Hamas-linked SameCoin campaign malware analysis
Common Information
Type Value
UUID 588fa86e-e357-4346-bf66-90254203df56
Fingerprint e544087207f4e6e2
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 14, 2024, 10:05 a.m.
Added to db Aug. 31, 2024, 10:53 a.m.
Last updated Nov. 17, 2024, 6:54 p.m.
Headline Hamas-linked SameCoin campaign malware analysis
Title Hamas-linked SameCoin campaign malware analysis
Detected Hints/Tags/Attributes 63/3/46
RSS Feed
Id: 422
Feed title: Inside The Lab - HarfangLab
Url: https://harfanglab.io/insidethelab/feed
Added to db: 2024-08-30 22:08
Attributes
Type (#Events): Value
Domain (26): gofile.io
Domain (3): libexampleone.so
Domain (1): extremismterms.adl.org
File (1): incd-securityupdate-feb24.rar
File (3): incd-securityupdate-feb24.apk
File (1): incd-securityupdate-feb24.exe
File (48): agent.exe
File (185): shell32.dll
File (13): manager.exe
File (3): agent.jpg
File (1): userspublicvideo.mp4
File (748): kernel32.dll
File (249): schtasks.exe
File (1): c:\users\public\microsoft connection agent.jpg
File (1): c:\users\public\video.mp4
File (1): c:\users\public\microsoft system agent.exe
File (1): c:\users\public\microsoft system manager.exe
File (1): c:\users\public\windows defender agent.exe
Threat Actor Identifier - APT-C (79): APT-C-23
Url (1): https://gofile.io/d/wefbpd
Url (1): https://gofile.io/d/bnwjb6
Url (1): https://gofile.io/d/ikswej
Url (1): https://gofile.io/d/sslpjv
Url (1): https://store9.gofile.io/download/76732040-c118-40cc-a33e-f7fb22f1c1aa/incd-securityupdate-feb24.rar|samecoin
Url (1): https://store27.gofile.io/download/15c1c6a0-2f5b-44ee-951d-a64778fed86d/incd-securityupdate-feb24.rar|samecoin
Url (1): https://store2.gofile.io/download/fab845cc-aba0-49ce-ab89-753d7685bd46/incd-securityupdate-feb24.apk|samecoin
Url (1): https://store2.gofile.io/download/803df49c-d77d-44d0-ad2f-28818432a4ce/incd-securityupdate-feb24.apk|samecoin
Url (1): https://extremismterms.adl.org/glossary/inverted-red-triangle
Windows Registry Key (1): HKCUKeyboard
Windows Registry Key (1): HKLMSystemKeyboard
Yara rule (1):
rule samecoin_campaign_nativewiper {
	meta:
		author = "HarfangLab"
		description = "Matches the native Android library used in the SameCoin campaign"
		references = "TRR240201"
		last_modified = "2024-02-13"
		context = "file"
		hash = "248054658277e6971eb0b29e2f44d7c3c8d7c5abc7eafd16a3df6c4ca555e817"
	strings:
		$native_export = "Java_com_example_exampleone_MainActivity_deleteInCHunks"
		$f1 = "_Z9chunkMainv"
		$f2 = "_Z18deleteFilesInChunkRKNSt6__"
		$f3 = "_Z18overwriteWithZerosPKc"
		$s1 = "/storage/emulated/0/"
		$s2 = "FileLister"
		$s3 = "Directory chunks deleted."
		$s4 = "Current Chunk Size is:  %dln"
	condition:
		filesize < 500KB and uint32(0) == 0x464C457F and ($native_export or all of ($f*) or all of ($s*))
}