#Zebrocy_181018

VRad, Oct 18th, 2018 (edited)
#IOC #OptiData #VR #Zebrocy #Trojan #xmltarget #W97M

https://pastebin.com/sXcERsQd
exfiltrated data by @Jan0fficial https://pastebin.com/1mR0rZz7
identified by @Techhelplistcom

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_zebrocy_181018/
https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
https://www.scmagazineuk.com/sofacy-rolls-zebrocy-toolkit-hit-government-targets/article/1486758

attack_vector
--------------
email attach .docx > xml.rels > GET .dotm > macro > exe

email_headers
--------------
Received: from st04.mi6.kiev.ua ([91.198.36.36])
    by out16.mi6.kiev.ua with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.90_1)
    (envelope-from <upap.mfa.gov@i.ua>)
    id 1gD2qn-0006Tb-0i
    for user1@victim000; Thu, 18 Oct 2018 10:36:09 +0300
Received: from web by st04.mi6.kiev.ua with local (Exim 4.80.1)
    (envelope-from <upap.mfa.gov@i.ua>)
    id 1gD2qm-0004NU-RT
    for user1@victim000; Thu, 18 Oct 2018 10:36:08 +0300
To: user1@victim000
Subject: 41500029
From: Політичний департамент <upap.mfa.gov@i.ua>
Date: Thu, 18 Oct 2018 10:36:08 +0300
MIME-Version: 1.0
X-Mailer: I.UA Mail System
X-Server: st04.mi6.kiev.ua
X-Sender-IP: 176.119.30.208
X-User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

email_subjects
--------------
41500029

files
--------------
SHA-256 c20e5d56b35992fe74e92aebb09c40a9ec4f3d9b3c2a01efbe761fa7921dd97f
File name   1500029.docx
File size   11.4 KB

SHA-256 86bb3b00bcd4878b081e4e4f126bba321b81a17e544d54377a0f590f95209e46
File name   Note_template.dotm
File size   401 KB

SHA-256 c91843a69dcf3fdad0dac1b2f0139d1bb072787a1cfcf7b6e34a96bc3c081d65
File name   ~office.exe
File size   353.5 KB

SHA-256 074a5836c5973bb53ab02c2bad66a4743b65c20fd6bf602cfaf09219f32d2426
File name   mslicsrv.exe    (mcrthost.exe)
File size   164 KB

activity
**************

docx > settings.xml.rels > Target="http://185.203.118.198/documents/Note_template.dotm"

http://185.203.118.198/documents/Note_template.dotm

http://185.203.118.198/en_action_device/center_correct_customer/drivers-i7-x86.php?tbm=C4BA3647

  68.  
  69. netwrk
  70. --------------
  71. 185.203.118.198 OPTIONS /documents/             HTTP/1.1    Microsoft Office Protocol Discovery
  72. 185.203.118.198 OPTIONS /               HTTP/1.1    Microsoft-WebDAV-MiniRedir/6.1.7601
  73. 185.203.118.198 GET /documents/Note_template.dotm   HTTP/1.1    Mozilla/4.0
  74. 185.203.118.198 HEAD /documents/Note_template.dotm  HTTP/1.1    Microsoft Office Existence Discovery
  75. 185.203.118.198 POST /en_action_device/center_correct_customer/drivers-i7-x86.php?tbm=AC38D1C7
  76.                             HTTP/1.0  (application/x-www-form-urlencoded)   Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1
  77.  
  78. comp
  79. --------------
  80. WINWORD.EXE          185.203.118.198:80:80
  81. svchost.exe          185.203.118.198:80:80
  82. WINWORD.EXE          185.203.118.198:80:80
  83. ~office.exe          185.203.118.198:80:80
  84. WINWORD.EXE          185.203.118.198:80:80
  85. mslicsrv.exe         138.204.170.189:443:443
  86. mslicsrv.exe         138.204.170.189:443:443
  87.  
  88. proc
  89. --------------
  90. "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
  91. C:\Users\operator\AppData\Roaming\Network\~office.exe
  92. "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n
  93. C:\Windows\SysWOW64\cmd.exe /c SYSTEMINFO & TASKLIST
  94. "C:\Users\operator\AppData\Roaming\Capability\mslicsrv.exe"
  95.  
  96. persist
  97. --------------
  98. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              18.10.2018 17:11   
  99. AudioDrv            c:\users\operator\appdata\roaming\capability\mslicsrv.exe   15.10.2018 16:51
  100.  
  101. drop
  102. --------------
  103. C:\Users\operator\AppData\Roaming\Network\~office.exe
  104. C:\Users\operator\AppData\Roaming\Capability\mslicsrv.exe
  105.  
  106. # # #
  107. https://www.virustotal.com/#/file/c20e5d56b35992fe74e92aebb09c40a9ec4f3d9b3c2a01efbe761fa7921dd97f/details
  108. https://www.virustotal.com/#/file/86bb3b00bcd4878b081e4e4f126bba321b81a17e544d54377a0f590f95209e46/details
  109. https://www.virustotal.com/#/file/c91843a69dcf3fdad0dac1b2f0139d1bb072787a1cfcf7b6e34a96bc3c081d65/details
  110. https://www.virustotal.com/#/file/074a5836c5973bb53ab02c2bad66a4743b65c20fd6bf602cfaf09219f32d2426/details
  111.  
  112. https://analyze.intezer.com/#/analyses/6281721d-1810-487d-9fa1-fcea5e8dc109
  113. https://analyze.intezer.com/#/analyses/e0c0fd5b-3aec-4b81-a685-e2815fac6807