Share this page!

Jazi Profile picture
Twitter logo
Mar 6 3 tweets 1 min read
This is really interesting!
Maybe it is an #APT attack targeting #Ukriane:

Zip -> dovidka.chm -> WScript.exe ignit.vbs -> wscript.exe desktop.ini -> regasm.exe core.dll

Also it drops "Windows Prefetch.lNk" in Start-Up directory to make "desktop.ini" persistence.
(1/3)
The dropped payload is a small .Net payload that is obfuscated using ConfuserEx. It has been compiled on Jan 31 2022.

IOCs:
e34d6387d3ab063b0d926ac1fca8c4c4
довідка.zip

2556a9e1d5e9874171f51620e5c5e09a
dovidka.chm (According to VT it is exploiting CVE-2019-0541)

(2/3)
ignit.vbs
bd65d0d59f6127b28f0af8a7f2619588

Desktop.ini
a9dcaf1c709f96bc125c8d1262bac4b6

Windows Prefetch.lNk
fb418bb5bd3e592651d0a4f9ae668962

core.dll
d2a795af12e937eb8a89d470a96f15a5

C2:
xbeta[.]online
185.175.158.27
(3/3)

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Jazi

Jazi Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @h2jazi

Jazi Profile picture
Aug 25, 2021
Some updates on this suspected #Lazarus #APT:(thread, 1/4)
1) The remote template is VBA stomped or at least it was able to hide itself from olevba and oledump
2) The remote template drops an obfuscated vbs file and registers it as a scheduled service
3) All the strings in "OneDriveUpdateNew.vbs" are obfuscated and are decoded using "string_decoder" function with a hardcoded key table.

You can see the decoder and list of the decoded strings used by this vbs file here:
github.com/HHJazi/APT
2/4
4) The vbs file collects the victim info and builds an HTTP request:
"Username-ComputerName_UUID;OSName"
5) Then it encodes the request using hard coded key and sends the generated request to C2
6) Receives a payload from the C2 and writes it into "%APPDATA%/OD_update.exe"
3/4
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @h2jazi has new unrolls!

Check out other threads from @h2jazi!

Read all threads by @h2jazi

:(