API tools faq
paste
Advertisement
VRad

#Zebrocy_181018

VRad
Oct 18th, 2018
4,107
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.26 KB | None | 0 0
raw download clone embed print report
  1. #IOC #OptiData #VR #Zebrocy #Trojan #xmltarget #W97M
  2.  
  3. https://pastebin.com/sXcERsQd
  4. exfiltrated data by @Jan0fficial https://pastebin.com/1mR0rZz7
  5. identificated by @Techhelplistcom
  6.  
  7. FAQ:
  8. https://radetskiy.wordpress.com/2018/10/19/ioc_zebrocy_181018/
  9. https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
  10. https://www.scmagazineuk.com/sofacy-rolls-zebrocy-toolkit-hit-government-targets/article/1486758
  11.  
  12. attack_vector
  13. --------------
  14. email attach .docx > xml.rels > GET .dotm > macro > exe
  15.  
  16. email_headers
  17. --------------
  18. Received: from st04.mi6.kiev.ua ([91.198.36.36])
  19. by out16.mi6.kiev.ua with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
  20. (Exim 4.90_1)
  21. (envelope-from <upap.mfa.gov@i.ua>)
  22. id 1gD2qn-0006Tb-0i
  23. for user1@victim000; Thu, 18 Oct 2018 10:36:09 +0300
  24. Received: from web by st04.mi6.kiev.ua with local (Exim 4.80.1)
  25. (envelope-from <upap.mfa.gov@i.ua>)
  26. id 1gD2qm-0004NU-RT
  27. for user1@victim000; Thu, 18 Oct 2018 10:36:08 +0300
  28. To: user1@victim000
  29. Subject: 41500029
  30. From: Політичний департамент <upap.mfa.gov@i.ua>
  31. Date: Thu, 18 Oct 2018 10:36:08 +0300
  32. MIME-Version: 1.0
  33. X-Mailer: I.UA Mail System
  34. X-Server: st04.mi6.kiev.ua
  35. X-Sender-IP: 176.119.30.208
  36. X-User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
  37.  
  38. email_subjects
  39. --------------
  40. 41500029
  41.  
  42. files
  43. --------------
  44. SHA-256 c20e5d56b35992fe74e92aebb09c40a9ec4f3d9b3c2a01efbe761fa7921dd97f
  45. File name 1500029.docx
  46. File size 11.4 KB
  47.  
  48. SHA-256 86bb3b00bcd4878b081e4e4f126bba321b81a17e544d54377a0f590f95209e46
  49. File name Note_template.dotm
  50. File size 401 KB
  51.  
  52. SHA-256 c91843a69dcf3fdad0dac1b2f0139d1bb072787a1cfcf7b6e34a96bc3c081d65
  53. File name ~office.exe
  54. File size 353.5 KB
  55.  
  56. SHA-256 074a5836c5973bb53ab02c2bad66a4743b65c20fd6bf602cfaf09219f32d2426
  57. File name mslicsrv.exe (mcrthost.exe)
  58. File size 164 KB
  59.  
  60. activity
  61. **************
  62.  
  63. docx > settings.xml.rels > Target="http://185.203.118.198/documents/Note_template.dotm"
  64.  
  65. http://185.203.118.198/documents/Note_template.dotm
  66.  
  67. http://185.203.118.198/en_action_device/center_correct_customer/drivers-i7-x86.php?tbm=C4BA3647
  68.  
  69. netwrk
  70. --------------
  71. 185.203.118.198 OPTIONS /documents/ HTTP/1.1 Microsoft Office Protocol Discovery
  72. 185.203.118.198 OPTIONS / HTTP/1.1 Microsoft-WebDAV-MiniRedir/6.1.7601
  73. 185.203.118.198 GET /documents/Note_template.dotm HTTP/1.1 Mozilla/4.0
  74. 185.203.118.198 HEAD /documents/Note_template.dotm HTTP/1.1 Microsoft Office Existence Discovery
  75. 185.203.118.198 POST /en_action_device/center_correct_customer/drivers-i7-x86.php?tbm=AC38D1C7
  76. HTTP/1.0 (application/x-www-form-urlencoded) Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1
  77.  
  78. comp
  79. --------------
  80. WINWORD.EXE 185.203.118.198:80:80
  81. svchost.exe 185.203.118.198:80:80
  82. WINWORD.EXE 185.203.118.198:80:80
  83. ~office.exe 185.203.118.198:80:80
  84. WINWORD.EXE 185.203.118.198:80:80
  85. mslicsrv.exe 138.204.170.189:443:443
  86. mslicsrv.exe 138.204.170.189:443:443
  87.  
  88. proc
  89. --------------
  90. "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
  91. C:\Users\operator\AppData\Roaming\Network\~office.exe
  92. "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n
  93. C:\Windows\SysWOW64\cmd.exe /c SYSTEMINFO & TASKLIST
  94. "C:\Users\operator\AppData\Roaming\Capability\mslicsrv.exe"
  95.  
  96. persist
  97. --------------
  98. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 18.10.2018 17:11
  99. AudioDrv c:\users\operator\appdata\roaming\capability\mslicsrv.exe 15.10.2018 16:51
  100.  
  101. drop
  102. --------------
  103. C:\Users\operator\AppData\Roaming\Network\~office.exe
  104. C:\Users\operator\AppData\Roaming\Capability\mslicsrv.exe
  105.  
  106. # # #
  107. https://www.virustotal.com/#/file/c20e5d56b35992fe74e92aebb09c40a9ec4f3d9b3c2a01efbe761fa7921dd97f/details
  108. https://www.virustotal.com/#/file/86bb3b00bcd4878b081e4e4f126bba321b81a17e544d54377a0f590f95209e46/details
  109. https://www.virustotal.com/#/file/c91843a69dcf3fdad0dac1b2f0139d1bb072787a1cfcf7b6e34a96bc3c081d65/details
  110. https://www.virustotal.com/#/file/074a5836c5973bb53ab02c2bad66a4743b65c20fd6bf602cfaf09219f32d2426/details
  111.  
  112. https://analyze.intezer.com/#/analyses/6281721d-1810-487d-9fa1-fcea5e8dc109
  113. https://analyze.intezer.com/#/analyses/e0c0fd5b-3aec-4b81-a685-e2815fac6807
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!