Tag: GoodMan

Update on GoodMan

I discovered the GoodMan campaign on January 20th, 2017. You can read a detailed report on GoodMan HERE. Since March, 2017, I’ve seen more domains being registered by “goodmandilaltain@gmail.com” and I’ve recorded GoodMan delivering Sage 2.2 ransomware, ZeusVM, something with a file description of “Neighbur Readiness Ransomware,” and now what looks like LatentBot. Below is a list of some recent domains being ...

Good Man Gate Leads to RIG EK, Drops ZeusVM (KINS)

IOCs Network: 188.215.92.104 – hurtmehard.net – Good Man gate 86.106.131.120 – bestdoosales.club – RIG exploit kit 185.100.87.161 – badlywantyou.top – GET /smk/config.jpg – ZeusVM config URL 185.100.87.161 – badlywantyou.top – POST /smk/gate.php – ZeusVM dropzone URL 77.88.55.88 – yandex.ru – Connectivity check File System: o32.tmp is dropped and executed in %TEMP% (self-deletes) The payload q2tlgu9t.exe is dropped ...

SAGE 2.2 Ransomware from Good Man Gate

IOCs: 86.106.93.230 – datsonsdaughter.com – Good Man gate 109.234.37.212 – see.letsown.com – RIG EK 34.207.223.86 – mbfce24rgn65bx3g.2kzm0f.com – POST requests to C2 34.207.223.86 – 7gie6ffnkrjykggd.2kzm0f.com – SAGE Decryption site 34.207.223.86 – 7gie6ffnkrjykggd.6t4u2p.net – SAGE Decryption site 34.207.223.86 – 7gie6ffnkrjykggd.jpo2z1.net – SAGE Decryption site Tor Browser – 7gie6ffnkrjykggd.onion/login/[personal key] Traffic: Hashes: SHA256: d5ee007a06cc4b8c0100ed4950a4350c0e8e4ad17fe5417de2c2231f48a6021f File name: RIG EK Flash Exploit.swf SHA256: ...

Finding A ‘Good Man’

On January 20th, 2017, I discovered a Keitaro TDS at anyfucks[.]biz being used in infection chains for Sundown and RIG exploit kit. It was at this point that I began to track the TDS and its registrant. My first infection that I found using anyfucks[.]biz also showed the domain anythingtds.com in the infection chain. Anyfucks[.]biz was a ...