RIFT: Analysing a Lazarus Shellcode Execution Method
Tags
| maec-delivery-vectors: | Watering Hole |
| attack-pattern: | Data Malware - T1587.001 Malware - T1588.001 Phishing - T1660 Phishing - T1566 Python - T1059.006 Scheduled Task - T1053.005 Scheduled Task - T1053 |
Common Information
| Type | Value |
|---|---|
| UUID | cb2a44d1-10dd-4eea-a5a4-95cd534b26e8 |
| Fingerprint | 3a503b1828c800c0 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Jan. 23, 2021, 8:43 a.m. |
| Added to db | Jan. 30, 2023, 4:32 p.m. |
| Last updated | Nov. 17, 2024, 11:40 p.m. |
| Headline | RIFT: Analysing a Lazarus Shellcode Execution Method |
| Title | RIFT: Analysing a Lazarus Shellcode Execution Method |
| Detected Hints/Tags/Attributes | 39/2/45 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 1 | crmute.com |
|
| Details | Domain | 2 | www.advantims.com |
|
| Details | Domain | 1373 | twitter.com |
|
| Details | Domain | 4 | www.greyhathacker.net |
|
| Details | Domain | 281 | docs.microsoft.com |
|
| Details | Domain | 1 | ropgadget.com |
|
| Details | Domain | 262 | www.welivesecurity.com |
|
| Details | Domain | 87 | app.any.run |
|
| Details | Domain | 4128 | github.com |
|
| Details | File | 30 | c:\windows\system32\wscript.exe |
|
| Details | File | 1 | c:\programlogs\performlogs.vbs |
|
| Details | File | 1 | c:\programlogs\advancedlog.exe |
|
| Details | File | 2 | custom.css |
|
| Details | File | 3 | c:\windows\system32\pcalua.exe |
|
| Details | File | 1 | c:\programlogs\nvwatchdog.bin |
|
| Details | File | 1 | c:\programlogs\wmp.dll |
|
| Details | File | 3 | wmp.dll |
|
| Details | File | 1 | c:\intel\hidasvc.exe |
|
| Details | File | 240 | wmic.exe |
|
| Details | File | 2 | gfxcpl.xsl |
|
| Details | File | 1 | sync.xsl |
|
| Details | File | 1 | abusing_win_functions.html |
|
| Details | File | 4 | eset_operation_interception.pdf |
|
| Details | File | 3 | lazarus_under_the_hood_pdf_final.pdf |
|
| Details | Github username | 35 | neo23x0 |
|
| Details | sha256 | 1 | 47a342545d8df9c2c1e0e945f2c4fca3a440dc00cff40727abff12d307c8c788 |
|
| Details | sha256 | 1 | bdf9fffe1c9ffbeec307c536a2369eefb2a2c5d70f33a1646a15d6d152c2a6fa |
|
| Details | sha256 | 1 | cabb45c99ffd8dd189e4e3ed5158fac1d0de4e2782dd704b2b595db5f63e2610 |
|
| Details | sha256 | 1 | 949bfce2125d76f2d21084f187c681397d113e1bbdc550694a7bce7f451a6e69 |
|
| Details | sha256 | 1 | f188eec1268fd49bdc7375fc5b77ded657c150875fede1a4d797f818d2514e88 |
|
| Details | sha256 | 1 | d6b55dae813a4acd461d1d36ff7ef2597b6a8112feb07fac0cfc46af963690dc |
|
| Details | sha256 | 1 | c0c8a97a04b4d3c7709760fcbe36dc61e3cec294ed4180069131df53b4211da3 |
|
| Details | Url | 1 | http://crmute.com/custom.css |
|
| Details | Url | 2 | https://www.advantims.com/gfxcpl.xsl |
|
| Details | Url | 1 | https://www.advantims.com/sync.xsl |
|
| Details | Url | 1 | https://twitter.com/cpresearch/status/1352310521752662018 |
|
| Details | Url | 2 | https://www.greyhathacker.net/?p=948 |
|
| Details | Url | 1 | https://docs.microsoft.com/en-us/windows/win32/api/rpcdce/nf-rpcdce-uuidfromstringa |
|
| Details | Url | 1 | https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemlocalesa |
|
| Details | Url | 1 | http://ropgadget.com/posts/abusing_win_functions.html |
|
| Details | Url | 1 | https://www.welivesecurity.com/wp-content/uploads/2020/06/eset_operation_interception.pdf |
|
| Details | Url | 2 | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/lazarus_under_the_hood_pdf_final.pdf |
|
| Details | Url | 1 | https://app.any.run/tasks/39059fe7-c4a4-42d1-944b-96c447b2d442 |
|
| Details | Url | 1 | https://twitter.com/cyb3rops/status/1352327393420210181 |
|
| Details | Url | 1 | https://github.com/neo23x0/sigma/blob/master/rules/windows/process_creation/win_office_shell.yml |