{ "type": "URL", "indicator": "https://base.yixun.com/iframejump.html", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://base.yixun.com/iframejump.html", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3921343409, "indicator": "https://base.yixun.com/iframejump.html", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6769c9335e6691b76d03c761", "name": "waketagat", "description": "", "modified": "2024-12-23T20:33:55.121000", "created": "2024-12-23T20:33:55.121000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1470, "domain": 31, "hostname": 472, "FileHash-SHA256": 63 }, "indicator_count": 2036, "is_author": false, "is_subscribing": null, "subscriber_count": 177, "modified_text": "481 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ce3eb4b4f1fc9eafb4b572", "name": "DDoS:Linux/Lightaidra | Mirai Botnet on US a State Computer", "description": "*Mirai Botnet on Colorado State computer. Im starting to wonder if potential problem cases are diverted to a botnet.\n1. Overlaps with a Colorado victim. Similar issues. I Recently became a senior in expensive Colorado, never compensated for workers compensation injury exacerbated when suddenly tossed a 60 lb weighted ball under care. Denied diagnoses of severe injury after toss. Complained, case closed, lawyers denied case after accepting case. Referred to JeffCo seeking assisted living resources. Was sent various packets with a variety of phone numbers, email addresses, etc. She keeps speaking to same man no matter what option chosen. Denied workforce training due to severity of injuries, No SSI or SSDI until years later. \n2. I can't pulse half of what I've researched without using multiple resources. No more 'contacted' made when new serious issues found. Pulses being modified. I rarely modify any pulse.", "modified": "2024-09-26T20:01:27.723000", "created": "2024-08-27T21:01:40.251000", "tags": [ "memcommit", "read c", "nospltezraxuf", "writeconsolea", "write", "CVE-2023-22518", "tesla", "ye ye", "incapril", "yed ye", "yet ye", "yexe ye", "security", "search", "function read", "dll read", "installer", "april", "copy", "win32", "template", "creation date", "servers", "passive dns", "urls", "name servers", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "date", "windows", "medium", "shellexecuteexw", "hash", "show", "writeconsolew", "entries", "displayname", "sddl", "service", "august", "malware", "url http", "http", "ip address", "related nids", "files location", "domain", "status", "nxdomain", "whitelisted", "certificate", "backdoor", "record value", "body", "as15133 verizon", "united", "unknown", "mtb aug", "gmt server", "ecacc sed5906", "ransom", "trojan", "high", "cname", "as8075", "ipv4", "files", "asn as55720", "date hash", "default", "delete", "yara detections", "msvisualcpp60", "related pulses", "rootkit", "as16276", "canada unknown", "pulses", "expiration date", "exploit", "showing", "aaaa", "france unknown", "mtb sep", "worm", "msil", "mirai", "as36081 state", "reverse dns", "port", "destination", "south korea", "taiwan as3462", "as4766 korea", "asnone", "japan as17676", "china as4134", "china as4837", "file samples", "files matching", "next", "copyright", "levelblue", "as20940", "as15169 google", "ave suite", "purpose p5", "country united", "code us", "as41231", "united kingdom", "ddos", "sha256", "filehash", "av detections", "location london", "great britain", "gnulinux apt", "yara rule", "ids detections", "top source", "address", "as23969", "thailand" ], "references": [ "In this instance a senior citizen needing assisted living resources redirected & social engineered by addresses originated from: jefferson.co.us", "Noted: Calls redirected, call jumps ahead of 25+ callers in wait, keeps getting same agent, told approved for services never applied for or received", "Exploits: IPv4 20.99.186.246 | 52.109.0.140 | CVE CVE-2023-22518 | Trojans: AgentTesla.KM , Cobalt Strike , Ransom: WannaCrypt , Malware: Dxqo", "Domain Name: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM Emails: BotnetSinkhole@gmail.com", "Emails: abuse@namecheap.com Name: Botnet Sinkhole | Address: Botnet Sinkhole City: Los Angeles Country: USA", "Dnssec:Unsigned | Name Servers | BRUCE.NS.CLOUDFLARE.COM", "Notable: Mirai - 192.70.175.110 Security Operations (DORA?) oit_isocsecurity@state.co.us | state.co.us | Reverse DNS dns1.state.co.us", "Unix.Trojan.Mirai-6976991-0 : FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c", "ELF:Mirai-AII\\ [Trj] | FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "Overlaps: 4 others mailed information email address.", "Ransom:Win32/WannaCrypt.H", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | CVE-2017-0147", "AS36081 State of Colorado General Government Computer", "Yara Detections Mirai_Botnet_Malware Alerts: dead_host network_icmp osquery_detection nolookup_communication", "ELF:Mirai-AII\\ [Trj] | FileHash-SHA256: 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "Detections Executable and linking format (ELF) file download Over HTTP |", "FileHash-SHA256 : 256760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]", "77882 IP\u2019s Contacted: 1.1.69.67 1.10.237.208 1.101.233.31 1.102.46.59 1.103.37.126 1.105.106.252 1.106.108.182 1.106.193.143 1.109.132.165 1.11.116.209", "Domains Contacted: ntp.ubuntu.com | IDS Detections GNU/Linux APT User-Agent Outbound likely related to package management | 91.189.89.198", "Yara Detections: gafgyt IP\u2019s Contacted: 91.189.89.198 Domains Contacted :ntp.ubuntu.com", "FileHash-SHA256: a0f50a7b0f9717589000b3414017bdcfcb9d3f6a3e5e03fe49c4dc8035e0d25c", "Related Domains: townofignacio.com | coloradoagriculture.com | coloradoworkforce.com | coworkforce.com | coloradoccjj.com | dns1.state.co.us", "https://www.rapidinterviews.com/api/jobs/redirect/public-transit-bus-drivers-with-utah-transit-authority-in-stansbury-park-apc-1932", "https://us.thebigjobsite.com/redirectfeedjob?jobid=2A5F97A6BAE0AA90DC418C2119E1E0EB&source=onestepjobsxmlus&utm_source=onestepjobsxmlus&jobSiteK", "redirect.wuxs.icu", "https://a-a.redirector.navexglobal.com/navex_hosting/404.html", "https://engage.navexglobal.com/topclass1/login.do?redirectTo=/expand.do?template=JasperReports&view=library" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Malware.Dxqo-6984072-0", "display_name": "Win.Malware.Dxqo-6984072-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt", "display_name": "Ransom:Win32/WannaCrypt", "target": "/malware/Ransom:Win32/WannaCrypt" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Backdoor:Win32/Fynloski", "display_name": "Backdoor:Win32/Fynloski", "target": "/malware/Backdoor:Win32/Fynloski" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "TELPER:DDoS:Linux/Lightaidra", "display_name": "TELPER:DDoS:Linux/Lightaidra", "target": null } ], "attack_ids": [ { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1009", "name": "Binary Padding", "display_name": "T1009 - Binary Padding" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" } ], "industries": [ "Telecom" ], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 675, "FileHash-SHA1": 664, "FileHash-SHA256": 3327, "URL": 2448, "domain": 656, "hostname": 1281, "email": 11 }, "indicator_count": 9064, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "569 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6694bb9be1b61bf820500004", "name": "YouTube Creator Cyber Attacks | Jays Youtube Bot.exe | YT Botnet", "description": "YouTube Creator account attacks. Critical alerts, botnets, YT bots. I cannot adequately describe attack right now. Retaliation for targets YT channel Song Culture stems from retaliation shortly after a crime against target. Id be interested to learn more. An ITC Intercepter records traffic passed through Song Culture YouTube channel m redirects to other channels. Not reflected in the 1.5 million followers or the 3.2 million views. They just stopped. Then managing director was notified as all of Song Cultures social media Twitter, Instagram, Pinterest succumbed to Emotet attack. Social engineering did occur. Several parties. Alleged eBay , health insurance representatives, an attorney, alleged PI's music managers contacted by phone. A man from Great Britain also began an SE campaign, The strange part is following, confrontations, dangerous attacks, MIB, and other curious in person encounter, critical injuries, financial devastation has caused target to remain isolated.", "modified": "2024-08-14T05:03:59.815000", "created": "2024-07-15T06:03:07.423000", "tags": [ "historical ssl", "referrer", "december", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "highly