2018-08-29 • kino •
A malicious file themed around the AltPlanet coin used a familiar EPS vulnerability to initiate the attack. The downloaded file was encrypted with 0xAA and identified in the excerpt as Manuscrypt. The listed command-and-control infrastructure includes dgjswgl.com/include/freelist.php and lfsyjk.com/include/listview.php, along with hashes for the document or payload artifacts. The evidence is useful for hunting EPS-based delivery, XOR-protected Manuscrypt payload retrieval, and the small set of associated C2 paths.
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 83127fca1209e0a866add74d9b7d95a5 | 2018-08-29 | 2018-08-29 |
| HASH | 349b8afa3a1daf495e7178b563a7de3… | 2018-08-29 | 2018-08-29 |
| HASH | 8e0f0cc87b9d80e5928cf19fe273cde… | 2018-08-29 | 2018-08-29 |
| HASH | a3b2d8a13b8b63908c5ce9afd0becc4d | 2018-08-29 | 2018-08-29 |
| URL | https://lfsyjk.com/include/list… | 2018-08-29 | 2018-08-29 |
| URL | https://totobbs.com/data/flower… | 2018-08-29 | 2018-08-29 |
| URL | https://dgjswgl.com/include/fre… | 2018-08-29 | 2018-08-29 |
| URL | https://lnlyjd.com/include/cont… | 2018-08-29 | 2018-08-29 |
| URL | https://totobbs.com/data/flower… | 2018-08-29 | 2018-08-29 |
| DOMAIN | lnlyjd.com | 2018-08-29 | 2018-08-29 |
| DOMAIN | lfsyjk.com | 2018-08-29 | 2018-08-29 |
| DOMAIN | totobbs.com | 2018-08-29 | 2018-08-29 |
| DOMAIN | dgjswgl.com | 2018-08-29 | 2018-08-29 |