{ "type": "URL", "indicator": "https://yzs.qqdg.ml/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://yzs.qqdg.ml/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3585203337, "indicator": "https://yzs.qqdg.ml/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "671fd3afa974b93284d6bac1", "name": "dragonforce.io", "description": "Throw your MacBook in the trash, where the hackers belong.", "modified": "2024-11-27T17:01:13.516000", "created": "2024-10-28T18:10:55.712000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "column", "tiff", "linus walleij", "triad", "greg roelofs", "html", "daniel quinlan", "aiff", "music", "wave", "formats", "magic", "form", "crunch", "freeze", "maker", "format", "postscript", "this", "ifmodule", "include", "virtualhost", "directory", "require", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "apache", "win32", "example", "main", "webdav", "internet", "mime type", "xlm xla", "xlc xlt", "xlam", "xlsb", "xlsm", "xltm", "z7 z8", "xhtml xht", "addiconbytype", "adddescription", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "full", "minrate500", "keepalive", "prod", "email", "apache http", "server", "timeout", "number", "minimal", "major", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "browsermatch", "davlockdb", "requireany", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "pidfile", "mpms", "threadstacksize", "extendedstatus", "change", "sethandler", "require host", "get information", "allow server", "allow", "userdir sites", "control access", "userdir", "sslsessioncache", "configure", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "first", "refer", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "loadfile c", "proxyhtmllinks", "ascii", "unicode", "windows", "must", "location", "w3c html", "directoryindex", "allowoverride", "manual", "provide access", "options indexes", "files", "removetype tr", "traditionally", "addlanguage da", "addtype", "a facility", "claim", "file", "level error", "sender", "store", "level", "facility", "category", "time", "host", "threadid", "function", "line", "message", "guest", "access", "kernel", "usereventagent", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "use directory", "home autohome", "automounter map", "get home", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "level info", "broadcast", "ignore", "rules", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "limit", "order deny", "authtype", "default require", "require user", "owner", "authkey", "lpadmin", "order", "system", "local", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "group value", "restrict access", "cups", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "host database", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "readline", "error", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "flags", "bcgjnuwz", "d0 j", "ldap defaults", "base dcexample", "uri ldap", "sizelimit", "timelimit", "deref", "syntax", "kerberos", "name", "corba object", "desc", "schema", "openldap", "redistribution", "public license", "license", "collective", "shall not", "ldap", "co llective", "equality", "sup name", "structural must", "singlevalue", "auxiliary must", "auxiliary may", "guid", "desc account", "desc mount", "desc password", "service", "info", "tiger", "multi", "d esc", "rfc1274", "structural may", "quality", "substr caseigno", "corba", "ldap directory", "reserved", "ldap server", "dynamic group", "netscape", "not recommended", "for production", "attribute", "name managedby", "name leaf", "duas", "internetdrafts", "coast", "project", "java object", "java class", "de sc", "pkcs", "inetorgperson", "rfc2798", "signeddata", "smime", "openldap note", "hold", "code", "java", "jndi reference", "jndi", "with syntax", "definitions", "kerberos v", "kdc schema", "oid base", "size", "subclass of", "may contain", "objectclass", "must contain", "matches for", "obsolete", "des c", "abstract must", "sup person", "microsoft", "advanced server", "schema mapping", "netinfo", "config", "groups", "netinfo preset", "crypt", "netinfo rpcs", "rpcs number", "oncrpcnumber", "ipnetmasknumber", "assistant", "may description", "rfc2307", "rfc2252", "match syntax", "openldaproot", "openldaporg", "openldapou", "equal ity", "kind", "rule", "attcertpath", "rolesyntax", "ldif", "blank", "ldap entry", "spaces", "cosine pilot", "directory forum", "password policy", "false", "april", "auxiliary", "passwd", "account", "desc pool", "unix", "structural", "sup rpcentry", "sup container", "abstract may", "sup ipsecbase", "Chelsea Manning Help Me", "Aishah Siti Lazim", "Aishah Lazim", "194 Green Street", "Human Subjects", "cybernetic", "RNA molecule", "matches", "postfix smtp", "domain", "ipv6 host", "reject", "reply", "prior", "bugs", "reject empty", "canonical", "tables", "post", "replace user", "address", "generic", "smtp", "isp mail", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "only", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "path", "beware", "class", "uucp", "shell", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "update", "usrsbin", "file format", "no group", "daemondirectory", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "bashno", "r etcbashrc", "protocol", "ipv6", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "kame", "id key", "specification", "auto exit", "vpn socket", "networkup", "term", "devnull", "common setup", "set command", "sunnet manager", "rpcsrc", "netlicense", "apple", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "auditing", "solaris", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "integer", "array", "data", "state", "opendirectoryd", "ipv4", "plist", "dict", "session", "commcenter", "airport", "cfbasichash", "thread", "cfrunloop", "cfrunloopmode", "usrbinsudo", "usrsbinnetbiosd", "removed" ], "references": [ "afpovertcp.cfg", "aliases", "magic", "httpd.conf", "mime.types", "httpd-autoindex.conf", "httpd-default.conf", "httpd-languages.conf", "httpd-dav.conf", "httpd-multilang-errordoc.conf", "httpd-mpm.conf", "httpd-info.conf", "httpd-userdir.conf", "httpd-ssl.conf", "httpd-vhosts.conf", "proxy-html.conf", "httpd-manual.conf", "php7.conf", "mpm.conf", "com.apple.eventmonitor", "com.apple.authd", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.install", "com.apple.coreduetd", "com.apple.login.guest", "com.apple.mkb", "com.apple.mail", "com.apple.MessageTracer", "com.apple.mkb.internal", "com.apple.iokit.power", "com.apple.performance", "com.apple.networking.boringssl", "auto_master", "auto_home", "bashrc", "asl.conf", "autofs.conf", "bashrc_Apple_Terminal", "csh.cshrc", "csh.logout", "com.apple.screensharing.agent.launchd", "csh.login", "cupsd.conf", "cups-files.conf.default", "cupsd.conf.O", "cupsd.conf.default", "cups-files.conf", "snmp.conf", "snmp.conf.default", "dragonforce.io", "find.codes", "ftpusers", "hosts.equiv", "gettytab", "hosts", "kern_loader.conf", "irbrc", "locate.rc", "mail.rc", "group", "man.conf", "networks", "manpaths", "newsyslog.conf", "com.apple.slapconfig.conf", "files.conf", "com.apple.xscertd.conf", "wifi.conf", "com.apple.slapd.conf", "nfs.conf", "ntp.conf", "notify.conf", "ntp_opendirectory.conf", "AppleOpenLDAP.plist", "ldap.conf", "ldap.conf.default", "apple_auxillary.schema", "corba.ldif", "collective.schema", "collective.ldif", "core.ldif", "apple.schema", "cosine.ldif", "core.schema", "corba.schema", "duaconf.ldif", "dyngroup.ldif", "fmserver.schema", "duaconf.schema", "java.ldif", "inetorgperson.schema", "inetorgperson.ldif", "java.schema", "krb5-kdc.schema", "cosine.schema", "misc.ldif", "microsoft.std.schema", "misc.schema", "netinfo.schema", "nis.schema", "nis.ldif", "openldap.schema", "dyngroup.schema", "pmi.ldif", "ppolicy.ldif", "pmi.schema", "openldap.ldif", "README", "ppolicy.schema", "samba.schema", "microsoft.schema", "access", "custom_header_checks", "canonical", "generic", "bounce.cf.default", "header_checks", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "master.cf", "main.cf.proto", "master.cf.proto", "postfix-files", "relocated", "TLS_LICENSE", "virtual", "main.cf.default", "transport", "profile", "protocols", "racoon.conf", "rmtab", "rc.common", "rpc", "rtadvd.conf", "rc.netboot", "audit_class", "audit_warn", "audit_event", "audit_control" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bahrain", "Israel", "India" ], "malware_families": [ { "id": "DirectoryIndex", "display_name": "DirectoryIndex", "target": null }, { "id": "AllowOverride", "display_name": "AllowOverride", "target": null }, { "id": "Malaysia, Truly Asia", "display_name": "Malaysia, Truly Asia", "target": null }, { "id": "9002 RAT", "display_name": "9002 RAT", "target": null }, { "id": "Virus:DOS/PSMPC_386", "display_name": "Virus:DOS/PSMPC_386", "target": "/malware/Virus:DOS/PSMPC_386" }, { "id": "TEL:TrojanSpy:Win32/KediRat", "display_name": "TEL:TrojanSpy:Win32/KediRat", "target": null }, { "id": "TrojanSpy:iOS/XcodeGhost", "display_name": "TrojanSpy:iOS/XcodeGhost", "target": "/malware/TrojanSpy:iOS/XcodeGhost" }, { "id": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "display_name": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "target": null }, { "id": "Ultra VNC", "display_name": "Ultra VNC", "target": null }, { "id": "TrojanDownloader:Win32/Bridge", "display_name": "TrojanDownloader:Win32/Bridge", "target": "/malware/TrojanDownloader:Win32/Bridge" }, { "id": "Virus:DOS/Cyberwar_5300", "display_name": "Virus:DOS/Cyberwar_5300", "target": "/malware/Virus:DOS/Cyberwar_5300" }, { "id": "Backdoor:Win32/Espion", "display_name": "Backdoor:Win32/Espion", "target": "/malware/Backdoor:Win32/Espion" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:BackdoorLinux/Mirai", "display_name": "ALF:HeraklezEval:BackdoorLinux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1026", "name": "Multiband