My friends helped me find some samples. Thanks to 驭龙 and 轩夏.
https://www.fireeye.com/blog/threat-res ... hreat.html
The spear phishing emails contained three attachments in total, each of which exploited an older vulnerability in Microsoft Office (CVE-2012-0158):
MD5 b9208a5b0504cb2283b1144fc455eaaa - Filename 使命公民運動 我們的異象.doc
MD5 ec19ed7cddf92984906325da59f75351 - Filename 新聞稿及公佈.doc
MD5 6495b384748188188d09e9d5a0c401a4 - Filename (代發)[采訪通知]港大校友關注組遞信行動.doc
MD5 d76261ba3b624933a6ebb5dd73758db4 - Filename time.exe
This backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage service to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.
After execution, the malware will use the Dropbox API to make an HTTP GET request using HTTPS over TCP port 443 for the files:
MD5 d76261ba3b624933a6ebb5dd73758db4 - Filename WmiApCom
MD5 79b68cdd0044edd4fbf8067b22878644 - Filename WmiApCom.bat
password infected
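Added example (not from the post or from FireEye): a small triage script for the detection angle implied by the LOWBALL description above. Because the backdoor talks to the Dropbox API over HTTPS/443 with a hardcoded bearer token, logs from a TLS-inspecting proxy can be filtered for bearer-token requests to Dropbox API hosts that do not come from a sanctioned Dropbox client. The log line format, the Dropbox API hostnames and the allow-listed user agent are assumptions, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Assumption: Dropbox API v2 hostnames; the post only says "the Dropbox API".
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Assumption: user-agent prefixes of sanctioned Dropbox clients in this environment.
EXPECTED_AGENT_PREFIXES = ("DropboxDesktopClient/",)

# Assumed proxy log format (one request per line, TLS-inspecting proxy):
#   <src_ip> <method> <host>:<port> <path> "<user-agent>" auth=<bearer|none>
LINE_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<host>[^:\s]+):(?P<port>\d+) '
    r'(?P<path>\S+) "(?P<ua>[^"]*)" auth=(?P<auth>\S+)$'
)

@dataclass
class Hit:
    src: str
    host: str
    path: str
    ua: str

def parse(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious(rec):
    """Bearer-token request to a Dropbox API host on 443 from a non-sanctioned client."""
    if rec["host"] not in DROPBOX_API_HOSTS or rec["port"] != "443":
        return False
    if rec["auth"] != "bearer":
        return False
    return not rec["ua"].startswith(EXPECTED_AGENT_PREFIXES)

def triage(lines):
    """Return the log records worth an analyst's attention, in log order."""
    return [Hit(r["src"], r["host"], r["path"], r["ua"])
            for r in map(parse, lines) if r and is_suspicious(r)]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 GET api.dropboxapi.com:443 /2/files/list_folder "DropboxDesktopClient/3.0" auth=bearer',
    '10.0.0.9 GET content.dropboxapi.com:443 /2/files/download "Mozilla/4.0 (compatible; MSIE 6.0)" auth=bearer',
    '10.0.0.9 GET www.example.org:443 /index.html "Mozilla/5.0" auth=none',
    '10.0.0.12 POST api.dropboxapi.com:443 /2/files/upload "WinHTTP/1.0" auth=bearer',
]

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f"{h.src} -> {h.host}{h.path} ua={h.ua!r}")
```

Legitimate Dropbox use also carries bearer tokens, so hits are a triage queue to correlate with the originating process, not a verdict on their own.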