## Malware Party **Operation Desert Eagle takes a look into the recent activity of the Molerats (Gaza cybergang) group.** ----- **"The quarrel between Trump and Abbas"** **"Exclusive video of an assassin of the leader of the Hamas movement Mazen Faqha."** **"A leaked document that outlines Majid Faraj's plan to install Dahlan as head of the Gaza** ----- ----- **2nd part of the beacon** ----- **Another interesting thing to note is that the backdoor does not make the GET requests to the domain** **names above (wiknet[.]wikaba[.]com or wiknet[.]moo[.]com). Rather it uses the IP that the host name** **points to (in this case, my fakenet dns ip).** **Let’s take a look on how this network traffic compares to the older NeD Worm samples** **[Above image taken from (http://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf)](http://www.clearskysec.com/wp-content/uploads/2016/01/Operation DustySky_TLP_WHITE.pdf))** **---------------------------------------------------------------------------------------------------------------------------** ### Host Activity: **Dropped Files:** **C:\Program Files (x86)\%AppDate%\29175\explorer.vbs** **C:\Program Files (x86)\%AppDate%\29175\News.url** **C:\Users\User\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\explorer.lnk** ----- **After execution, a registry key (HKU\...\Software\Microsoft\KeyName:) is created which contains the** **backdoor in base64.** **A VBScript replaces the following characters (~&^^%) each with a “0”. After the characters are** **replaced, the file is then base64 decoded and executed.** **C:\CheckVersion.php – contains the POST data used in the 2** **nd portion of the beacon** **---------------------------------------------------------------------------------------------------------------------------** ### Additional Backdoor Obfuscation/Delivery: **Sample (4cbebeda71dceb9914a21d06e22223af)** **Once executed the sample makes a request for:** **hxxps://gist[.]githubusercontent[.]com/0lol0/e69206a709a80133aebf55153847a6b2/raw/906a89289a** ----- **When taking a look at the github account for user “0lol0” we can see that the actors have reused this** ----- |IOC|Type/Comments| |---|---| |Wiknet[.]wikaba[.]com C&C|| |Wiknet[.]moo[.]com C&C|| |104.200.67[.]190 C&C|| |a856f56fec6abdc3a93c3715be1 MD5 - The quarrel between 567e5 Trump and Abbas|| |91d0770261df8a1b3eba61483fd MD5 - Who stands around the b255c attempt to assassinate al – Jubeir|| |b241ae467006667eca4c2619855 MD5 - Exclusive video of an f5377 assassin of the leader of the Hamas movement Mazen Faqha.|| ----- **601ed** **between Hamas and Al-Thani?** **4cbebeda71dceb9914a21d06e2** **2223af** **MD5 - A leaked document that** **outlines Majid Faraj's plan to** **install Dahlan as head of the** **Gaza government!** **ea406ea60a05afa14f7debc67a7** **5a472** **1c64b27a58b016a966c654f1fdf4** **c155** **c8ab6e29d76d43268a5028f17fe** **4f48e** **2a7e0463c7814465f9a78355c47** **54d0a** **d01ff6f0bfb1b515e8ba10a453c7** **4d53** **9bda0be7b30155c26c9236cbac7** **31dbd** **Enter your comment...** **MD5 - Backdoor** **MD5 - Backdoor** **MD5 - Backdoor** **MD5 - Backdoor** **MD5 - Backdoor** **MD5 - starts\explorer.vbs** **Popular posts from this blog** #### Word add-in persistence found in the wild **[January 06, 2018](http://mymalwareparty.blogspot.tw/2018/01/word-add-in-persistence-found-in-wild.html)** **Word add-in persistence found in the wild@Blu3_team** **@Malwareparty** **…** **20180106** **…** ----- **[Powered by Blogger](https://www.blogger.com)** **Theme images by** **[Michael Elkan](http://www.offset.com/photos/394244)** ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- -----