- 2019-10-10
- #Malvertising -> #PurpleFoxFramework -> #Loader -> ExternalScan 445/tcp & 1433/tcp
- [Exploit]
- CVE-2019-0752 & CVE-2019-0768 & CVE-2018-4878 & CVE-2018-8120 & CVE-2016-0099 & CVE-2015-1701 & CVE-2014-6332
- [Example Traffic]
- https://app.any.run/tasks/e2cc1cc9-7899-4290-bade-26365f438d01
- [Reference]
- https://blog.360totalsecurity.com/en/purple-fox-trojan-burst-out-globally-and-infected-more-than-30000-users/
- https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/
- ===============================================================================================================
- Main object- "http://xml.auxml.com/log?action=click&key=2108-popcash-reklam-4-5b2d9f63-0084-42fb-bae6-5479b6d1f53f&strategy=254905&ts=1566046593256&token=c2e44ee64ddd8ca2795fae37b11d1776"
- url http://xml.auxml.com/log?action=click&key=2108-popcash-reklam-4-5b2d9f63-0084-42fb-bae6-5479b6d1f53f&strategy=254905&ts=1566046593256&token=c2e44ee64ddd8ca2795fae37b11d1776
- Dropped executable file
- sha256 C:\Users\admin\AppData\Local\Temp\Low\48ud3t-e.dll a1d011ba33e9340e6e00051505f811993cbfb4758c201e638565b3c2c3e9f4a3
- sha256 C:\Users\admin\AppData\Local\Temp\Low\xogig1_s.dll 50f96afff5ade776b4ce3a035698500b873ad37ac5376412be517d6961dc580b
- DNS requests
- domain xml.auxml.com
- domain intercambioseo.xyz
- domain tyasmi.xyz
- domain down.wuqjzc.xyz
- domain kzpqui.xyz
- Connections
- ip 3.229.175.6
- ip 104.24.118.130
- ip 104.28.16.73
- ip 104.24.120.59
- ip 104.28.17.73
- ip 104.24.117.183
- HTTP/HTTPS requests
- url http://xml.auxml.com/log?action=click&key=2108-popcash-reklam-4-5b2d9f63-0084-42fb-bae6-5479b6d1f53f&strategy=254905&ts=1566046593256&token=c2e44ee64ddd8ca2795fae37b11d1776
- url http://tyasmi.xyz/
- url http://intercambioseo.xyz/
- url http://kzpqui.xyz/1.swf
- url http://kzpqui.xyz/1.htm
- url http://kzpqui.xyz/2.swf
- url http://kzpqui.xyz/
- url http://kzpqui.xyz/cdn-cgi/apps/head/xGpmLMHiaqCy-agu1ud6fHqKiTo.js
- url http://down.wuqjzc.xyz/pe.jpg
- url http://down.wuqjzc.xyz/ps001.jpg
- url http://down.wuqjzc.xyz/1808164.jpg
- url http://down.wuqjzc.xyz/1603264.jpg
- url http://down.wuqjzc.xyz/1505164.jpg
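Added example, not part of the paste, of the ANY.RUN export, or of the referenced blogs: a Python sweep that parses IOC lines in the "kind value" format used above and matches them against DNS, proxy and flow logs plus a file-hash inventory. The log formats, the 10.0.0.0/8 hosts, the sample log lines and the scan threshold are assumptions constructed for illustration; the IOC values themselves are copied from the list above.

```python
import re
from collections import defaultdict

# IOC lines copied from the paste above (a subset; the line format is the same).
IOC_TEXT = r"""
- domain xml.auxml.com
- domain down.wuqjzc.xyz
- domain kzpqui.xyz
- ip 104.24.118.130
- ip 104.28.16.73
- sha256 C:\Users\admin\AppData\Local\Temp\Low\48ud3t-e.dll a1d011ba33e9340e6e00051505f811993cbfb4758c201e638565b3c2c3e9f4a3
- url http://kzpqui.xyz/1.swf
- url http://down.wuqjzc.xyz/pe.jpg
"""

def parse_iocs(text):
    """Group 'kind value' lines into sets; on sha256 lines the hash is the last token."""
    iocs = {"domain": set(), "ip": set(), "sha256": set(), "url": set()}
    for raw in text.splitlines():
        parts = raw.strip().lstrip("- ").split()
        if len(parts) < 2 or parts[0] not in iocs:
            continue
        kind = parts[0]
        value = parts[-1] if kind == "sha256" else parts[1]
        iocs[kind].add(value if kind == "url" else value.lower())  # URL paths are case-sensitive
    return iocs

def domain_hit(iocs, hostname):
    """IOC domain equal to hostname or a parent of it (cdn.kzpqui.xyz -> kzpqui.xyz), else None."""
    host = hostname.lower().rstrip(".")
    for dom in sorted(iocs["domain"]):
        if host == dom or host.endswith("." + dom):
            return dom
    return None

def match_dns(iocs, lines):
    """Assumed DNS log format: '<ts> <client> query <name>'."""
    hits = []
    for line in lines:
        _, client, _, name = line.split()
        dom = domain_hit(iocs, name)
        if dom:
            hits.append((client, name, dom))
    return hits

def match_proxy(iocs, lines):
    """Assumed proxy log format: '<ts> <client> <dst_ip> <url>'; lists every IOC type that fired."""
    hits = []
    for line in lines:
        _, client, dst_ip, url = line.split()
        host = re.match(r"https?://([^/:]+)", url).group(1)
        checks = (("url", url in iocs["url"]), ("ip", dst_ip in iocs["ip"]),
                  ("domain", domain_hit(iocs, host) is not None))
        reasons = [name for name, fired in checks if fired]
        if reasons:
            hits.append((client, url, reasons))
    return hits

def match_hashes(iocs, inventory):
    """inventory: {path: sha256} as exported from an EDR; comparison is case-insensitive."""
    return {p: h for p, h in inventory.items() if h.lower() in iocs["sha256"]}

def find_scanners(flow_lines, ports=(445, 1433), threshold=8):
    """Assumed flow format: '<ts> <src> <dst> <dport>'. Flag sources that reach >= threshold
    distinct hosts on SMB/MSSQL, the ports the paste ties to the loader's external scan.
    The threshold is an assumption; tune it to the network's normal fan-out."""
    targets = defaultdict(set)
    for line in flow_lines:
        _, src, dst, dport = line.split()
        if int(dport) in ports:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

# Constructed sample logs: 10.0.0.21 plays the infected host, 10.0.0.33 is benign.
DNS_LOG = [
    "2019-10-10T09:00:01 10.0.0.21 query www.example.com",
    "2019-10-10T09:00:05 10.0.0.21 query xml.auxml.com",
    "2019-10-10T09:00:07 10.0.0.21 query cdn.kzpqui.xyz",
    "2019-10-10T09:01:00 10.0.0.33 query mail.example.com",
]
PROXY_LOG = [
    "2019-10-10T09:00:08 10.0.0.21 104.28.16.73 http://kzpqui.xyz/1.swf",
    "2019-10-10T09:00:10 10.0.0.21 104.24.118.130 http://down.wuqjzc.xyz/ps001.jpg",
    "2019-10-10T09:01:02 10.0.0.33 93.184.216.34 http://www.example.com/",
]
FLOW_LOG = [f"2019-10-10T09:02:{i:02d} 10.0.0.21 10.0.1.{i} 445" for i in range(1, 13)] + [
    "2019-10-10T09:02:30 10.0.0.21 10.0.2.5 1433",
    "2019-10-10T09:03:00 10.0.0.33 10.0.1.50 445",  # one file-server session, not a scan
]
INVENTORY = {  # constructed EDR export; the hash is from the paste, uppercased on purpose
    r"C:\Users\admin\AppData\Local\Temp\Low\48ud3t-e.dll":
        "A1D011BA33E9340E6E00051505F811993CBFB4758C201E638565B3C2C3E9F4A3",
    r"C:\Windows\System32\kernel32.dll": "0" * 64,
}

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for hit in match_dns(iocs, DNS_LOG) + match_proxy(iocs, PROXY_LOG):
        print("IOC hit:", hit)
    print("hash hits:", match_hashes(iocs, INVENTORY))
    print("possible 445/1433 scanners:", find_scanners(FLOW_LOG))
```

Two design points worth keeping: domain matching is suffix-based so a host under a listed zone still fires (the paste lists down.wuqjzc.xyz, and the proxy matcher reports which IOC types fired rather than collapsing to a boolean, so a new path on a known host is not lost); the 445/1433 fan-out check is a behavioural signal that survives infrastructure rotation, which the domain and IP lists above will not.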