Actor behind Operation LagTime targets Russia
By Sebdraven
Published: 2020-11-25 · Archived: 2026-04-05 20:28:13 UTC

The file f5a78a155a219582db8959c3a96a1d91ed891801663b1cce0c599779773bc3f5 uses version 7 of the Royal Road RTF document. This file drops a new backdoor in memory, rewriting the EQNEDT32.EXE process. The document refers to the ceasefire between Armenia and Azerbaijan and appears to have been sent by the Mongolian authorities.

Analysis of the backdoor in memory

This backdoor is a state machine that launches different threads (function 00401640). The backdoor checks the computer's disks, the running processes, the Windows version and the privileges of the user. The malware tries many connections to the C2 in different functions.

The domain of the C2 is in clear text in the malware.

This backdoor is very simple to analyze: there is no packing and no code obfuscation.

Attribution

According to Intezer, the similarity is high with the file 4c22eb33aa1d10511eaf8d13098e2687e44eaebc5af8112473e28acedac34be. This malware was used in Operation LagTime.
https://otx.alienvault.com/indicator/file/4c22eb33aa1d10511eaf8d13098e2687e44eaebc5af8112473e28acedac34bea

The IP of the C2 in Operation LagTime is 95.179.131.29. So the campaign against Russia is driven by the same threat actor as Operation LagTime IT.

The configuration of the backdoor's C2, 103.106.250.239, which is hosted in Malaysia, changed in July 2020. This date seems to be the beginning of the operation.

IOCs

RTF file:
f5a78a155a219582db8959c3a96a1d91ed891801663b1cce0c599779773bc3f5 (SHA-256)
2d678cba2795d0339331125692e9a850a043a22f (SHA-1)
ae1b4a5775aca501954076b8024b04ec (MD5)

Network:
custom.songuulcomiss.com
103.106.250.239

Backdoor:
46a9ca7d5364fbe5fd3d6ffb0f8d86e9a9e566708657e59ef8873d3ed536348d

Source: https://sebdraven.medium.com/actor-behind-operation-lagtime-targets-russia-f8c277dc52a9
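As an added detection example (my code, not from the original post), assuming Sysmon-style JSON events (EventID 3 for network connections, EventID 22 for DNS queries) and constructed sample records: it flags the C2 domain and IPs named in the post, and any DNS or network activity from EQNEDT32.EXE, the process the post says is rewritten to host the backdoor.

```python
import json

# IOCs published in the post: the C2 domain and the two C2 IPs mentioned.
C2_DOMAINS = {"custom.songuulcomiss.com"}
C2_IPS = {"103.106.250.239", "95.179.131.29"}
# The backdoor runs inside the rewritten Equation Editor process; that
# binary has no legitimate reason to resolve names or open connections.
HOLLOWED_IMAGE = "eqnedt32.exe"


def parse_events(jsonl):
    """Parse newline-delimited JSON, one Sysmon-style event per line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(events):
    """Return (rule, RecordId) pairs for events matching the post's IOCs
    or the EQNEDT32.EXE network behaviour it describes."""
    alerts = []
    for ev in events:
        # Basename of the process image, case-insensitive.
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        rid = ev.get("RecordId")
        if ev.get("EventID") == 22:  # Sysmon: DNS query
            if ev.get("QueryName", "").lower().rstrip(".") in C2_DOMAINS:
                alerts.append(("dns_query_to_c2_domain", rid))
            if image == HOLLOWED_IMAGE:
                alerts.append(("eqnedt32_network_activity", rid))
        elif ev.get("EventID") == 3:  # Sysmon: network connection
            if ev.get("DestinationIp") in C2_IPS:
                alerts.append(("connection_to_c2_ip", rid))
            if image == HOLLOWED_IMAGE:
                alerts.append(("eqnedt32_network_activity", rid))
    return alerts


# Constructed sample events (not real telemetry); field names follow Sysmon.
SAMPLE_JSONL = r"""
{"RecordId": 1, "EventID": 22, "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "QueryName": "custom.songuulcomiss.com"}
{"RecordId": 2, "EventID": 3, "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "DestinationIp": "103.106.250.239", "DestinationPort": 443}
{"RecordId": 3, "EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "142.250.74.46", "DestinationPort": 443}
{"RecordId": 4, "EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "example.com"}
"""

if __name__ == "__main__":
    for rule, rid in detect(parse_events(SAMPLE_JSONL)):
        print(f"{rule}: event {rid}")
```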