APT28 and Upcoming Elections: Evidence of Possible Interference (Part II) - Yoroi
Tags
country: Russia | Ukraine
maec-delivery-vectors: Watering Hole
attack-pattern: Malware - T1587.001 | Malware - T1588.001 | Phishing - T1660 | Phishing - T1566 | PowerShell - T1059.001 | Rundll32 - T1218.011 | PowerShell - T1086 (deprecated ID, superseded by T1059.001) | Rundll32 - T1085 (deprecated ID, superseded by T1218.011)
Common Information
Type | Value |
---|---|
UUID | f55d160c-c788-4707-8d42-82ebdd3ef12f |
Fingerprint | 341728b90fa70705 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | April 18, 2019, 11:34 a.m. |
Added to db | Sept. 26, 2022, 9:30 a.m. |
Last updated | Nov. 17, 2024, 6:54 p.m. |
Headline | APT28 and Upcoming Elections: Evidence of Possible Interference (Part II) |
Title | APT28 and Upcoming Elections: Evidence of Possible Interference (Part II) - Yoroi |
Detected Hints/Tags/Attributes | 48/3/23 |
Source URLs
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | File | 2 | | %appdata%\user.dat |
Details | File | 14 | | user.dat |
Details | File | 2 | | %appdata%\mrset.bat |
Details | File | 2 | | %appdata%\mvtband.dat |
Details | File | 3 | | mrset.bat |
Details | File | 3 | | mvtband.dat |
Details | File | 1018 | | rundll32.exe |
Details | File | 29 | | vbaproject.bin |
Details | sha1 | 1 | | f9fd3f1d8da4ffd6a494228b934549d09e3c59d1 |
Details | sha256 | 2 | | a4a455db9f297e2b9fe99d63c9d31e827efb2cda65be445625fa64f4fce7f797 |
Details | sha256 | 2 | | 8a35b6ecdf43f42dbf1e77235d6017faa70d9c68930bdc891d984a89d895c1e7 |
Details | sha256 | 1 | | b40cbf38284e6a1b9157002ad564e40fad2d85ba36437cf95c3b6326ad142520 |
Details | sha256 | 1 | | 353aa1f03b36ee51138b61ef1f91f75de01850d73d619bbe5a0050594eba660d |
Details | sha256 | 1 | | 58b223f74992f371cab8f1df7c03b9b66f2ea9e3c9e22122898a9be62a05c0b4 |
Details | sha256 | 1 | | 51eaf3b30c1ea932843cb9f5b6fb41804976d94a53a507ccb292b8392276cfd6 |
Details | sha256 | 1 | | 8c47961181d9929333628af20bdd750021e925f40065374e6b876e3b8afbba57 |
Details | sha256 | 3 | | e259df89e065c4162b273ebb18b75ea153f9bafe30a8c6610204ccf5e3f4ebcd |
Details | Threat Actor Identifier - APT | 783 | | APT28 |
Details | Windows Registry Key | 11 | | HKCU\Environment |
Details | Yara rule | 1 | | APT28_office_document_dropper_GAMEFISH (full rule below) |
Details | Yara rule | 1 | | APT28_user_dll (full rule below) |
Details | Yara rule | 1 | | APT28_mrset_bat (full rule below) |
Details | Yara rule | 1 | | APT28_mvtband_dat_dll (full rule below) |

Yara rules

The four rules attached to this entry, author ZLAB Yoroi-Cybaze, TLP:WHITE, category informational, as written (only layout and comments added):

```yara
rule APT28_office_document_dropper_GAMEFISH
{
    meta:
        description  = "Yara Rule for office_document dropper (2017)"
        author       = "ZLAB Yoroi-Cybaze"
        last_updated = "2019-04-16"
        tlp          = "white"
        category     = "informational"
    strings:
        // "word\vbaProject.bin" immediately followed by a ZIP "PK" signature
        $a = "word\\vbaProject.binPK"
        $b = { E3 5D B8 1E 9C C7 11 F4 1E }
        $c = { 36 B7 DD E9 6F 33 4B D7 E7 7F }
    condition:
        all of them
}
```

```yara
import "pe"

rule APT28_user_dll
{
    meta:
        description  = "Yara Rule for user_dll (2017)"
        author       = "ZLAB Yoroi-Cybaze"
        last_updated = "2019-04-16"
        tlp          = "white"
        category     = "informational"
    strings:
        $a = "MZ"
        $b = "GetEnvironmentVariable"
        $c = { 49 73 50 72 6F 63 65 73 73 6F 72 }   // ASCII "IsProcessor"
    condition:
        all of them and pe.number_of_sections == 5
}
```

```yara
rule APT28_mrset_bat
{
    meta:
        description  = "Yara Rule for mrset_bat_file (2017)"
        author       = "ZLAB Yoroi-Cybaze"
        last_updated = "2019-04-16"
        tlp          = "white"
        category     = "informational"
    strings:
        $a = "inst_pck"
        $b = "mvtband.dat"
    condition:
        all of them
}
```

```yara
import "pe"

rule APT28_mvtband_dat_dll
{
    meta:
        description  = "Yara Rule for mvtband_dat_dll (2017)"
        author       = "ZLAB Yoroi-Cybaze"
        last_updated = "2019-04-16"
        tlp          = "white"
        category     = "informational"
    strings:
        $a = "DGMNOEP"
        $b = { C7 45 94 0A 25 73 30 8D 45 94 }
    condition:
        all of them
        and pe.sections[2].raw_data_size == 0            // third section carries no raw data
        and pe.version_info["OriginalFilename"] contains "mvtband"
}
```
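The indicators above are only useful once they are matched against telemetry. The following is an added example, written for this page and not code from Yoroi or from the original report: it takes the file names, hashes and registry key exactly as they appear in the Attributes table and runs them over a handful of constructed Sysmon-style events (FileCreate, ProcessCreate, RegistryEvent). Two things in it are this editor's assumptions rather than statements on the page: file-name matches are restricted to the roaming profile because the page writes the paths as %appdata%\..., and a rundll32.exe launch that loads a non-.dll module from AppData is flagged on its own because the page pairs rundll32.exe with .dat artefacts. The list of Office and script hosts, the sample paths and the SID are all made up for the example.

```python
"""Triage constructed Sysmon-style events against the indicators on this page.

Added example (not Yoroi's code). File names, hashes and the registry key come
from the Attributes table; the rundll32 and Office-writes-HKCU\\Environment
heuristics are assumptions about how those artefacts would surface in telemetry.
"""
import re
from dataclasses import dataclass

# Indicators copied verbatim from the Attributes table.
IOC_FILENAMES = {"user.dat", "mrset.bat", "mvtband.dat", "vbaproject.bin"}
IOC_SHA1 = {"f9fd3f1d8da4ffd6a494228b934549d09e3c59d1"}
IOC_SHA256 = {
    "a4a455db9f297e2b9fe99d63c9d31e827efb2cda65be445625fa64f4fce7f797",
    "8a35b6ecdf43f42dbf1e77235d6017faa70d9c68930bdc891d984a89d895c1e7",
    "b40cbf38284e6a1b9157002ad564e40fad2d85ba36437cf95c3b6326ad142520",
    "353aa1f03b36ee51138b61ef1f91f75de01850d73d619bbe5a0050594eba660d",
    "58b223f74992f371cab8f1df7c03b9b66f2ea9e3c9e22122898a9be62a05c0b4",
    "51eaf3b30c1ea932843cb9f5b6fb41804976d94a53a507ccb292b8392276cfd6",
    "8c47961181d9929333628af20bdd750021e925f40065374e6b876e3b8afbba57",
    "e259df89e065c4162b273ebb18b75ea153f9bafe30a8c6610204ccf5e3f4ebcd",
}
IOC_REG_KEY = "HKCU\\Environment"

# Assumptions (not on the page): matches are limited to the roaming profile since
# the page writes %appdata%\..., and rundll32 loading a non-.dll module from
# there is flagged by itself. Host list is illustrative.
APPDATA_RE = re.compile(r"(?:%appdata%|\\appdata\\roaming)\\", re.I)
OFFICE_AND_SCRIPT_HOSTS = {"winword.exe", "excel.exe", "powershell.exe",
                           "wscript.exe", "cscript.exe"}
SID_HIVE_RE = re.compile(r"^(?:HKU|HKEY_USERS)\\S-1-5-21-[\d-]+\\", re.I)


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def _basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _normalize_hive(key: str) -> str:
    """Fold HKU\\<SID>\\... and HKEY_CURRENT_USER\\... onto the page's HKCU\\... form."""
    key = SID_HIVE_RE.sub(lambda m: "HKCU\\", key)
    return re.sub(r"^HKEY_CURRENT_USER\\", lambda m: "HKCU\\", key, flags=re.I)


def _parse_hashes(field: str) -> dict:
    """Sysmon 'SHA1=..,SHA256=..' -> {'SHA1': '..', 'SHA256': '..'}, lower-cased."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def _rundll32_module(cmdline: str) -> str:
    """First argument to rundll32, cut at the ',' that precedes the export name."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]+"|\S+', cmdline)]
    return tokens[1].split(",", 1)[0] if len(tokens) > 1 else ""


def triage(events: list) -> list:
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:  # FileCreate
            target = ev["TargetFilename"]
            if _basename(target) in IOC_FILENAMES and APPDATA_RE.search(target):
                findings.append(Finding("ioc_filename_in_appdata", eid, target))
        elif eid == 1:  # ProcessCreate
            hashes = _parse_hashes(ev.get("Hashes", ""))
            hits = sorted(h for a, h in hashes.items()
                          if (a == "SHA256" and h in IOC_SHA256) or (a == "SHA1" and h in IOC_SHA1))
            if hits:
                findings.append(Finding("ioc_hash", eid, ",".join(hits)))
            if _basename(ev["Image"]) == "rundll32.exe":
                module = _rundll32_module(ev.get("CommandLine", ""))
                if module and APPDATA_RE.search(module) and not module.lower().endswith(".dll"):
                    findings.append(Finding("rundll32_nondll_appdata", eid, module))
        elif eid == 13:  # RegistryEvent (value set)
            key = _normalize_hive(ev["TargetObject"])
            if (key.lower().startswith(IOC_REG_KEY.lower() + "\\")
                    and _basename(ev["Image"]) in OFFICE_AND_SCRIPT_HOSTS):
                findings.append(Finding("office_writes_hkcu_environment", eid, key))
    return findings


# Constructed sample events (not real telemetry); paths, SID and hashes of the
# benign entries are made up.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\user.dat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Users\alice\AppData\Roaming\mvtband.dat,#1',
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\setup.exe", "CommandLine": "setup.exe",
     "Hashes": "SHA1=f9fd3f1d8da4ffd6a494228b934549d09e3c59d1,"
               "SHA256=e259df89e065c4162b273ebb18b75ea153f9bafe30a8c6610204ccf5e3f4ebcd"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\LogonData"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",  # benign control-panel launch
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL", "Hashes": "SHA256=1111"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",  # same file name, not in AppData
     "TargetFilename": r"C:\Program Files\SomeApp\user.dat"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

The hash set is the strongest signal and the only one that is exact; the file-name and registry checks are deliberately scoped (AppData only, Office or script hosts only) because user.dat and HKCU\Environment are common enough on a clean host that unscoped matching would be noise. Whatever value a real intrusion writes under HKCU\Environment, the key-level match above still fires.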