HWP & EPS & Manuscrypt

2018-10-24 kino

http://sfkino.tistory.com/m/71


The excerpt describes a malicious HWP/EPS document saved in October 2018 that used shellcode encoded with a 16-byte XOR key to download additional payloads. The delivery chain retrieved follow-on malicious code from WordPress plugin-themed paths on flydashi[.]com, including akism1[.]pgi and akism2[.]pgi. Additional callback or staging infrastructure is listed on theinspectionconsultant[.]com, danagloverinteriors[.]com, and as-brant[.]ru under plugin- or theme-like PHP paths. The available evidence is sparse, but the hashes, payload filenames, and download URLs it provides can support detection and retrospective hunting for Manuscrypt-related activity, if the source context supports that association.

Indicators of Compromise

Type Value First Seen Last Seen
HASH 0316f6067bc02c23c1975d83c659da21 2018-10-24 2019-11-18
HASH 1ff597e8bd590896c17d856188d1f09… 2018-10-24 2018-11-01
HASH b2dd7f9bb24428b0e2ed30b9373fe03… 2018-10-24 2018-11-01
HASH 60b56eff7fbc2413d1b755e8b3f2f4e… 2018-10-24 2018-11-01
URL https://as-brant.ru/wp-content/… 2018-10-24 2018-11-01
URL http://danagloverinteriors.com/… 2018-10-24 2018-11-01
URL https://theinspectionconsultant… 2018-10-24 2018-11-01
DOMAIN flydashi.com 2018-10-24 2018-11-01
DOMAIN as-brant.ru 2018-10-24 2018-11-01
DOMAIN theinspectionconsultant.com 2018-10-24 2018-11-01
DOMAIN danagloverinteriors.com 2018-10-24 2018-11-01
HASH e0410c8a915205d5117c6c5171a5f40f 2018-10-24 2018-10-24
HASH f0a87e8475c158f7144ba186b3795ed… 2018-10-24 2018-10-24
HASH ecc8c05dfabdc28e3a6c89e55bd08158 2018-10-24 2018-10-24
HASH 9a301f2a0259bdedb85e2ea4c071534… 2018-10-24 2018-10-24
HASH cd5c8af95851ace218adb1aac09cf16… 2018-10-24 2018-10-24
HASH 059ae0b142af7b91d0c05bf7cd7f3a46 2018-10-24 2018-10-24
URL https://flydashi.com/wp-content… 2018-10-24 2018-10-24
URL https://flydashi.com/wp-content… 2018-10-24 2018-10-24
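The table above is the part of this page a defender can act on, but several values are shown truncated with "…", which breaks a naive exact-match lookup. The following Python script is an added example, not code from the original post: it parses rows copied from the table, treats truncated hashes and URLs as prefixes, matches domains on the host (including subdomains) rather than on substrings so that look-alike hosts such as flydashi.com.example.net do not fire, and runs the result over a handful of constructed proxy, DNS and file-event log lines. The log lines, the md5 value ending in "a" that completes a truncated hash, and the field names host=, dst_host=, query= and md5= are all constructed for the demo and are not from the page.

```python
"""Hunt for the indicators listed on this page in plain-text log lines.

Added example, not part of the original post. Indicator values are copied
from the page's table; values the page shows truncated ("...") are kept
truncated and matched as prefixes. All log lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Rows copied from the IoC table (type, value). One truncated flydashi URL
# appears twice on the page; parse_iocs() de-duplicates it.
IOC_TABLE = """\
HASH 0316f6067bc02c23c1975d83c659da21
HASH 1ff597e8bd590896c17d856188d1f09…
HASH e0410c8a915205d5117c6c5171a5f40f
URL https://as-brant.ru/wp-content/…
URL https://flydashi.com/wp-content…
URL https://flydashi.com/wp-content…
DOMAIN flydashi.com
DOMAIN as-brant.ru
DOMAIN theinspectionconsultant.com
DOMAIN danagloverinteriors.com
"""

# Constructed sample log lines (proxy, DNS, EDR file events); not real data.
LOG_LINES = [
    "2018-10-25T09:12:01Z src=10.0.0.5 GET https://flydashi.com/wp-content/plugins/akism1.pgi 200",
    "2018-10-25T09:12:03Z src=10.0.0.5 GET https://www.example.org/index.html 200",
    "2018-10-25T09:13:10Z query=cdn.as-brant.ru type=A answer=203.0.113.7",
    "2018-10-25T09:15:44Z src=10.0.0.5 file_write path=C:\\Temp\\x.tmp md5=0316f6067bc02c23c1975d83c659da21",
    "2018-10-25T09:16:00Z src=10.0.0.9 GET http://flydashi.com.example.net/login 200",
    # constructed full hash whose first 31 hex digits equal a truncated row
    "2018-10-25T09:17:21Z src=10.0.0.7 file_write path=C:\\Temp\\y.tmp md5=1ff597e8bd590896c17d856188d1f09a",
]


@dataclass(frozen=True)
class Indicator:
    kind: str        # HASH, URL or DOMAIN
    value: str       # lower-cased indicator, ellipsis removed
    is_prefix: bool  # True when the page only shows a truncated value


def parse_iocs(text: str) -> List[Indicator]:
    """Parse 'TYPE VALUE ...' rows; trailing '…' or '...' marks a prefix match."""
    iocs: List[Indicator] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        kind, value = parts[0].upper(), parts[1].lower()
        is_prefix = False
        for ellipsis in ("…", "..."):
            if value.endswith(ellipsis):
                value, is_prefix = value[: -len(ellipsis)], True
                break
        ioc = Indicator(kind, value, is_prefix)
        if ioc not in iocs:
            iocs.append(ioc)
    return iocs


URL_RE = re.compile(r"https?://[^\s\"'<>]+")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
HOST_FIELD_RE = re.compile(r"\b(?:host|dst_host|query)=([a-z0-9.-]+)")


def _host_matches(host: str, domain: str) -> bool:
    """Exact host or subdomain match; never a bare substring match."""
    return host == domain or host.endswith("." + domain)


def match_line(line: str, iocs: List[Indicator]) -> List[Indicator]:
    """Return the indicators that fire on one log line."""
    text = line.lower()
    urls = [m.group(0) for m in URL_RE.finditer(text)]
    hosts = {urlparse(u).hostname for u in urls} | set(HOST_FIELD_RE.findall(text))
    hosts.discard(None)
    hashes = set(MD5_RE.findall(text))
    hits = []
    for ioc in iocs:
        if ioc.kind == "DOMAIN":
            matched = any(_host_matches(h, ioc.value) for h in hosts)
        elif ioc.kind == "URL":
            matched = any(u.startswith(ioc.value) if ioc.is_prefix else u == ioc.value for u in urls)
        elif ioc.kind == "HASH":
            matched = any(h.startswith(ioc.value) if ioc.is_prefix else h == ioc.value for h in hashes)
        else:
            matched = False
        if matched:
            hits.append(ioc)
    return hits


def scan(lines: List[str], iocs: List[Indicator]):
    """Return [(line_index, ['KIND:value', ...]), ...] for lines with hits."""
    results = []
    for i, line in enumerate(lines):
        hits = match_line(line, iocs)
        if hits:
            results.append((i, [f"{h.kind}:{h.value}" for h in hits]))
    return results


if __name__ == "__main__":
    for idx, hits in scan(LOG_LINES, parse_iocs(IOC_TABLE)):
        print(idx, hits, "<-", LOG_LINES[idx])
```

A prefix match on a 31-digit hash is for practical purposes unambiguous, but a URL prefix that ends at "wp-content" also matches "wp-content-backup", so review URL hits against the full original indicator before acting on them.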
