DISGOMOJI Malware

    Date: 08/22/2024

    Severity: Medium

    Summary

    DISGOMOJI is malware that primarily targets Android devices. It steals sensitive information, such as personal data and credentials, by disguising itself as a seemingly harmless application or tool. Once installed, DISGOMOJI can monitor user activity, exfiltrate data, and potentially spread further through compromised contacts. Its stealthy nature and data-stealing capabilities make it a significant threat to mobile security.

    Indicators of Compromise (IOC) List

    URL/Domain


    IP Address

    179.43.175.111

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "www.dev.clawsindia.in" or url like "www.dev.clawsindia.in" or userdomainname like "www.www.clawsindia.in" or url like "www.www.clawsindia.in" or userdomainname like "autoconfig.clawsindia.in" or url like "autoconfig.clawsindia.in" or userdomainname like "email.coordsec2.in" or url like "email.coordsec2.in" or userdomainname like "pop.clawsindia.in" or url like "pop.clawsindia.in" or userdomainname like "www.awesscholarship.in" or url like "www.awesscholarship.in" or userdomainname like "ftp.publicinfo.in" or url like "ftp.publicinfo.in" or userdomainname like "mx10.clawsindia.in" or url like "mx10.clawsindia.in" or userdomainname like "www.esttsec.in" or url like "www.esttsec.in" or userdomainname like "epar.emailnic-tech.email" or url like "epar.emailnic-tech.email" or userdomainname like "www.nic-tech.in" or url like "www.nic-tech.in" or userdomainname like "www.ordai.quest" or url like "www.ordai.quest" or userdomainname like "www.awesindia.online" or url like "www.awesindia.online" or userdomainname like "localhost.clawsindia.in" or url like "localhost.clawsindia.in" or userdomainname like "dev.clawsindia.in" or url like "dev.clawsindia.in" or userdomainname like "mail.clawsindia.in" or url like "mail.clawsindia.in" or userdomainname like "sql.clawsindia.in" or url like "sql.clawsindia.in" or userdomainname like "clawsindia.in" or url like "clawsindia.in" or userdomainname like "epar-online.in" or url like "epar-online.in" or userdomainname like "login.emailnic.online" or url like "login.emailnic.online" or userdomainname like "mbox.clawsindia.in" or url like "mbox.clawsindia.in" or userdomainname like "awesscholarship.in" or url like "awesscholarship.in" or userdomainname like "pcda.admincoord.in" or url like "pcda.admincoord.in" or userdomainname like "cpanel.clawsindia.in" or url like "cpanel.clawsindia.in" or userdomainname like "email.publicinfo.in" or url like "email.publicinfo.in" or userdomainname like "shop.clawsindia.in" or 
url like "shop.clawsindia.in" or userdomainname like "www.clawsindia.in" or url like "www.clawsindia.in" or userdomainname like "certdehli.in" or url like "certdehli.in" or userdomainname like "help.clawsindia.in" or url like "help.clawsindia.in" or userdomainname like "defenseinsight.in" or url like "defenseinsight.in" or userdomainname like "email.apsdelhicantt.in" or url like "email.apsdelhicantt.in" or userdomainname like "emailnic-tech.email" or url like "emailnic-tech.email" or userdomainname like "awesindia.online" or url like "awesindia.online" or userdomainname like "infosec2.in" or url like "infosec2.in" or userdomainname like "imap.clawsindia.in" or url like "imap.clawsindia.in" or userdomainname like "www.coordsec2.in" or url like "www.coordsec2.in" or userdomainname like "www.apsdelhicantt.in" or url like "www.apsdelhicantt.in" or userdomainname like "gate.clawsindia.in" or url like "gate.clawsindia.in" or userdomainname like "www.epar-online.in" or url like "www.epar-online.in" or userdomainname like "email.parichay.online" or url like "email.parichay.online" or userdomainname like "esttsec.in" or url like "esttsec.in" or userdomainname like "lists.clawsindia.in" or url like "lists.clawsindia.in" or userdomainname like "dc-mx.ae172f95f2ec.defenseinsight.in" or url like "dc-mx.ae172f95f2ec.defenseinsight.in" or userdomainname like "www2.clawsindia.in" or url like "www2.clawsindia.in" or userdomainname like "outlook.emailnic.online" or url like "outlook.emailnic.online" or userdomainname like "http://ordai.quest/vmcoreinfo" or url like "http://ordai.quest/vmcoreinfo" or userdomainname like "portal.clawsindia.in" or url like "portal.clawsindia.in" or userdomainname like "accounts.emailnic.online" or url like "accounts.emailnic.online" or userdomainname like "email.gov.in.parichay.online" or url like "email.gov.in.parichay.online" or userdomainname like "cloud.publicinfo.in" or url like "cloud.publicinfo.in" or userdomainname like "apsdelhicantt.in" or 
url like "apsdelhicantt.in" or userdomainname like "ordai.quest" or url like "ordai.quest" or userdomainname like "mx4.clawsindia.in" or url like "mx4.clawsindia.in" or userdomainname like "mail.defenseinsight.in" or url like "mail.defenseinsight.in" or userdomainname like "email.emailnic.online" or url like "email.emailnic.online" or userdomainname like "webmail.clawsindia.in" or url like "webmail.clawsindia.in" or userdomainname like "www.defenseinsight.in" or url like "www.defenseinsight.in" or userdomainname like "mx0.clawsindia.in" or url like "mx0.clawsindia.in" or userdomainname like "mail6.clawsindia.in" or url like "mail6.clawsindia.in" or userdomainname like "parichay.online" or url like "parichay.online" or userdomainname like "adfs.clawsindia.in" or url like "adfs.clawsindia.in" or userdomainname like "webdisk.estbsec.in" or url like "webdisk.estbsec.in" or userdomainname like "play.emailnic.online" or url like "play.emailnic.online" or userdomainname like "account.emailnic.online" or url like "account.emailnic.online" or userdomainname like "admincoord.in" or url like "admincoord.in" or userdomainname like "intranet.clawsindia.in" or url like "intranet.clawsindia.in" or userdomainname like "www.estbsec.in" or url like "www.estbsec.in" or userdomainname like "www.infosec2.in" or url like "www.infosec2.in" or userdomainname like "www.admincoord.in" or url like "www.admincoord.in" or userdomainname like "nic-tech.in" or url like "nic-tech.in" or userdomainname like "smtp.mail.clawsindia.in" or url like "smtp.mail.clawsindia.in" or userdomainname like "webdisk.defenseinsight.in" or url like "webdisk.defenseinsight.in" or userdomainname like "whm.clawsindia.in" or url like "whm.clawsindia.in" or userdomainname like "www.publicinfo.in" or url like "www.publicinfo.in" or userdomainname like "email.emailnic-tech.email" or url like "email.emailnic-tech.email" or userdomainname like "emailnic.online" or url like "emailnic.online" or userdomainname like 
"mailgate.clawsindia.in" or url like "mailgate.clawsindia.in" or userdomainname like "www.old.clawsindia.in" or url like "www.old.clawsindia.in"

    Detection Query 2

    dstipaddress IN ("179.43.175.111") or ipaddress IN ("179.43.175.111") or publicipaddress IN ("179.43.175.111") or srcipaddress IN ("179.43.175.111")

    Detection Query 3

    md5hash IN ("f68b17f1261aaa4460d759d95124fbd4","13ee4bd10f05ee0499e18de68b3ea4d5","ee8d767069faf558886f1163a92e4009","d5f2e3fafbb0701dc0f1adccc7141e63","237961bbba6d4aa2e0fae720d4ece439","da745b60b5ef5b4881c6bc4b7a48d784","56cb95b63162d0dfceb30100ded1131a","2d4a5050c7ea6c83665807df151e067e","501a6d48fd8f80a134cf71db3804cf95","56cc70b66be99e01d354ba2aaf88041e","fc61b985d8c590860f397d943131bfb5","de115e15a6689cf32519c3a046a78626","f14e778f4d22df275c817ac3014873dc","50fe93394528a0ede52f9eec6c1bf505","e6667ab32fbda86a2d2a72ed7e52b146","55c90ff429e4fd72034922383aa31078","898bfd3df2ccd9508e0bfab672f5f61a","9f3359ae571c247a8be28c0684678304","49cbbf586ba1480599be02915e5a8b34","f2501e8b57486c427579eeda20b729fd","20b4eb5787faa00474f7d27c0fea1e4b","a9182c812c7f7d3e505677a57c8a353b","8bf9cf1363e404a9ad3e0fa9e53057cb","01c34ccd7ca7c5cdf88272d8c9071004","3d4e5dbf9b7a6e7336a354b71d4d1a8b","db0676733eb4ee2c490bdc4fe488b40f","60fc5dc410b7482566a74d03549d8246")

    Detection Query 4

    sha1hash IN ("25dc7c1237e5076c80fb867fb11d058387e1d154","2dfe824d0298201e0efb30f16b3ce8a409ffe006","465ef9d21e73493e9d531378756f91917f9567f4","bfdd02fa593d3858399da6bf591aeb10b2d1da40","892d434f3f59b3b8bd4ca500218a75d39c13ee5b","c1916403a6ad05fed4da5fb53ce743b6ce49e0cb","e5182d13d66c3efaa7676510581d622f98471895","513b4b604d198f44041ed494ee8c7a7f94ac5038","3dff44bede709295fffd3ae3e9599f6ab8197af4","038ae7e6e6708cb58db96512515177d84b71e8c2","1443e58a298458c30ab91b37c0335bdadbacd756","7515a93da10b7d3f4619a38cc3f1a1bd25ddb847","6f3f3c533a2b9031362d88bb7414bf332c93dc9d","d0aff8489c02230d4c0935e21125f81895bf6cde","caa130a8e3f5ca0a7f33de4b2b26e0e25dd10775","1c8cfa8f36897b6b1179dc4bce49b0e2f86e1a4e","5dd201fa53cb5c76103579785a3d220d578dd12a","8c969dbe0fe30244802cda1c8e33b04040831466","e76c3f3a7158c16c28176053286dcb88ac646dbf","e19c23d82d7e7e8e45b1d830ddc7ddb85087c4cc","765b17c1e2e1ab3d2fbdba3ccffcdcc4bd750102","88949119f88b15722a2b75ca84db7a6bfc822948","b8fd89cf6e9aae16321553a2e632e31b2cf2f057","c45e1cc5cd0c98388ec71221278950f9b1257ed8","bcadcb345fc65a9c3d7c78566ad72a77c6076a11","34cefe42aa8347c39a04eaca5a464fa35d6f1e62","5b7b0b0d7d59e616b0cf75a25ad67dfca89495c4","749a8d081e075b921436d07e323964da88bff609")

    Detection Query 5

    sha256hash IN ("76d9654f28bcaa713a99caa2839a572fc999a726827a0216da71ac184cee6d19","c981aa1f05adf030bacffc0e279cf9dc93cef877f7bce33ee27e9296363cf002","1387b77a41e5a244c03ea7f5c90a2e528abe0ed7a4e6cb659183f7112c546046","1e45d68106ca78f46be508427362b8ce24fdf5485c368f9369c913935cf04f99","207334927fc39278e37afe124769ed980e9a8ae86b0346408af64c86a7c99e6a","03666fb1c21d8a8cf38219691d2218d78eef5b00d20f26c25afde5d9e1daf80a","af2201af8054e8e11eef7980fe15dc62eb2b7582f4f2bab4d8256f23f6db984e","8c8ef2d850bd9c987604e82571706e11612946122c6ab089bd54440c0113968e","9709b0876c2a291cb57aa0646f9179d29d89abb2f8868663147ab0ca4e6c501b","26bf853b951e8d8ba6007e9d5c77f441faa739171e95f27f8d3851e07bc65b11","5ecbc33fe3b345f2956cff566203e33b9390a3ed9923b990a46804880ae2f59b","d3d5d0b210c3fc5c679419d6aa9014f62dcd60b0582cd8d544357f6420407b36","5821744413146654397903128fece87d7d9d71c4ade5fd40cdcf3cece2faf8f0","c177361992b207575b9aeb98aad7c2d522eace7ada6f1351434dd79a921ce260","fb30e5c67b92dc17d7a6e412f36d9b521842f8d7df38a00584c1362303b26655","db91e23d9715464511057f2e15c9adc97d3f27fcfa308f05ac7e2de7275fdd32","38e1c0ca15ed83ed27148c31a31e0b33de627519ab2929d4aa69484534589086","bac7e6776c120b2b5da4d171afaea26144e77ad54f7516a0325260ee020b3f52","d9f29a626857fa251393f056e454dfc02de53288ebe89a282bad38d03f614529","3845877017eb07be71820e8514502a3dcd24177540591c5ce2c13aca94caa4ac","e89589e9ce043b28def17c91fa780322205ee08daa8b3cffe67b46bdae0e3a35","cfb9ffb83877b421e95c9a2c3f65c106b9afb42babce7ba824671f9736bf0f7c","3d1b3ba5e1c1d1626595098f042913bc39601c80ab2c934cb994d3c053f218c5","0cb88c8b8e2969af26678df4d3c395101c49c7c808d2cb2d7a0f00f60bdddcba","37bfa72c2820bcf9adb8707ae624452e0b769bc1c1f2a24ebb518c6e1794f3e2","51a372fee89f885741515fa6fdf0ebce860f98145c9883f2e3e35c0fe4432885","dfb72668791b4fe28884706b7756b02b951b43219e528b970ceb0369c86e3fd3","1e657d3047f3534dcd4539ce54db9f5901f7e53999bae340a850cc8d2aacc33c","1b1d1d775571232235ed6fb84413eb60593340c1c1ea3b77bd72d3b68058f55c")
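    The five queries above are field-by-field matches against the IOC lists. The following is an added example (not Gurucul's code) that implements the same checks in Python over constructed log records using the query field names. It copies a subset of this page's indicators, reduces the URL IOC http://ordai.quest/vmcoreinfo to its host, compares hashes case-insensitively, and replaces the `like` substring test with an exact-or-subdomain match so that look-alike hosts such as clawsindia.in.example.com do not fire.

```python
from urllib.parse import urlsplit

# Subset of this page's indicators (values copied from the IOC list above).
DOMAIN_IOCS = {"clawsindia.in", "ordai.quest", "emailnic.online"}
IP_IOCS = {"179.43.175.111"}
HASH_IOCS = {
    "md5hash": {"f68b17f1261aaa4460d759d95124fbd4"},
    "sha1hash": {"25dc7c1237e5076c80fb867fb11d058387e1d154"},
    "sha256hash": {"76d9654f28bcaa713a99caa2839a572fc999a726827a0216da71ac184cee6d19"},
}
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_QUERY = {"md5hash": "query3", "sha1hash": "query4", "sha256hash": "query5"}

def host_of(value):
    """Lowercase host of a bare domain, host:port, or full URL
    (the page's URL IOC http://ordai.quest/vmcoreinfo reduces to ordai.quest)."""
    v = value.strip().lower()
    if "://" in v:
        return urlsplit(v).hostname or ""
    return v.split("/", 1)[0].rsplit(":", 1)[0]

def domain_matches(host, ioc):
    """Exact or subdomain match. Unlike a LIKE substring test this does not
    fire on look-alikes such as clawsindia.in.example.com."""
    return host == ioc or host.endswith("." + ioc)

def match_record(rec):
    """Return the (query, field, indicator) hits for one log record, using the
    same field names as the TDIR queries above."""
    hits = []
    for field in ("userdomainname", "url"):          # Detection Query 1
        if field in rec:
            host = host_of(rec[field])
            hits += [("query1", field, i) for i in DOMAIN_IOCS if domain_matches(host, i)]
    for field in IP_FIELDS:                          # Detection Query 2
        if rec.get(field, "") in IP_IOCS:
            hits.append(("query2", field, rec[field]))
    for field, iocs in HASH_IOCS.items():            # Detection Queries 3-5
        h = rec.get(field, "").strip().lower()       # hashes compared case-insensitively
        if h in iocs:
            hits.append((HASH_QUERY[field], field, h))
    return hits

def scan(records):
    """Map record index -> hits for every record that fired at least one query."""
    return {i: match_record(r) for i, r in enumerate(records) if match_record(r)}

# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    {"url": "https://mail.clawsindia.in/login", "srcipaddress": "10.0.0.5"},
    {"userdomainname": "clawsindia.in.example.com"},   # substring-only look-alike
    {"dstipaddress": "179.43.175.111"},
    {"md5hash": "F68B17F1261AAA4460D759D95124FBD4"},   # upper-case hash
    {"url": "https://example.org/"},
]
```

    Running `scan(SAMPLE_RECORDS)` flags records 0, 2 and 3 and leaves the look-alike host in record 1 unmatched.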

    Reference:

    https://gurucul.com/blog/threat-research-disgomoji-malware

    https://otx.alienvault.com/pulse/66712446e23b1d14e4f293eb

    https://www.volexity.com/blog/2024/06/13/disgomoji-malware-used-to-target-indian-government
