Bank_Security

Jointworm IOCs

Sep 22nd, 2020
Indicators of Compromise (IoCs)

File hashes (SHA-256)
IoC                                                                      | Group     | Malware Identifier

Network Indicators
IoC                       | Group     | Malware Identifier
remote_ip:139.28.37.53    | Jointworm | Alias: PhantomC2
remote_ip:185.62.190.89   | Jointworm | Alias: PhantomC2
remote_ip:45.9.239.50     | Jointworm | Alias: PhantomC2
url_domain:coinzre.website | Jointworm | Alias: PhantomC2

Appendix (ii)

Top 20 MITRE ATT&CK® Techniques Seen on Top Financial Customers, January 2019 – May 2020

Tactic              | Technique Name                          | Technique ID | Technique URL
Execution           | PowerShell                              | T1086        | https://attack.mitre.org/techniques/T1086
Execution           | Windows Management Instrumentation      | T1047        | https://attack.mitre.org/techniques/T1047
Credential Access   | Credential Dumping                      | T1003        | https://attack.mitre.org/techniques/T1003
Defense Evasion     | Obfuscated Files or Information         | T1027        | https://attack.mitre.org/techniques/T1027
Defense Evasion     | Process Injection                       | T1055        | https://attack.mitre.org/techniques/T1055
Command and Control | Remote File Copy                        | T1105        | https://attack.mitre.org/techniques/T1105
Execution           | Mshta                                   | T1170        | https://attack.mitre.org/techniques/T1170
Defense Evasion     | Modify Registry                         | T1112        | https://attack.mitre.org/techniques/T1112
Execution           | Service Execution                       | T1035        | https://attack.mitre.org/techniques/T1035
Execution           | User Execution                          | T1204        | https://attack.mitre.org/techniques/T1204
Discovery           | Security Software Discovery             | T1063        | https://attack.mitre.org/techniques/T1063
Execution           | Rundll32                                | T1085        | https://attack.mitre.org/techniques/T1085
Execution           | Trusted Developer Utilities             | T1127        | https://attack.mitre.org/techniques/T1127
Defense Evasion     | Regsvr32                                | T1117        | https://attack.mitre.org/techniques/T1117
Execution           | Scripting                               | T1064        | https://attack.mitre.org/techniques/T1064
Defense Evasion     | Rundll32                                | T1085        | https://attack.mitre.org/techniques/T1085
Execution           | Regsvr32                                | T1117        | https://attack.mitre.org/techniques/T1117
Lateral Movement    | Remote File Copy                        | T1105        | https://attack.mitre.org/techniques/T1105
Defense Evasion     | Deobfuscate/Decode Files or Information | T1140        | https://attack.mitre.org/techniques/T1140
Credential Access   | Credentials in Files                    | T1081        | https://attack.mitre.org/techniques/T1081