# Hijack Execution Flow IOC

## DLL Search Order Hijacking

The main IOCs in this section are the hash values of the hijacked DLL itself.

### BOOSTWRITE (Loader)

[Report](https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html)

Signed sample:

- MD5: a67d6e87283c34459b4660f19747a306
- SHA-1: a873f3417d54220e978d0ca9ceb63cf13ec71f84
- SHA-256: 18cc54e2fbdad5a317b6aeb2e7db3973cc5ffb01bbf810869d79e9cb3bf02bd5
- C2: 109.230.199[.]227
- Compilation Time: 2019-05-20 09:50:55 UTC
- Signer: mango ENTERPRISE LIMITED, valid between 2019-05-22 00:00 UTC and 2020-05-21 23:59 UTC

Unsigned sample:

- MD5: af2f4142463f42548b8650a3adf5ceb2
- SHA-1: 09f3c9ae382fbd29fb47ecdfeb3bb149d7e961a1
- SHA-256: 8773aeb53d9034dc8de339651e61d8d6ae0a895c4c89b670d501db8dc60cd2d0
- C2: 109.230.199[.]227

### Crutch

[Report](https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/)

- SHA-1: A010D5449D29A1916827FDB443E3C84C405CB2A5
- Dropped at `C:\Intel\~intel_upd.exe`
- PDB paths: `C:\Users\user\Documents\Visual Studio 2012\Projects\MemoryStarter\Release\Extractor.pdb` and `C:\Users\user\Documents\Visual Studio 2012\Projects\MemoryStarter\x64\Release\Extractor.pdb`
- Payload is decoded with the RC4 key `E8 8E 77 7E C7 80 8E E7 CE CE CE C6 C6 CE C6 68`

### Downdelph

[Report](https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf)

Filenames:

- shcore.dll
- dnscli1.dll
- apisvcd.dll

### TerraTV

[Report](https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/)

[IOC GitHub page](https://github.com/eset/malware-ioc/tree/master/evilnum#terratv)

DLLs (SHA-1):

- 15159.ocx: E0957B2421A6EF3237A33A37DA8B52A9F29863D6
- ACTIVEDS.dll: 1F287AA922911F72F68B4B0C8645B4C909EB07B9

Path:

- `C:\Users\Public\Public Documents\57494E2D3850535046373333503532\`

### BlackOasis

[Report](https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/)

DLL:

- `C:\ProgramData\ManagerApp\d3d9.dll`

### InvisiMole

[Report](https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/)

[IOC link](https://github.com/eset/malware-ioc/tree/master/invisimole)

## DLL-Sideloading

### APT19

[Report](https://unit42.paloaltonetworks.com/new-attacks-linked-to-c0d0s0-group/)

Sample 1:

- MD5: CD8C2BB644496D46BF1E91AD8A8F882B
- SHA-1: CC6EBEEA48A12B396C5FA797E595A0C3B96942DE
- SHA-256: 3EA6B2B51050FE7C07E2CF9FA232DE6A602AA5EFF66A2E997B25785F7CF50DAA
- Size: 137728 bytes
- File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Compile Time: 2015-11-18 15:03:50
- C2: www.supermanbox[.]org:22

Sample 2:

- MD5: 26E863F917DA0B3F7A48304EB6D1B1D3
- SHA-1: F7984427093BA1FC08412F8594944CEFE2D86CBF
- SHA-256: 3577845D71AE995762D4A8F43B21ADA49D809F95C127B770AFF00AE0B64264A3
- Size: 138752 bytes
- File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Compile Time: 2015-11-19 16:57:29
- C2: www.jbossas[.]org:22

Sample 3:

- MD5: B06A3A9744E9D4C059422E7AD729EF90
- SHA-1: 9BA2249F0A8108503820E2D9C8CBFF941089CB2D
- SHA-256: EA67D76E9D2E9CE3A8E5F80FF9BE8F17B2CD5B1212153FDF36833497D9C060C0
- Size: 136704 bytes
- File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Compile Time: 2015-11-16 16:21:22
- C2: supermanbox[.]org:22

Sample 4:

- MD5: 1CB673679F37B6A3F482BB59B52423AB
- SHA-1: B630B7A8FE065E1A6F51EE74869B3938DC411126
- SHA-256: B690394540CAB9B7F8CC6C98FD95B4522B84D1A5203B19C4974B58829889DA4C
- Size: 126976 bytes
- File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Compile Time: 2015-07-15 09:38:15
- C2: www.microsoft-cache[.]com

Sample 5:

- MD5: 39A95C4CBF28EAA534C8F4FC311FE558
- SHA-1: F6AEE373F2517F2FB686284C27A84A20999A15A5
- SHA-256: CCF87057A4AB02E53BFF5828D779A6E704B040AEF863F66E8F571638D7D50CD2
- Size: 1973747 bytes
- File Type: PE32 executable (GUI) Intel 80386, for MS Windows
- Compile Time: 2013-06-21 06:26:37
- C2: www.microsoft-cache[.]com

Sample 6:

- MD5: 8AFECC8E61FE3805FDD41D4591710976
- SHA-1: 615B022A56E2473B92C22EFA9198A2210F21BDC3
- SHA-256: DE33DFCE8143F9F929ABDA910632F7536FFA809603EC027A4193D5E57880B292
- Size: 126980 bytes
- File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Compile Time: 2015-07-15 09:38:15
- C2: www.microsoft-cache[.]com

Sample 7:

- MD5: 2161C859B21C1B4B430774DF0837DA9D
- SHA-1: 380FB5278907FAF3FCA61910F7ED9394B2337EDA
- SHA-256: DE984EDA2DC962FDE75093D876EC3FE525119DE841A96D90DC032BFB993DBDAC
- Size: 117248 bytes
- File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Compile Time: 2015-07-08 13:18:55
- C2: www.microsoft-cache[.]com