IQY and PowerShell Abused by Spam Campaign to Infect Users in Japan with BEBLOH and URSNIF Banking Trojan

Indicators of Compromise (IoCs)

URLs are defanged as published (hxxp, [.]). All hashes are SHA256.

First wave (August 6):

Detection name | SHA256 | Description
TROJ_MALIQY.E | e9202586bd09cf9457025de2db62622b8d231de0f1ecc5d64ee71909c4c9c3a2 | .IQY file attachment; its embedded web query fetches hxxp://jiglid[.]com/sc4?
TROJ_DLOADR.AUSUMV | fe89c50f242f54c09a4a8de3f3c3fd813e6dc41af59cf21ab669b05efedfd0c8 | Command-line script returned by the IQY query; runs PowerShell to download the next stage from hxxp://jiglid[.]com/sc4-2.dat
TROJ_DLOADR.AUSUMV | c5d706f09a79bde59257fab77c5406fba89d10efdb9e4941a8b3c1677da1c878 | PowerShell script; checks whether the infected machine's IP address is in Japan, then downloads the payload from hxxp://jiglid[.]com/ms.xlsx
TSPY_BEBLOH.YMNPV | 5533187aeae5b20d0628496f2ee671704bc806b16f4ce8b92468e9db3343957b | Final payload: BEBLOH
TSPY_URSNIF.TIBAIDO | 9e6535f7cda29e64af7711347271776cbe1242f33c745c61b5320c84eda5bc7e | Final payload: URSNIF

Second wave (August 8):

Detection name | SHA256 | Description
TROJ_MALIQY.F | b52bf37f47e7991f26b3ecc679d9fc78037f950cbd63ac220ab06b5d5cf5dcfd | .IQY file attachment; its embedded web query fetches hxxp://jiglid[.]com/exel
TROJ_POWLOAD.TIAOEIG | 70f3bda067b9c3519c909da0b0fda85fcd45f84093f416520972d5b1387c5894 | Command-line script returned by the IQY query; runs PowerShell to download the next stage from hxxp://jiglid[.]com/version
TROJ_POWLOAD.TIAOEIG | 8e7e90ca9812222ed762e6f6db677361aa0db526eca54b2a09fb1cfa41eed63f | Non-obfuscated PowerShell script; checks whether the infected machine's IP address is in Japan, then downloads the payload from hxxp://jiglid[.]com/JP
TROJ_POWLOAD.THHOIAH | 0323da8293f583e42fd14ad7e997bb3ecc0a508fef9d486314f4d1a1d5c65f58 | Obfuscated PowerShell script; same Japan IP check, then downloads the payload from hxxp://jiglid[.]com/JP
TSPY_URSNIF.TIBAIDO | 87f0e03c2bb71d7fd620f5693700fca08eefe8f42803051a9d1c4f90e0c5fd57 | Final payload: URSNIF
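The following is an added example, not code from Trend Micro or from the original paste: a small Python checker that turns the list above into something you can run against quarantined attachments. The SHA256 values and URLs are transcribed from the list; the IQY parsing assumes the standard plain-text Excel Web Query layout (line 1 "WEB", line 2 "1", line 3 the URL), and the sample .iqy bytes are constructed for illustration, not the actual attachment, so their hash will not match the list.

```python
import hashlib
import re
from typing import Optional

# SHA256 -> detection name, transcribed from the IoC list above.
IOC_SHA256 = {
    "e9202586bd09cf9457025de2db62622b8d231de0f1ecc5d64ee71909c4c9c3a2": "TROJ_MALIQY.E",
    "fe89c50f242f54c09a4a8de3f3c3fd813e6dc41af59cf21ab669b05efedfd0c8": "TROJ_DLOADR.AUSUMV",
    "c5d706f09a79bde59257fab77c5406fba89d10efdb9e4941a8b3c1677da1c878": "TROJ_DLOADR.AUSUMV",
    "5533187aeae5b20d0628496f2ee671704bc806b16f4ce8b92468e9db3343957b": "TSPY_BEBLOH.YMNPV",
    "9e6535f7cda29e64af7711347271776cbe1242f33c745c61b5320c84eda5bc7e": "TSPY_URSNIF.TIBAIDO",
    "b52bf37f47e7991f26b3ecc679d9fc78037f950cbd63ac220ab06b5d5cf5dcfd": "TROJ_MALIQY.F",
    "70f3bda067b9c3519c909da0b0fda85fcd45f84093f416520972d5b1387c5894": "TROJ_POWLOAD.TIAOEIG",
    "8e7e90ca9812222ed762e6f6db677361aa0db526eca54b2a09fb1cfa41eed63f": "TROJ_POWLOAD.TIAOEIG",
    "0323da8293f583e42fd14ad7e997bb3ecc0a508fef9d486314f4d1a1d5c65f58": "TROJ_POWLOAD.THHOIAH",
    "87f0e03c2bb71d7fd620f5693700fca08eefe8f42803051a9d1c4f90e0c5fd57": "TSPY_URSNIF.TIBAIDO",
}

# Network IoCs exactly as published (defanged with hxxp and [.]).
IOC_URLS_DEFANGED = [
    "hxxp://jiglid[.]com/sc4?",
    "hxxp://jiglid[.]com/sc4-2.dat",
    "hxxp://jiglid[.]com/ms.xlsx",
    "hxxp://jiglid[.]com/exel",
    "hxxp://jiglid[.]com/version",
    "hxxp://jiglid[.]com/JP",
]


def refang(ioc: str) -> str:
    """Undo the hxxp:// and [.] defanging so an indicator can be compared
    against a real URL."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def url_host(url: str) -> Optional[str]:
    """Lower-cased host part of a URL, or None if there is no scheme://host."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


IOC_HOSTS = {url_host(refang(u)) for u in IOC_URLS_DEFANGED}


def parse_iqy_url(text: str) -> Optional[str]:
    """Extract the target URL from an Excel Web Query (.iqy) file.

    The format is plain text: line 1 is the query type ("WEB"), line 2 is a
    version field ("1"), line 3 is the URL Excel fetches when the file is
    opened. Later Name=Value lines are optional parameters and are ignored.
    Returns None if the text is not a WEB query."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    return lines[2]


def iqy_hits_ioc(text: str) -> Optional[bool]:
    """True if the .iqy's query host is one of the published hosts, False for
    a WEB query to some other host, None if the text is not a WEB query."""
    url = parse_iqy_url(text)
    if url is None:
        return None
    return url_host(url) in IOC_HOSTS


def lookup_sha256(digest_hex: str) -> Optional[str]:
    """Detection name for a SHA256 from the list (case-insensitive), else None."""
    return IOC_SHA256.get(digest_hex.strip().lower())


def classify_file(data: bytes) -> dict:
    """Run both checks on raw attachment bytes: hash lookup plus, if the bytes
    parse as an IQY, a host match on the embedded query URL."""
    sha = hashlib.sha256(data).hexdigest()
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        text = ""
    return {
        "sha256": sha,
        "detection": lookup_sha256(sha),
        "iqy_url": parse_iqy_url(text),
        "iqy_hits_ioc": iqy_hits_ioc(text) if text else None,
    }


# Constructed sample: a minimal IQY pointing at the first-wave query URL.
# This is NOT the real attachment, so its SHA256 is not in IOC_SHA256.
SAMPLE_IQY = b"WEB\r\n1\r\nhttp://jiglid.com/sc4?\r\n"

if __name__ == "__main__":
    print(classify_file(SAMPLE_IQY))
```

Host matching on the query URL is deliberately looser than exact URL matching, because the two waves reused one domain with different paths; both hashes and hosts go stale quickly once a campaign rotates infrastructure, so treat the match as a triage signal, not the only control. The parser only handles the WEB query type, which is the one abused here, and a file that does not parse as IQY returns None rather than False so the caller can tell "not an IQY" from "IQY to a benign host".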