================================================================================
DAIXIN TEAM RANSOMWARE - INDICATORS OF COMPROMISE (IOCs)
Source: CISA Advisory AA22-294A (FBI/HHS Joint) | TLP:WHITE
================================================================================

--- FILE HASHES (SHA-256) ---
9E42E07073E03BDEA4CD978D9E7B44A9572818593306BE1F3DCFDEE722238
  File: rclone-v1.59.2-windows-amd64\git-log.txt
19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD
  File: rclone-v1.59.2-windows-amd64\rclone.1

NOTE: Additional Rclone v1.59.2 component hashes (rclone.exe, README.html, README.txt)
      are listed in the full PDF of CISA AA22-294A. No hash has been published for
      the Daixin ransomware binary itself (Babuk ESXi variant).

--- IP ADDRESSES ---
209.97.172[.]51
  Source: SecurityScorecard STRIKE Team (AirAsia incident, Nov 2022)
  Note: Linked to SSH brute-force / large data transfer; may be stale — vet before blocking.

NOTE: CISA AA22-294A publishes NO dedicated C2 IP addresses.

--- DOMAINS / URLS ---
*.ngrok.io
*.ngrok-free.app
  Use: Reverse proxy for data exfiltration (T1567)
  Action: Block or alert on all outbound Ngrok traffic.

NOTE: No specific C2 domains were published in the official advisory.

--- HOST-BASED INDICATORS ---
Targeted ESXi Path: /vmfs/volumes/
Encrypted File Extensions: .vmdk .vmem .vswp .vmsd .vmx .vmsn
Ransom Note:
  Location: /vmfs/volumes/ (root level, written alongside encrypted files)
  Known string variant: contains "Daxin" (misspelling of "Daixin") — useful for YARA/grep
Tools Dropped:
  rclone.exe (v1.59.2) — data exfiltration
  ngrok — reverse proxy exfiltration tunnel

--- MITRE ATT&CK TECHNIQUES ---
T1190            - Exploit Public-Facing Application (VPN initial access)
T1078            - Valid Accounts (compromised VPN credentials without MFA)
T1598            - Phishing for Information (spear-phishing recon)
T1563.001        - SSH Hijacking (lateral movement)
T1563.002        - RDP Hijacking (lateral movement)
T1003            - OS Credential Dumping (LSASS)
T1550.002        - Pass the Hash
T1098            - Account Manipulation (ESXi password reset via vCenter)
T1567 / TA0010   - Exfiltration Over Web Service (Rclone + Ngrok)
T1486            - Data Encrypted for Impact (ESXi ransomware)

--- YARA / DETECTION NOTES ---
- Deploy Babuk ESXi YARA rules (Daixin payload is based on leaked Babuk Locker source)
- Alert on Sysmon Event ID 10 (LSASS memory access)
- Alert on process creation: rclone.exe with "copy" or "sync" arguments
- Alert on mass file rename/creation matching .vmdk/.vmem/.vswp on /vmfs/volumes/
- Alert on vCenter account password resets on ESXi hosts
- Windows Event ID 4624 Type 3 (NTLM Network Logon) without Kerberos — PtH indicator

================================================================================
References:
  CISA AA22-294A: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-294a
  SecurityScorecard (AirAsia analysis, Nov 2022)

Produced: February 17, 2026 | TLP:WHITE - May be shared freely
================================================================================
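The YARA / DETECTION NOTES above, turned into a small triage script run over constructed sample events. This is an added example, not code from CISA AA22-294A or from this sheet; the event schema, field names, the placeholder note filename and the mass-file threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Added example. Event dicts use a constructed, simplified schema; field names
# and the mass-file threshold are assumptions, not values from the advisory.
ESXI_ROOT = "/vmfs/volumes/"
ESXI_EXTS = (".vmdk", ".vmem", ".vswp", ".vmsd", ".vmx", ".vmsn")
RCLONE_RE = re.compile(r"\brclone(?:\.exe)?\b.*\b(copy|sync)\b", re.IGNORECASE)
MASS_FILE_THRESHOLD = 5  # VM files touched per host in the window (assumed)

def event_alert(ev):
    """Single-event checks from the detection notes; returns an alert string or None."""
    t = ev["type"]
    if t == "process" and RCLONE_RE.search(ev.get("cmdline", "")):
        # rclone.exe invoked with "copy" or "sync" arguments (T1567 exfiltration)
        return f"rclone exfil candidate on {ev['host']}: {ev['cmdline']}"
    if t == "logon" and ev.get("event_id") == 4624 and ev.get("logon_type") == 3 \
            and ev.get("auth_pkg") == "NTLM":
        # Network logon over NTLM rather than Kerberos: pass-the-hash indicator
        return f"NTLM network logon {ev['user']} on {ev['host']} (possible PtH)"
    if t == "file" and ev.get("path", "").startswith(ESXI_ROOT) \
            and "daxin" in ev.get("content", "").lower():
        # Note dropped under /vmfs/volumes/ carrying the "Daxin" misspelling
        return f"ransom note string on {ev['host']}: {ev['path']}"
    return None

def mass_vm_file_alerts(events):
    """Many VM disk/memory files created or renamed under /vmfs/volumes/ (T1486)."""
    per_host = Counter(ev["host"] for ev in events
                       if ev["type"] == "file" and ev.get("path", "").startswith(ESXI_ROOT)
                       and ev["path"].endswith(ESXI_EXTS))
    return [f"mass VM file activity on {h}: {n} files"
            for h, n in per_host.items() if n >= MASS_FILE_THRESHOLD]

def run_detections(events):
    """Apply every note to the event list; returns all alert strings."""
    alerts = [a for a in map(event_alert, events) if a]
    return alerts + mass_vm_file_alerts(events)

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"type": "process", "host": "ws01", "cmdline": "rclone.exe copy D:\\share remote:bucket"},
    {"type": "process", "host": "ws01", "cmdline": "rclone.exe version"},
    {"type": "logon", "host": "dc01", "event_id": 4624, "logon_type": 3,
     "auth_pkg": "NTLM", "user": "svc_backup"},
    {"type": "logon", "host": "dc01", "event_id": 4624, "logon_type": 3,
     "auth_pkg": "Kerberos", "user": "jdoe"},
    {"type": "file", "host": "esxi01", "path": "/vmfs/volumes/note.txt",  # placeholder name
     "content": "Daxin team sample note text"},
] + [{"type": "file", "host": "esxi01", "path": f"/vmfs/volumes/ds1/vm{i}/vm{i}{ext}"}
     for i, ext in enumerate(ESXI_EXTS)]
```

Running `run_detections(SAMPLE_EVENTS)` yields four alerts: the rclone copy, the NTLM network logon, the note string, and the mass VM file activity; the Kerberos logon and the bare `rclone.exe version` stay silent.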