Mind the (air) gap: GoldenJackal gooses government guardrails
Tags
cmtmf-attack-pattern: Acquire Infrastructure, Application Layer Protocol, Boot Or Logon Autostart Execution, Command And Scripting Interpreter, Compromise Infrastructure, Develop Capabilities, Masquerading, Obfuscated Files Or Information, Obtain Capabilities, Scheduled Task/Job
country: Belarus, Israel, Russia
maec-delivery-vectors: Watering Hole
attack-pattern: Acquire Infrastructure Data Acquire Infrastructure - T1583; Software Discovery - T1418; Application Layer Protocol - T1437; Archive Collected Data - T1560; Archive Collected Data - T1532; Archive Via Library - T1560.002; Boot Or Logon Autostart Execution - T1547; Cloud Accounts - T1078.004; Cloud Accounts - T1585.003; Cloud Accounts - T1586.003; Command And Scripting Interpreter - T1623; Compromise Infrastructure - T1584; Create Or Modify System Process - T1543; Credentials - T1589.001; Credentials In Files - T1552.001; Data From Local System - T1533; Develop Capabilities - T1587; Dns - T1071.004; Dns - T1590.002; Email Addresses - T1589.002; Encrypted/Encoded File - T1027.013; Establish Accounts - T1585; Exfiltration Over Alternative Protocol - T1639; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002; Exfiltration Over C2 Channel - T1646; Exfiltration Over Usb - T1052.001; Exfiltration Over Web Service - T1567; Exfiltration To Cloud Storage - T1567.002; Exploitation Of Remote Services - T1428; Replication Through Removable Media - T1458; File And Directory Discovery - T1420; File Deletion - T1070.004; File Deletion - T1630.002; Hidden Files And Directories - T1564.001; Hide Artifacts - T1628; Hide Artifacts - T1564; Internal Proxy - T1090.001; Internet Connection Discovery - T1016.001; Internet Connection Discovery - T1422.001; Ip Addresses - T1590.005; Local Account - T1087.001; Local Account - T1136.001; Local Data Staging - T1074.001; Local Email Collection - T1114.001; System Network Configuration Discovery - T1422; Malicious File - T1204.002; Malware - T1587.001; Malware - T1588.001; Masquerade File Type - T1036.008; Masquerading - T1655; Match Legitimate Name Or Location - T1036.005; Match Legitimate Name Or Location - T1655.001; Obfuscated Files Or Information - T1406; Process Discovery - T1424; System Information Discovery - T1426; Native Api - T1575; Obtain Capabilities - T1588; Powershell - T1059.001; Private Keys - T1552.004; Protocol Tunneling - T1572; Python - T1059.006; Registry Run Keys / Startup Folder - T1547.001; Scheduled Task - T1053.005; Scheduled Task/Job - T1603; Server - T1583.004; Server - T1584.004; Service Execution - T1569.002; Software - T1592.002; Software Discovery - T1518; Ssh - T1021.004; Standard Encoding - T1132.001; System Services - T1569; Windows Command Shell - T1059.003; Web Protocols - T1071.001; Web Protocols - T1437.001; Windows Service - T1543.003; Unsecured Credentials - T1552; Virtual Private Server - T1583.003; Web Services - T1583.006; Virtual Private Server - T1584.003; Web Services - T1584.006; Tool - T1588.002; Account Discovery - T1087; Standard Application Layer Protocol - T1071; Automated Collection - T1119; Command-Line Interface - T1059; Communication Through Removable Media - T1092; Connection Proxy - T1090; Credentials In Files - T1081; Data Encoding - T1132; Data From Local System - T1005; Data From Removable Media - T1025; Data Staged - T1074; Email Collection - T1114; Execution Through Api - T1106; Exfiltration Over Alternative Protocol - T1048; Exfiltration Over Command And Control Channel - T1041; Exfiltration Over Physical Medium - T1052; Exploitation Of Remote Services - T1210; File And Directory Discovery - T1083; File Deletion - T1107; Hidden Files And Directories - T1158; Indicator Removal On Host - T1070; Masquerading - T1036; Modify Registry - T1112; Network Service Scanning - T1046; Network Share Discovery - T1135; Obfuscated Files Or Information - T1027; Peripheral Device Discovery - T1120; Powershell - T1086; Private Keys - T1145; Process Discovery - T1057; Registry Run Keys / Start Folder - T1060; Remote System Discovery - T1018; Replication Through Removable Media - T1091; Scheduled Task - T1053; Service Execution - T1035; System Information Discovery - T1082; System Network Configuration Discovery - T1016; User Execution - T1204; Automated Collection; Exploitation Of Remote Services; Masquerading; Remote System Discovery; Replication Through Removable Media; User Execution
Common Information
Type Value
UUID 3b969cbf-2220-4faf-9311-c4d04f1dbfe0
Fingerprint 9524965b21a5ae91
Analysis status DONE
Considered CTI value 2
Text language
Published Oct. 7, 2024, midnight
Added to db Oct. 8, 2024, 6:26 p.m.
