Tag: Afraidgate

Afraidgate at 178.62.242.179 Leads to RIG-v EK at 92.53.120.233, Godzilla Loader Grabs Locky (.osiris)

IOCs:
138.128.171.35 – northcoastmed.com – Compromised website
178.62.242.179 – dropname.syncroweb.com – Afraidgate subdomain
92.53.120.233 – red.telco.news – RIG-v EK
200.7.102.105 – lingvitopr.com – Godzilla loader GET for Locky
188.127.239.53 – Locky post-infection traffic – POST /checkupdate

Traffic:

Hashes:
SHA256: 443b3bb140553acc8c861ddc2a0275936a5a26489030b424703775d2f3242ae8 – File name: northcoastmed.com.html
SHA256: cebd2b86b7830c3b11414581de5068d6d152873731a4a1f3fa7270d21a7a3fb2 – File name: dropname.syncroweb.com Afraidgate.js
SHA256: eb8fb3f87093c0a9e24047cee0f472373d3d78212ced708d235825b31a70df4b – File name: RIG-v Pre-Landing ...

Afraidgate Leads to Neutrino EK at 5.2.73.124 and Drops Locky Ransomware

IOCs:
50.97.68.34 – eddieoneverything.com – Compromised Site
138.68.18.73 – null.delayofgame.com – Afraidgate JS
5.2.73.124 – aqxsgncqro.anyoneshall.top – Neutrino EK

HTTP requests:
URL: hxxp://95.85.19.195/data/info.php TYPE: POST
URL: hxxp://188.127.249.32/data/info.php TYPE: POST
URL: hxxp://dutluhnnx.info/data/info.php TYPE: POST
URL: hxxp://kqudpyjbcd.biz/data/info.php TYPE: POST

DNS requests:
dutluhnnx.info (69.195.129.70)
afgmbssj.org
vlrdkvkt.pw
jybqbxjcwowph.xyz
ggfwsvmnsunvb.work
kqudpyjbcd.biz (58.158.177.102)

TCP connections:
95.85.19.195:80
188.127.249.32:80
69.195.129.70:80
58.158.177.102:80

Hashes:
SHA256: ...

Afraidgate Leads to Neutrino EK at 5.2.73.124 and Drops Locky Ransomware

IOCs:
195.58.170.31 – skopikundlohn[.]at – Compromised Site
138.68.18.73 – crew.nbbgradstudents.com – Afraidgate JS
5.2.73.124 – kqccnxro.thatset.top – Neutrino EK
188.127.249.32 – POST /data/info.php – callback traffic
95.85.19.195 – POST /data/info.php – callback traffic

Hashes:
SHA256: 2cf21f333d42cd888e7f6020163a7af668ebafbe705475163bced6a49f1a0550 – File name: crew.nbbgradstudents.com.js
SHA256: 26feb600f68f086bad98105c114c6d8703a2feda1a58d8adb7cf21a4fd22c1b9 – File name: Neutrino EK Landing Page.htm
SHA256: 2ed2853579cfaceb90d064de061aedfee2f958d4125724a86cf5707029d5332b – File name: Neutrino EK SWF Exploit.swf ...

Afraidgate Leads to Neutrino EK at 176.31.223.167 Which Drops Locky Ransomware

IOCs:
red.kamyuenenterprise.hk – JS Redirect – 138.197.128.173
vsjgvbaz.anythingwork.top – Neutrino EK – 176.31.223.167
194.67.210.183 – POST /php/upload.php – Locky post-infection callback traffic

Hashes:
JS file: 049add46d0a527b50a605573c98330ceabaf533559f06e6fc4795cf6ca326bc1
Neutrino EK landing page: 2bf38bb619b4c89f39356b5e1dac87ffd013e1aefb95617b3d015a5f74856757
Neutrino EK Flash exploit: fbf67ebbf326ec0b6379d5461b3893eb864fc6c346f71c93a467e90e8aea3354
Neutrino EK Locky payload: 542209ebd40928a0b4e016fcdd0813f3444dbf139ae3adfc194843abeacdf1fd

Visiting the compromised site and looking at the source code I found a script within the HTML tags ...