tkanalyst

2019/10/10 Purple Fox Framework

Oct 9th, 2019
2019-10-10
#Malvertising -> #PurpleFoxFramework -> #Loader -> External scan of 445/tcp & 1433/tcp

[Exploit]
CVE-2019-0752 & CVE-2019-0768 & CVE-2018-4878 & CVE-2018-8120 & CVE-2016-0099 & CVE-2015-1701 & CVE-2014-6332

[Example Traffic]
https://app.any.run/tasks/e2cc1cc9-7899-4290-bade-26365f438d01

[Reference]
https://blog.360totalsecurity.com/en/purple-fox-trojan-burst-out-globally-and-infected-more-than-30000-users/
https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/

===============================================================================================================
Main object: "http://xml.auxml.com/log?action=click&key=2108-popcash-reklam-4-5b2d9f63-0084-42fb-bae6-5479b6d1f53f&strategy=254905&ts=1566046593256&token=c2e44ee64ddd8ca2795fae37b11d1776"
url http://xml.auxml.com/log?action=click&key=2108-popcash-reklam-4-5b2d9f63-0084-42fb-bae6-5479b6d1f53f&strategy=254905&ts=1566046593256&token=c2e44ee64ddd8ca2795fae37b11d1776

Dropped executable files
sha256 C:\Users\admin\AppData\Local\Temp\Low\48ud3t-e.dll a1d011ba33e9340e6e00051505f811993cbfb4758c201e638565b3c2c3e9f4a3
sha256 C:\Users\admin\AppData\Local\Temp\Low\xogig1_s.dll 50f96afff5ade776b4ce3a035698500b873ad37ac5376412be517d6961dc580b

DNS requests
domain xml.auxml.com
domain intercambioseo.xyz
domain tyasmi.xyz
domain down.wuqjzc.xyz
domain kzpqui.xyz

Connections
ip 3.229.175.6
ip 104.24.118.130
ip 104.28.16.73
ip 104.24.120.59
ip 104.28.17.73
ip 104.24.117.183

HTTP/HTTPS requests
url http://xml.auxml.com/log?action=click&key=2108-popcash-reklam-4-5b2d9f63-0084-42fb-bae6-5479b6d1f53f&strategy=254905&ts=1566046593256&token=c2e44ee64ddd8ca2795fae37b11d1776
url http://tyasmi.xyz/
url http://intercambioseo.xyz/
url http://kzpqui.xyz/1.swf
url http://kzpqui.xyz/1.htm
url http://kzpqui.xyz/2.swf
url http://kzpqui.xyz/
url http://kzpqui.xyz/cdn-cgi/apps/head/xGpmLMHiaqCy-agu1ud6fHqKiTo.js
url http://down.wuqjzc.xyz/pe.jpg
url http://down.wuqjzc.xyz/ps001.jpg
url http://down.wuqjzc.xyz/1808164.jpg
url http://down.wuqjzc.xyz/1603264.jpg
url http://down.wuqjzc.xyz/1505164.jpg