Bank_Security

IQY and PowerShell Abused by Spam Campaign to Infect Japan

Aug 22nd, 2018
IQY and PowerShell Abused by Spam Campaign to Infect Users in Japan with BEBLOH and URSNIF Banking Trojan

Indicators of Compromise (IoCs)

First wave (August 6):

| Detection Name | SHA256 | Description |
|---|---|---|
| TROJ_MALIQY.E | e9202586bd09cf9457025de2db62622b8d231de0f1ecc5d64ee71909c4c9c3a2 | .IQY file attachment that queries the targeted URL hxxp://jiglid[.]com/sc4? |
| TROJ_DLOADR.AUSUMV | fe89c50f242f54c09a4a8de3f3c3fd813e6dc41af59cf21ab669b05efedfd0c8 | Queried command-line script that executes PowerShell to download another file from hxxp://jiglid[.]com/sc4-2.dat |
| TROJ_DLOADR.AUSUMV | c5d706f09a79bde59257fab77c5406fba89d10efdb9e4941a8b3c1677da1c878 | PowerShell script that checks whether the infected machine's IP address is in Japan, then downloads the payload from hxxp://jiglid[.]com/ms.xlsx |
| TSPY_BEBLOH.YMNPV | 5533187aeae5b20d0628496f2ee671704bc806b16f4ce8b92468e9db3343957b | Final payload: BEBLOH |
| TSPY_URSNIF.TIBAIDO | 9e6535f7cda29e64af7711347271776cbe1242f33c745c61b5320c84eda5bc7e | Final payload: URSNIF |

Second wave (August 8):

| Detection Name | SHA256 | Description |
|---|---|---|
| TROJ_MALIQY.F | b52bf37f47e7991f26b3ecc679d9fc78037f950cbd63ac220ab06b5d5cf5dcfd | .IQY file attachment that queries the targeted URL hxxp://jiglid[.]com/exel |
| TROJ_POWLOAD.TIAOEIG | 70f3bda067b9c3519c909da0b0fda85fcd45f84093f416520972d5b1387c5894 | Queried command-line script that executes PowerShell to download another file from hxxp://jiglid[.]com/version |
| TROJ_POWLOAD.TIAOEIG | 8e7e90ca9812222ed762e6f6db677361aa0db526eca54b2a09fb1cfa41eed63f | Non-obfuscated PowerShell script that checks whether the infected machine's IP address is in Japan, then downloads the payload from hxxp://jiglid[.]com/JP |
| TROJ_POWLOAD.THHOIAH | 0323da8293f583e42fd14ad7e997bb3ecc0a508fef9d486314f4d1a1d5c65f58 | Obfuscated PowerShell script that checks whether the infected machine's IP address is in Japan, then downloads the payload from hxxp://jiglid[.]com/JP |
| TSPY_URSNIF.TIBAIDO | 87f0e03c2bb71d7fd620f5693700fca08eefe8f42803051a9d1c4f90e0c5fd57 | Final payload: URSNIF |