Communication", "display_name": "T1026 - Multiband Communication" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Media", "LGBTQ+ Activists", "Technology", "Telecommunications", "Hospitality", "Energy", "NGO", "Semiconductor", "Human Subjects" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 669, "URL": 1976, "email": 21, "hostname": 1198, "FileHash-SHA256": 277, "CVE": 2, "CIDR": 3 }, "indicator_count": 4146, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "671fd3b07ffb71116f2db7fa", "name": "dragonforce.io", "description": "Throw your MacBook in the trash, where the hackers belong.", "modified": "2024-11-27T17:01:13.516000", "created": "2024-10-28T18:10:56.355000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "column", "tiff", "linus walleij", "triad", "greg roelofs", "html", "daniel quinlan", "aiff", "music", "wave", "formats", "magic", "form", "crunch", "freeze", "maker", "format", "postscript", "this", "ifmodule", "include", "virtualhost", "directory", "require", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "apache", "win32", "example", "main", "webdav", "internet", "mime type", "xlm xla", "xlc xlt", "xlam", "xlsb", "xlsm", "xltm", "z7 z8", "xhtml xht", "addiconbytype", "adddescription", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "full", "minrate500", "keepalive", "prod", "email", "apache http", "server", "timeout", "number", "minimal", "major", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "browsermatch", "davlockdb", "requireany", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "pidfile", "mpms", "threadstacksize", "extendedstatus", "change", "sethandler", "require host", "get information", "allow server", "allow", "userdir sites", "control access", "userdir", "sslsessioncache", "configure", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "first", "refer", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "loadfile c", "proxyhtmllinks", "ascii", "unicode", "windows", "must", "location", "w3c html", "directoryindex", "allowoverride", "manual", "provide access", "options indexes", "files", "removetype tr", "traditionally", "addlanguage da", "addtype", "a facility", "claim", "file", "level error", "sender", "store", "level", "facility", "category", "time", "host", "threadid", "function", "line", "message", "guest", "access", "kernel", "usereventagent", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "use directory", "home autohome", "automounter map", "get home", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "level info", "broadcast", "ignore", "rules", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "limit", "order deny", "authtype", "default require", "require user", "owner", "authkey", "lpadmin", "order", "system", "local", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "group value", "restrict access", "cups", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "host database", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "readline", "error", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "flags", "bcgjnuwz", "d0 j", "ldap defaults", "base dcexample", "uri ldap", "sizelimit", "timelimit", "deref", "syntax", "kerberos", "name", "corba object", "desc", "schema", "openldap", "redistribution", "public license", "license", "collective", "shall not", "ldap", "co llective", "equality", "sup name", "structural must", "singlevalue", "auxiliary must", "auxiliary may", "guid", "desc account", "desc mount", "desc password", "service", "info", "tiger", "multi", "d esc", "rfc1274", "structural may", "quality", "substr caseigno", "corba", "ldap directory", "reserved", "ldap server", "dynamic group", "netscape", "not recommended", "for production", "attribute", "name managedby", "name leaf", "duas", "internetdrafts", "coast", "project", "java object", "java class", "de sc", "pkcs", "inetorgperson", "rfc2798", "signeddata", "smime", "openldap note", "hold", "code", "java", "jndi reference", "jndi", "with syntax", "definitions", "kerberos v", "kdc schema", "oid base", "size", "subclass of", "may contain", "objectclass", "must contain", "matches for", "obsolete", "des c", "abstract must", "sup person", "microsoft", "advanced server", "schema mapping", "netinfo", "config", "groups", "netinfo preset", "crypt", "netinfo rpcs", "rpcs number", "oncrpcnumber", "ipnetmasknumber", "assistant", "may description", "rfc2307", "rfc2252", "match syntax", "openldaproot", "openldaporg", "openldapou", "equal ity", "kind", "rule", "attcertpath", "rolesyntax", "ldif", "blank", "ldap entry", "spaces", "cosine pilot", "directory forum", "password policy", "false", "april", "auxiliary", "passwd", "account", "desc pool", "unix", "structural", "sup rpcentry", "sup container", "abstract may", "sup ipsecbase", "Chelsea Manning Help Me", "Aishah Siti Lazim", "Aishah Lazim", "194 Green Street", "Human Subjects", "cybernetic", "RNA molecule", "matches", "postfix smtp", "domain", "ipv6 host", "reject", "reply", "prior", "bugs", "reject empty", "canonical", "tables", "post", "replace user", "address", "generic", "smtp", "isp mail", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "only", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "path", "beware", "class", "uucp", "shell", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "update", "usrsbin", "file format", "no group", "daemondirectory", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "bashno", "r etcbashrc", "protocol", "ipv6", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "kame", "id key", "specification", "auto exit", "vpn socket", "networkup", "term", "devnull", "common setup", "set command", "sunnet manager", "rpcsrc", "netlicense", "apple", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "auditing", "solaris", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "integer", "array", "data", "state", "opendirectoryd", "ipv4", "plist", "dict", "session", "commcenter", "airport", "cfbasichash", "thread", "cfrunloop", "cfrunloopmode", "usrbinsudo", "usrsbinnetbiosd", "removed" ], "references": [ "afpovertcp.cfg", "aliases", "magic", "httpd.conf", "mime.types", "httpd-autoindex.conf", "httpd-default.conf", "httpd-languages.conf", "httpd-dav.conf", "httpd-multilang-errordoc.conf", "httpd-mpm.conf", "httpd-info.conf", "httpd-userdir.conf", "httpd-ssl.conf", "httpd-vhosts.conf", "proxy-html.conf", "httpd-manual.conf", "php7.conf", "mpm.conf", "com.apple.eventmonitor", "com.apple.authd", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.install", "com.apple.coreduetd", "com.apple.login.guest", "com.apple.mkb", "com.apple.mail", "com.apple.MessageTracer", "com.apple.mkb.internal", "com.apple.iokit.power", "com.apple.performance", "com.apple.networking.boringssl", "auto_master", "auto_home", "bashrc", "asl.conf", "autofs.conf", "bashrc_Apple_Terminal", "csh.cshrc", "csh.logout", "com.apple.screensharing.agent.launchd", "csh.login", "cupsd.conf", "cups-files.conf.default", "cupsd.conf.O", "cupsd.conf.default", "cups-files.conf", "snmp.conf", "snmp.conf.default", "dragonforce.io", "find.codes", "ftpusers", "hosts.equiv", "gettytab", "hosts", "kern_loader.conf", "irbrc", "locate.rc", "mail.rc", "group", "man.conf", "networks", "manpaths", "newsyslog.conf", "com.apple.slapconfig.conf", "files.conf", "com.apple.xscertd.conf", "wifi.conf", "com.apple.slapd.conf", "nfs.conf", "ntp.conf", "notify.conf", "ntp_opendirectory.conf", "AppleOpenLDAP.plist", "ldap.conf", "ldap.conf.default", "apple_auxillary.schema", "corba.ldif", "collective.schema", "collective.ldif", "core.ldif", "apple.schema", "cosine.ldif", "core.schema", "corba.schema", "duaconf.ldif", "dyngroup.ldif", "fmserver.schema", "duaconf.schema", "java.ldif", "inetorgperson.schema", "inetorgperson.ldif", "java.schema", "krb5-kdc.schema", "cosine.schema", "misc.ldif", "microsoft.std.schema", "misc.schema", "netinfo.schema", "nis.schema", "nis.ldif", "openldap.schema", "dyngroup.schema", "pmi.ldif", "ppolicy.ldif", "pmi.schema", "openldap.ldif", "README", "ppolicy.schema", "samba.schema", "microsoft.schema", "access", "custom_header_checks", "canonical", "generic", "bounce.cf.default", "header_checks", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "master.cf", "main.cf.proto", "master.cf.proto", "postfix-files", "relocated", "TLS_LICENSE", "virtual", "main.cf.default", "transport", "profile", "protocols", "racoon.conf", "rmtab", "rc.common", "rpc", "rtadvd.conf", "rc.netboot", "audit_class", "audit_warn", "audit_event", "audit_control" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bahrain", "Israel", "India" ], "malware_families": [ { "id": "DirectoryIndex", "display_name": "DirectoryIndex", "target": null }, { "id": "AllowOverride", "display_name": "AllowOverride", "target": null }, { "id": "Malaysia, Truly Asia", "display_name": "Malaysia, Truly Asia", "target": null }, { "id": "9002 RAT", "display_name": "9002 RAT", "target": null }, { "id": "Virus:DOS/PSMPC_386", "display_name": "Virus:DOS/PSMPC_386", "target": "/malware/Virus:DOS/PSMPC_386" }, { "id": "TEL:TrojanSpy:Win32/KediRat", "display_name": "TEL:TrojanSpy:Win32/KediRat", "target": null }, { "id": "TrojanSpy:iOS/XcodeGhost", "display_name": "TrojanSpy:iOS/XcodeGhost", "target": "/malware/TrojanSpy:iOS/XcodeGhost" }, { "id": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "display_name": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "target": null }, { "id": "Ultra VNC", "display_name": "Ultra VNC", "target": null }, { "id": "TrojanDownloader:Win32/Bridge", "display_name": "TrojanDownloader:Win32/Bridge", "target": "/malware/TrojanDownloader:Win32/Bridge" }, { "id": "Virus:DOS/Cyberwar_5300", "display_name": "Virus:DOS/Cyberwar_5300", "target": "/malware/Virus:DOS/Cyberwar_5300" }, { "id": "Backdoor:Win32/Espion", "display_name": "Backdoor:Win32/Espion", "target": "/malware/Backdoor:Win32/Espion" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:BackdoorLinux/Mirai", "display_name": "ALF:HeraklezEval:BackdoorLinux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1026", "name": "Multiband