Rocke in the Netflow

description: Unit 42 spent six months researching the China-based cybercrime group Rocke, which is the best-known threat actor engaged in cryptomining operations targeting the cloud. We released high-level results from our investigation of Rocke in our recent cloud threat report. This research report provides a deep dive into our investigation of Rocke, which concluded that the group is able to conduct operations with little interference and limited detection risk.

publish date:

reference:

IOC Table
total 46