Last updated Dec. 11, 2024, 6:12 a.m.
Headline Mind the (air) gap: GoldenJackal gooses government guardrails
Title Mind the (air) gap: GoldenJackal gooses government guardrails
Detected Hints/Tags/Attributes 255/4/141
Attributes
Type | #Events | Value
Domain | 1 | 0e6c.py
Domain | 1 | edc5-4055-37cd-d2d2.py
Domain | 1 | 5488-240b-c00f-203a.py
Domain | 1 | 8744-a287-35be-4ea0.py
Domain | 1 | 63d5-be5f-e4df-7e65.py
Domain | 1 | c7b4-0999-aec4-a0c8.py
Domain | 1 | 1ee0-7c3a-3331-4df3.py
Domain | 1 | a86b-108c-36c7-6972.py
Domain | 1 | 2648-69f9-6dc0-3476.py
Domain | 1 | 9ea4-fb87-6d57-924a.py
Domain | 1 | 4b19-7f72-8c17-dceb.py
Domain | 1 | mysmb.py
Domain | 6 | checker.py
Domain | 1 | 8b55-3ac9-5c30-d0c4.py
Domain | 1 | 0ffc-667e-dce4-b270.py
Domain | 1 | update46.zip
Domain | 13 | smtp-mail.outlook.com
Domain | 9 | smtp.office365.com
Domain | 284 | outlook.com
Domain | 117 | eset.com
Domain | 1 | spy.agent.ca
Domain | 4 | assistance.uz
Domain | 3 | thehistore.com
Domain | 3 | xgraphic.ro
Email | 2 | mariaalpane@outlook.com
Email | 2 | katemarien087@outlook.com
Email | 2 | spanosmitsotakis@outlook.com
Email | 72 | threatintel@eset.com
File | 486 | lsass.exe
File | 1 | winaeromodule.exe
File | 1 | 0e6c.py
File | 1 | edc5-4055-37cd-d2d2.py
File | 1 | 5488-240b-c00f-203a.py
File | 1 | 8744-a287-35be-4ea0.py
File | 1 | 63d5-be5f-e4df-7e65.py
File | 1 | c7b4-0999-aec4-a0c8.py
File | 1 | 1ee0-7c3a-3331-4df3.py
File | 1 | a86b-108c-36c7-6972.py
File | 1 | 2648-69f9-6dc0-3476.py
File | 1 | 9ea4-fb87-6d57-924a.py
File | 1 | 4b19-7f72-8c17-dceb.py
File | 1 | mysmb.py
File | 7 | checker.py
File | 1 | 8b55-3ac9-5c30-d0c4.py
File | 1 | 0ffc-667e-dce4-b270.py
File | 1 | reports.ini
File | 1 | squirrelcache.dat
File | 24 | update.bat
File | 1 | %username%\\appdata\\local\\update.exe
File | 178 | update.exe
File | 414 | c:\windows\system32\cmd.exe
File | 1 | update46.zip
File | 1 | update46.tar
File | 8 | openssl.exe
File | 1 | libssl-3-x64.dll
File | 2 | libcrypto-3-x64.dll
File | 1 | duplxer_black_list_for_external_use.py
File | 1 | send_to_hole.py
File | 1 | c:\programdata\microsoft\windows\caches\cversions.ini
File | 2 | press.pdf
File | 7 | credentials.json
File | 2 | token.json
File | 1 | winaero.exe
File | 1 | officeautocomplete.exe
File | 1 | prinntfy.dll
File | 1 | zupdater.exe
File | 3 | fc.exe
File | 4 | fp.exe