Communication", "display_name": "T1026 - Multiband Communication" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Media", "LGBTQ+ Activists", "Technology", "Telecommunications", "Hospitality", "Energy", "NGO", "Semiconductor", "Human Subjects" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 669, "URL": 1976, "email": 21, "hostname": 1198, "FileHash-SHA256": 277, "CVE": 2, "CIDR": 3 }, "indicator_count": 4146, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6687495ad1e4ef814ec26c75", "name": "Remote Network Attack | JakyllHyde: Malicious Keyword Tool Index | Sabey Data Centers", "description": "Research shows compromise originated from Sabey Data Centers. High Priority 'Malicious' \nRemotely connects to victim network is injection,", "modified": "2024-09-05T06:26:17.295000", "created": "2024-07-05T01:16:10.251000", "tags": [ "read c", "get na", "sthubei", "otaokexing", "unknown", "write c", "outaokexing", "cntaokexing", "ms windows", "pe32", "win64", "write", "next", "win32", "malware", "copy", "keyword tool", "historical ssl", "referrer", "vs2010", "file", "sections", "signature", "file version", "windows system", "internal name", "version", "portable", "info compiler", "analyzer paste", "iocs", "url https", "samples", "cisco umbrella", "site", "safe site", "alexa top", "million", "heur", "malware site", "malicious site", "iframe", "alexa", "deepscan", "crack", "fusioncore", "cleaner", "riskware", "jakyllhyde", "china unknown", "asnone china", "cname", "as4812 china", "as4134 chinanet", "date", "moved", "search", "status", "body", "as4837 china", "bad request", "passive dns", "gmt content", "type", "scan endpoints", "all scoreblue", "twitter", "trojan", "urls", "machinename", "alibaba cloud", "computing", "beijing", "domains", "contacted", "ip detections", "country", "files", "file type", "signals mutexes", "local", "localc", "mutexes", "as31122 digiweb", "ireland unknown", "a domains", "gmt server", "pulse pulses", "pragma", "ipv4", "apache", "get http", "request", "host", "accept", "response", "date mon", "http requests", "connection", "server", "pluginrun", "ip traffic", "hashes", "user", "dns resolutions", "ff ff", "lowdatetime", "mofresourcename", "portclsmof", "hdaudiomofname", "processorwmi", "acpimofresource", "mofresource", "registry keys", "counter", "files written", "files dropped", "registry", "samplepath", "windir", "created c", "shell commands", "monitor", "arg0", "tree", "synchronization", "yara signature", "match", "thor apt", "scanner rule", "livehunt", "ruletype", "rule feed", "rulelink", "microsoft", "ruleauthor", "backdoor", "injection", "sabey data centers", "vbs", "remote attack", "extreme targeting", "116.207.118.87", "192.168.56.103", "linux", "locate linux deployed", "track", "tracking", "track all devices", "android", "apple", "apple webkit" ], "references": [ "Win32/JakyllHyde - RUNDLL32.EXE FileHash-SHA1 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17", "Found in a malicious keyword index: http://m.xiang5.com/keyword/17655.html&htE5-: Family", "IDS Detections: Win32/JakyllHyde C2 Activity Win32/JakyllHyde C2 Activity M2 PE EXE or DLL Windows file download HTTP", "Alerts: dead_host injection_runpe network_icmp allocates_execute_remote_process disables_proxy injection_modifies_memory modifies_proxy_wpad", "Alerts: origin_langid multiple_useragents process_interest recon_beacon injection_resumethread antivm_vmware_in_instruction dumped_buffer network_bind network_http allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Trojan:Win32/JakyllHyde: CnC IP's -183.95.89.203 116.211.100.182 Exploit Source: IPv4 116.207.118.87 163.171.134.109", "Trojan:Win32/JakyllHyde: FileHash-SHA256 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 37a641988cfb33066c12b68b23bec0623e3d0715d21d6e3b7304bdd7238c8790 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 002d9916a54c7ea70c931dca29c0a4500020d8040b9e446a5472b9089c29c8bc - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 440165588e14516e1ef13b6240aad27a0e8c49744c8383590425b3cc9d7f23f1 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 47d9e427da3dfe5253d0047c40fb773db59dbccb0ff650e86ce7490b2c520c2d - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 7512f88162744b57efd14cc5fb98bc7cf5588fa25c218a1e92fe8048932450a8 -trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 0c795954123ebf1806cdafef2b66322f8d40d3ac - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f971b96cd514dc62a43b51f32e3a440fe3e0c6d4 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 732198087c6a88afa356ea729bd3b8bb16c41901 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f02ebf4d8955c363d615a53cc44b048d75b7cefb - adware", "Trojan:Win32/JakyllHyde: FileHash-SHA1 800c8a5f93b04d6c5dc491ab582cd75165918f5f - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 b45c02987811425c672f56e011f394f94cc29a7b - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 be97e5638139ee689312e23022d2e55e58d123c6 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 0dd69941b0f01d1ee4d49c228f832bed - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 2f237a35379a5fa46168e3a01667f32c - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 35fc2b92d534f652ffe4ec3cbc3347b6 - adware", "Trojan:Win32/JakyllHyde: FileHash-MD5: 4d4cd0582109e110967bce75534031ed -trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 8eeda8077a13f12aa72c8b7b5f457734 -trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: d6d906a1c4061d3f41053b4548c7ea69 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: fa7d0ef6c2c634e4f0e890c3d5b4cf4f - trojan", "YARA Signature Match - THOR APT Scanner: RULE_TYPE: Valhalla Rule Feed Only \u26a1", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "DESCRIPTION: Detects malformed Microsoft copyright statements in executables RULE_AUTHOR: Florian Roth", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/ RULE_AUTHOR: Florian Roth", "#copyright #statements #malformed_copyright_statements", "ETPRO MALWARE Win32/JakyllHyde C2: https://www.joesandbox.com/analysis/754158/0/html", "Snort IDS: 2836073 ETPRO MALWARE Win32/JakyllHyde C2 Activity 192.168.2.3:49698 ->", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET TROJAN W32/Witch.3FA0!tr CnC Actiivty M2 - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "System process connects to network (likely due to code injection or exploit)", "Snort IDS alert for network traffic | Detected VMProtect packer", "W32/Witch.3FA0!tr: FileHash-MD5 38be6c6b799140f435bc1b1d42275d7c", "W32/Witch.3FA0!tr: FileHash-SHA1 13ed578302cc1f302a8a9df9308859486aeb4d0b", "W32/Witch.3FA0!tr: 601928c4508162aed7491ea4995eca7361be6faeac3c06ee5fc5302e686e26448", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.cs", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.css", "http://tuijian.adhei.com/douyu/v /encrypt/gamebox_m.css", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+U;+Android+4.3.1;+en-us;+GT-I8190+Build/JZO54K)+AppleWebKit/534.30+", "http://57d7.zhanyu66.com/air.thinlinuxforandroid.apk", "http://sdk.1rtb.com/sdk/req_ad?app_package=com.scpp.plus&device_type=1&device_adid=92841014150fc3fd&device_geo_lat=&app_name=%E8%B", "http://ssp.1rtb.com/tracker?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)", "https://simulator-api.666phonemanager.com/advert/gamebox_winpop/online", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "China", "Hong Kong", "Singapore" ], "malware_families": [ { "id": "Trojan:Win32/JakyllHyde", "display_name": "Trojan:Win32/JakyllHyde", "target": "/malware/Trojan:Win32/JakyllHyde" }, { "id": "SecuriteInfo.com.Trojan.GenericKD.32885218.16582.30886.dll", "display_name": "SecuriteInfo.com.Trojan.GenericKD.32885218.16582.30886.dll", "target": null }, { "id": "W32/Witch.3FA0!tr", "display_name": "W32/Witch.3FA0!tr", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1037.001", "name": "Logon Script (Windows)", "display_name": "T1037.001 - Logon Script (Windows)" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 682, "FileHash-SHA1": 327, "FileHash-SHA256": 2911, "SSLCertFingerprint": 4, "URL": 13039, "domain": 1038, "hostname": 2764, "email": 2, "CVE": 2 }, "indicator_count": 20769, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "635 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6558c481715409563073cb79", "name": "Fraud Services", "description": "http://kramtechnology.com/, fraud services, network, rat, trojan, phishing, malvertizing, malware hosting, scanning host, archives browser events.", "modified": "2023-12-18T05:05:36.760000", "created": "2023-11-18T14:04:48.923000", "tags": [ "methodpost", "dropped", "contacted", "ssl certificate", "whois record", "zva8k4ghshhpcb5", "contacted urls", "q0gpyr1balpdgpo", "historical ssl", "page dow", "blacklist http", "cisco umbrella", "site", "alexa top", "safe site", "million", "paypal", "team phishing", "malicious url", "alexa", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "malware", "united", "passive dns", "scan endpoints", "all search", "otx octoseek", "ipv4", "pulse pulses", "urls", "files", "reverse dns", "twitter", "log id", "gmtn", "sectigo rsa", "secure server", "tls web", "salford", "sectigo limited", "ocsp", "false", "california", "british virgin", "locality", "d3 a5", "url http" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14816, "FileHash-MD5": 41, "FileHash-SHA1": 33, "FileHash-SHA256": 5158, "domain": 3758, "hostname": 2961, "email": 4, "SSLCertFingerprint": 3, "CVE": 3 }, "indicator_count": 26777, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a958f96f9b29641ea020", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-12-06T17:03:20.219000", "created": "2023-12-06T17:03:20.219000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 17, "FileHash-SHA256": 3730, "hostname": 1052, "domain": 446, "URL": 2806, "FileHash-MD5": 173, "FileHash-SHA1": 168, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a927b24b94cdd5d344d1", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-12-06T17:02:31.854000", "created": "2023-12-06T17:02:31.854000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 17, "FileHash-SHA256": 3730, "hostname": 1052, "domain": 446, "URL": 2806, "FileHash-MD5": 173, "FileHash-SHA1": 168, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652b2a50c4487060d52346fd", "name": "Fitbit app link IoC's", "description": "Critical. Fitbit download link found in Google search results.