TG2003: Elephant Beetle UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION
Common Information
| Type | Value |
|---|---|
| UUID | 2aace9e2-28d6-478d-bd06-a2f68e9713ce |
| Fingerprint | e410c77422135319a62b395b50a83609901e0af741e93642aabf5d33211dd38c |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Oct. 30, 2023, 6:33 p.m. |
| Added to db | March 10, 2024, 12:32 a.m. |
| Last updated | Aug. 31, 2024, 6:04 a.m. |
| Headline | TG2003: Elephant Beetle UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION |
| Title | TG2003: Elephant Beetle UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION |
| Detected Hints/Tags/Attributes | 224/4/295 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | CVE | 2 | cve-2017-1000486 |
|
| Details | CVE | 5 | cve-2015-7450 |
|
| Details | CVE | 4 | cve-2010-5326 |
|
| Details | CVE | 1 | cve-2001-0507 |
|
| Details | Domain | 182 | www.mandiant.com |
|
| Details | Domain | 641 | nvd.nist.gov |
|
| Details | Domain | 67 | www.checkpoint.com |
|
| Details | Domain | 4127 | github.com |
|
| Details | Domain | 1 | www.vonloesch.de |
|
| Details | Domain | 6 | com.sap |
|
| Details | Domain | 138 | java.io |
|
| Details | Domain | 17 | java.util.map |
|
| Details | Domain | 150 | www.w3.org |
|
| Details | Domain | 60 | java.net |
|
| Details | Domain | 37 | java.security |
|
| Details | Domain | 11 | javax.net |
|
| Details | Domain | 1 | insocket.read |
|
| Details | Domain | 1 | www.jcraft.com |
|
| Details | Domain | 1 | portforwardingl.java |
|
| Details | Domain | 3 | request.inputstream.read |
|
| Details | Domain | 339 | system.net |
|
| Details | Domain | 6 | is.read |
|
| Details | Domain | 74 | adodb.stream |
|
| Details | Domain | 7 | xhttp.open |
|
| Details | Domain | 1 | ls255.255.zip |
|
| Details | Domain | 6 | superuser.com |
|
| Details | Domain | 29 | www.cvedetails.com |
|
| Details | Domain | 7 | labs.f-secure.com |
|
| Details | Domain | 1 | cur.py |
|
| Details | Domain | 1 | curl.py |
|
| Details | Domain | 1 | pypost.py |
|
| Details | Domain | 372 | wscript.shell |
|
| Details | Domain | 1 | elefante.run |
|
| Details | Domain | 34 | system.data |
|
| Details | Domain | 5 | www.sygnia.co |
|
| Details | File | 1 | cpai-2015-0672.html |
|
| Details | File | 1 | jspspy.jsp |
|
| Details | File | 1 | 2%20by%20heartless.php |
|
| Details | File | 1 | filebrowser.html |
|
| Details | File | 1 | sap.jsp |
|
| Details | File | 3 | util.config |
|
| Details | File | 1 | sap.js |
|
| Details | File | 2 | glyphicons-halflings-regular.svg |
|
| Details | File | 1 | woff.jsp |
|
| Details | File | 75 | favicon.ico |
|
| Details | File | 218 | min.js |
|
| Details | File | 1 | min.jsp |
|
| Details | File | 47 | min.css |
|
| Details | File | 1 | login-n.jsp |
|
| Details | File | 1 | login-w.jsp |
|
| Details | File | 1 | ex-ample.jsp |
|
| Details | File | 1 | _example.jsp |
|
| Details | File | 1 | up-base.jsp |
|
| Details | File | 1 | id_win.jsp |
|
| Details | File | 1 | one-lin.jsp |
|
| Details | File | 8 | server.xml |
|
| Details | File | 2125 | cmd.exe |
|