File | 8 | cb.exe
File | 107 | googleupdate.exe
File | 2196 | cmd.exe
IPv4 | 209 | 1.1.1.1
IPv4 | 3 | 83.24.9.124
IPv4 | 3 | 196.29.32.210
MITRE ATT&CK Techniques | 63 | T1583.003
MITRE ATT&CK Techniques | 34 | T1583.004
MITRE ATT&CK Techniques | 14 | T1584.006
MITRE ATT&CK Techniques | 101 | T1587.001
MITRE ATT&CK Techniques | 8 | T1585.003
MITRE ATT&CK Techniques | 59 | T1588.002
MITRE ATT&CK Techniques | 482 | T1059.001
MITRE ATT&CK Techniques | 352 | T1059.003
MITRE ATT&CK Techniques | 60 | T1059.006
MITRE ATT&CK Techniques | 244 | T1106
MITRE ATT&CK Techniques | 180 | T1569.002
MITRE ATT&CK Techniques | 380 | T1204.002
MITRE ATT&CK Techniques | 183 | T1543.003
MITRE ATT&CK Techniques | 397 | T1547.001
MITRE ATT&CK Techniques | 286 | T1053.005
MITRE ATT&CK Techniques | 98 | T1564.001
MITRE ATT&CK Techniques | 307 | T1070.004
MITRE ATT&CK Techniques | 186 | T1036.005
MITRE ATT&CK Techniques | 25 | T1036.008
MITRE ATT&CK Techniques | 558 | T1112
MITRE ATT&CK Techniques | 18 | T1027.013
MITRE ATT&CK Techniques | 90 | T1552.001
MITRE ATT&CK Techniques | 27 | T1552.004
MITRE ATT&CK Techniques | 73 | T1087.001
MITRE ATT&CK Techniques | 598 | T1083
MITRE ATT&CK Techniques | 170 | T1046
MITRE ATT&CK Techniques | 188 | T1120
MITRE ATT&CK Techniques | 443 | T1057
MITRE ATT&CK Techniques | 246 | T1018
MITRE ATT&CK Techniques | 188 | T1518
MITRE ATT&CK Techniques | 1022 | T1082
MITRE ATT&CK Techniques | 42 | T1016.001
MITRE ATT&CK Techniques | 184 | T1135
MITRE ATT&CK Techniques | 113 | T1210
MITRE ATT&CK Techniques | 56 | T1091
MITRE ATT&CK Techniques | 29 | T1560.002
MITRE ATT&CK Techniques | 113 | T1119
MITRE ATT&CK Techniques | 542 | T1005
MITRE ATT&CK Techniques | 34 | T1025
MITRE ATT&CK Techniques | 51 | T1074.001
MITRE ATT&CK Techniques | 35 | T1114.001
MITRE ATT&CK Techniques | 461 | T1071.001
MITRE ATT&CK Techniques | 9 | T1092
MITRE ATT&CK Techniques | 101 | T1132.001
MITRE ATT&CK Techniques | 97 | T1572
MITRE ATT&CK Techniques | 35 | T1090.001
MITRE ATT&CK Techniques | 433 | T1041
MITRE ATT&CK Techniques | 3 | T1052.001
MITRE ATT&CK Techniques | 102 | T1567.002
MITRE ATT&CK Techniques | 19 | T1048.002
Url | 3 | https://1.1.1.1
Url | 2 | https://83.24.9.124
Url | 2 | http://196.29.32.210
Url | 1 | https://83.24.9.124/8102/.
Windows Registry Key | 3 | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced