Deep Analysis - Discord CDN Dropper | Threat: MEDIUM

File Identity

SHA256: 41ed808a203e53bf5ad402ddf8af2f4434a17e94ac58224231d936669fd0b229
Size: 66,560 bytes, PE32 x86 .NET, entropy 5.45, 3 sections
Technique: Discord dead-drop - the payload is downloaded over the Discord CDN

Discord Dead-Drop Technique

DISCORD CDN: the malware is stored and served as a Discord attachment. The CDN URL is used as the download source.

https://cdn.discordapp.com/attachments/1160855778916319336/
1196248399096328242/Jvvlpovxdup.dat
  ?ex=65b6f023&is=65a47b23&hm=[hash]

  Jvvlpovxdup.dat <- .dat extension (PE disguise)

Technical Analysis

System.Net.Sockets <- socket connection
RepositoryTokenFilter <- token-based filter/validation
_Token / token / CreateDelegate <- .NET reflection/invoke
injectlast <- injection-related string

Why the Discord CDN suits the dropper:
  - Trusted CDN -> proxy/AV bypass
  - Signed URL (ex/is/hm parameters) -> temporary access
  - .dat extension -> not recognised as a PE
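The signed-URL properties listed above are also what a defender can key on. The following added example (not code from the report or the sample) is a triage helper for proxy or EDR telemetry: it parses a Discord attachment URL, decodes the `is`/`ex` parameters (hex-encoded Unix seconds, which is how the Discord CDN expresses issue and expiry time), reports the validity window and flags payload names whose extension hides a PE. The `hm` value, the extra extensions in `DISGUISE_EXTENSIONS` and the reason strings are constructed for illustration; only the URL, IDs and filename come from this report.

```python
"""Triage helper for Discord CDN attachment URLs seen in proxy/EDR telemetry (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Host from the sample; extend with other Discord CDN hosts seen in your own logs.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}

# .dat is the extension this sample uses to hide a PE; the others are constructed
# examples of non-executable extensions worth treating the same way.
DISGUISE_EXTENSIONS = {".dat", ".bin", ".txt", ".jpg", ".png"}


@dataclass
class DiscordAttachment:
    channel_id: str
    attachment_id: str
    filename: str
    issued_at: Optional[datetime]   # from the 'is' query parameter
    expires_at: Optional[datetime]  # from the 'ex' query parameter
    signed: bool                    # True when an 'hm' (HMAC) parameter is present

    @property
    def extension(self) -> str:
        dot = self.filename.rfind(".")
        return self.filename[dot:].lower() if dot >= 0 else ""

    @property
    def validity_hours(self) -> Optional[float]:
        if self.issued_at is None or self.expires_at is None:
            return None
        return (self.expires_at - self.issued_at).total_seconds() / 3600


def _hex_epoch(values: Optional[List[str]]) -> Optional[datetime]:
    """Decode a hex-encoded Unix timestamp (the ex/is encoding) into an aware UTC datetime."""
    if not values:
        return None
    try:
        return datetime.fromtimestamp(int(values[0], 16), tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        return None


def parse_discord_attachment_url(url: str) -> Optional[DiscordAttachment]:
    """Return the attachment's components, or None if the URL is not a Discord attachment."""
    parts = urlsplit(url)
    if parts.netloc.lower() not in DISCORD_CDN_HOSTS:
        return None
    segments = parts.path.strip("/").split("/")
    if len(segments) != 4 or segments[0] != "attachments":
        return None
    _, channel_id, attachment_id, filename = segments
    if not (channel_id.isdigit() and attachment_id.isdigit()):
        return None
    query = parse_qs(parts.query)
    return DiscordAttachment(
        channel_id=channel_id,
        attachment_id=attachment_id,
        filename=filename,
        issued_at=_hex_epoch(query.get("is")),
        expires_at=_hex_epoch(query.get("ex")),
        signed="hm" in query,
    )


def assess(url: str, now: Optional[datetime] = None) -> List[str]:
    """Return triage reasons for a URL; an empty list means it is not a Discord attachment."""
    att = parse_discord_attachment_url(url)
    if att is None:
        return []
    now = now or datetime.now(timezone.utc)
    reasons = ["discord-cdn-attachment"]
    if att.extension in DISGUISE_EXTENSIONS:
        reasons.append(f"disguise-extension:{att.extension}")
    if not att.signed:
        reasons.append("unsigned-url")
    elif att.expires_at is not None and att.expires_at < now:
        reasons.append("signature-expired")  # dead link now, but it was live when logged
    if att.validity_hours is not None:
        reasons.append(f"validity-hours:{att.validity_hours:g}")
    return reasons


# Constructed sample assembled from the URL in this report; the hm value is a placeholder.
SAMPLE_URL = ("https://cdn.discordapp.com/attachments/1160855778916319336/"
              "1196248399096328242/Jvvlpovxdup.dat?ex=65b6f023&is=65a47b23&hm=PLACEHOLDER")

if __name__ == "__main__":
    print(parse_discord_attachment_url(SAMPLE_URL))
    print(assess(SAMPLE_URL))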

IOC

SHA256: 41ed808a203e53bf5ad402ddf8af2f4434a17e94ac58224231d936669fd0b229
C2 URL: cdn.discordapp.com/attachments/... (Discord dead-drop)
Payload: Jvvlpovxdup.dat (PE with a .dat extension)

DiscordCDNDropper — Malware Profile

A .NET dropper that downloads its payload from the Discord CDN. The payload is stored as a Discord attachment and disguised with a .dat extension. The CDN URL is signed (temporary access). Notable strings: RepositoryTokenFilter, injectlast.

Malware Type
Loader
Programming Language
C#/.NET
C2 Protocol
HTTPS/Discord CDN
Target Systems
Global

Capabilities & Behavior

Payload Download
Process Injection
Modular Architecture
Credential Theft
Lateral Movement
Persistence
Anti-VM/Sandbox
Secondary Payload Delivery

IOC List (3 indicators)

IOC — DiscordCDNDropper
Type | Value | Note
sha256 | 41ed808a203e53bf5ad402ddf8af2f4434a17e94ac58224231d936669fd0b229 | dropper sample
domain | cdn.discordapp.com | Discord dead-drop CDN
url | https://cdn.discordapp.com/attachments/1160855778916319336/1196248399096328242/Jvvlpovxdup.dat | PE payload disguised as .dat
Tags
discord-cdn-dead-drop-technique, discordapp-com-attachment-payload, dat-extension-pe-disguise, repositorytokenfilter-token-validation, injectlast-injection-string, system-net-sockets-connection, createdelegate-net-reflection-invoke, discord-trusted-cdn-av-bypass, signed-url-temporary-access-ex-is-hm, discord-malware-hosting-technique