The document summarizes indicators of a fake updates campaign involving a malicious JavaScript file downloaded from a compromised website that dropped and executed the Chthonic banking trojan. It provides file hashes, analysis links, network traffic, and other technical details observed related to the infection chain and command and control infrastructure.
- File size: 18,992 bytes
- File name: Chrome.Update.9684ff.js (different hex characters before .js each download)
- Any.Run analysis: https://app.any.run/tasks/6fc29add-83dc-4f5e-ae1a-8cce674124f8
- CAPE sandbox: https://cape.contextis.com/analysis/61711/
- Reverse.it: https://www.reverse.it/sample/9b446e8bbf065897ac511fa36c0e028f3cf3aef17cc507843193efecba12a30a
- NOTE: This was a different name/file hash each time it was downloaded from the fake update page
FOLLOW-UP EXE RETRIEVED AFTER RUNNING THE .JS FILE (CHTHONIC):
11AC.tmp: MS Windows registry file, NT/2000 or above
143B.tmp: MS Windows registry file, NT/2000 or above
35324533.tmp: PE32 executable (DLL) (console) Intel 80386, for MS Windows
64594E6E.tmp: PE32 executable (DLL) (console) Intel 80386, for MS Windows
a4c0b2b7c36fc6231.png: PNG image data, 1366 x 768, 8-bit/color RGBA, non-interlaced
nircmdc.exe: PE32+ executable (console) x86-64, for MS Windows
- 146.83.204.167 port 80 - www.med.ufro.cl - Compromised site
- 81.4.122.101 port 443 - click.clickanalytics208.com - Redirect to fake updates page
- 93.95.100.178 port 443 - snap.cr-acad.com - fake Google update page (index page)
- 93.95.100.178 port 80 - snap.cr-acad.com - other URLs for fake Google update page
TRAFFIC GENERATED BY DOWNLOADED .JS FILE:
- 188.165.62.40 port 80 - 3c22c4fa.static.spillpalletonline.com - POST /pixel.gif
- 188.165.62.40 port 80 - 3c22c4fa.static.spillpalletonline.com - POST /pixel.gif?ss&ss1img
TRAFFIC GENERATED BY CHTHONIC BANKING TROJAN:
- 5.135.183.146 TCP port 53 - DNS query for afroamericanec.bit
- 31.3.135.232 TCP port 53 - DNS query for afroamericanec.bit
- 51.254.25.115 TCP port 53 - DNS query for afroamericanec.bit
- 58.251.121.110 TCP port 53 - DNS query for afroamericanec.bit
- 59.36.120.151 TCP port 53 - DNS query for afroamericanec.bit
- 180.163.8.114 TCP port 53 - DNS query for afroamericanec.bit
- 188.165.200.156 TCP port 53 - DNS query for afroamericanec.bit
- 8.208.22.216 port 80 - afroamericanec.bit - POST /en/
- 8.208.22.216 port 80 - afroamericanec.bit - POST /en/www/