targeted", "cyber attack", "emotet", "critical", "copy", "united", "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "name server", "date", "hybrid", "general", "click", "strings", "contact", "song culture", "tsara lynn", "culture", "chime sa", "mediawarning", "youtube twitter", "secchuabitness", "secchuamodel", "secchuawow64", "secchuaplatform", "pragma", "form", "hope", "karma", "learn", "suspicious", "flag", "pe resource", "synaptics", "apeaksoft ios", "hiddentear", "urls", "domains", "contacted", "markmonitor", "win32 exe", "parents", "type name", "msrsaapp", "youtube bot", "rar jays", "mozilla firefox", "twitch", "samplename", "rar youtube", "zip youtube", "social bots", "files", "file type", "kb file", "b file", "graph", "get https", "msie", "windows nt", "win64", "slcc2", "media center", "request", "gmt server", "referer https", "amd64 accept", "accept", "code", "rwx memory", "managed code", "calls unmanaged", "native", "often seen", "base64 encrypt", "trojan", "tsara brashears", "red team hacking", "process32nextw", "regsetvalueexa", "regdword", "high", "medium", "objects", "regbinary", "module load", "t1129", "t1060", "crash", "dock", "persistence", "execution", "okhfjrtblzo", "ip check", "windows", "http host", "controlservice", "domain", "registry", "tools", "service", "worm", "malware", "win32", "bits", "read c", "intel", "ms windows", "pe32", "search", "type read", "show", "wow64", "stop", "write", "unknown", "waiting", "push", "next", "asnone united", "aaaa", "united kingdom", "as20738 host", "moved", "passive dns", "default", "delete c", "pe32 executable", "document file", "v2 document", "floodfix", "floxif", "name servers", "susp", "showing", "as55286", "scan endpoints", "all scoreblue", "ransom", "amadey", "songculture", "spreader", "tracey richter", "roberts", "michael roberts", "jays", "sabey", "rexxfield", "darklivity" ], "references": [ "https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe", "https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details", "Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042", "Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze", "https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://freedns.afraid.org/subdomain/edit.php?data_id=21091713", "Ransom: message.htm.com", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception", "Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata", "Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create", "Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan", "https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd", "Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf", "https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1", "FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H", "IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser", "Alerts: stealth_windowcreates_exe suspicious_process exe_appdata", "http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]", "https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg", "https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]", "Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)", "https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "W32.AIDetectMalware.CS", "display_name": "W32.AIDetectMalware.CS", "target": null }, { "id": "Win.Virus.Pioneer-9111434-0", "display_name": "Win.Virus.Pioneer-9111434-0", "target": null }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win32:Renos-KY\\ [Trj]", "display_name": "Win32:Renos-KY\\ [Trj]", "target": null }, { "id": ", Win.Worm.Pykspa-6057105-0", "display_name": ", Win.Worm.Pykspa-6057105-0", "target": null }, { "id": "Worm:Win32/Pykspa.C", "display_name": "Worm:Win32/Pykspa.C", "target": "/malware/Worm:Win32/Pykspa.C" }, { "id": "PUP/Hacktool", "display_name": "PUP/Hacktool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 439, "FileHash-SHA1": 386, "FileHash-SHA256": 2320, "URL": 1873, "domain": 478, "hostname": 839, "SSLCertFingerprint": 9, "email": 7 }, "indicator_count": 6351, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser", "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]", "https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]", "Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf", "IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |", "ELF:Mirai-AII\\ [Trj] | FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "Domain Name: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM Emails: BotnetSinkhole@gmail.com", "ELF:Mirai-AII\\ [Trj] | FileHash-SHA256: 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)", "https://engage.navexglobal.com/topclass1/login.do?redirectTo=/expand.do?template=JasperReports&view=library", "Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan", "Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho", "https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1", "FileHash-SHA256 : 256760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "Detections Executable and linking format (ELF) file download Over HTTP |", "In this instance a senior citizen needing assisted living resources redirected & social engineered by addresses originated from: jefferson.co.us", "Exploits: IPv4 20.99.186.246 | 52.109.0.140 | CVE CVE-2023-22518 | Trojans: AgentTesla.KM , Cobalt Strike , Ransom: WannaCrypt , Malware: Dxqo", "Notable: Mirai - 192.70.175.110 Security Operations (DORA?) oit_isocsecurity@state.co.us | state.co.us | Reverse DNS dns1.state.co.us", "https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe", "Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042", "Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze", "Ransom: message.htm.com", "http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]", "77882 IP\u2019s Contacted: 1.1.69.67 1.10.237.208 1.101.233.31 1.102.46.59 1.103.37.126 1.105.106.252 1.106.108.182 1.106.193.143 1.109.132.165 1.11.116.209", "FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden", "Yara Detections Mirai_Botnet_Malware Alerts: dead_host network_icmp osquery_detection nolookup_communication", "https://us.thebigjobsite.com/redirectfeedjob?jobid=2A5F97A6BAE0AA90DC418C2119E1E0EB&source=onestepjobsxmlus&utm_source=onestepjobsxmlus&jobSiteK", "http://freedns.afraid.org/subdomain/edit.php?data_id=21091713", "Yara Detections: gafgyt IP\u2019s Contacted: 91.189.89.198 Domains Contacted :ntp.ubuntu.com", "https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "AS36081 State of Colorado General Government Computer", "https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg", "Related Domains: townofignacio.com | coloradoagriculture.com | coloradoworkforce.com | coworkforce.com | coloradoccjj.com | dns1.state.co.us", "https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details", "Domains Contacted: ntp.ubuntu.com | IDS Detections GNU/Linux APT User-Agent Outbound likely related to package management | 91.189.89.198", "redirect.wuxs.icu", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://www.rapidinterviews.com/api/jobs/redirect/public-transit-bus-drivers-with-utah-transit-authority-in-stansbury-park-apc-1932", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Noted: Calls redirected, call jumps ahead of 25+ callers in wait, keeps getting same agent, told approved for services never applied for or received", "FileHash-SHA256: a0f50a7b0f9717589000b3414017bdcfcb9d3f6a3e5e03fe49c4dc8035e0d25c", "Overlaps: 4 others mailed information email address.", "https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | CVE-2017-0147", "Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create", "Ransom:Win32/WannaCrypt.H", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates", "https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd", "Emails: abuse@namecheap.com Name: Botnet Sinkhole | Address: Botnet Sinkhole City: Los Angeles Country: USA", "Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "Unix.Trojan.Mirai-6976991-0 : FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H", "Alerts: stealth_windowcreates_exe suspicious_process exe_appdata", "Dnssec:Unsigned | Name Servers | BRUCE.NS.CLOUDFLARE.COM", "https://a-a.redirector.navexglobal.com/navex_hosting/404.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.virus.pioneer-9111434-0", ", win.worm.pykspa-6057105-0", "Telper:ddos:linux/lightaidra", "Emotet", "Backdoor:win32/fynloski", "Pup/hacktool", "Ransom:win32/wannacrypt", "Mirai", "Alf:trojan:msil/agenttesla.km", "Win.trojan.cobaltstrike-9044898-1", "Backdoor.xtreme", "W32.aidetectmalware.cs", "Virus:win32/floxif.h", "Worm:win32/mofksys", "Win32:renos-ky\\ [trj]", "Worm:win32/pykspa.c", "Win.malware.dxqo-6984072-0" ], "industries": [ "Telecom" ], "unique_indicators": 17754 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/yixun.com", "whois": "http://whois.domaintools.com/yixun.com", "domain": "yixun.com", "hostname": "base.yixun.