 dynamic link library vs98 info compiler products id sp6 build header intel name md5 type language contained r english yara rule et trojan domain http cape yara detections alerts logic status passive dns creation date scan endpoints all scoreblue hostname pulse submit url analysis date next as6167 verizon as22394 verizon showing entries aaaa cname asnone united whitelisted as20446 as8075 ipv4 unknown emails expiration date name servers aaaa nxdomain ireland unknown nxdomain soa nxdomain ns nxdomain a nxdomain as8068 united kingdom domain cve201717215 huawei remote huawei hg532 malware worm exploit none rce ate hash spyware adversary in the middle smugglers gambit hitmen hallrender sreredrum pegasus related brute force target tsara brashears brian sabey

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1031 T1045 T1053 T1060 T1129 T1143 T1158 T1027 T1003 T1059 T1064 T1071 T1082 T1083 T1095 T1518 T1543 T1571 T1140 T1055 T1185 T1557

MALWARE FAMILIES

DDoS:Linux/Gafgyt.YA!MTB Unix.Trojan.Mirai-7100807-0 ELF:Mirai-AHC\ [Trj] Sf:WNCryLdr-A\ [Trj] Ransom:Win32/WannaCrypt.H Win.Ransomware.WannaCry-6313787-0 Mirai

Indicators of Compromise (2 / 5763 total)

All FileHash-SHA256 CIDR URL email hostname FileHash-MD5 FileHash-SHA1 BitcoinAddress domain CVE

TYPE	INDICATOR	DESCRIPTION	CREATED
CIDR	174.192.0.0/11	—	2024-08-12
CIDR	174.192.0.0/10	—	2024-08-12

References (28)

↗ Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks ↗ Highlighted Text: The following text was observed as standard output, "[THEA-MALWARE]: Gimme Cum Pwease XD" ↗ Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e ↗ Antivirus Detections: ELF:Mirai-AHC\ [Trj] , Unix.Trojan.Mirai-7100807-0 , DDoS:Linux/Gafgyt.YA!MTB ↗ IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215) ↗ IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound ↗ Yara Detections: Mirai_Botnet_Malware ↗ High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc ↗ Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope ↗ Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1 ↗ ELF Info Header ELF32 2's complement, little endian 1 (current) UNIX - System V EXEC (Executable file) Intel 80386 0x1 ↗ Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth ↗ Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security ↗ Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth ↗ Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security ↗ https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth ↗ Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256 86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52 ↗ Yara Detections: WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic , ↗ Yara Detections: MS17_010_WanaCry_worm , NHS_Strain_Wanna , stack_string , MS_Visual_Cpp_6_0 ↗ Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http ↗ IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 ↗ IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response) ↗ IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style) ↗ IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags) ↗ IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010 ↗ IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) ↗ IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection ↗ Antivirus Detections Sf:WNCryLdr-A\ [Trj] , Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H