\n[https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile]\n\nBlackNET is a Remote Access Trojan (RAT) - Advanced Windows Botnet.\nCapabilities: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. \n\nOpenCandy , PUP\nCapabilities: Browser home page hijacker, installs unwanted toolbars, plug-ins, and extensions to web browsers, collects information, user\u2019s surfing habits, distribution to third parties without user consent.\n\nProcess Injection: Privilege escalation adversaries use to inject arbitrary code.", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-14T23:54:55.973000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "931 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652b2a8048e6a285461c4a5d", "name": "Fitbit app link IoC's", "description": "Critical. Fitbit download link found in Google search results.\n[https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile]\n\nBlackNET is a Remote Access Trojan (RAT) - Advanced Windows Botnet.\nCapabilities: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. \n\nOpenCandy , PUP\nCapabilities: Browser home page hijacker, installs unwanted toolbars, plug-ins, and extensions to web browsers, collects information, user\u2019s surfing habits, distribution to third parties without user consent.\n\nProcess Injection: Privilege escalation adversaries use to inject arbitrary code.", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-14T23:55:42.972000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "931 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f147a7e55dd916fe9e3e2", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-30T02:27:06.140000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "652b2a8048e6a285461c4a5d", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "931 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63f16ce668c75c5ec1148e7b", "name": "http://vinyldevicepop.com", "description": "The Falcon Sandbox malware analysis service is available to download, view and download all the data on the Falcon website, including the full report on how to identify and identify the malware and tactics behind the attack.", "modified": "2023-03-21T00:02:57.765000", "created": "2023-02-19T00:27:18.058000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "localappdata", "unicode", "hash seen", "size", "runtime process", "sha256", "sha1", "temp", "entropy", "suspicious", "hybrid", "close", "click", "ransomware", "february", "general", "strings" ], "references": [ "https://hybrid-analysis.com/sample/a575cf06662eb0972d9d0e5286382ca909ac3d4db893153ac13242e626304b1f/63f0cc25c94909360712d453" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "hostname": 38, "domain": 10, "FileHash-SHA256": 62, "FileHash-MD5": 50, "FileHash-SHA1": 49 }, "indicator_count": 307, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63dc196ce1e419aca95e3a87", "name": "#039;http://147.75.3.myip.cloud.infn.it/' TS=100/100 is xip.io", "description": "", "modified": "2023-03-04T00:03:25.234000", "created": "2023-02-02T20:13:32.980000", "tags": [ "vxstream", "trojan", "apt", "runtime data", "ansi", "runtime process", "sha256", "unicode", "localappdata", "date", "entropy", "close", "click", "ransomware" ], "references": [ "https://hybrid-analysis.com/sample/172ffc5c288f7a241eac43d0d98143d91bc45fb17fce1c0788b4caf462a124d1/63dbfcceab5f780bd5536d3c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "hostname": 41, "domain": 9, "FileHash-SHA256": 84, "FileHash-MD5": 61, "FileHash-SHA1": 60 }, "indicator_count": 353, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1186 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63994429139dc965346ecad6", "name": "think of it like supply chain but using consumer infrastructure instead of corp data", "description": "[object Object", "modified": "2023-01-13T00:01:55.237000", "created": "2022-12-14T03:34:01.804000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "localappdata", "unicode", "hash seen", "size", "runtime process", "temp", "sha256", "sha1", "hybrid", "close", "click", "hosts", "ransomware", "general", "strings", "suspicious", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://hybrid-analysis.com/sample/5e5db92f90d6ccdd7dc1eca0c1a9cd6b54493e873d07c90f72da6478ac5f24cb", "https://hybrid-analysis.com/sample/5e5db92f90d6ccdd7dc1eca0c1a9cd6b54493e873d07c90f72da6478ac5f24cb/6398ed7852c7e131d0022430" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 576, "hostname": 282, "domain": 51, "FileHash-SHA256": 85, "FileHash-MD5": 51, "FileHash-SHA1": 50, "email": 2 }, "indicator_count": 1097, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "636a217526898c071749bd0a", "name": "https://ws.batch.com/a/1.15.2/tr/598066D72A5454EC66758407DF4A1", "description": "", "modified": "2022-12-08T09:02:19.931000", "created": "2022-11-08T09:29:25.441000", "tags": [ "runtime data", "size", "runtime process", "copy md5", "copy sha1", "copy sha256", "sha1", "ansi", "seen", "sha256", "strings", "hybrid", "general", "click", "hosts" ], "references": [ "This website uses cookies to enhance your browsing experience. Please note that by continuing to use this site you consent to the terms of our Data Protection Policy. ACCEPT Logo Sandbox Quick Scans File Collections Resources Request Info More no specific threat AV Detection: Marked as clean Link Twitter E-Mail https://ws.batch.com/a/1.15.2/tr/598066D72A5454EC66758407DF4A14 This report is generated from a file or URL submitted to this webservice on November 7th 2022 20:48:50 (UTC) and actio" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 229, "hostname": 136, "domain": 58, "FileHash-SHA256": 367, "FileHash-MD5": 49, "FileHash-SHA1": 49 }, "indicator_count": 888, "is_author": false, "is_subscribing": null, "subscriber_count": 392, "modified_text": "1272 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "com.apple.mkb.internal", "httpd-default.conf", "nis.schema", "collective.ldif", "Trojan:Win32/JakyllHyde: CnC IP's -183.95.89.203 116.211.100.182 Exploit Source: IPv4 116.207.118.87 163.171.134.109", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.css", "pmi.schema", "ldap.conf", "netinfo.schema", "rc.netboot", "java.schema", "generic", "TLS_LICENSE", "http://57d7.zhanyu66.com/air.thinlinuxforandroid.apk", "ntp_opendirectory.conf", "README", "main.cf.proto", "makedefs.out", "This website uses cookies to enhance your browsing experience. Please note that by continuing to use this site you consent to the terms of our Data Protection Policy. ACCEPT Logo Sandbox Quick Scans File Collections Resources Request Info More no specific threat AV Detection: Marked as clean Link Twitter E-Mail https://ws.batch.com/a/1.15.2/tr/598066D72A5454EC66758407DF4A14 This report is generated from a file or URL submitted to this webservice on November 7th 2022 20:48:50 (UTC) and actio", "DESCRIPTION: Detects malformed Microsoft copyright statements in executables RULE_AUTHOR: Florian Roth", "racoon.conf", "YARA Signature Match - THOR APT Scanner: RULE_TYPE: Valhalla Rule Feed Only \u26a1", "cosine.ldif", "collective.schema", "nfs.conf", "W32/Witch.3FA0!tr: FileHash-MD5 38be6c6b799140f435bc1b1d42275d7c", "afpovertcp.cfg", "networks", "transport", "fmserver.schema", "audit_class", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "Trojan:Win32/JakyllHyde: FileHash-MD5: 35fc2b92d534f652ffe4ec3cbc3347b6 - adware", "com.apple.coreduetd", "com.apple.mail", "W32/Witch.3FA0!tr: FileHash-SHA1 13ed578302cc1f302a8a9df9308859486aeb4d0b", "inetorgperson.ldif", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+U;+Android+4.3.1;+en-us;+GT-I8190+Build/JZO54K)+AppleWebKit/534.30+", "com.apple.login.guest", "Trojan:Win32/JakyllHyde: FileHash-SHA1 b45c02987811425c672f56e011f394f94cc29a7b - trojan", "access", "core.schema", "ppolicy.ldif", "Snort IDS alert for network traffic | Detected VMProtect packer", "com.apple.contacts.ContactsAutocomplete", "csh.login", "httpd.conf", "rc.common", "Win32/JakyllHyde - RUNDLL32.EXE FileHash-SHA1 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17", "snmp.conf", "rtadvd.conf", "audit_warn", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0", "Trojan:Win32/JakyllHyde: FileHash-SHA1 0c795954123ebf1806cdafef2b66322f8d40d3ac - trojan", "manpaths", "microsoft.std.schema", "duaconf.ldif", "csh.logout", "com.apple.networking.boringssl", "dyngroup.schema", "ppolicy.schema", "corba.schema", "#copyright #statements #malformed_copyright_statements", "Found in a malicious keyword index: http://m.xiang5.com/keyword/17655.html&htE5-: Family", "Trojan:Win32/JakyllHyde: FileHash-SHA1 800c8a5f93b04d6c5dc491ab582cd75165918f5f - trojan", "cups-files.conf.default", "httpd-manual.conf", "com.apple.xscertd.conf", "proxy-html.conf", "Trojan:Win32/JakyllHyde: FileHash-SHA256 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 2f237a35379a5fa46168e3a01667f32c - trojan", "http://ssp.1rtb.com/tracker?