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6769c9335e6691b76d03c761", "name": "waketagat", "description": "", "modified": "2024-12-23T20:33:55.121000", "created": "2024-12-23T20:33:55.121000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1470, "domain": 31, "hostname": 472, "FileHash-SHA256": 63 }, "indicator_count": 2036, "is_author": false, "is_subscribing": null, "subscriber_count": 177, "modified_text": "481 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ce3eb4b4f1fc9eafb4b572", "name": "DDoS:Linux/Lightaidra | Mirai Botnet on US a State Computer", "description": "*Mirai Botnet on Colorado State computer. Im starting to wonder if potential problem cases are diverted to a botnet.\n1. Overlaps with a Colorado victim. Similar issues. I Recently became a senior in expensive Colorado, never compensated for workers compensation injury exacerbated when suddenly tossed a 60 lb weighted ball under care. Denied diagnoses of severe injury after toss. Complained, case closed, lawyers denied case after accepting case. Referred to JeffCo seeking assisted living resources. Was sent various packets with a variety of phone numbers, email addresses, etc. She keeps speaking to same man no matter what option chosen. Denied workforce training due to severity of injuries, No SSI or SSDI until years later. \n2. I can't pulse half of what I've researched without using multiple resources. No more 'contacted' made when new serious issues found. Pulses being modified. I rarely modify any pulse.", "modified": "2024-09-26T20:01:27.723000", "created": "2024-08-27T21:01:40.251000", "tags": [ "memcommit", "read c", "nospltezraxuf", "writeconsolea", "write", "CVE-2023-22518", "tesla", "ye ye", "incapril", "yed ye", "yet ye", "yexe ye", "security", "search", "function read", "dll read", "installer", "april", "copy", "win32", "template", "creation date", "servers", "passive dns", "urls", "name servers", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "date", "windows", "medium", "shellexecuteexw", "hash", "show", "writeconsolew", "entries", "displayname", "sddl", "service", "august", "malware", "url http", "http", "ip address", "related nids", "files location", "domain", "status", "nxdomain", "whitelisted", "certificate", "backdoor", "record value", "body", "as15133 verizon", "united", "unknown", "mtb aug", "gmt server", "ecacc sed5906", "ransom", "trojan", "high", "cname", "as8075", "ipv4", "files", "asn as55720", "date hash", "default", "delete", "yara detections", "msvisualcpp60", "related pulses", "rootkit", "as16276", "canada unknown", "pulses", "expiration date", "exploit", "showing", "aaaa", "france unknown", "mtb sep", "worm", "msil", "mirai", "as36081 state", "reverse dns", "port", "destination", "south korea", "taiwan as3462", "as4766 korea", "asnone", "japan as17676", "china as4134", "china as4837", "file samples", "files matching", "next", "copyright", "levelblue", "as20940", "as15169 google", "ave suite", "purpose p5", "country united", "code us", "as41231", "united kingdom", "ddos", "sha256", "filehash", "av detections", "location london", "great britain", "gnulinux apt", "yara rule", "ids detections", "top source", "address", "as23969", "thailand" ], "references": [ "In this instance a senior citizen needing assisted living resources redirected & social engineered by addresses originated from: jefferson.co.us", "Noted: Calls redirected, call jumps ahead of 25+ callers in wait, keeps getting same agent, told approved for services never applied for or received", "Exploits: IPv4 20.99.186.246 | 52.109.0.140 | CVE CVE-2023-22518 | Trojans: AgentTesla.KM , Cobalt Strike , Ransom: WannaCrypt , Malware: Dxqo", "Domain Name: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM Emails: BotnetSinkhole@gmail.com", "Emails: abuse@namecheap.com Name: Botnet Sinkhole | Address: Botnet Sinkhole City: Los Angeles Country: USA", "Dnssec:Unsigned | Name Servers | BRUCE.NS.CLOUDFLARE.COM", "Notable: Mirai - 192.70.175.110 Security Operations (DORA?) oit_isocsecurity@state.co.us | state.co.us | Reverse DNS dns1.state.co.us", "Unix.Trojan.Mirai-6976991-0 : FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c", "ELF:Mirai-AII\\ [Trj] | FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "Overlaps: 4 others mailed information email address.", "Ransom:Win32/WannaCrypt.H", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | CVE-2017-0147", "AS36081 State of Colorado General Government Computer", "Yara Detections Mirai_Botnet_Malware Alerts: dead_host network_icmp osquery_detection nolookup_communication", "ELF:Mirai-AII\\ [Trj] | FileHash-SHA256: 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "Detections Executable and linking format (ELF) file download Over HTTP |", "FileHash-SHA256 : 256760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]", "77882 IP\u2019s Contacted: 1.1.69.67 1.10.237.208 1.101.233.31 1.102.46.59 1.103.37.126 1.105.106.252 1.106.108.182 1.106.193.143 1.109.132.165 1.11.116.209", "Domains Contacted: ntp.ubuntu.com | IDS Detections GNU/Linux APT User-Agent Outbound likely related to package management | 91.189.89.198", "Yara Detections: gafgyt IP\u2019s Contacted: 91.189.89.198 Domains Contacted :ntp.ubuntu.com", "FileHash-SHA256: a0f50a7b0f9717589000b3414017bdcfcb9d3f6a3e5e03fe49c4dc8035e0d25c", "Related Domains: townofignacio.com | coloradoagriculture.com | coloradoworkforce.com | coworkforce.com | coloradoccjj.com | dns1.state.co.us", "https://www.rapidinterviews.com/api/jobs/redirect/public-transit-bus-drivers-with-utah-transit-authority-in-stansbury-park-apc-1932", "https://us.thebigjobsite.com/redirectfeedjob?jobid=2A5F97A6BAE0AA90DC418C2119E1E0EB&source=onestepjobsxmlus&utm_source=onestepjobsxmlus&jobSiteK", "redirect.wuxs.icu", "https://a-a.redirector.navexglobal.com/navex_hosting/404.html", "https://engage.navexglobal.com/topclass1/login.do?redirectTo=/expand.do?template=JasperReports&view=library" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Malware.Dxqo-6984072-0", "display_name": "Win.Malware.Dxqo-6984072-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt", "display_name": "Ransom:Win32/WannaCrypt", "target": "/malware/Ransom:Win32/WannaCrypt" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Backdoor:Win32/Fynloski", "display_name": "Backdoor:Win32/Fynloski", "target": "/malware/Backdoor:Win32/Fynloski" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "TELPER:DDoS:Linux/Lightaidra", "display_name": "TELPER:DDoS:Linux/Lightaidra", "target": null } ], "attack_ids": [ { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1009", "name": "Binary Padding", "display_name": "T1009 - Binary Padding" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" } ], "industries": [ "Telecom" ], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 675, "FileHash-SHA1": 664, "FileHash-SHA256": 3327, "URL": 2448, "domain": 656, "hostname": 1281, "email": 11 }, "indicator_count": 9064, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "569 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6694bb9be1b61bf820500004", "name": "YouTube Creator Cyber Attacks | Jays Youtube Bot.exe | YT Botnet", "description": "YouTube Creator account attacks. Critical alerts, botnets, YT bots. I cannot adequately describe attack right now. Retaliation for targets YT channel Song Culture stems from retaliation shortly after a crime against target. Id be interested to learn more. An ITC Intercepter records traffic passed through Song Culture YouTube channel m redirects to other channels. Not reflected in the 1.5 million followers or the 3.2 million views. They just stopped. Then managing director was notified as all of Song Cultures social media Twitter, Instagram, Pinterest succumbed to Emotet attack. Social engineering did occur. Several parties. Alleged eBay , health insurance representatives, an attorney, alleged PI's music managers contacted by phone. A man from Great Britain also began an SE campaign, The strange part is following, confrontations, dangerous attacks, MIB, and other curious in person encounter, critical injuries, financial devastation has caused target to remain isolated.", "modified": "2024-08-14T05:03:59.815000", "created": "2024-07-15T06:03:07.423000", "tags": [ "historical ssl", "referrer", "december", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "highly