General

  • Target

https://www.bing.com/ck/a?!&&p=a86c41c65ff6185fJmltdHM9MTcxOTM2MDAwMCZpZ3VpZD0zMGVkZTk3Yi1hMGIyLTYwYmYtMjEzNy1mZGQxYTFkMDYxNDAmaW5zaWQ9NTE4OQ&ptn=3&ver=2&hsh=3&fclid=30ede97b-a0b2-60bf-2137-fdd1a1d06140&psq=twitch+free+viewers+bot+donwnload&u=a1aHR0cHM6Ly93d3cudGVjaHBvdXQuY29tL2Jlc3QtdHdpdGNoLXZpZXdlci1ib3Qv&ntb=1

    (Bing click-tracking redirect: the u= parameter, after its a1 prefix, is base64 for https://www.techpout.com/best-twitch-viewer-bot/, reached from the search query "twitch free viewers bot donwnload".)

  • Sample

    240626-2qptfs1dpk

Malware Config

Extracted

Family

socks5systemz

C2

discord.com

uidsync.net

bttrack.com

boqxdbi.com

http://boqxdbi.com/search/?q=67e28dd86c08f72b460daf4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ee8889b5e4fa9281ae978a271ea771795af8e05c443db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ff615c4eb969c33

http://boqxdbi.com/search/?q=67e28dd86c08f72b460daf4c7c27d78406abdd88be4b12eab517aa5c96bd86ee908749845a8bbc896c58e713bc90c91b36b5281fc235a925ed3e01d6bd974a95129070b410e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee9c9e3fc96c901e

kengano.net

twitter.com

eexsync.com

Targets

    • Target

      https://www.bing.com/ck/a?!&&p=a86c41c65ff6185fJmltdHM9MTcxOTM2MDAwMCZpZ3VpZD0zMGVkZTk3Yi1hMGIyLTYwYmYtMjEzNy1mZGQxYTFkMDYxNDAmaW5zaWQ9NTE4OQ&ptn=3&ver=2&hsh=3&fclid=30ede97b-a0b2-60bf-2137-fdd1a1d06140&psq=twitch+free+viewers+bot+donwnload&u=a1aHR0cHM6Ly93d3cudGVjaHBvdXQuY29tL2Jlc3QtdHdpdGNoLXZpZXdlci1ib3Qv&ntb=1

    • Socks5Systemz

Socks5Systemz is a proxy botnet written in C++; infected hosts are turned into SOCKS5 proxy nodes that the operators sell access to.

    • Blocklisted process makes network request

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

Runs PowerShell with its console window hidden (typically via -WindowStyle Hidden).

• Contacts a large (647) number of remote hosts

      This may indicate a network scan to discover remotely running services. For a proxy botnet it can also be relayed client traffic rather than a scan, so the destinations and ports should be checked before concluding either.

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain countries).

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Unexpected DNS network traffic destination

Traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Probable phishing domain
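The three network signatures in the list above ("Contacts a large (647) number of remote hosts", "Unexpected DNS network traffic destination" and "Creates a large amount of network flows") reduce to simple aggregation over flow records. The following is an added example, not part of this report or of any sandbox's rule set, that implements both checks over a constructed flow list; the resolver address, the 10.0.2.15 analysis VM and the fan-out threshold are assumptions, and the threshold should be tuned against clean runs before use.

```python
"""Flow triage for two report signatures: DNS sent to a non-configured resolver,
and one host talking to an unusually large number of distinct remote addresses.
Added example; the flow records below are constructed, not from the sandbox run."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: one analysis VM (10.0.2.15) whose only configured resolver is
# 10.0.2.3. Two DNS queries go elsewhere, and twenty TLS connections fan out across
# a TEST-NET-2 range. Format per line: "<src> <dst> <dport> <proto>".
SAMPLE_FLOWS = """
# src dst dport proto
10.0.2.15 10.0.2.3 53 udp
10.0.2.15 8.8.8.8 53 udp
10.0.2.15 1.1.1.1 53 tcp
10.0.2.15 203.0.113.7 443 tcp
""" + "\n".join(f"10.0.2.15 198.51.100.{i} 443 tcp" for i in range(1, 21))

CONFIGURED_RESOLVERS = {"10.0.2.3"}   # assumption: what the analysis VM got from DHCP
FANOUT_THRESHOLD = 10                 # assumption: tune against a baseline of clean runs


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(lines):
    """Parse whitespace-separated flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        ip_address(src), ip_address(dst)        # reject malformed addresses early
        flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows


def unexpected_dns_destinations(flows, resolvers):
    """Destinations that received port-53 traffic but are not configured resolvers."""
    return sorted({f.dst for f in flows if f.dport == 53 and f.dst not in resolvers})


def remote_host_fanout(flows, threshold):
    """Map each source to its count of distinct destinations, keeping only sources at
    or above the threshold; a high count is the 'large number of remote hosts' signal."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in seen.items() if len(dsts) >= threshold}


def triage(text, resolvers=CONFIGURED_RESOLVERS, threshold=FANOUT_THRESHOLD):
    """Run both checks over flow text and return the findings as a dict."""
    flows = parse_flows(text.splitlines())
    return {
        "unexpected_dns": unexpected_dns_destinations(flows, resolvers),
        "fanout": remote_host_fanout(flows, threshold),
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_FLOWS).items():
        print(f"{name}: {result}")
```

On the constructed data the DNS check returns the two non-resolver destinations and the fan-out check reports 24 distinct hosts for the VM. Against the real run the fan-out number would be the 647 hosts the report counts; whether that is a scan or relayed proxy traffic is decided by looking at the destination ports and the response sizes, not by the count alone.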
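Four of the signatures above are registry persistence locations: "Boot or Logon Autostart Execution: Active Setup", "Event Triggered Execution: Image File Execution Options Injection", "Event Triggered Execution: Component Object Model Hijacking" and "Adds Run key to start application". The following is an added example, not code from this report or from any sandbox, that audits a registry export in .reg text form for those four locations. The export is constructed, every GUID in it is made up, and the list of trusted path prefixes is an assumption used only to rank findings.

```python
"""Audit a Windows registry export (.reg text) for the persistence locations named in the
report: Active Setup StubPath, Image File Execution Options Debugger, Run/RunOnce values
and per-user COM server registrations. Added example; the export below is constructed and
every GUID in it is made up."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CCCC3333-0000-4000-8000-000000000003}]
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:/UserInstall C:\\Windows\\System32\\themeui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAAA1111-0000-4000-8000-000000000001}]
"StubPath"="C:\\Users\\Public\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\user\\AppData\\Roaming\\upd.exe"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{BBBB2222-0000-4000-8000-000000000002}\InprocServer32]
@="C:\\Users\\user\\AppData\\Local\\Temp\\x.dll"
"ThreadingModel"="Apartment"
'''

# Assumption: binaries under these trees are ranked lower, not cleared. LOLBins such as
# regsvr32 and rundll32 live here and are abused routinely.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_reg(text):
    """Return {key_path: {value_name: string}} for REG_SZ values in a .reg export.
    Other value types (dword:, hex:) are ignored; '@' is the key's default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (line.startswith('"') or line.startswith("@=")):
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                # .reg escapes backslashes and quotes with a backslash
                keys[current][name] = re.sub(r"\\(.)", r"\1", value[1:-1])
    return keys


def _untrusted(command):
    """True when the launched path sits outside the OS and Program Files trees."""
    return not command.strip('"').lower().startswith(TRUSTED_PREFIXES)


def audit(keys):
    """Return (technique, key, value_name, data) tuples for suspicious persistence entries."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if "\\active setup\\installed components\\" in k and "StubPath" in values:
            if _untrusted(values["StubPath"]):
                findings.append(("T1547.014", key, "StubPath", values["StubPath"]))
        elif "\\image file execution options\\" in k and "Debugger" in values:
            # any Debugger value redirects every launch of that executable; legitimate
            # debugger registrations exist, so review rather than auto-block
            findings.append(("T1546.012", key, "Debugger", values["Debugger"]))
        elif k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            for name, cmd in values.items():
                if _untrusted(cmd):
                    findings.append(("T1547.001", key, name, cmd))
        elif k.startswith("hkey_current_user\\") and "\\clsid\\" in k and k.endswith("\\inprocserver32"):
            # a per-user InprocServer32 takes precedence over the HKLM one for that CLSID
            if "(Default)" in values:
                findings.append(("T1546.015", key, "(Default)", values["(Default)"]))
    return findings


def audit_reg_text(text):
    return audit(parse_reg(text))


if __name__ == "__main__":
    for technique, key, name, data in audit_reg_text(SAMPLE_REG):
        print(f"{technique}  {key}  {name} = {data}")
```

On the constructed export this reports the Active Setup stub in C:\Users\Public, the sethc.exe Debugger, the Updater Run value and the per-user InprocServer32, and skips the Windows-tree StubPath and the Program Files Run entry. Real .reg exports are UTF-16 with CRLF line endings, so read them with the matching encoding before passing the text in; for an offline hive from a disk image, feed the same audit() function from a hive parser instead of a .reg export.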

MITRE ATT&CK Enterprise v15

Tasks