Asset relationship graph
User-Agent characteristics
Hidden DDE field command
Related URLs (incidentally, Huorong blocked the access request right away and popped up its Internet Protection alert; very quick, highly recommended)
hxxp://86.106.131[.]177:6500/zIZFh
hxxp://86.106.131[.]177/link/GRAPH.EXE
hxxp://92.114.92[.]102:80/d
hxxp://220.158.216[.]127/MScertificate.exe (downloaded payload written to disk as MScertificate.exe)
Report URL
https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
IOCs
Domain
supservermgr[.]com
URL
hxxp://supservermgr[.]com/sys/upd/pageupd.php
Zebrocy
d697160aecf152a81a89a6b5a7d9e1b8b5e121724038c676157ac72f20364edc
cba5ab65a24be52214736bc1a5bc984953a9c15d0a3826d5b15e94036e5497df
25f0d1cbcc53d8cfd6d848e12895ce376fbbfaf279be591774b28f70852a4fd8
115fd8c619fa173622c7a1e84efdf6fed08a25d3ca3095404dcbd5ac3deb1f03
f27836430742c9e014e1b080d89c47e43db299c2e00d0c0801a2830b41b57bc1
5b5e80f63c04402d0b282e95e32155b2f86cf604a6837853ab467111d4ac15e2
dd7e69e14c88972ac173132b90b3f4bfb2d1faec15cca256a256dd3a12b6e75d
Koadic
abbad7acd50754f096fdc6551e728aa6054dcf8e55946f90a02b17db552471ca
User Agents
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)
Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko
Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1
IPs
185.25.51[.]198
185.25.50[.]93
220.158.216[.]127
92.114.92[.]102
86.106.131[.]177
85.25.50[.]93
DDE Docs
85da72c7dbf5da543e10f3f806afd4ebf133f27b6af7859aded2c3a6eced2fd5
8cf3bc2bf36342e844e9c8108393562538a9af2a1011c80bb46416c0572c86ff