targeted", "cyber attack", "emotet", "critical", "copy", "united", "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "name server", "date", "hybrid", "general", "click", "strings", "contact", "song culture", "tsara lynn", "culture", "chime sa", "mediawarning", "youtube twitter", "secchuabitness", "secchuamodel", "secchuawow64", "secchuaplatform", "pragma", "form", "hope", "karma", "learn", "suspicious", "flag", "pe resource", "synaptics", "apeaksoft ios", "hiddentear", "urls", "domains", "contacted", "markmonitor", "win32 exe", "parents", "type name", "msrsaapp", "youtube bot", "rar jays", "mozilla firefox", "twitch", "samplename", "rar youtube", "zip youtube", "social bots", "files", "file type", "kb file", "b file", "graph", "get https", "msie", "windows nt", "win64", "slcc2", "media center", "request", "gmt server", "referer https", "amd64 accept", "accept", "code", "rwx memory", "managed code", "calls unmanaged", "native", "often seen", "base64 encrypt", "trojan", "tsara brashears", "red team hacking", "process32nextw", "regsetvalueexa", "regdword", "high", "medium", "objects", "regbinary", "module load", "t1129", "t1060", "crash", "dock", "persistence", "execution", "okhfjrtblzo", "ip check", "windows", "http host", "controlservice", "domain", "registry", "tools", "service", "worm", "malware", "win32", "bits", "read c", "intel", "ms windows", "pe32", "search", "type read", "show", "wow64", "stop", "write", "unknown", "waiting", "push", "next", "asnone united", "aaaa", "united kingdom", "as20738 host", "moved", "passive dns", "default", "delete c", "pe32 executable", "document file", "v2 document", "floodfix", "floxif", "name servers", "susp", "showing", "as55286", "scan endpoints", "all scoreblue", "ransom", "amadey", "songculture", "spreader", "tracey richter", "roberts", "michael roberts", "jays", "sabey", "rexxfield", "darklivity" ], "references": [ "https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe", "https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details", "Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042", "Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze", "https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://freedns.afraid.org/subdomain/edit.php?data_id=21091713", "Ransom: message.htm.com", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception", "Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata", "Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create", "Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan", "https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd", "Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf", "https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1", "FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H", "IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser", "Alerts: stealth_windowcreates_exe suspicious_process exe_appdata", "http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]", "https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg", "https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]", "Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)", "https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "W32.AIDetectMalware.CS", "display_name": "W32.AIDetectMalware.CS", "target": null }, { "id": "Win.Virus.Pioneer-9111434-0", "display_name": "Win.Virus.Pioneer-9111434-0", "target": null }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win32:Renos-KY\\ [Trj]", "display_name": "Win32:Renos-KY\\ [Trj]", "target": null }, { "id": ", Win.Worm.Pykspa-6057105-0", "display_name": ", Win.Worm.Pykspa-6057105-0", "target": null }, { "id": "Worm:Win32/Pykspa.C", "display_name": "Worm:Win32/Pykspa.C", "target": "/malware/Worm:Win32/Pykspa.C" }, { "id": "PUP/Hacktool", "display_name": "PUP/Hacktool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 439, "FileHash-SHA1": 386, "FileHash-SHA256": 2320, "URL": 1873, "domain": 478, "hostname": 839, "SSLCertFingerprint": 9, "email": 7 }, "indicator_count": 6351, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://base.yixun.com/iframejump.html", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://base.yixun.com/iframejump.html", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776627826.85017 }