Tag: SAGE

Finding a Good Man: Part 2

Read Finding a Good Man (Part 1): https://malwarebreakdown.com/2017/03/10/finding-a-good-man/
Read the last update on Good Man: https://malwarebreakdown.com/2017/04/26/update-on-goodman/

It has been over 5 months since I found and started tracking the actor(s) behind what I dubbed the “Good Man” campaign. I called it the Good Man campaign because the registrant email used for many of the malicious domains was goodmandilaltain@gmail.com. ...

SAGE 2.2 Ransomware from Good Man Gate

IOCs:

86.106.93.230 – datsonsdaughter.com – Good Man gate
109.234.37.212 – see.letsown.com – RIG EK
34.207.223.86 – mbfce24rgn65bx3g.2kzm0f.com – POST requests to C2
34.207.223.86 – 7gie6ffnkrjykggd.2kzm0f.com – SAGE Decryption site
34.207.223.86 – 7gie6ffnkrjykggd.6t4u2p.net – SAGE Decryption site
34.207.223.86 – 7gie6ffnkrjykggd.jpo2z1.net – SAGE Decryption site
Tor Browser – 7gie6ffnkrjykggd.onion/login/[personal key]

Traffic:

Hashes:

SHA256: d5ee007a06cc4b8c0100ed4950a4350c0e8e4ad17fe5417de2c2231f48a6021f
File name: RIG EK Flash Exploit.swf
SHA256: ...
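The IOC list above has one detail worth building into a detection rather than pasting as a flat blocklist: the three SAGE decryption sites share the leftmost label 7gie6ffnkrjykggd (the same name as the Tor hidden service) across three throwaway registered domains, and all of them plus the C2 host resolve to 34.207.223.86. The script below is an added example, not code from the original post: it loads the IP/host/role tuples exactly as listed above, matches proxy log lines on exact host, then on that constant label, then on the server IP, and tags each hit with the stage of the chain it belongs to. The log line format (timestamp, client IP, server IP, method, URL) and every log line are constructed for this example; the host 7gie6ffnkrjykggd.example.net is an assumed, not observed, domain used only to show the label match.

```python
"""Match proxy log lines against the SAGE 2.2 / Good Man IOCs listed above.

Added example, not code from the original post. The IOC tuples are copied
from the list above; the log lines are constructed, and the log format
(timestamp, client IP, server IP, method, URL) is an assumption.
"""
import re
from dataclasses import dataclass

# (ip, host, role) exactly as listed in the IOC section above.
IOCS = [
    ("86.106.93.230", "datsonsdaughter.com", "Good Man gate"),
    ("109.234.37.212", "see.letsown.com", "RIG EK"),
    ("34.207.223.86", "mbfce24rgn65bx3g.2kzm0f.com", "POST requests to C2"),
    ("34.207.223.86", "7gie6ffnkrjykggd.2kzm0f.com", "SAGE Decryption site"),
    ("34.207.223.86", "7gie6ffnkrjykggd.6t4u2p.net", "SAGE Decryption site"),
    ("34.207.223.86", "7gie6ffnkrjykggd.jpo2z1.net", "SAGE Decryption site"),
]

# The decryption sites share one leftmost label (the onion service name)
# across throwaway registered domains, so also match on the label alone.
ONION_LABEL = "7gie6ffnkrjykggd"

HOST_TO_ROLE = {host: role for _, host, role in IOCS}
IP_TO_ROLES = {}
for ip, _, role in IOCS:
    IP_TO_ROLES.setdefault(ip, set()).add(role)


@dataclass
class Hit:
    line_no: int
    indicator: str
    role: str
    how: str  # "host", "label" or "ip"


# Assumed log format: "<ts> <client_ip> <server_ip> <METHOD> [scheme://]<host><path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<server>\S+) (?P<method>[A-Z]+) "
    r"(?:https?://)?(?P<host>[^/\s]+)(?P<path>\S*)$"
)


def classify(host, server_ip):
    """Return (indicator, role, how) or None, most specific match first."""
    host = host.lower().rstrip(".")
    if host in HOST_TO_ROLE:
        return host, HOST_TO_ROLE[host], "host"
    if host.split(".")[0] == ONION_LABEL:
        # Catches the .onion name and any new domain reusing the label.
        return host, "SAGE Decryption site", "label"
    if server_ip in IP_TO_ROLES:
        # 34.207.223.86 serves several roles; report all of them.
        return server_ip, "/".join(sorted(IP_TO_ROLES[server_ip])), "ip"
    return None


def scan(lines):
    """Return a Hit for every log line that touches a known indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash
        found = classify(m["host"], m["server"])
        if found:
            hits.append(Hit(n, *found))
    return hits


# Constructed log lines (not real traffic from the post). Lines 1-3 follow
# the gate -> RIG EK -> C2 POST chain; line 4 uses an assumed domain that
# reuses the onion label; line 5 only shares the IP; line 6 is clean;
# line 7 is malformed.
SAMPLE_LOG = [
    "2017-08-01T10:00:01Z 10.0.0.5 86.106.93.230 GET datsonsdaughter.com/",
    "2017-08-01T10:00:02Z 10.0.0.5 109.234.37.212 GET see.letsown.com/",
    "2017-08-01T10:00:09Z 10.0.0.5 34.207.223.86 POST mbfce24rgn65bx3g.2kzm0f.com/",
    "2017-08-01T10:00:15Z 10.0.0.5 34.207.223.86 GET 7gie6ffnkrjykggd.example.net/login/",
    "2017-08-01T10:00:20Z 10.0.0.5 34.207.223.86 GET www.example.com/",
    "2017-08-01T10:00:25Z 10.0.0.5 93.184.216.34 GET www.example.com/",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.indicator} -> {h.role} (matched by {h.how})")
```

Matching on the label and the shared IP is what turns the flat list into something that survives the actor rotating to a fourth throwaway domain; an IP-only hit on 34.207.223.86 is reported with all roles seen on that address, so the analyst, not the script, decides whether unrelated traffic to that host is worth a look.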