Hunting 8Base

Jeremie Wolff

2024-07-06

Abstract

Unmasking potential 8Base infrastructure with ACH. We identified a candidate 8Base infrastructure host and applied Analysis of Competing Hypotheses (ACH) to assess its association with the ransomware group.

What is 8Base?

Recent victims include multiple Japanese companies. The group has been active since March 2022; its first known ransom demand dates to 2023-05-23.

Content

Technical Indicators

Hunting Query (Censys)

services.http.response.headers: (key: Set-Cookie and value.headers: 8base_session*)

Single IP identified: 92.118.36.204

First seen:

Could this be the IP address hosting the 8Base site content?

Infrastructure Analysis

Indicator            Details
IP                   92.118.36.204
ASN                  209132 (Alviva Holding Limited)
Ports (note 1)       22/SSH, 53/DNS, 80/HTTP, 3389/RDP, 5985/HTTP, 5358/HTTP
Historical activity  Port scanning: 2022-04-07 to 2022-09-16
Cookies              8base_session, fakeIP

The IP was running RDP on port 3389 (note 1).

Remote Desktop Protocol
\x03\x00\x00\x13\x0e\xd0\x00\x00\x124\x00\x02\x1f\x08\x00\x08\x00\x00\x00

Flag: PROTOCOL_HYBRID_EX
Target_Name: WIN-9Q7DGOLE4A8
Product_Version: 10.0.17763 Ntlm 15
OS: Windows Server 2019, Version 1809/Windows 10, Version 1809
NetBIOS_Domain_Name: WIN-9Q7DGOLE4A8
NetBIOS_Computer_Name: WIN-9Q7DGOLE4A8
DNS_Domain_Name: WIN-9Q7DGOLE4A8
DNS_Computer_Name: WIN-9Q7DGOLE4A8
System_Time: 2023-04-17 16:51:20 +0000 UTC

Analysis

Analysis of Competing Hypotheses

Analysis of Competing Hypotheses (ACH) is a structured analytical technique for evaluating multiple explanations for observed intelligence data.

Hypotheses

  1. 92.118.36.204 is 8Base infrastructure
  2. 92.118.36.204 is a clone/similar operation
  3. 92.118.36.204 is an 8Base victim

Evidence

  1. IP hosts the 8base resource
  2. Uses cookie 8base_session
  3. Uses cookie fakeIP
  4. Doesn't have onion header
  5. Has RDP with hostname WIN-9Q7DGOLE4A8
  6. Located in ASN 209132 (Alviva Holding Limited)
  7. Is hosting on that IP since 2023-11-08 (first seen on urlscan.io)
  8. First known ransom is 2023-05-23
  9. Historical port scanning activity from 2022-04-07 to 2022-09-16
  10. Running Windows Server 2019 or Windows 10, Version 1809
  11. System time recorded as 2023-04-17 16:51:20 +0000 UTC
  12. Cobalt Strike server on adjacent IP 92.118.36.203 (note 2)

Assessment

Evidence                                                  Weight   H1. 8Base infrastructure  H2. Clone/similar operation  H3. 8Base victim
E1.  IP hosts the 8base resource                          HIGH     ++                        +                            -
E2.  Uses cookie 8base_session                            HIGH     ++                        +                            -
E3.  Uses cookie fakeIP                                   MEDIUM   ++                        +                            -
E4.  Doesn't have onion header                            LOW      -                         +                            N
E5.  Has RDP with hostname WIN-9Q7DGOLE4A8                MEDIUM   +                         +                            ++
E6.  Located in ASN 209132 (Alviva Holding Limited)       LOW      N                         N                            N
E7.  Hosting since 2023-11-08                             MEDIUM   +                         +                            -
E8.  First known ransom is 2023-05-23                     LOW      N                         N                            N
E9.  Historical port scanning (2022-04-07 to 2022-09-16)  MEDIUM   -                         +                            -
E10. Running Windows Server 2019/Windows 10               LOW      N                         N                            +
E11. System time: 2023-04-17 16:51:20 UTC                 LOW      N                         N                            N
E12. Nearby Cobalt Strike server                          LOW      N                         +                            -

Legend: ++ Strong support, + Support, N Neutral, - Contradict
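To make the assessment above reproducible, here is an added example (not part of the original post) that encodes the matrix and scores each hypothesis two ways: a weighted sum, and the classic ACH count of contradicting evidence. The numeric values assigned to HIGH/MEDIUM/LOW and to ++/+/N/- are my assumptions; the post only gives the labels.

```python
# Added example: scoring the ACH matrix from the post.
# Numeric weights and rating values are assumptions (the post gives only labels).
WEIGHT = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}
RATING = {"++": 2, "+": 1, "N": 0, "-": -1}
HYPOTHESES = ("H1", "H2", "H3")  # 8Base infra / clone operation / 8Base victim

# Rows transcribed from the assessment table: (evidence id, weight, H1, H2, H3)
MATRIX = [
    ("E1",  "HIGH",   "++", "+", "-"),
    ("E2",  "HIGH",   "++", "+", "-"),
    ("E3",  "MEDIUM", "++", "+", "-"),
    ("E4",  "LOW",    "-",  "+", "N"),
    ("E5",  "MEDIUM", "+",  "+", "++"),
    ("E6",  "LOW",    "N",  "N", "N"),
    ("E7",  "MEDIUM", "+",  "+", "-"),
    ("E8",  "LOW",    "N",  "N", "N"),
    ("E9",  "MEDIUM", "-",  "+", "-"),
    ("E10", "LOW",    "N",  "N", "+"),
    ("E11", "LOW",    "N",  "N", "N"),
    ("E12", "LOW",    "N",  "+", "-"),
]


def weighted_scores(matrix):
    """Sum weight * rating for each hypothesis (higher is better supported)."""
    scores = {h: 0 for h in HYPOTHESES}
    for _eid, weight, *ratings in matrix:
        for h, r in zip(HYPOTHESES, ratings):
            scores[h] += WEIGHT[weight] * RATING[r]
    return scores


def inconsistencies(matrix):
    """Classic ACH: count evidence items that contradict each hypothesis.

    Heuer's method favours the hypothesis with the fewest inconsistencies,
    so this view can rank differently from the weighted sum."""
    counts = {h: 0 for h in HYPOTHESES}
    for _eid, _weight, *ratings in matrix:
        for h, r in zip(HYPOTHESES, ratings):
            if r == "-":
                counts[h] += 1
    return counts


def rank(matrix):
    """Hypotheses ordered by weighted score, best first."""
    scores = weighted_scores(matrix)
    return sorted(HYPOTHESES, key=lambda h: scores[h], reverse=True)


if __name__ == "__main__":
    print("weighted:", weighted_scores(MATRIX))
    print("contradictions:", inconsistencies(MATRIX))
    print("ranking:", rank(MATRIX))
```

With these values H1 and H2 end up nearly tied on the weighted sum while H2 collects zero contradictions, which is why the clone hypothesis cannot be discarded.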

Summary

  1. Cookie usage strongly indicates 8Base association (H1/H2).
  2. Absence of an onion header weakens H1 and supports H2.
  3. RDP presence and Cobalt Strike beacons support H3.
  4. Presence of a Cobalt Strike server on the adjacent IP supports H1/H2.
  5. No response delay strongly supports H1, contradicts H2.
  6. Historical scanning activity supports H2, contradicts H3.

Future work

  1. Monitor for 8base_session and fakeIP cookies in HTTP traffic.
  2. Investigate ASN 209132.
  3. Investigate WIN-9Q7DGOLE4A8.

Conclusion

This analysis suggests 92.118.36.204 is likely 8Base infrastructure, but a clone operation remains a possibility.

With ❤️, Jeremie Wolff (cdmMPvpP1zZytZw1qB2UkESatsIlnxR40b3KsML6lx)


  1. Ports 22 and 80 are still active (2024-07-06). 3389/RDP, 5985/HTTP and 5358/HTTP were last active on 2023-04-16.

  2. https://www.virustotal.com/gui/ip-address/92.118.36.203/community