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)", "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "asl.conf", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/ RULE_AUTHOR: Florian Roth", "com.apple.slapd.conf", "main.cf.default", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "http://sdk.1rtb.com/sdk/req_ad?app_package=com.scpp.plus&device_type=1&device_adid=92841014150fc3fd&device_geo_lat=&app_name=%E8%B", "misc.ldif", "rpc", "ETPRO MALWARE Win32/JakyllHyde C2: https://www.joesandbox.com/analysis/754158/0/html", "krb5-kdc.schema", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "httpd-languages.conf", "newsyslog.conf", "gettytab", "https://simulator-api.666phonemanager.com/advert/gamebox_winpop/online", "https://hybrid-analysis.com/sample/172ffc5c288f7a241eac43d0d98143d91bc45fb17fce1c0788b4caf462a124d1/63dbfcceab5f780bd5536d3c", "header_checks", "audit_control", "Trojan:Win32/JakyllHyde: FileHash-SHA1 be97e5638139ee689312e23022d2e55e58d123c6 - trojan", "auto_home", "bashrc", "samba.schema", "com.apple.iokit.power", "Snort IDS: 2836073 ETPRO MALWARE Win32/JakyllHyde C2 Activity 192.168.2.3:49698 ->", "https://hybrid-analysis.com/sample/a575cf06662eb0972d9d0e5286382ca909ac3d4db893153ac13242e626304b1f/63f0cc25c94909360712d453", "aliases", "com.apple.eventmonitor", "profile", "com.apple.mkb", "kern_loader.conf", "wifi.conf", "custom_header_checks", "apple.schema", "Trojan:Win32/JakyllHyde: FileHash-SHA256 440165588e14516e1ef13b6240aad27a0e8c49744c8383590425b3cc9d7f23f1 - trojan", "com.apple.authd", "nis.ldif", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "protocols", "mail.rc", "ntp.conf", "openldap.ldif", "virtual", "locate.rc", "httpd-multilang-errordoc.conf", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f02ebf4d8955c363d615a53cc44b048d75b7cefb - adware", "Trojan:Win32/JakyllHyde: FileHash-SHA1 732198087c6a88afa356ea729bd3b8bb16c41901 - trojan", "master.cf", "Trojan:Win32/JakyllHyde: FileHash-MD5: 8eeda8077a13f12aa72c8b7b5f457734 -trojan", "cupsd.conf.O", "duaconf.schema", "magic", "hosts", "microsoft.schema", "postfix-files", "rmtab", "audit_event", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.cs", "php7.conf", "canonical", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f971b96cd514dc62a43b51f32e3a440fe3e0c6d4 - trojan", "ftpusers", "com.apple.install", "java.ldif", "System process connects to network (likely due to code injection or exploit)", "bashrc_Apple_Terminal", "misc.schema", "ldap.conf.default", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/", "csh.cshrc", "Trojan:Win32/JakyllHyde: FileHash-SHA256 002d9916a54c7ea70c931dca29c0a4500020d8040b9e446a5472b9089c29c8bc - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 4d4cd0582109e110967bce75534031ed -trojan", "Alerts: dead_host injection_runpe network_icmp allocates_execute_remote_process disables_proxy injection_modifies_memory modifies_proxy_wpad", "Trojan:Win32/JakyllHyde: FileHash-MD5: fa7d0ef6c2c634e4f0e890c3d5b4cf4f - trojan", "apple_auxillary.schema", "httpd-dav.conf", "httpd-autoindex.conf", "Trojan:Win32/JakyllHyde: FileHash-SHA256 47d9e427da3dfe5253d0047c40fb773db59dbccb0ff650e86ce7490b2c520c2d - trojan", "main.cf", "httpd-ssl.conf", "corba.ldif", "files.conf", "Trojan:Win32/JakyllHyde: FileHash-MD5: d6d906a1c4061d3f41053b4548c7ea69 - trojan", "cupsd.conf", "mpm.conf", "pmi.ldif", "dyngroup.ldif", "irbrc", "com.apple.performance", "com.apple.MessageTracer", "hosts.equiv", "https://hybrid-analysis.com/sample/5e5db92f90d6ccdd7dc1eca0c1a9cd6b54493e873d07c90f72da6478ac5f24cb/6398ed7852c7e131d0022430", "httpd-mpm.conf", "LICENSE", "mime.types", "autofs.conf", "find.codes", "Trojan:Win32/JakyllHyde: FileHash-MD5: 0dd69941b0f01d1ee4d49c228f832bed - trojan", "ET TROJAN W32/Witch.3FA0!tr CnC Actiivty M2 - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "master.cf.default", "cupsd.conf.default", "group", "Trojan:Win32/JakyllHyde: FileHash-SHA256 7512f88162744b57efd14cc5fb98bc7cf5588fa25c218a1e92fe8048932450a8 -trojan", "com.apple.slapconfig.conf", "Alerts: origin_langid multiple_useragents process_interest recon_beacon injection_resumethread antivm_vmware_in_instruction dumped_buffer network_bind network_http allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "https://hybrid-analysis.com/sample/5e5db92f90d6ccdd7dc1eca0c1a9cd6b54493e873d07c90f72da6478ac5f24cb", "httpd-vhosts.conf", "com.apple.cdscheduler", "snmp.conf.default", "core.ldif", "com.apple.screensharing.agent.launchd", "httpd-userdir.conf", "inetorgperson.schema", "auto_master", "man.conf", "AppleOpenLDAP.plist", "master.cf.proto", "relocated", "IDS Detections: Win32/JakyllHyde C2 Activity Win32/JakyllHyde C2 Activity M2 PE EXE or DLL Windows file download HTTP", "bounce.cf.default", "cosine.schema", "cups-files.conf", "Trojan:Win32/JakyllHyde: FileHash-SHA256 37a641988cfb33066c12b68b23bec0623e3d0715d21d6e3b7304bdd7238c8790 - trojan", "dragonforce.io", "notify.conf", "openldap.schema", "http://tuijian.adhei.com/douyu/v /encrypt/gamebox_m.css", "httpd-info.conf", "W32/Witch.3FA0!tr: 601928c4508162aed7491ea4995eca7361be6faeac3c06ee5fc5302e686e26448" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Alf:heraklezeval:backdoorlinux/mirai", "Zfaoz", "Trojandownloader:win32/bridge", "Webtoolbar", "Securiteinfo.com.trojan.generickd.32885218.16582.30886.dll", "Mediamagnet", "Pegasus - mob-s0005", "W32/witch.3fa0!tr", "Directoryindex", "Unruy", "Virus:dos/cyberwar_5300", "Wisdomeyes.16070401.9500", "Alf:hstr:trojanspy:msil/keylogger", "Allowoverride", "9002 rat", "Virus:dos/psmpc_386", "Trojan:win32/tiggre", "Ultra vnc", "Blacknet rat", "Backdoor:win32/espion", "Wacatac", "Maltiverse", "Pegasus for android - s0316", "Trojanspy", "Tel:trojanspy:win32/kedirat", "Trojan:win32/jakyllhyde", "Malaysia, truly asia", "Alf:heraklezeval:backdoor:linux/tsunami", "Pegasus for ios - s0289", "Trojanspy:ios/xcodeghost", "Alf:heraklezeval:backdoor:linux/mirai" ], "industries": [ "Media", "Energy", "Technology", "Telecommunications", "Human subjects", "Hospitality", "Lgbtq+ activists", "Ngo", "Semiconductor" ], "unique_indicators": 62862 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/qqdg.ml", "whois": "http://whois.domaintools.com/qqdg.ml", "domain": "qqdg.ml", "hostname": "yzs.qqdg.ml" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "671fd3afa974b93284d6bac1", "name": "dragonforce.io", "description": "Throw your MacBook in the trash, where the hackers belong.", "modified": "2024-11-27T17:01:13.516000", "created": "2024-10-28T18:10:55.712000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "column", "tiff", "linus walleij", "triad", "greg roelofs", "html", "daniel quinlan", "aiff", "music", "wave", "formats", "magic", "form", "crunch", "freeze", "maker", "format", "postscript", "this", "ifmodule", "include", "virtualhost", "directory", "require", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "apache", "win32", "example", "main", "webdav", "internet", "mime type", "xlm xla", "xlc xlt", "xlam", "xlsb", "xlsm", "xltm", "z7 z8", "xhtml xht", "addiconbytype", "adddescription", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "full", "minrate500", "keepalive", "prod", "email", "apache http", "server", "timeout", "number", "minimal", "major", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "browsermatch", "davlockdb", "requireany", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "pidfile", "mpms", "threadstacksize", "extendedstatus", "change", "sethandler", "require host", "get information", "allow server", "allow", "userdir sites", "control access", "userdir", "sslsessioncache", "configure", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "first", "refer", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "loadfile c", "proxyhtmllinks", "ascii", "unicode", "windows", "must", "location", "w3c html", "directoryindex", "allowoverride", "manual", "provide access", "options indexes", "files", "removetype tr", "traditionally", "addlanguage da", "addtype", "a facility", "claim", "file", "level error", "sender", "store", "level", "facility", "category", "time", "host", "threadid", "function", "line", "message", "guest", "access", "kernel", "usereventagent", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "use directory", "home autohome", "automounter map", "get home", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "level info", "broadcast", "ignore", "rules", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "limit", "order deny", "authtype", "default require", "require user", "owner", "authkey", "lpadmin", "order", "system", "local", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "group value", "restrict access", "cups", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "host database", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "readline", "error", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "flags", "bcgjnuwz", "d0 j", "ldap defaults", "base dcexample", "uri ldap", "sizelimit", "timelimit", "deref", "syntax", "kerberos", "name", "corba object", "desc", "schema", "openldap", "redistribution", "public license", "license", "collective", "shall not", "ldap", "co llective", "equality", "sup name", "structural must", "singlevalue", "auxiliary must", "auxiliary may", "guid", "desc account", "desc mount", "desc password", "service", "info", "tiger", "multi", "d esc", "rfc1274", "structural may", "quality", "substr caseigno", "corba", "ldap directory", "reserved", "ldap server", "dynamic group", "netscape", "not recommended", "for production", "attribute", "name managedby", "name leaf", "duas", "internetdrafts", "coast", "project", "java object", "java class", "de sc", "pkcs", "inetorgperson", "rfc2798", "signeddata", "smime", "openldap note", "hold", "code", "java", "jndi reference", "jndi", "with syntax", "definitions", "kerberos v", "kdc schema", "oid base", "size", "subclass of", "may