| Details | File | 1 | one-line.jsp |
|
| Details | File | 7 | javax.xml |
|
| Details | File | 1 | bind.dat |
|
| Details | File | 9 | iisstart.aspx |
|
| Details | File | 82 | default.aspx |
|
| Details | File | 1 | secobject.exe |
|
| Details | File | 1 | c:\temp\net.txt |
|
| Details | File | 1 | queryspn.vbs |
|
| Details | File | 3 | c:\temp\log.txt |
|
| Details | File | 8 | wmiexec.vbs |
|
| Details | File | 7 | context.ini |
|
| Details | File | 1 | portforwardingl.java |
|
| Details | File | 41 | request.url |
|
| Details | File | 3 | cli.exe |
|
| Details | File | 10 | sqlcmd.exe |
|
| Details | File | 1 | dump.html |
|
| Details | File | 7 | st.exe |
|
| Details | File | 2 | s0b.jar |
|
| Details | File | 1 | s0.jar |
|
| Details | File | 6 | master.db |
|
| Details | File | 3 | master.sys |
|
| Details | File | 240 | wmic.exe |
|
| Details | File | 3 | invoke-smbexec.ps1 |
|
| Details | File | 3 | wmi.dll |
|
| Details | File | 1 | exfilitrated_data.zip |
|
| Details | File | 2 | pr64.exe |
|
| Details | File | 2 | internal.exe |
|
| Details | File | 226 | certutil.exe |
|
| Details | File | 5 | pr.exe |
|
| Details | File | 478 | lsass.exe |
|
| Details | File | 1 | out-minidump.ps1 |
|
| Details | File | 165 | reg.exe |
|
| Details | File | 1 | 255.zip |
|
| Details | File | 1 | iiscrack.dll |
|
| Details | File | 1 | httpodbc.dll |
|
| Details | File | 128 | w3wp.exe |
|
| Details | File | 15 | tomcat6.exe |
|
| Details | File | 119 | sqlservr.exe |
|
| Details | File | 1208 | powershell.exe |
|
| Details | File | 1 | iseries.doc |
|
| Details | File | 1 | cweb_jspclassfiles.html |
|
| Details | File | 1 | cmd-pro.jsp |
|
| Details | File | 1 | thumbs.jsp |
|
| Details | File | 1 | greeting.jsp |
|
| Details | File | 1 | cmd-prow.jsp |
|
| Details | File | 1 | xbin10x.jsp |
|
| Details | File | 1 | dn.jsp |
|
| Details | File | 1 | font-awesome.max |
|
| Details | File | 1 | 6.jsp |
|
| Details | File | 1 | logos.jsp |
|
| Details | File | 20 | shell.jsp |
|
| Details | File | 1 | spacer.jsp |
|
| Details | File | 1 | id.jsp |
|
| Details | File | 1 | idpost.jsp |
|
| Details | File | 1 | 20170219.jsp |
|
| Details | File | 1 | sw3.jsp |
|
| Details | File | 1 | proxy-jsp.jsp |
|
| Details | File | 1 | manager10.jsp |
|
| Details | File | 1 | logo_sbi.aspx |
|
| Details | File | 1 | logon.svg |
|
| Details | File | 1 | favicon.jsp |
|
| Details | File | 1 | favic0n.jsp |
|
| Details | File | 1 | l0g.jsp |
|
| Details | File | 1 | heed.jsp |
|
| Details | File | 1 | hellohtml.jsp |
|
| Details | File | 1 | hitcount.jsp |
|
| Details | File | 1 | style.jsp |
|
| Details | File | 1 | helpsessions.jsp |
|
| Details | File | 1 | preaprovewelcome.jsp |
|
| Details | File | 1 | wm_cfshared.jsp |
|
| Details | File | 2 | pro.php |
|
| Details | File | 1 | sql.jsp |
|
| Details | File | 1 | msok.aspx |
|
| Details | File | 6 | logo.svg |
|
| Details | File | 1 | welcome.jsp |
|
| Details | File | 1 | upload.jsp |
|
| Details | File | 1 | ex-b.jsp |
|
| Details | File | 1 | _ap.asp |
|
| Details | File | 1205 | index.php |
|
