Weaponisation phase

We have found a domain prankglassinebracket.jumpingcrab.com and IP addresses associated with the attacker during the investigations.

In the weaponisation phase, the adversaries would:

  • Create Malware/Malicious document to gain initial access/evade detection etc.

  • Establish domains similar to the target domain to trick users.

  • Create a Command and Control Server for the post-exploitation communication/activity etc.

Use OSINT to find out more about the attacker.

  • Robtex is a Threat Intel site that provides information about IP addresses, domain names, etc.

  • ThreatCrowd is a Search Engine for Threats that provides intel based on the IP, domain, email address, etc.

  • Virustotal is an OSINT site used to analyze suspicious files, domains, IP, etc.

  • Domaintools gives whois information on sites.


What IP address has P01s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?

Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address that is most likely associated with the P01s0n1vy APT group?