contain", "objectclass", "must contain", "matches for", "obsolete", "des c", "abstract must", "sup person", "microsoft", "advanced server", "schema mapping", "netinfo", "config", "groups", "netinfo preset", "crypt", "netinfo rpcs", "rpcs number", "oncrpcnumber", "ipnetmasknumber", "assistant", "may description", "rfc2307", "rfc2252", "match syntax", "openldaproot", "openldaporg", "openldapou", "equal ity", "kind", "rule", "attcertpath", "rolesyntax", "ldif", "blank", "ldap entry", "spaces", "cosine pilot", "directory forum", "password policy", "false", "april", "auxiliary", "passwd", "account", "desc pool", "unix", "structural", "sup rpcentry", "sup container", "abstract may", "sup ipsecbase", "Chelsea Manning Help Me", "Aishah Siti Lazim", "Aishah Lazim", "194 Green Street", "Human Subjects", "cybernetic", "RNA molecule", "matches", "postfix smtp", "domain", "ipv6 host", "reject", "reply", "prior", "bugs", "reject empty", "canonical", "tables", "post", "replace user", "address", "generic", "smtp", "isp mail", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "only", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "path", "beware", "class", "uucp", "shell", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "update", "usrsbin", "file format", "no group", "daemondirectory", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "bashno", "r etcbashrc", "protocol", "ipv6", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "kame", "id key", "specification", "auto exit", "vpn socket", "networkup", "term", "devnull", "common setup", "set command", "sunnet manager", "rpcsrc", "netlicense", "apple", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "auditing", "solaris", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "integer", "array", "data", "state", "opendirectoryd", "ipv4", "plist", "dict", "session", "commcenter", "airport", "cfbasichash", "thread", "cfrunloop", "cfrunloopmode", "usrbinsudo", "usrsbinnetbiosd", "removed" ], "references": [ "afpovertcp.cfg", "aliases", "magic", "httpd.conf", "mime.types", "httpd-autoindex.conf", "httpd-default.conf", "httpd-languages.conf", "httpd-dav.conf", "httpd-multilang-errordoc.conf", "httpd-mpm.conf", "httpd-info.conf", "httpd-userdir.conf", "httpd-ssl.conf", "httpd-vhosts.conf", "proxy-html.conf", "httpd-manual.conf", "php7.conf", "mpm.conf", "com.apple.eventmonitor", "com.apple.authd", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.install", "com.apple.coreduetd", "com.apple.login.guest", "com.apple.mkb", "com.apple.mail", "com.apple.MessageTracer", "com.apple.mkb.internal", "com.apple.iokit.power", "com.apple.performance", "com.apple.networking.boringssl", "auto_master", "auto_home", "bashrc", "asl.conf", "autofs.conf", "bashrc_Apple_Terminal", "csh.cshrc", "csh.logout", "com.apple.screensharing.agent.launchd", "csh.login", "cupsd.conf", "cups-files.conf.default", "cupsd.conf.O", "cupsd.conf.default", "cups-files.conf", "snmp.conf", "snmp.conf.default", "dragonforce.io", "find.codes", "ftpusers", "hosts.equiv", "gettytab", "hosts", "kern_loader.conf", "irbrc", "locate.rc", "mail.rc", "group", "man.conf", "networks", "manpaths", "newsyslog.conf", "com.apple.slapconfig.conf", "files.conf", "com.apple.xscertd.conf", "wifi.conf", "com.apple.slapd.conf", "nfs.conf", "ntp.conf", "notify.conf", "ntp_opendirectory.conf", "AppleOpenLDAP.plist", "ldap.conf", "ldap.conf.default", "apple_auxillary.schema", "corba.ldif", "collective.schema", "collective.ldif", "core.ldif", "apple.schema", "cosine.ldif", "core.schema", "corba.schema", "duaconf.ldif", "dyngroup.ldif", "fmserver.schema", "duaconf.schema", "java.ldif", "inetorgperson.schema", "inetorgperson.ldif", "java.schema", "krb5-kdc.schema", "cosine.schema", "misc.ldif", "microsoft.std.schema", "misc.schema", "netinfo.schema", "nis.schema", "nis.ldif", "openldap.schema", "dyngroup.schema", "pmi.ldif", "ppolicy.ldif", "pmi.schema", "openldap.ldif", "README", "ppolicy.schema", "samba.schema", "microsoft.schema", "access", "custom_header_checks", "canonical", "generic", "bounce.cf.default", "header_checks", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "master.cf", "main.cf.proto", "master.cf.proto", "postfix-files", "relocated", "TLS_LICENSE", "virtual", "main.cf.default", "transport", "profile", "protocols", "racoon.conf", "rmtab", "rc.common", "rpc", "rtadvd.conf", "rc.netboot", "audit_class", "audit_warn", "audit_event", "audit_control" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bahrain", "Israel", "India" ], "malware_families": [ { "id": "DirectoryIndex", "display_name": "DirectoryIndex", "target": null }, { "id": "AllowOverride", "display_name": "AllowOverride", "target": null }, { "id": "Malaysia, Truly Asia", "display_name": "Malaysia, Truly Asia", "target": null }, { "id": "9002 RAT", "display_name": "9002 RAT", "target": null }, { "id": "Virus:DOS/PSMPC_386", "display_name": "Virus:DOS/PSMPC_386", "target": "/malware/Virus:DOS/PSMPC_386" }, { "id": "TEL:TrojanSpy:Win32/KediRat", "display_name": "TEL:TrojanSpy:Win32/KediRat", "target": null }, { "id": "TrojanSpy:iOS/XcodeGhost", "display_name": "TrojanSpy:iOS/XcodeGhost", "target": "/malware/TrojanSpy:iOS/XcodeGhost" }, { "id": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "display_name": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "target": null }, { "id": "Ultra VNC", "display_name": "Ultra VNC", "target": null }, { "id": "TrojanDownloader:Win32/Bridge", "display_name": "TrojanDownloader:Win32/Bridge", "target": "/malware/TrojanDownloader:Win32/Bridge" }, { "id": "Virus:DOS/Cyberwar_5300", "display_name": "Virus:DOS/Cyberwar_5300", "target": "/malware/Virus:DOS/Cyberwar_5300" }, { "id": "Backdoor:Win32/Espion", "display_name": "Backdoor:Win32/Espion", "target": "/malware/Backdoor:Win32/Espion" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:BackdoorLinux/Mirai", "display_name": "ALF:HeraklezEval:BackdoorLinux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1026", "name": "Multiband Communication", "display_name": "T1026 - Multiband Communication" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Media", "LGBTQ+ Activists", "Technology", "Telecommunications", "Hospitality", "Energy", "NGO", "Semiconductor", "Human Subjects" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 669, "URL": 1976, "email": 21, "hostname": 1198, "FileHash-SHA256": 277, "CVE": 2, "CIDR": 3 }, "indicator_count": 4146, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "671fd3b07ffb71116f2db7fa", "name": "dragonforce.io", "description": "Throw your MacBook in the trash, where the hackers belong.", "modified": "2024-11-27T17:01:13.516000", "created": "2024-10-28T18:10:56.355000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "column", "tiff", "linus walleij", "triad", "greg roelofs", "html", "daniel quinlan", "aiff", "music", "wave", "formats", "magic", "form", "crunch", "freeze", "maker", "format", "postscript", "this", "ifmodule", "include", "virtualhost", "directory", "require", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "apache", "win32", "example", "main", "webdav", "internet", "mime type", "xlm xla", "xlc xlt", "xlam", "xlsb", "xlsm", "xltm", "z7 z8", "xhtml xht", "addiconbytype", "adddescription", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "full", "minrate500", "keepalive", "prod", "email", "apache http", "server", "timeout", "number", "minimal", "major", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "browsermatch", "davlockdb", "requireany", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "pidfile", "mpms", "threadstacksize", "extendedstatus", "change", "sethandler", "require host", "get information", "allow server", "allow", "userdir sites", "control access", "userdir", "sslsessioncache", "configure", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "first", "refer", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "loadfile c", "proxyhtmllinks", "ascii", "unicode", "windows", "must", "location", "w3c html", "directoryindex", "allowoverride", "manual", "provide access", "options indexes", "files", "removetype tr", "traditionally", "addlanguage da", "addtype", "a facility", "claim", "file", "level error", "sender", "store", "level", "facility", "category", "time", "host", "threadid", "function", "line", "message", "guest", "access", "kernel", "usereventagent", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "use directory", "home autohome", "automounter map", "get home", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "level info", "broadcast", "ignore", "rules", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "limit", "order deny", "authtype", "default require", "require user", "owner", "authkey", "lpadmin", "order", "system", "local", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "group value", "restrict access", "cups", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "host database", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "readline", "error", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "flags", "bcgjnuwz", "d0 j", "ldap defaults", "base dcexample", "uri ldap", "sizelimit", "timelimit", "deref", "syntax", "kerberos", "name", "corba object", "desc", "schema", "openldap", "redistribution", "public license", "license", "collective", "shall not", "ldap", "co llective", "equality", "sup name", "structural must", "singlevalue", "auxiliary must", "auxiliary may", "guid", "desc account", "desc mount", "desc password", "service", "info", "tiger", "multi", "d esc", "rfc1274", "structural may", "quality", "substr caseigno", "corba", "ldap directory", "reserved", "ldap server", "dynamic group", "netscape", "not recommended", "for production", "attribute", "name managedby", "name leaf", "duas", "internetdrafts", "coast", "project", "java object", "java class", "de