| Details | File | 1 | logo_sbi.asp |
|
| Details | File | 1 | netlogon.vbs |
|
| Details | File | 1 | x8_in.vbs |
|
| Details | File | 1 | x8.vbs |
|
| Details | File | 1 | la.sys |
|
| Details | File | 1 | curl.vbs |
|
| Details | File | 1 | spn.vbs |
|
| Details | File | 1 | insm.ps1 |
|
| Details | File | 1 | dec.ps1 |
|
| Details | File | 3 | sd.exe |
|
| Details | File | 1 | inco.exe |
|
| Details | File | 1 | out-minid.exe |
|
| Details | File | 1 | pr200.exe |
|
| Details | File | 1 | pw7.exe |
|
| Details | File | 1 | cur.py |
|
| Details | File | 1 | curl.py |
|
| Details | File | 1 | pypost.py |
|
| Details | File | 1 | wr2.txt |
|
| Details | File | 4 | rawcap.exe |
|
| Details | File | 51 | system.dat |
|
| Details | File | 24 | a.sql |
|
| Details | Github username | 6 | tennc |
|
| Details | Github username | 24 | sensepost |
|
| Details | Github username | 2 | xl7dev |
|
| Details | Github username | 1 | jitsi |
|
| Details | Github username | 18 | empireproject |
|
| Details | Github username | 3 | twi1ight |
|
| Details | md5 | 1 | 2B3211ADFA73E2508E98A09A54FE9755 |
|
| Details | md5 | 1 | C4549F17EF9C26A1F0878A0D2108876C |
|
| Details | md5 | 1 | D3C04EED90A086F04D838BFE47753CCA |
|
| Details | md5 | 1 | 6B7A67204C6369623E449D1C476E3273 |
|
| Details | md5 | 1 | AC8F639687F62FDEEDCC48007C579A3A |
|
| Details | md5 | 1 | C4C5FFC3754DF0585695F8FD63A2A977 |
|
| Details | md5 | 1 | 27C9E13C9D82935D1B199E2E0BBD262B |
|
| Details | md5 | 1 | CBA007CBD25CAD73CE80A8AC3DD90864 |
|
| Details | md5 | 1 | EB1E6E3D8B1CD2ABC65D080A610A0230 |
|
| Details | md5 | 1 | 93F95277642B592F9CE30E1C3C684866 |
|
| Details | md5 | 1 | 096D652310C3B248015242DB427ACDED |
|
| Details | md5 | 1 | 481FFF46383B00B534EF53FE87579435 |
|
| Details | md5 | 1 | 591D4DF7A83856B49158DC8D34F16C3B |
|
| Details | md5 | 1 | 5E83F542F729F7AE77982826E6BFAA0C |
|
| Details | md5 | 1 | A3AF470DEFC75728677925033D4F4635 |
|
| Details | md5 | 1 | CFE3E93698F6D8C6BE8713DCD3A401D1 |
|
| Details | md5 | 1 | E1A8F9AC2C3E069975C451A072C02F94 |
|
| Details | md5 | 1 | 590852C116DA7E63D806DC6843846F31 |
|
| Details | md5 | 1 | CC187F69FCFB943284F90E4D9815AEF7 |
|
| Details | md5 | 1 | 2DCB13E75E9B58B9546154E00A0B9665 |
|
| Details | md5 | 1 | 835C002731D5068D383E7CBEC8D22F2B |
|
| Details | md5 | 1 | 98B01D5CBC2198DF4EAFF65A2E2A1127 |
|
| Details | md5 | 1 | F4F42C28E29A92C8E80BAD64358B4083 |
|
| Details | md5 | 1 | FC2C2A272D97993E3187414D12C96249 |
|
| Details | md5 | 1 | FEBA4618133D115B5CF1075CCC20AE79 |
|
| Details | md5 | 1 | AC3B4ECACFAAC834DA24FA8DD380606C |
|
| Details | md5 | 1 | 76F9069CA5EA43B97E6F7058D86E26CB |
|
| Details | md5 | 1 | 9C8DC2BF1CB2DF5F5EFE344AA5F99C63 |
|
| Details | md5 | 1 | 562F0570530C7F7DDF844A7EB88A0D43 |
|
| Details | md5 | 1 | 0F14FAD6FCADC250F1E8873DA22143E2 |
|
| Details | md5 | 1 | CCF944D173B51247361C92B321269C9B |
|
| Details | md5 | 1 | DC302B4602CAFC6CC95DBA6316285E26 |
|
| Details | md5 | 1 | 6F7A2C1D59FB896B42B8116FC1330FCC |
|
| Details | md5 | 1 | AFC8C13CD1E0809DBED23BDC75474747 |
|
| Details | md5 | 1 | E47F5F5E31B842866585C7FD486FD815 |
|
