Analysis Report

MAR–10369127–1.v1 – MuddyWater

Last Revised
Alert Code: AR22-055A

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the National Security Agency (NSA) to provide detailed analysis of 23 files identified as MuddyWater tools. MuddyWater is a group of Iranian government-sponsored advanced persistent threat actors that conducts cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America.

FBI, CISA, CNMF, NCSC-UK, and NSA are distributing this MAR to enable network defense and reduce exposure to Iranian government malicious cyber activity. For more information on malicious Iranian government cyber activity, visit CISA's webpage at https://www.cisa.gov/uscert/iran.

Of the 23 malware samples analyzed, 14 files were identified as variants of the POWGOOP malware family. Two files were identified as JavaScript files that contain a PowerShell beacon. One file was identified as a Mori backdoor sample. Two malicious Microsoft Excel spreadsheets were identified as Canopy malware (also known as Starwhale) that contained macros and two encoded Windows script files, which maintain persistence and collect and exfiltrate the victim's system data to a command and control (C2).

The POWGOOP samples were discovered as Windows executables (not included in this report) and contain three components:

1)    A dynamic-link library (DLL) file renamed to a legitimate filename to enable the DLL side-loading technique.
2)    An obfuscated PowerShell script, disguised as a .dat file, used to decrypt a file named "config.txt."
3)    An encoded PowerShell script, disguised as a text file, containing a beacon to a hardcoded Internet Protocol (IP) address.

These components retrieve encrypted commands from a C2 server. The command is decrypted on the victim machine and piped into a PowerShell command, sending the results of the command in the Cookie parameter of the return traffic, using the same encryption/Base64 encoding routine.


For a downloadable copy of IOCs, see: MAR-10369127-1.v1.stix.


Submitted Files (19)

026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141 (Cooperation terms.xls)

12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa (goopdate.dll)

2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82 (goopdate.dat)

255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a (TeresitaJordain_config.txt)

3098dd53da40947a82e59265a47059e69b2925bc49c679e6555d102d1c6cbbc8 (FML.dll)

42ca7d3fcd6d220cd380f34f9aa728b3bb68908b49f04d04f685631ee1f78986 (rj.js)

4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c (ZaibCb15Ak.xls)

5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f (Config2.txt)

7e7545d14df7b618b3b1bc24321780c164a0a14d3600dbac0f91afbce1a2f9f4 (Dore.dat)

9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7 (Config.txt)

9d50fcb2c4df4c502db0cac84bef96c2a36d33ef98c454165808ecace4dd2051 (libpcre2-8-0.dll)

9ec8319e278d1b3fa1ccf87b5ce7dd6802dac76881e4e4e16e240c5a98f107e2 (AntheHannah_config.txt)

b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c (note.js)

b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504 (Core.dat)

b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a (config.txt)

ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9 (config.txt)

dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92 (vcruntime140.dll)

e7baf353aa12ff2571fc5c45184631dc2692e2f0a61b799e29a1525969bf2d13 (Core.dat)

e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca (HeidieLeone.txt)

Additional Files (4)

c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e (Outlook.wsf)

d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0 (Outlook.wsf)

ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418 (Outlook.wsf)

f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0 (Outlook.wsf)

IPs (7)

185.117.75.34

185.118.164.21

185.183.96.44

185.183.96.7

192.210.191.188

5.199.133.149

88.119.170.124

Findings

12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa

Tags

trojan

Details
Name goopdate.dll
Size 90624 bytes
Type PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5 a27655d14b0aabec8db70ae08a623317
SHA1 8344f2c1096687ed83c2bbad0e6e549a71b0c0b1
SHA256 12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa
SHA512 3c9fa512e7360fecc4db3196e850db8b398d1950a21a3a1f529bbc0a1323cc3b4c8d1bf95acb9ceaa794cf135a56c0e761976f17326594ce08c89117b1700514
ssdeep 1536:Ggw+CKmmOmwE1k4XGt2EkxtNh7aZgvADsW/cd+32UVGHgz:RCBTDE1krt2Ebg5+32UQHgz
Entropy 6.359392
Antivirus
ESET a variant of Win32/Agent.ACHN trojan
Symantec Trojan Horse
Trend Micro Trojan.928E7209
Trend Micro HouseCall Trojan.928E7209
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2020-09-23 02:02:48-04:00
Import Hash 132491700659f9b56970a9b12cbbb348
PE Sections
MD5 Name Raw Size Entropy
dbe1463d7d1b0850df5e47b5320ef5fb header 1024 2.757475
c732c8e6ad0cf8292aa60a9da9dcbe7c .text 54784 6.609888
3bd80fc1bbd1476e125d2e487662e01f .rdata 27648 5.042288
ccd03992b1a52aba460a01a4113d59c8 .data 2560 2.366593
c7a4e8ec050a078d37fff5197af953e2 .rsrc 512 4.712298
2de65738f49b99cdb71355bdc924c55a .reloc 4096 6.411331
Packers/Compilers/Cryptors
Borland Delphi 3.0 (???)
Relationships
12db8bcee0... Related_To 2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82
Description

This file was identified as a launcher and is contained within an executable "GoogleUpdate.exe" (not included in this submission). The DLL is renamed to the legitimate filename "goopdate.dll" to enable a DLL side-loading technique. Note: goopdate.dll is the name of a module belonging to Goopdate from Google Inc. In the DLL side-loading technique, a malicious DLL is renamed to the name of a dependent file of a legitimate executable so that the executable loads and runs the malicious code. For this variant, GoogleUpdate.exe depends on a legitimate file ‘goopdate.dll’. The malicious POWGOOP DLL is therefore renamed goopdate.dll to force GoogleUpdate.exe to execute the malicious code, which spawns a Rundll32.exe process to launch goopdate.dll with the DllRegisterServer function (Figure 1). This results in the PowerShell script "goopdate.dat" (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82) decrypting the co-located "config.txt" file (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9), another obfuscated PowerShell script that contains the C2 beacon.
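The launch chain above (GoogleUpdate.exe spawning Rundll32.exe to call DllRegisterServer on a DLL that carries a legitimate name but lives outside its expected directory) is a pattern a defender can hunt for in process-creation telemetry. The following is an added detection example written for this report; it is not code from the report or from the malware. It assumes Sysmon-style field names (Image, CommandLine, ParentImage), uses the three side-loaded DLL names the report describes (goopdate.dll, libpcre2-8-0.dll, vcruntime140.dll), and treats Windows system and Program Files directories as expected DLL locations; that directory list and the sample events are constructed assumptions, not findings from the report.

```python
import re
from pathlib import PureWindowsPath

# DLL names that this report describes being renamed for DLL side-loading.
SIDELOAD_DLL_NAMES = {"goopdate.dll", "libpcre2-8-0.dll", "vcruntime140.dll"}

# Directories treated as expected locations for a DLL of those names.
# Assumption for noise reduction, not something the report states.
TRUSTED_DIR_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
)

# First .dll argument on the command line: quoted (may contain spaces) or bare.
DLL_ARG = re.compile(r'"([^"]+?\.dll)"|(\S+?\.dll)', re.IGNORECASE)


def extract_dll(cmdline):
    """Return the DLL path passed to rundll32, or None if there is none."""
    m = DLL_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def check_event(ev):
    """Evaluate one process-creation event (Sysmon-style field names are an
    assumption). Returns a finding dict, or None if the event is not of interest."""
    if PureWindowsPath(ev["Image"]).name.lower() != "rundll32.exe":
        return None
    cmd = ev["CommandLine"]
    if "dllregisterserver" not in cmd.lower():
        return None
    dll = extract_dll(cmd)
    if dll is None:
        return None
    dll_path = PureWindowsPath(dll)
    if dll_path.name.lower() not in SIDELOAD_DLL_NAMES:
        return None
    # A copy under a system or Program Files directory is the expected case;
    # anything else (user profile, Temp, Downloads) matches the side-load pattern.
    if str(dll_path).lower().startswith(TRUSTED_DIR_PREFIXES):
        return None
    parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
    # GoogleUpdate.exe as the parent matches the chain shown in Figure 1 exactly.
    severity = "high" if parent == "googleupdate.exe" else "medium"
    return {"dll": dll_path.name.lower(), "path": str(dll_path),
            "parent": parent, "severity": severity}


def scan(events):
    """Run check_event over a sequence of events and collect the findings."""
    return [f for f in (check_event(e) for e in events) if f]


# Constructed sample events for demonstration; not telemetry from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\victim\AppData\Local\Google\Update\goopdate.dll",DllRegisterServer',
     "ParentImage": r"C:\Users\victim\AppData\Local\Google\Update\GoogleUpdate.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\Downloads\tool\libpcre2-8-0.dll,DllRegisterServer",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Program Files\SomeApp\vcruntime140.dll",DllRegisterServer',
     "ParentImage": r"C:\Program Files\SomeApp\installer.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The severity split reflects the report: the parent being GoogleUpdate.exe reproduces Figure 1, while the same DllRegisterServer call from any other parent still matches the renamed-DLL pattern the other two launchers use. Note that none of these three DLL names legitimately need to be registered via Rundll32, so the DllRegisterServer condition itself carries most of the signal; the directory filter only trims noise.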

Screenshots

Figure 1 - Screenshot of GoogleUpdate.exe spawning a Rundll32.exe process to launch goopdate.dll with the DllRegisterServer function.


Figure 2 - Screenshot of the PowerShell script being decrypted.


2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82

Details
Name goopdate.dat
Size 115546 bytes
Type data
MD5 218d4151b39e4ece13d3bf5ff4d1121b
SHA1 28e799d9769bb7e936d1768d498a0d2c7a0d53fb
SHA256 2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82
SHA512 8f859945f0c3e590db99bb35f4127f34910268c44f94407e98a5399fec44d92523d07230e793209639914afe61d17dfb41273193e30bbfb950b29ffce3d4b9d5
ssdeep 3072:bI+Rz2t2VGAQIP2DR7mOOfKI12sKDrS51ODTKjI2:bpF2t2VV2DNmOOyI8s441FjI
Entropy 7.971267
Antivirus
Bitdefender Generic.Exploit.Donut.2.5DE6F72C
Emsisoft Generic.Exploit.Donut.2.5DE6F72C (B)
Lavasoft Generic.Exploit.Donut.2.5DE6F72C
Sophos ATK/DonutLdr-A
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
2471a039cb... Related_To ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9
2471a039cb... Related_To 12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa
Description

This file was identified as an obfuscated PowerShell script and is contained within an executable "GoogleUpdate.exe" (not included in this submission). This obfuscated PowerShell script is used to decode and run the additional obfuscated PowerShell script "config.txt" (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

Screenshots

Figure 3 - Screenshot of the de-obfuscated PowerShell script.


ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9

Details
Name config.txt
Size 3364 bytes
Type data
MD5 52299ffc8373f58b62543ec754732e55
SHA1 ca97ac295b2cd57501517c0efd67b6f8a7d1fbdf
SHA256 ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9
SHA512 6c9dc3ae0d3090bab57285ac1bc86d0fa60096221c99a383cc1a5a7da1c0614dfdbe4e6fa2aea9ff1e8d3415495d2d444c2f15ad9a1fd3847ddb0fc721f101a2
ssdeep 48:oN/rGOTDwOQ0rSt4tD9f+1o09KP/iyrjfODVosSh9lwrjhChwsFKDUGymwx:qroOlfBPz5sSh+w9v
Entropy 5.346853
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
ce9bd1acf3... Related_To 2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82
ce9bd1acf3... Connected_To 185.183.96.7
Description

This file was identified as an encrypted PowerShell script and is contained within an executable "GoogleUpdate.exe" (not included in this submission). This PowerShell script is decoded by "goopdate.dat" (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82) and contains a beacon to the following hardcoded IP address:

--Begin C2 IP address--
185[.]183[.]96[.]7:443/index.php
--End C2 IP address--

The malware uses the hardcoded C2 to pass remote commands to the victim machine. The encrypted commands are decrypted on the victim machine and piped into a PowerShell command, and the results of the command are sent back in the Cookie parameter of the return traffic, using the same encryption/Base64 encoding routine.

The script uses one to three randomly generated human names as variable and function names (Figure 4). It uses a modified Base64 routine that adds or subtracts 2, with two consecutive functions (Base64Dec, QueenieSusanneAvril) to decrypt remote commands for local execution and two consecutive functions (Marlie, Kassandra) to encrypt the result and place it in the “Cookie:” parameter sent back to the C2 node.

The config.txt can be run separately as a .ps1 PowerShell script to execute the de-obfuscated code. Doing so results in the victim machine pulling down any command the threat actor places in the index.php file located at 185[.]183[.]96[.]7:443 (e.g., 'whoami') and executing it locally on the victim machine. The script exfiltrates the result of the command as a Base64 encoded string passed through the 'Cookie: <Base64_encoded_string>' part of the packet (Figure 6).
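The beacon described above has a distinctive shape on the wire: a GET for index.php whose Cookie header is not a list of name=value pairs but a single Base64 token carrying command output. The following is an added example of a log check for that shape; it is not code from the report. It assumes a simple constructed proxy log format (timestamp, source, destination:port, method, path, cookie="...") and a minimum cookie length of 16 characters as a noise threshold; both are assumptions. The C2 addresses are the ones this report lists, entered in plain (undefanged) form so they can be compared against log fields. The modified Base64 routine (add or subtract 2) is not reversed here; the check is structural only.

```python
import base64
import binascii
import re

# C2 addresses listed in this report (defanged in the text, plain here so they
# can be compared against log fields).
REPORT_C2 = {"185.183.96.7", "185.117.75.34", "192.210.191.188", "185.183.96.44"}

# Shortest Cookie value worth flagging; an assumption to suppress tiny tokens.
MIN_COOKIE_LEN = 16

# Constructed log line format (assumption): ts src dst:port method path cookie="..."
LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) '
    r'(?P<method>\S+) (?P<path>\S+) cookie="(?P<cookie>[^"]*)"$'
)


def is_bare_base64(value):
    """True when the Cookie value is one Base64 token instead of name=value pairs."""
    v = value.strip()
    if len(v) < MIN_COOKIE_LEN or ";" in v:
        return False
    if "=" in v.rstrip("="):  # an '=' anywhere except as padding means name=value
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", v):
        return False
    try:
        base64.b64decode(v, validate=True)
    except binascii.Error:
        return False
    return True


def classify(line):
    """Return a finding for one log line, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    f = m.groupdict()
    if f["method"] != "GET" or not is_bare_base64(f["cookie"]):
        return None
    if f["dst"] in REPORT_C2:
        confidence = "high"    # destination is a C2 address from this report
    elif f["path"].endswith("/index.php"):
        confidence = "medium"  # same request shape as the report's beacon
    else:
        confidence = "low"     # bare Base64 cookie alone
    return {"ts": f["ts"], "src": f["src"], "dst": f["dst"], "path": f["path"],
            "cookie_bytes": len(base64.b64decode(f["cookie"])),
            "confidence": confidence}


def scan(lines):
    """Classify every line and keep only the matches."""
    return [r for r in (classify(l) for l in lines) if r]


# Constructed sample lines; the Base64 values are built here, not taken from the report.
_RESULT = base64.b64encode(b"corp\\jdoe\r\n").decode()      # stand-in for command output
_BLOB = base64.b64encode(b"ABCDEFGHIJKLMNOP").decode()       # unrelated bare token
SAMPLE_LINES = [
    f'2022-02-24T10:01:05Z 10.0.0.5 185.183.96.7:443 GET /index.php cookie="{_RESULT}"',
    '2022-02-24T10:01:09Z 10.0.0.7 93.184.216.34:443 GET /index.php cookie="session=abc123; theme=dark"',
    f'2022-02-24T10:02:11Z 10.0.0.9 203.0.113.10:443 GET /api/ping cookie="{_BLOB}"',
    f'2022-02-24T10:02:30Z 10.0.0.9 185.183.96.7:443 POST /upload cookie="{_BLOB}"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

Because the report notes that the return traffic uses the same encoding routine in both directions, the `cookie_bytes` field gives a rough size of the exfiltrated output per beacon, which is useful when deciding which matches to triage first. The structural test on its own will also catch other tools that smuggle data in a bare Cookie value, so the destination and path checks are what tie a hit back to this family.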

Screenshots

Figure 4 - Screenshot of the script.


Figure 5 - Screenshot of the GET request sent over port 443 for "index.php" from the IP address 185[.]183[.]96[.]7.


Figure 6 - Screenshot of the GET request.


185.183.96.7

Tags

command-and-control

URLs
  • 185.183.96.7/index.php
Ports
  • 443 TCP
Whois

Queried whois.ripe.net with "-B 185.183.96.7"...

% Information related to '185.183.96.0 - 185.183.96.255'

% Abuse contact for '185.183.96.0 - 185.183.96.255' is 'abuse@hostsailor.com'

inetnum:        185.183.96.0 - 185.183.96.255
netname:        EU-HOSTSAILOR
descr:         HostSailor NL Services
country:        NL
admin-c:        AA31720-RIPE
tech-c:         AA31720-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-HS
created:        2016-12-23T09:52:06Z
last-modified: 2016-12-23T09:52:06Z
source:         RIPE

person:         Ali Al-Attiyah
address:        Suite No: 1605, Churchill Executive Tower, Burf Khalifa Area
address:        Dubai P.O. Box 98362
address:        United Arab Emirates
phone:         +971 455 77 845
nic-hdl:        AA31720-RIPE
mnt-by:         MNT-HS
created:        2016-12-21T19:19:26Z
last-modified: 2019-03-18T14:07:12Z
source:         RIPE

% Information related to '185.183.96.0/24AS60117'

route:         185.183.96.0/24
descr:         EU-HOSTSAILOR 185.183.96.0/24
origin:         AS60117
mnt-by:         MNT-HS
created:        2016-12-23T09:50:04Z
last-modified: 2016-12-23T09:50:04Z
source:         RIPE

Relationships
185.183.96.7 Connected_From ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9
Description

config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9) attempts to connect to this IP address.

9d50fcb2c4df4c502db0cac84bef96c2a36d33ef98c454165808ecace4dd2051

Tags

trojan

Details
Name libpcre2-8-0.dll
Size 96768 bytes
Type PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5 860f5c2345e8f5c268c9746337ade8b7
SHA1 6c55d3acdc2d8d331f0d13024f736bc28ef5a7e1
SHA256 9d50fcb2c4df4c502db0cac84bef96c2a36d33ef98c454165808ecace4dd2051
SHA512 15b758ada75ae3a6848e3e528e07b19e0efb4156105f0e2ff4486c6df35574c63ccaae5e00d3c4f1ac3f5032f3eb5732179d187979779af4658e8e4dc5020f9f
ssdeep 1536:TjdtPuB/MpXu7QeqqPKaSc9/Sc+Amru3xobZFsWo/dcd+0Q+MoOl5:TfuBwXuUeqqPIkSc4u3xobb+0Q+MRl5
Entropy 6.397339
Antivirus
ESET a variant of Win32/Agent.ADJB trojan
VirusBlokAda BScope.Trojan.Agentb
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2020-10-05 03:59:42-04:00
Import Hash 412395ba322a0d1b557db71f338aadde
PE Sections
MD5 Name Raw Size Entropy
b474b7d68214633e93dc1ab3fcad9a4b header 1024 2.769462
d9e1cff126e23d40d396bebc0fe103be .text 55296 6.612472
8528c24241b97c45d2f90f3ef1baceec .rdata 33280 5.178997
96565e257370e82ea6cc20bdc7831a7b .data 2560 2.380258
43041985e356ec1bb76514dd6d7a347f .rsrc 512 4.717679
6b5a16c382d161788b9cc48d74f91543 .reloc 4096 6.435504
Packers/Compilers/Cryptors
Borland Delphi 3.0 (???)
Description

This file was identified as a launcher and is renamed as a legitimate filename "libpcre2-8-0.dll" to enable a DLL side-loading technique. Note: libpcre2-8-0.dll is a library for Mingw-w64, an open source software development environment. This file has similar capabilities as "goopdate.dll" (12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa).

dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92

Tags

trojan

Details
Name vcruntime140.dll
Size 93696 bytes
Type PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5 cec48bcdedebc962ce45b63e201c0624
SHA1 81f46998c92427032378e5dead48bdfc9128b225
SHA256 dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92
SHA512 661a59b4cdb4aab652b24cb9b7ca54cdee1d50ac3b0479cb418cf8ec2f7bda15fcc2622e6b08a784187ec3f43acd678d1d73efacd43ac33501963d5e4dfe32e9
ssdeep 1536:jjevM3civEZfW15lbrWKIAy4pcd8uHxQEbZFsWo/dcdV0yjHe9c0b5i2MUql5:jzcbfO5lbr6Ay4huHxHbbV0eHe9c0b5I
Entropy 6.386276
Antivirus
AhnLab Trojan/Win.Generic
Avira TR/Agent.fizgi
Bitdefender Trojan.GenericKD.37827502
ESET a variant of Win32/Agent.ADJB trojan
Emsisoft Trojan.GenericKD.37827502 (B)
IKARUS Trojan.Win32.Agent
K7 Trojan ( 005893651 )
Lavasoft Trojan.GenericKD.37827502
McAfee RDN/Generic.dx
Symantec Trojan.Gen.MBT
VirusBlokAda BScope.Trojan.Agentb
Zillya! Trojan.Agent.Win32.2507968
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2020-10-11 08:50:42-04:00
Import Hash 99474d9cfb6d6c2c0eada954b5521471
PE Sections
MD5 Name Raw Size Entropy
644538127a7d5372f16bbc62790e1b5d header 1024 2.778786
46d87fd65afee2330ee32fe404fe7657 .text 55808 6.623812
7bc20c2666aeb10cbe1787cdeeb38138 .rdata 29696 5.111049
8adf7f42b993b6d8b658ea5a9d554a49 .data 2560 2.380664
065463fcb19d087772450d47229f013f .rsrc 512 4.717679
1a870fa886d593f0dd1c9ce8816c3a63 .reloc 4096 6.466938
Packers/Compilers/Cryptors
Borland Delphi 3.0 (???)
Description

This file was identified as a launcher and is renamed as a legitimate filename "vcruntime140.dll" to enable a DLL side-loading technique. Note: vcruntime140.dll is a runtime library for Microsoft Visual Studio. This file has similar capabilities as "goopdate.dll" (12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa).

b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504

Details
Name Core.dat
Size 222554 bytes
Type data
MD5 a65696d6b65f7159c9ffcd4119f60195
SHA1 570f7272412ff8257ed6868d90727a459e3b179e
SHA256 b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504
SHA512 65661ca585e10699eaded4f722914c79b5922e93ea4ca8ecae4a8e3f1320e7b806996f7a54dffbe9d1cdeda593f08e8d95cd831d57de9d9568ea6d8bd280988b
ssdeep 6144:AD5ss4qHWpWYY3X3YxMNkpMj7vl+AQOjI:Uss4QEWYwYxM+CdZ3
Entropy 7.990578
Antivirus
Bitdefender Generic.Exploit.Donut.2.50F4F7F0
Emsisoft Generic.Exploit.Donut.2.50F4F7F0 (B)
Lavasoft Generic.Exploit.Donut.2.50F4F7F0
Sophos ATK/DonutLdr-A
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file was identified as an obfuscated PowerShell script and is used to decode and run an additional obfuscated PowerShell script. This file is similar to goopdate.dat (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82).

e7baf353aa12ff2571fc5c45184631dc2692e2f0a61b799e29a1525969bf2d13

Details
Name Core.dat
Size 222554 bytes
Type data
MD5 4a022ea1fd2bf5e8c0d8b2343a230070
SHA1 89df0feca9a447465d41ac87cb45a6f3c02c574d
SHA256 e7baf353aa12ff2571fc5c45184631dc2692e2f0a61b799e29a1525969bf2d13
SHA512 bec85adf79b916ee64c4a4b6f2cf60d8321d7394a2ec299c3547160f552ecae403c6a2a9aa669cf789d4d99b01c637ac1d0da3c9ed8872bb6184b5ad9543d580
ssdeep 6144:HzUl+nQWOJ0h0Q+MhozbM8RTVwS9HTkSaRIJjI:HzNQkC06bZuSBTky
Entropy 7.990584
Antivirus
Bitdefender Generic.Exploit.Donut.2.B85DA16C
Emsisoft Generic.Exploit.Donut.2.B85DA16C (B)
Lavasoft Generic.Exploit.Donut.2.B85DA16C
Sophos ATK/DonutLdr-A
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file was identified as an obfuscated PowerShell script and is used to decode and run an additional obfuscated PowerShell script. This file is similar to goopdate.dat (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82).

7e7545d14df7b618b3b1bc24321780c164a0a14d3600dbac0f91afbce1a2f9f4

Tags

trojan

Details
Name Dore.dat
Size 208222 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6c084c8f5a61c6bec5eb5573a2d51ffb
SHA1 61608ed1de56d0e4fe6af07ecba0bd0a69d825b8
SHA256 7e7545d14df7b618b3b1bc24321780c164a0a14d3600dbac0f91afbce1a2f9f4
SHA512 4eaa2d6f29d2712f3487ff7e3a463ec4ba711ba36edda422db126840282e8705ebee6304cc9a54433c7fac7759f98a9543eda881726d8b788f4487b8d4f42423
ssdeep 6144:LiJOsC/WBmefvpzeChVsg3euJHs7pdcAOlnI:LLWBmyvp/s5uJHs7pdcvI
Entropy 6.489815
Antivirus
Avira HEUR/AGEN.1144435
Bitdefender Generic.Exploit.Shellcode.PE.1.A192654B
ESET PowerShell/Runner.AA trojan
Emsisoft Generic.Exploit.Shellcode.PE.1.A192654B (B)
IKARUS Trojan.PowerShell.Runner
K7 Riskware ( 0040eff71 )
Lavasoft Generic.Exploit.Shellcode.PE.1.A192654B
Sophos Mal/Swrort-Y
Symantec Trojan Horse
VirusBlokAda BScope.Trojan.Wacatac
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2020-10-11 08:50:37-04:00
Import Hash ec0fa343230fe2524df352e5e73f52a2
PE Sections
MD5 Name Raw Size Entropy
57e428c7f6e8430e0380e9a1681a940c header 1024 2.806123
89eb652b81f7b3cd7e9ee9e718575c09 .text 135168 6.614331
4f6c6295c85743cc3a2ca8f5dc2c4648 .rdata 58368 5.330927
3fe517cfbe9700ed9c311661377fcbd9 .data 4096 3.056628
7d123d6987b6fa0f191e9ee2fb0d9484 .rsrc 512 4.711341
320df1e8ed4184af06bb4c62a00cc47b .reloc 8704 6.441951
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Description

This file was identified as an obfuscated PowerShell script and is used to decode and run an additional obfuscated PowerShell script. This file is similar to goopdate.dat (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82).

b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a

Details
Name config.txt
Size 3615 bytes
Type data
MD5 b6b0edf0b31bc95a042e13f3768a65c3
SHA1 5168a8880abe8eb2d28f10787820185fe318859e
SHA256 b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a
SHA512 669e655ca79c95d8d25e56cb0c4c71574ff74f55e11930e9cdbfb4a3767fce0d09ab362d2f188a153ba25497b8a2508d0501bca342c0558f06e921f603b2218c
ssdeep 48:oOd/U/82KlaUdrSS1A82RBBboWuP7qgGgmzfBUXX7PXTWPJJ5wx:YmP71+Ju
Entropy 5.291145
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
b6133e04a0... Connected_To 185.117.75.34
Description

This file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address:

--Begin C2 IP address--
185[.]117[.]75[.]34
--End C2 IP address--

This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

185.117.75.34

Tags

command-and-control

Ports
  • 443 TCP
Whois

Queried whois.ripe.net with "-B 185.117.75.34"...

% Information related to '185.117.75.0 - 185.117.75.255'

% Abuse contact for '185.117.75.0 - 185.117.75.255' is 'abuse@hostsailor.com'

inetnum:        185.117.75.0 - 185.117.75.255
netname:        EU-HOSTSAILOR-20140124
descr:         HostSailor NL Services
country:        NL
admin-c:        AF11712-RIPE
tech-c:         AF11712-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-HS
created:        2016-02-01T08:50:02Z
last-modified: 2016-02-01T08:50:02Z
source:         RIPE

person:         Host Sailor Ltd - Administrative role account
address:        Suite No: 1605, Churchill Executive Tower, Burj Khalifa Area
address:        Dubai P.O. Box 98362
address:        United Arab Emirates
phone:         +97145577845
nic-hdl:        AF11712-RIPE
mnt-by:         MNT-HS
created:        2014-06-30T16:22:26Z
last-modified: 2019-05-29T09:39:31Z
source:         RIPE

Relationships
185.117.75.34 Connected_From e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca
185.117.75.34 Connected_From b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a
Description

config.txt (b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a) and HeidieLeone.txt (e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca) attempt to connect to this IP address.

9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7

Tags

trojan

Details
Name Config.txt
Size 5037 bytes
Type ASCII text, with very long lines, with no line terminators
MD5 a0421312705e847a1c8073001fd8499c
SHA1 3204447f54adeffb339ed3e00649ae428544eca3
SHA256 9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7
SHA512 32c89ce4ec39c0f05fdd578ac7dbd51a882fdca632a00a591655992f258fe1b870c5ac6732d79c835578fd85c237d69d10886b1bec087217b921b8dbd2d7ab50
ssdeep 96:ND25Bb2G+6C3z+FPyY1PgWuRuSpqq8HRYwC+w7ivocD6ZpY59lmBZ1q0c3:NKnCGO3iFPysIW8YlHRYw5w6F6ZpYUB0
Entropy 5.941005
Antivirus
ESET PowerShell/Agent.FP trojan
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address:

--Begin C2 IP address--
192[.]210[.]191[.]188
--End C2 IP address--

This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

192.210.191.188

Tags

command-and-control

Ports
  • 443 TCP
Whois

Queried whois.arin.net with "n ! NET-192-210-191-0-1"...

NetRange:     192.210.191.0 - 192.210.191.255
CIDR:         192.210.191.0/24
NetName:        CC-192-210-191-0-24
NetHandle:     NET-192-210-191-0-1
Parent:         CC-11 (NET-192-210-128-0-1)
NetType:        Reallocated
OriginAS:     AS36352
Organization: Virtual Machine Solutions LLC (VMSL-100)
RegDate:        2019-03-26
Updated:        2019-03-26
Ref:            https://rdap.arin.net/registry/ip/192.210.191.0

OrgName:        Virtual Machine Solutions LLC
OrgId:         VMSL-100
Address:        12201 Tukwila International Blvd
City:         Seattle
StateProv:     WA
PostalCode:     98168
Country:        US
RegDate:        2016-06-22
Updated:        2020-12-10
Comment:        http://virmach.com/abuse to report abuse.
Ref:            https://rdap.arin.net/registry/entity/VMSL-100

OrgTechHandle: GOLES88-ARIN
OrgTechName: Golestani, Amir
OrgTechPhone: +1-800-877-2176
OrgTechEmail: report@virmach.com
OrgTechRef:    https://rdap.arin.net/registry/entity/GOLES88-ARIN

OrgAbuseHandle: GOLES88-ARIN
OrgAbuseName: Golestani, Amir
OrgAbusePhone: +1-800-877-2176
OrgAbuseEmail: report@virmach.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/GOLES88-ARIN

Relationships
192.210.191.188 Connected_From 5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f
Description

Config.txt (9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7) and Config2.txt (5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f) attempt to connect to this IP address.

5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f

Tags

trojan

Details
Name Config2.txt
Size 5037 bytes
Type ASCII text, with very long lines, with no line terminators
MD5 a16f4f0c00ca43d5b20f7bc30a3f3559
SHA1 94e26fb2738e49bb70b445315c0d63a5d364c71b
SHA256 5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f
SHA512 e1f929029e7382e0a900fb3523dbc175d503b1903b034d88aed3e50aed768ce79c52091520e4a3e40c04e00ab70af3d438de35c79502ff8b11adcb45f6f666bd
ssdeep 96:ND25Bb2FNushsy1XSWSAIm0Rs1yjLzJ8f3zT+ujYa42g2QR4HElM+ejX+2jIQSgp:NKnCFvsLcIm0bfzAd4F6HEl92pSgoFu
Entropy 5.935676
Antivirus
ESET PowerShell/Agent.FP trojan
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
5bcdd42208... Connected_To 192.210.191.188
Description

This file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address:

--Begin C2 IP address--
192[.]210[.]191[.]188
--End C2 IP address--

This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

9ec8319e278d1b3fa1ccf87b5ce7dd6802dac76881e4e4e16e240c5a98f107e2

Details
Name AntheHannah_config.txt
Size 3491 bytes
Type data
MD5 51bc53a388fce06487743eadc64c4356
SHA1 b9e6fc51fa3940fb632a68907b8513634d76e5a0
SHA256 9ec8319e278d1b3fa1ccf87b5ce7dd6802dac76881e4e4e16e240c5a98f107e2
SHA512 43d291535b7521a061a24dc0fb1c573d1d011f7afa28e8037dea69eb5ae5bcd69b53a01a636e91827831066f9afc84efc1d556f64dc5cd780f9da79d38783b70
ssdeep 48:oJX/VlShMEtkDJrSYChZh60cIpoEzMPkQwpCUOfcUeHe0eGeBr8ONIPoUy3pIhwx:uStoJCXhbcIvgPkQw8rfcR+xjBrRUsT
Entropy 5.319055
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file was identified as an encrypted PowerShell script; it contains a beacon.

This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a

Details
Name TeresitaJordain_config.txt
Size 3580 bytes
Type data
MD5 0ac499496fb48de0727bbef858dadbee
SHA1 483cd5c9dd887367793261730d59178c19fe13f3
SHA256 255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a
SHA512 be0d181aabd07b122fcdb79a42ba43ed879a5f0528745447f2c93c6d9cb75c00f1d581520c640fd7f4a61a6f27ef82d99ad09ee2f1cc85340252a7eb7a9fa7a1
ssdeep 48:oHyk/BbLGAQUJaqQNMWyT1veKRzKykrSaowAQncpQNiqyC2V+mqoS3NwPK+2/t+Q:dyF1p7cKRzDbRBCUDP9X5NbfZJRQURC7
Entropy 5.296734
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
255e53af8b... Connected_To 185.183.96.44
Description

This file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address:

--Begin C2 IP address--
185[.]183[.]96[.]44
--End C2 IP address--

This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

185.183.96.44

Tags

command-and-control

Ports
  • 443 TCP
Whois

Queried whois.ripe.net with "-B 185.183.96.44"...

% Information related to '185.183.96.0 - 185.183.96.255'

% Abuse contact for '185.183.96.0 - 185.183.96.255' is 'abuse@hostsailor.com'

inetnum:        185.183.96.0 - 185.183.96.255
netname:        EU-HOSTSAILOR
descr:         HostSailor NL Services
country:        NL
admin-c:        AA31720-RIPE
tech-c:         AA31720-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-HS
created:        2016-12-23T09:52:06Z
last-modified: 2016-12-23T09:52:06Z
source:         RIPE

person:         Ali Al-Attiyah
address:        Suite No: 1605, Churchill Executive Tower, Burf Khalifa Area
address:        Dubai P.O. Box 98362
address:        United Arab Emirates
phone:         +971 455 77 845
nic-hdl:        AA31720-RIPE
mnt-by:         MNT-HS
created:        2016-12-21T19:19:26Z
last-modified: 2019-03-18T14:07:12Z
source:         RIPE

% Information related to '185.183.96.0/24AS60117'

route:         185.183.96.0/24
descr:         EU-HOSTSAILOR 185.183.96.0/24
origin:         AS60117
mnt-by:         MNT-HS
created:        2016-12-23T09:50:04Z
last-modified: 2016-12-23T09:50:04Z
source:         RIPE

Relationships
185.183.96.44 Connected_From 255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a
Description

TeresitaJordain_config.txt (255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a) attempts to connect to this IP address.

e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca

Details
Name HeidieLeone.txt
Size 706 bytes
Type ASCII text, with very long lines, with no line terminators
MD5 d68f5417f1d4fc022067bf0313a3867d
SHA1 2f6dd6d11e28bf8b4d7ceec8753d15c7568fb22e
SHA256 e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca
SHA512 39023583902e616a196357a69ab31371842f3b6119914803b19e62388dc873ab02567ac398148f84c68adac6228a8cb4e83afb0be24bdf1603a618669030bf39
ssdeep 12:B6V3vKH/RRNyzV3vowKzV3voDPMV3v7SzV3vHzvm5V3vWQ52LgxxOWpgVEQgjVoL:sV3E/ozV3pKzV3GPMV3OzV3j4V3OQ4sI
Entropy 5.145602
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
e7f6c7b91c... Connected_To 185.117.75.34
Description

This file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address:

--Begin C2 IP address--
185[.]117[.]75[.]34
--End C2 IP address--

This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c

Tags

trojan

Details
Name note.js
Size 3235 bytes
Type ASCII text, with very long lines, with CRLF line terminators
MD5 c0c2cd5cc018e575816c08b36969c4a6
SHA1 47a4e0d466bb20cec5d354e56a9aa3f07cec816a
SHA256 b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c
SHA512 4b930da1435a72095badaeca729baca8d6af9ab57607e01bd3dd1216eee75c8f8b7981a92640d475d908c6f22811900133aed8ab8513c38f5bc82b60752bf929
ssdeep 96:/r9/hIgY/5N8s2Q5bQRWs4uQ5WQRWumVxE1Fq:T9/hILLdpG4Rdmwq
Entropy 5.200319
Antivirus
NANOAV Trojan.Script.Heuristic-js.iacgm
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
b1e30cce6d... Connected_To 185.118.164.21
Description

This file is a JavaScript file that contains a PowerShell beacon for a GET request to:

--Begin GET request--
185[.]118[.]164[.]21:80/index?param=<computer_name>/<username>
--End GET request--

The JavaScript is launched using the native file “WScript.exe”. The manifestation function shows the parameters used to build the GET request to 185[.]118[.]164[.]21 and the scheduled task (Figure 7 and Figure 8).

As a persistence mechanism, the manifestation function also copies the file to the user’s Contacts folder and sets a Scheduled Task to recur daily at 10:01 AM, which relaunches the PowerShell beacon to 185[.]118[.]164[.]21 (Figure 9).
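The persistence described above (a script host launching a .js from the user's Contacts folder on a daily 10:01 trigger) is visible in scheduled-task registration records. The following is an added example of a check over such records; it is not code from the report. The record fields (TaskName, Action, Arguments, Schedule, StartTime) are a constructed simplification of a task-registration event, and the sample tasks are constructed; .wsf is included alongside .js because encoded Windows script files also appear in this report's file list.

```python
import re
from pathlib import PureWindowsPath

# Script hosts that would launch the JavaScript file described in this report.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# .js per note.js; .wsf also appears in this report's file list.
SCRIPT_EXTENSIONS = {".js", ".wsf"}
# A script path inside any user's Contacts folder (the copy location the report names).
CONTACTS_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\contacts\\", re.IGNORECASE)


def first_script_arg(arguments):
    """Return the first argument whose extension is a script type, or None."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', arguments):
        cand = quoted or bare
        if PureWindowsPath(cand).suffix.lower() in SCRIPT_EXTENSIONS:
            return cand
    return None


def check_task(task):
    """Evaluate one task-registration record (field names are an assumption).
    Returns a finding dict, or None if the task does not match the pattern."""
    action = PureWindowsPath(task["Action"]).name.lower()
    if action not in SCRIPT_HOSTS:
        return None
    script = first_script_arg(task.get("Arguments", ""))
    if script is None or not CONTACTS_DIR.match(script):
        return None
    # The exact trigger from the report (daily at 10:01) raises the severity;
    # any script-host task pointing into Contacts is still worth a look.
    exact_trigger = task.get("Schedule") == "daily" and task.get("StartTime") == "10:01"
    return {"task": task["TaskName"], "script": script,
            "severity": "high" if exact_trigger else "medium"}


def scan(tasks):
    """Run check_task over a sequence of records and collect the findings."""
    return [f for f in (check_task(t) for t in tasks) if f]


# Constructed sample records; not telemetry from the report.
SAMPLE_TASKS = [
    {"TaskName": r"\Updater", "Action": r"C:\Windows\System32\wscript.exe",
     "Arguments": r'"C:\Users\victim\Contacts\note.js"',
     "Schedule": "daily", "StartTime": "10:01"},
    {"TaskName": r"\Sync", "Action": r"C:\Windows\System32\cscript.exe",
     "Arguments": r"//nologo C:\Users\victim\Contacts\sync.wsf",
     "Schedule": "daily", "StartTime": "09:00"},
    {"TaskName": r"\Microsoft\Windows\DiskCleanup\SilentCleanup",
     "Action": r"C:\Windows\System32\cleanmgr.exe", "Arguments": "/autoclean",
     "Schedule": "daily", "StartTime": "10:01"},
    {"TaskName": r"\Backup", "Action": r"C:\Windows\System32\wscript.exe",
     "Arguments": r'"C:\Scripts\backup.js"',
     "Schedule": "weekly", "StartTime": "02:00"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_TASKS):
        print(finding)
```

Pairing this with a file-creation watch on the Contacts folder covers both halves of the mechanism: the copy of the script and the task that relaunches it.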

Screenshots

Figure 7 - Screenshot of the main code for the JavaScript.