sc", "pkcs", "inetorgperson", "rfc2798", "signeddata", "smime", "openldap note", "hold", "code", "java", "jndi reference", "jndi", "with syntax", "definitions", "kerberos v", "kdc schema", "oid base", "size", "subclass of", "may contain", "objectclass", "must contain", "matches for", "obsolete", "des c", "abstract must", "sup person", "microsoft", "advanced server", "schema mapping", "netinfo", "config", "groups", "netinfo preset", "crypt", "netinfo rpcs", "rpcs number", "oncrpcnumber", "ipnetmasknumber", "assistant", "may description", "rfc2307", "rfc2252", "match syntax", "openldaproot", "openldaporg", "openldapou", "equal ity", "kind", "rule", "attcertpath", "rolesyntax", "ldif", "blank", "ldap entry", "spaces", "cosine pilot", "directory forum", "password policy", "false", "april", "auxiliary", "passwd", "account", "desc pool", "unix", "structural", "sup rpcentry", "sup container", "abstract may", "sup ipsecbase", "Chelsea Manning Help Me", "Aishah Siti Lazim", "Aishah Lazim", "194 Green Street", "Human Subjects", "cybernetic", "RNA molecule", "matches", "postfix smtp", "domain", "ipv6 host", "reject", "reply", "prior", "bugs", "reject empty", "canonical", "tables", "post", "replace user", "address", "generic", "smtp", "isp mail", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "only", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "path", "beware", "class", "uucp", "shell", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "update", "usrsbin", "file format", "no group", "daemondirectory", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "bashno", "r etcbashrc", "protocol", "ipv6", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "kame", "id key", "specification", "auto exit", "vpn socket", "networkup", "term", "devnull", "common setup", "set command", "sunnet manager", "rpcsrc", "netlicense", "apple", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "auditing", "solaris", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "integer", "array", "data", "state", "opendirectoryd", "ipv4", "plist", "dict", "session", "commcenter", "airport", "cfbasichash", "thread", "cfrunloop", "cfrunloopmode", "usrbinsudo", "usrsbinnetbiosd", "removed" ], "references": [ "afpovertcp.cfg", "aliases", "magic", "httpd.conf", "mime.types", "httpd-autoindex.conf", "httpd-default.conf", "httpd-languages.conf", "httpd-dav.conf", "httpd-multilang-errordoc.conf", "httpd-mpm.conf", "httpd-info.conf", "httpd-userdir.conf", "httpd-ssl.conf", "httpd-vhosts.conf", "proxy-html.conf", "httpd-manual.conf", "php7.conf", "mpm.conf", "com.apple.eventmonitor", "com.apple.authd", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.install", "com.apple.coreduetd", "com.apple.login.guest", "com.apple.mkb", "com.apple.mail", "com.apple.MessageTracer", "com.apple.mkb.internal", "com.apple.iokit.power", "com.apple.performance", "com.apple.networking.boringssl", "auto_master", "auto_home", "bashrc", "asl.conf", "autofs.conf", "bashrc_Apple_Terminal", "csh.cshrc", "csh.logout", "com.apple.screensharing.agent.launchd", "csh.login", "cupsd.conf", "cups-files.conf.default", "cupsd.conf.O", "cupsd.conf.default", "cups-files.conf", "snmp.conf", "snmp.conf.default", "dragonforce.io", "find.codes", "ftpusers", "hosts.equiv", "gettytab", "hosts", "kern_loader.conf", "irbrc", "locate.rc", "mail.rc", "group", "man.conf", "networks", "manpaths", "newsyslog.conf", "com.apple.slapconfig.conf", "files.conf", "com.apple.xscertd.conf", "wifi.conf", "com.apple.slapd.conf", "nfs.conf", "ntp.conf", "notify.conf", "ntp_opendirectory.conf", "AppleOpenLDAP.plist", "ldap.conf", "ldap.conf.default", "apple_auxillary.schema", "corba.ldif", "collective.schema", "collective.ldif", "core.ldif", "apple.schema", "cosine.ldif", "core.schema", "corba.schema", "duaconf.ldif", "dyngroup.ldif", "fmserver.schema", "duaconf.schema", "java.ldif", "inetorgperson.schema", "inetorgperson.ldif", "java.schema", "krb5-kdc.schema", "cosine.schema", "misc.ldif", "microsoft.std.schema", "misc.schema", "netinfo.schema", "nis.schema", "nis.ldif", "openldap.schema", "dyngroup.schema", "pmi.ldif", "ppolicy.ldif", "pmi.schema", "openldap.ldif", "README", "ppolicy.schema", "samba.schema", "microsoft.schema", "access", "custom_header_checks", "canonical", "generic", "bounce.cf.default", "header_checks", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "master.cf", "main.cf.proto", "master.cf.proto", "postfix-files", "relocated", "TLS_LICENSE", "virtual", "main.cf.default", "transport", "profile", "protocols", "racoon.conf", "rmtab", "rc.common", "rpc", "rtadvd.conf", "rc.netboot", "audit_class", "audit_warn", "audit_event", "audit_control" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bahrain", "Israel", "India" ], "malware_families": [ { "id": "DirectoryIndex", "display_name": "DirectoryIndex", "target": null }, { "id": "AllowOverride", "display_name": "AllowOverride", "target": null }, { "id": "Malaysia, Truly Asia", "display_name": "Malaysia, Truly Asia", "target": null }, { "id": "9002 RAT", "display_name": "9002 RAT", "target": null }, { "id": "Virus:DOS/PSMPC_386", "display_name": "Virus:DOS/PSMPC_386", "target": "/malware/Virus:DOS/PSMPC_386" }, { "id": "TEL:TrojanSpy:Win32/KediRat", "display_name": "TEL:TrojanSpy:Win32/KediRat", "target": null }, { "id": "TrojanSpy:iOS/XcodeGhost", "display_name": "TrojanSpy:iOS/XcodeGhost", "target": "/malware/TrojanSpy:iOS/XcodeGhost" }, { "id": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "display_name": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "target": null }, { "id": "Ultra VNC", "display_name": "Ultra VNC", "target": null }, { "id": "TrojanDownloader:Win32/Bridge", "display_name": "TrojanDownloader:Win32/Bridge", "target": "/malware/TrojanDownloader:Win32/Bridge" }, { "id": "Virus:DOS/Cyberwar_5300", "display_name": "Virus:DOS/Cyberwar_5300", "target": "/malware/Virus:DOS/Cyberwar_5300" }, { "id": "Backdoor:Win32/Espion", "display_name": "Backdoor:Win32/Espion", "target": "/malware/Backdoor:Win32/Espion" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:BackdoorLinux/Mirai", "display_name": "ALF:HeraklezEval:BackdoorLinux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1026", "name": "Multiband Communication", "display_name": "T1026 - Multiband Communication" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Media", "LGBTQ+ Activists", "Technology", "Telecommunications", "Hospitality", "Energy", "NGO", "Semiconductor", "Human Subjects" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 669, "URL": 1976, "email": 21, "hostname": 1198, "FileHash-SHA256": 277, "CVE": 2, "CIDR": 3 }, "indicator_count": 4146, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6687495ad1e4ef814ec26c75", "name": "Remote Network Attack | JakyllHyde: Malicious Keyword Tool Index | Sabey Data Centers", "description": "Research shows compromise originated from Sabey Data Centers. High Priority 'Malicious' \nRemotely connects to victim network is injection,", "modified": "2024-09-05T06:26:17.295000", "created": "2024-07-05T01:16:10.251000", "tags": [ "read c", "get na", "sthubei", "otaokexing", "unknown", "write c", "outaokexing", "cntaokexing", "ms windows", "pe32", "win64", "write", "next", "win32", "malware", "copy", "keyword tool", "historical ssl", "referrer", "vs2010", "file", "sections", "signature", "file version", "windows system", "internal name", "version", "portable", "info compiler", "analyzer paste", "iocs", "url https", "samples", "cisco umbrella", "site", "safe site", "alexa top", "million", "heur", "malware site", "malicious site", "iframe", "alexa", "deepscan", "crack", "fusioncore", "cleaner", "riskware", "jakyllhyde", "china unknown", "asnone china", "cname", "as4812 china", "as4134 chinanet", "date", "moved", "search", "status", "body", "as4837 china", "bad request", "passive dns", "gmt content", "type", "scan endpoints", "all scoreblue", "twitter", "trojan", "urls", "machinename", "alibaba cloud", "computing", "beijing", "domains", "contacted", "ip detections", "country", "files", "file type", "signals mutexes", "local", "localc", "mutexes", "as31122 digiweb", "ireland unknown", "a domains", "gmt server", "pulse pulses", "pragma", "ipv4", "apache", "get http", "request", "host", "accept", "response", "date mon", "http requests", "connection", "server", "pluginrun", "ip traffic", "hashes", "user", "dns resolutions", "ff ff", "lowdatetime", "mofresourcename", "portclsmof", "hdaudiomofname", "processorwmi", "acpimofresource", "mofresource", "registry keys", "counter", "files written", "files dropped", "registry", "samplepath", "windir", "created c", "shell commands", "monitor", "arg0", "tree", "synchronization", "yara signature", "match", "thor apt", "scanner rule", "livehunt", "ruletype", "rule feed", "rulelink", "microsoft", "ruleauthor", "backdoor", "injection", "sabey data centers", "vbs", "remote attack", "extreme targeting", "116.207.118.87", "192.168.56.103", "linux", "locate linux deployed", "track", "tracking", "track all devices", "android", "apple", "apple webkit" ], "references": [ "Win32/JakyllHyde - RUNDLL32.EXE FileHash-SHA1 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17", "Found in a malicious keyword index: http://m.xiang5.com/keyword/17655.html&htE5-: Family", "IDS Detections: Win32/JakyllHyde C2 Activity Win32/JakyllHyde C2 Activity M2 PE EXE or DLL Windows file download HTTP", "Alerts: dead_host injection_runpe network_icmp allocates_execute_remote_process disables_proxy injection_modifies_memory modifies_proxy_wpad", "Alerts: origin_langid multiple_useragents process_interest recon_beacon injection_resumethread antivm_vmware_in_instruction dumped_buffer network_bind network_http allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Trojan:Win32/JakyllHyde: CnC IP's -183.95.89.203 116.211.100.182 