Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign - Yoroi
Tags
Tag | Value |
---|---|
country | Ukraine |
maec-delivery-vectors | Watering Hole |
attack-pattern | Malware - T1587.001; Malware - T1588.001; Software - T1592.002; Template Injection - T1221; Scripting - T1064; Scripting |
Common Information
Type | Value |
---|---|
UUID | 449af73f-9b81-4122-bbb1-7b95b58daf4b |
Fingerprint | a60712522fe60385 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Feb. 17, 2020, 12:45 p.m. |
Added to db | Sept. 26, 2022, 9:31 a.m. |
Last updated | Nov. 14, 2024, 2:04 p.m. |
Headline | Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign |
Title | Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign - Yoroi |
Detected Hints/Tags/Attributes | 49/3/39 |
Attributes
Type | #Events | Value |
---|---|---|
Domain | 1 | win-apu.ddns.net |
Domain | 1 | apu.dot |
Domain | 1 | get-icons.ddns.net |
Domain | 4 | masseffect.space |
Domain | 372 | wscript.shell |
File | 1 | f.doc |
File | 1 | templates.vbs |
File | 1 | 28847.exe |
File | 1 | wuaucltic.exe |
File | 1 | -post.php |
File | 3 | excelmymacros.txt |
File | 3 | wordmacros.txt |
File | 3 | indexoffice.vbs |
File | 1 | indexoffice.exe |
File | 1 | indexoffice.txt |
File | 1 | %appdata%\roaming\microsoft\windows\start menu\programs\startup\templates.vbs |
File | 1 | autoindex.php |
sha256 | 2 | 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a |
sha256 | 2 | e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8 |
sha256 | 4 | c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f |
sha256 | 1 | 3dfadf9f23b4c5d17a0c5f5e89715d239c832dbe78551da67815e41e2000fdf1 |
sha256 | 1 | def13f94cdf793df3e9b42b168550a09ee906f07f61a3f5c9d25ceca44e8068c |
sha256 | 1 | 86977a785f361d4f26eb3e189293c0e30871de3c93b19653c26a31dd4ed068cc |
sha256 | 3 | 2f310c5b16620d9f6e5d93db52607f21040b4829aa6110e22ac55fab659e9fa1 |
sha256 | 3 | 145a61a14ec6d32b105a6279cd943317b41f1d27f21ac64df61bcdd464868edd |
sha256 | 1 | ad61df516fb038e806d13d9cc968abaf55eae3b52780d20976ed4e0db440d87b |
sha256 | 1 | f66e820de46bc0d2053c7d24169deb9424f5fdc6973935b108030b03184fcba5 |
sha256 | 1 | 40cd2384824ae960a85fc540a763c342c4dc5c9226308d9eb690c98a302fa7a2 |
Url | 1 | http://win-apu.ddns.net/apu.dot |
Url | 1 | http://get-icons.ddns.net/admin-pc_e42caf54//autoindex.php |
Url | 1 | http://masseffect.space/<pc_name>_<hex_drive_sn>/post.php |
Url | 1 | http://get-icons.ddns.net/apu.dot |
Url | 1 | http://masseffect.space |
Windows Registry Key | 18 | HKEY_CURRENT_USER\Software\Microsoft\Office |
Yara rules (1 event each)

```yara
rule Gamaredon_Campaign_Genuary_2020_Initial_Dropper {
    meta:
        description = "Yara Rule for Gamaredon_f_doc"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-02-14"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = { 4B 03 }
        $a2 = { 8E DA 30 14 DD 57 EA 3F }
        $a3 = { 3B 93 46 0F AF B0 2B 33 }
        $a4 = { 50 4B 03 04 14 00 06 00 08 }
    condition:
        all of them
}
```

```yara
rule Gamaredon_Campaign_Genuary_2020_Second_Stage {
    meta:
        description = "Yara Rule for Gamaredon_apu_dot"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-02-14"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = "Menu\\Programs\\Startup\\\""
        $a2 = "RandStrinh"
        $a3 = ".txt"
        $a4 = "templates.vbs"
        $a5 = "GET"
        $a6 = "Encode = 1032"
        $a7 = "WShell=CreateObject(\"WScript.Shell\")"
        $a8 = "Security"
        $a9 = "AtEndOfStream"
        $a10 = "GenRandom"
        $a11 = "SaveToFile"
        $a12 = "Sleep"
        $a13 = "WinMgmts:{(Shutdown,RemoteShutdown)}!"
        $a14 = "Scripting"
        $a15 = "//autoindex.php"
    condition:
        11 of ($a*)
}
```

```yara
rule Gamaredon_Campaign_Genuary_2020_SFX_Stage_1 {
    meta:
        description = "Yara Rule for Gamaredon SFX stage 1"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-02-14"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = { 4D 5A }
        $a2 = { FF 75 FC E8 F2 22 01 00 }
        $a3 = { FE DE DB DB FE D5 D5 D6 F8 }
        $a4 = { 22 C6 24 A8 BE 81 DE 63 }
        $a5 = { CF 4F D0 C3 C0 91 B0 0D }
    condition:
        all of them
}
```

```yara
rule Gamaredon_Campaign_Genuary_2020_SFX_Stage_2 {
    meta:
        description = "Yara Rule for Gamaredon SFX stage 2"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-02-14"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = { 4D 5A }
        $a2 = { 00 E9 07 D4 FD FF 8B 4D F0 81 }
        $a3 = { B7 AB FE B2 B1 B5 FA 9B 11 80 }
        $a4 = { 81 21 25 E0 38 03 FA F0 AF 11 }
        $a5 = { 0A 39 DF F7 40 8D 7B 44 52 }
    condition:
        all of them
}
```

```yara
rule Gamaredon_Campaign_Genuary_2020_dot_NET_stage {
    meta:
        description = "Yara Rule for Gamaredon dot NET stage"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-02-14"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = { 4D 5A }
        $a2 = "AssemblyCompanyAttribute"
        $a3 = "GetDrives"
        $a4 = "Aversome"
        $a5 = "TotalMilliseconds"
        $s1 = { 31 01 C6 01 F2 00 29 01 5C 03 76 }
        $s2 = { 79 02 38 03 93 03 B5 03 }
        $s3 = { 00 07 00 00 11 00 00 72 01 }
        $s4 = { CD DF A6 EF 66 0E 44 D7 }
    condition:
        all of ($a*) and 2 of ($s*)
}
```