| Details | md5 | 1 | 78BB6EB5BC84ACDFD4B07F462A3BB971 |
|
| Details | md5 | 1 | 37A6D23B84A9477888678060ED4A3EF8 |
|
| Details | md5 | 1 | 836E64ADE11315CD7BB485E85C4EAA42 |
|
| Details | md5 | 1 | 05355B74CA15B230E64A419C1F97E99E |
|
| Details | md5 | 1 | 5045679706EB31A0989E49CCE1DDE5E0 |
|
| Details | md5 | 1 | 6251920D4F0D6E9C176790F0757D4761 |
|
| Details | md5 | 1 | E20BAFF34F7333C9CC92908BAD2C1091 |
|
| Details | md5 | 1 | D1246F01DDB3C0C74C8C48DFEC18EC47 |
|
| Details | md5 | 1 | 4701909F47BBA7B0EB33A3DE944A9F04 |
|
| Details | md5 | 1 | 33C22962E43CEF8627CBC63535F33FCE |
|
| Details | md5 | 1 | F4B56E8B6C0710F1E8A18DC4F11A4EDC |
|
| Details | md5 | 1 | 7AF2CEC0EF9BE0C8BE2A0CF8D2347D89 |
|
| Details | md5 | 1 | EA67A59CC3DF42340EBCB92686C3203F |
|
| Details | md5 | 1 | B130215DD140FA47D06F6E1D5AD8E941 |
|
| Details | md5 | 1 | 254D3286F92CDF2377B452231D03C0C0 |
|
| Details | md5 | 1 | 4BED9C8D06A3BA7215C49F139CA0DD16 |
|
| Details | md5 | 1 | D68E47A6162DA5C13B6BAF14EA060860 |
|
| Details | md5 | 1 | 82667FC82BA7A7249C4BBC9296441113 |
|
| Details | md5 | 1 | BADBE22F22556E60F446D371E99F19E8 |
|
| Details | md5 | 1 | 154A6BFE1B651582F77341561FDC68A4 |
|
| Details | md5 | 1 | A33F7ED0E9CED177647FE38B083BBFEA |
|
| Details | md5 | 1 | 274A9BF3F78BDFC3FBB63520B2C0A9BD |
|
| Details | md5 | 1 | 5B306430ED7F9DB91C94CA6A9B065EFE |
|
| Details | md5 | 1 | 089542D815FBB1BFD7FFC962131F82BE |
|
| Details | md5 | 1 | E911A696064AB6FE659E5214017DBAAD |
|
| Details | md5 | 1 | 4926D1B5D792793CCCB46FEAF17E72AE |
|
| Details | md5 | 1 | 9297AFE02616958E157A675E56AFCB77 |
|
| Details | md5 | 1 | D8801A7B154DD3E231477EED0CDC759A |
|
| Details | md5 | 1 | D37549C3D7166CE14D0803A1909FEDFA |
|
| Details | md5 | 1 | 9E484E32505758A6D991C33652AD1B14 |
|
| Details | md5 | 1 | 879E2DA280D3E004A1E762C718EDABB9 |
|
| Details | md5 | 1 | DB975B51A999D84835C71F73F83B1862 |
|
| Details | md5 | 1 | 4489E8CB847CCCF4D2D87EE3372E8235 |
|
| Details | md5 | 1 | 0B26021F37F01F00CC6CF880BD3D7F68 |
|
| Details | md5 | 1 | 6A09BC6C19C4236C0BD8A01953371A29 |
|
| Details | md5 | 1 | 6E0BD9113D86E8B0BACA936FC508AE73 |
|
| Details | md5 | 1 | A92669EC8852230A10256AC23BBF4489 |
|
| Details | md5 | 1 | D1337B9E8BAC0EE285492B89F895CADB |
|
| Details | md5 | 1 | B2057B29AF51578340CEB87784B6B703 |
|
| Details | md5 | 1 | 572FDD23399EB5612C62A0906AD50C06 |
|
| Details | md5 | 1 | 56CFCD709B5BEA9F7EB49E959EE15A7E |
|
| Details | md5 | 1 | 577E181EC1D59BCCBF181391944D66E2 |
|
| Details | md5 | 1 | A43F35A71450EDF3741D530F8383BBEF |
|
| Details | md5 | 1 | 0D7A08E7F58BFE020C59D739911EE519 |
|
| Details | MITRE ATT&CK Techniques | 542 | T1190 |
|
| Details | MITRE ATT&CK Techniques | 41 | T1078.001 |
|
| Details | MITRE ATT&CK Techniques | 695 | T1059 |
|
| Details | MITRE ATT&CK Techniques | 460 | T1059.001 |
|
| Details | MITRE ATT&CK Techniques | 333 | T1059.003 |
|
| Details | MITRE ATT&CK Techniques | 86 | T1059.004 |
|
| Details | MITRE ATT&CK Techniques | 137 | T1059.005 |
|
| Details | MITRE ATT&CK Techniques | 59 | T1059.006 |
|
| Details | MITRE ATT&CK Techniques | 93 | T1059.007 |
|
| Details | MITRE ATT&CK Techniques | 310 | T1047 |
|
| Details | MITRE ATT&CK Techniques | 67 | T1505 |
|
| Details | MITRE ATT&CK Techniques | 9 | T1505.001 |
|
| Details | MITRE ATT&CK Techniques | 104 | T1505.003 |
|
| Details | MITRE ATT&CK Techniques | 86 | T1136 |
|
| Details | MITRE ATT&CK Techniques | 116 | T1134 |
|
| Details | MITRE ATT&CK Techniques | 227 | T1574.002 |
|
| Details | MITRE ATT&CK Techniques | 348 | T1036 |
|
| Details | MITRE ATT&CK Techniques | 32 | T1036.003 |
|
| Details | MITRE ATT&CK Techniques | 183 | T1036.005 |
|
| Details | MITRE ATT&CK Techniques | 94 | T1564.001 |
|
| Details | MITRE ATT&CK Techniques | 504 | T1140 |
|
| Details | MITRE ATT&CK Techniques | 89 | T1552.001 |
|
| Details | MITRE ATT&CK Techniques | 289 | T1003 |
|
| Details | MITRE ATT&CK Techniques | 173 | T1003.001 |
|
| Details | MITRE ATT&CK Techniques | 168 | T1046 |
|
| Details | MITRE ATT&CK Techniques | 176 | T1135 |
|
| Details | MITRE ATT&CK Techniques | 99 | T1087.002 |
|
| Details | MITRE ATT&CK Techniques | 139 | T1021.002 |
|
| Details | MITRE ATT&CK Techniques | 118 | T1570 |
|
| Details | MITRE ATT&CK Techniques | 116 | T1560.001 |
|
| Details | MITRE ATT&CK Techniques | 95 | T1572 |
|
| Details | MITRE ATT&CK Techniques | 35 | T1090.001 |
|
| Details | Threat Actor Identifier - FIN | 1 | FIN131 |
|
| Details | Threat Actor Identifier - FIN | 10 | FIN13 |
|
| Details | Url | 1 | https://www.mandiant.com/resources/fin13- |
|
| Details | Url | 1 | https://nvd.nist.gov/vuln/detail/cve-2017-1000486 |
|
| Details | Url | 1 | https://nvd.nist.gov/vuln/detail/cve-2015-7450 |
|
| Details | Url | 1 | https://nvd.nist.gov/vuln/detail/cve-2010-5326 |
|
| Details | Url | 1 | https://www.checkpoint.com/defense/advisories/public/2015/cpai-2015-0672.html |
|
| Details | Url | 1 | https://github.com/tennc/webshell/blob/master/jsp/jspspy.jsp |
|
| Details | Url | 2 | https://github.com/sensepost/regeorg |
|
| Details | Url | 1 | https://github.com/xl7dev/webshell/blob/master/php/ava%20server%20faces%20miniwebcmdshell%200.2%20by%20heartless.php |
|
| Details | Url | 1 | https://www.vonloesch.de/filebrowser.html |
|
| Details | Url | 21 | http://www.w3.org/1999/xhtml |
|
| Details | Url | 1 | http://www.jcraft.com/jsch/examples/portforwardingl.java.html |
|
| Details | Url | 1 | https://github.com/jitsi/jsocks |
|
| Details | Url | 1 | https://github.com/empireproject/empire/blob/master/data/module_source/lateral_movement/invoke-smbexec.ps1 |
|
| Details | Url | 1 | https://github.com/twi1ight/ad-pentest-script/blob/master/wmiexec.vbs |
|
| Details | Url | 1 | https://superuser.com/a/734359 |
|
| Details | Url | 1 | https://www.giac.org/paper/gcih/297/gain-control-windows-2000-server-in-process-table-privilege-escalation-exploit/102330 |
|
| Details | Url | 1 | https://www.cvedetails.com/cve/cve-2001-0507 |
|
| Details | Url | 1 | https://labs.f-secure.com/archive/incognito-v2-0-released |
|
| Details | Url | 1 | https://www.ibm.com/support/knowledgecenter/sseqtp_8.5.5/com.ibm.websphere.base.iseries.doc/ae/cweb_jspclassfiles.html |