Exploit Source: IPv4 116.207.118.87 163.171.134.109", "Trojan:Win32/JakyllHyde: FileHash-SHA256 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 37a641988cfb33066c12b68b23bec0623e3d0715d21d6e3b7304bdd7238c8790 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 002d9916a54c7ea70c931dca29c0a4500020d8040b9e446a5472b9089c29c8bc - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 440165588e14516e1ef13b6240aad27a0e8c49744c8383590425b3cc9d7f23f1 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 47d9e427da3dfe5253d0047c40fb773db59dbccb0ff650e86ce7490b2c520c2d - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 7512f88162744b57efd14cc5fb98bc7cf5588fa25c218a1e92fe8048932450a8 -trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 0c795954123ebf1806cdafef2b66322f8d40d3ac - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f971b96cd514dc62a43b51f32e3a440fe3e0c6d4 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 732198087c6a88afa356ea729bd3b8bb16c41901 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f02ebf4d8955c363d615a53cc44b048d75b7cefb - adware", "Trojan:Win32/JakyllHyde: FileHash-SHA1 800c8a5f93b04d6c5dc491ab582cd75165918f5f - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 b45c02987811425c672f56e011f394f94cc29a7b - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 be97e5638139ee689312e23022d2e55e58d123c6 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 0dd69941b0f01d1ee4d49c228f832bed - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 2f237a35379a5fa46168e3a01667f32c - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 35fc2b92d534f652ffe4ec3cbc3347b6 - adware", "Trojan:Win32/JakyllHyde: FileHash-MD5: 4d4cd0582109e110967bce75534031ed -trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 8eeda8077a13f12aa72c8b7b5f457734 -trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: d6d906a1c4061d3f41053b4548c7ea69 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: fa7d0ef6c2c634e4f0e890c3d5b4cf4f - trojan", "YARA Signature Match - THOR APT Scanner: RULE_TYPE: Valhalla Rule Feed Only \u26a1", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "DESCRIPTION: Detects malformed Microsoft copyright statements in executables RULE_AUTHOR: Florian Roth", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/ RULE_AUTHOR: Florian Roth", "#copyright #statements #malformed_copyright_statements", "ETPRO MALWARE Win32/JakyllHyde C2: https://www.joesandbox.com/analysis/754158/0/html", "Snort IDS: 2836073 ETPRO MALWARE Win32/JakyllHyde C2 Activity 192.168.2.3:49698 ->", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET TROJAN W32/Witch.3FA0!tr CnC Actiivty M2 - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "System process connects to network (likely due to code injection or exploit)", "Snort IDS alert for network traffic | Detected VMProtect packer", "W32/Witch.3FA0!tr: FileHash-MD5 38be6c6b799140f435bc1b1d42275d7c", "W32/Witch.3FA0!tr: FileHash-SHA1 13ed578302cc1f302a8a9df9308859486aeb4d0b", "W32/Witch.3FA0!tr: 601928c4508162aed7491ea4995eca7361be6faeac3c06ee5fc5302e686e26448", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.cs", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.css", "http://tuijian.adhei.com/douyu/v /encrypt/gamebox_m.css", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+U;+Android+4.3.1;+en-us;+GT-I8190+Build/JZO54K)+AppleWebKit/534.30+", "http://57d7.zhanyu66.com/air.thinlinuxforandroid.apk", "http://sdk.1rtb.com/sdk/req_ad?app_package=com.scpp.plus&device_type=1&device_adid=92841014150fc3fd&device_geo_lat=&app_name=%E8%B", "http://ssp.1rtb.com/tracker?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)", "https://simulator-api.666phonemanager.com/advert/gamebox_winpop/online", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "China", "Hong Kong", "Singapore" ], "malware_families": [ { "id": "Trojan:Win32/JakyllHyde", "display_name": "Trojan:Win32/JakyllHyde", "target": "/malware/Trojan:Win32/JakyllHyde" }, { "id": "SecuriteInfo.com.Trojan.GenericKD.32885218.16582.30886.dll", "display_name": "SecuriteInfo.com.Trojan.GenericKD.32885218.16582.30886.dll", "target": null }, { "id": "W32/Witch.3FA0!tr", "display_name": "W32/Witch.3FA0!tr", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1037.001", "name": "Logon Script (Windows)", "display_name": "T1037.001 - Logon Script (Windows)" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 682, "FileHash-SHA1": 327, "FileHash-SHA256": 2911, "SSLCertFingerprint": 4, "URL": 13039, "domain": 1038, "hostname": 2764, "email": 2, "CVE": 2 }, "indicator_count": 20769, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "635 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6558c481715409563073cb79", "name": "Fraud Services", "description": "http://kramtechnology.com/, fraud services, network, rat, trojan, phishing, malvertizing, malware hosting, scanning host, archives browser events.", "modified": "2023-12-18T05:05:36.760000", "created": "2023-11-18T14:04:48.923000", "tags": [ "methodpost", "dropped", "contacted", "ssl certificate", "whois record", "zva8k4ghshhpcb5", "contacted urls", "q0gpyr1balpdgpo", "historical ssl", "page dow", "blacklist http", "cisco umbrella", "site", "alexa top", "safe site", "million", "paypal", "team phishing", "malicious url", "alexa", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "malware", "united", "passive dns", "scan endpoints", "all search", "otx octoseek", "ipv4", "pulse pulses", "urls", "files", "reverse dns", "twitter", "log id", "gmtn", "sectigo rsa", "secure server", "tls web", "salford", "sectigo limited", "ocsp", "false", "california", "british virgin", "locality", "d3 a5", "url http" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14816, "FileHash-MD5": 41, "FileHash-SHA1": 33, "FileHash-SHA256": 5158, "domain": 3758, "hostname": 2961, "email": 4, "SSLCertFingerprint": 3, "CVE": 3 }, "indicator_count": 26777, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a958f96f9b29641ea020", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-12-06T17:03:20.219000", "created": "2023-12-06T17:03:20.219000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 17, "FileHash-SHA256": 3730, "hostname": 1052, "domain": 446, "URL": 2806, "FileHash-MD5": 173, "FileHash-SHA1": 168, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a927b24b94cdd5d344d1", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-12-06T17:02:31.854000", "created": "2023-12-06T17:02:31.854000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 17, "FileHash-SHA256": 3730, "hostname": 1052, "domain": 446, "URL": 2806, "FileHash-MD5": 173, "FileHash-SHA1": 168, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652b2a50c4487060d52346fd", "name": "Fitbit app link IoC's", "description": "Critical. Fitbit download link found in Google search results.\n[https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile]\n\nBlackNET is a Remote Access Trojan (RAT) - Advanced Windows Botnet.\nCapabilities: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. \n\nOpenCandy , PUP\nCapabilities: Browser home page hijacker, installs unwanted toolbars, plug-ins, and extensions to web browsers, collects information, user\u2019s surfing habits, distribution to third parties without user consent.\n\nProcess Injection: Privilege escalation adversaries use to inject arbitrary code.", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-14T23:54:55.973000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "931 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652b2a8048e6a285461c4a5d", "name": "Fitbit app link IoC's", "description": "Critical. Fitbit download link found in Google search results.\n[https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile]\n\nBlackNET is a Remote Access Trojan (RAT) - Advanced Windows Botnet.\nCapabilities: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. \n\nOpenCandy , PUP\nCapabilities: Browser home page hijacker, installs unwanted toolbars, plug-ins, and extensions to web browsers, collects information, user\u2019s surfing habits, distribution to third parties without user consent.\n\nProcess Injection: Privilege escalation adversaries use to inject arbitrary code.", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-14T23:55:42.972000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "931 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f147a7e55dd916fe9e3e2", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-30T02:27:06.140000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "652b2a8048e6a285461c4a5d", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "931 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63f16ce668c75c5ec1148e7b", "name": "http://vinyldevicepop.com", "description": "The Falcon Sandbox malware analysis service is available to download, view and download all the data on the Falcon website, including the full report on how to identify and identify the malware and tactics behind the attack.", "modified": "2023-03-21T00:02:57.765000", "created": "2023-02-19T00:27:18.058000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "localappdata", "unicode", "hash seen", "size", "runtime process", "sha256", "sha1", "temp", "entropy", "suspicious", "hybrid", "close", "click", "ransomware", "february", "general", "strings" ], "references": [ "https://hybrid-analysis.com/sample/a575cf06662eb0972d9d0e5286382ca909ac3d4db893153ac13242e626304b1f/63f0cc25c94909360712d453" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "hostname": 38, "domain": 10, "FileHash-SHA256": 62, "FileHash-MD5": 50, "FileHash-SHA1": 49 }, "indicator_count": 307, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://yzs.qqdg.ml/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://yzs.qqdg.ml/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780414287.0625718 }