2022-06-08 (WEDNESDAY) - MONSTER LIBRA (TA551) SVCREADY INFECTION

NOTICE:

NOTES:

ASSOCIATED FILES:


INDICATORS

MALWARE:

SHA256 hash: d74c9ebf3a09df2fccd47265ddab693862b09a4d1cfea336675baff32bc83c93

SHA256 hash: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA256 hash: d1fd5c38787affe3b1a09039baff4f4be3a8a7045927fd32536db3310a886b0c

INFECTION TRAFFIC DOMAINS/IP ADDRESSES:

INFECTION TRAFFIC URLS:


IMAGES


Shown above:  Chain of events for this SVCready infection.



Shown above:  Word document with macros for SVCready.



Shown above:  TCP stream of SVCready DLL retrieved in network traffic.



Shown above:  SVCready DLL saved to the local host and run by a copy of rundll32.exe placed in the same directory.
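Added example, not part of the original write-up: a small Python hunt for the execution pattern in the caption above, rundll32.exe running from a directory other than System32/SysWOW64 and loading a DLL that sits next to it. It runs over constructed process-creation and scheduled-task records; the field names (source, image, command) and every path in the sample data are assumptions for illustration, not indicators from this infection.

```python
"""Flag rundll32.exe proxy execution from non-standard locations.

Added example; not code from the original page. Records are dicts with
assumed fields: source (where the record came from), command (full
command line) and, optionally, image (executable path). SAMPLE_RECORDS
is constructed test data, not telemetry from the real infection.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Where a genuine rundll32.exe lives on a default Windows install.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Path fragments that mark directories a standard user can write to.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\",
                       "\\programdata\\", "\\public\\")


@dataclass
class Finding:
    source: str
    image: str
    dll: Optional[str]
    reasons: List[str] = field(default_factory=list)


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (strip quotes, lowercase)."""
    return ntpath.normpath(path.strip('"')).lower()


def _under_system_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def parse_command(command: str) -> Tuple[Optional[str], Optional[str]]:
    """Split a command line into (image, dll).

    rundll32 syntax is: rundll32.exe <dll>,<entrypoint> [args]. The DLL
    path may be quoted (spaces) and the entry point follows a comma.
    """
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]
    if not tokens:
        return None, None
    image = tokens[0]
    dll = tokens[1].split(",", 1)[0] if len(tokens) > 1 else None
    return image, dll


def check_record(source: str, command: str,
                 image: Optional[str] = None) -> Optional[Finding]:
    """Return a Finding when the record looks like a relocated rundll32."""
    cmd_image, dll = parse_command(command)
    image = image or cmd_image
    if image is None or ntpath.basename(_norm(image)) != "rundll32.exe":
        return None  # not rundll32 at all; out of scope for this check
    reasons = []
    image_outside_system = not _under_system_dir(image)
    if image_outside_system:
        reasons.append("rundll32.exe image outside System32/SysWOW64")
    if dll is not None:
        dll_norm = _norm(dll)
        if any(h in dll_norm for h in USER_WRITABLE_HINTS):
            reasons.append("DLL loaded from a user-writable directory")
        same_dir = ntpath.dirname(dll_norm) == ntpath.dirname(_norm(image))
        if same_dir and image_outside_system:
            reasons.append("DLL sits in the same directory as the rundll32 copy")
    return Finding(source, image, dll, reasons) if reasons else None


def triage(records) -> List[Finding]:
    """Run check_record over every record and collect the hits."""
    findings = []
    for rec in records:
        hit = check_record(rec["source"], rec["command"], rec.get("image"))
        if hit:
            findings.append(hit)
    return findings


# Constructed sample data (assumed paths, not IOCs from this infection).
SAMPLE_RECORDS = [
    {"source": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"source": "process",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "command": r'C:\Windows\SysWOW64\rundll32.exe "C:\Program Files (x86)\Vendor\helper.dll",Init'},
    {"source": "process",
     "image": r"C:\Users\victim\AppData\Local\Temp\svc\rundll32.exe",
     "command": r'"C:\Users\victim\AppData\Local\Temp\svc\rundll32.exe" "C:\Users\victim\AppData\Local\Temp\svc\loader.dll",Start'},
    {"source": "scheduled_task",
     "command": r'C:\Users\victim\AppData\Local\Temp\svc\rundll32.exe C:\Users\victim\AppData\Local\Temp\svc\loader.dll,Start'},
    {"source": "process", "image": r"C:\Windows\explorer.exe", "command": "explorer.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"[{f.source}] {f.image} -> {f.dll}: " + "; ".join(f.reasons))
```

The same check applies to scheduled-task actions, which is why the task record carries only a command line and the image is derived from it; a task whose action is a rundll32.exe outside System32 is the persistence variant of the same pattern shown in the later caption.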



Shown above:  TCP stream of SVCready C2 traffic.



Shown above:  Scheduled task to keep SVCready persistent on the infected Windows host.



Shown above:  Alerts on the traffic from Security Onion using the EmergingThreats open ruleset.



Shown above:  Traffic from the infection filtered in Wireshark.

