{
	"id": "a5944615-4696-427f-843a-a2d84d035e90",
	"created_at": "2026-04-06T03:36:13.927382Z",
	"updated_at": "2026-04-10T03:32:04.795008Z",
	"deleted_at": null,
	"sha1_hash": "dbfccf3a0e51a3fb3e8b7acdbc58052137f829a8",
	"title": "Hamas-linked SameCoin campaign malware analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5888048,
	"plain_text": "Hamas-linked SameCoin campaign malware analysis\r\nBy Cyber Threat Research Team\r\nPublished: 2024-02-14 · Archived: 2026-04-06 03:11:48 UTC\r\nPublished on 14 February, 2024 17min\r\nIdentifier: TRR240201.\r\nSummary\r\nFollowing an X post by IntezerLab about an attack campaign that they dubbed “SameCoin”, we analyzed the samples they discovered and found a few identical variants. The infection vector appears to be an email impersonating the Israeli National Cyber Directorate, which tricks the reader into downloading malicious files which are presented as ‘security patches’. Victims who download and execute linked files are infected with a wiper which, under certain circumstances, could also infect other hosts in the network. We assess that the campaign’s reach was limited, evidenced by the fact that the malware linked in the email was downloaded only a few dozen times.\r\nhttps://harfanglab.io/insidethelab/samecoin-malware-hamas/\r\nPage 1 of 15\n\nBelow we provide analysis of the discovered samples and discuss attribution.\r\nInfection chain\r\nAccording to a screen capture published by Intezer, the infection vector appears to be an email impersonating the Israeli National Cyber Directorate (INCD), sent on February 11, 2024. The email explains that “The INCD has detected an imminent, major cyber attack sponsored by Iran, exploiting previously-unknown vulnerabilities in the personal computers and mobile phones of our citizens”. It urges the reader to download “security patches” for macOS, iOS, Windows and Android, with the macOS and iOS links pointing at non-existing URLs under the legitimate INCD website. 
Victims who download and execute the Android or Windows applications linked in the malicious emails are infected with a wiper.\r\nWhile we could not retrieve any sample of such an email, we could determine that some of the originally referenced malicious files (such as SHA-256 556b5101e0e8aee004bed89f1686ce781a075fde5a8a86fa5409fe34a2d1b6d9) were made available via the legitimate Gofile public file hosting service (see Fig. 1):\r\nGoFile shortened link | Distributed file | Metadata (at time of access)\r\nhxxps://gofile[.]io/d/WeFbpd | INCD-SecurityUpdate-FEB24.rar, SHA-256 82db3b82e49259ff9184b58c19e9107473d2eb40c586ffb85462e6a649db2051 | Uploaded on 2024-02-11 07:50:20, downloaded 13 times.\r\nhxxps://gofile[.]io/d/BnWjB6 | INCD-SecurityUpdate-FEB24.rar, SHA-256 7e8caa1c3c1de1d8d8761e618408efdc875fb925bda31e0489234664642e33c3 | Uploaded on 2024-02-11 07:52:12, downloaded 8 times.\r\nhxxps://gofile[.]io/d/ikswEJ | INCD-SecurityUpdate-FEB24.apk, SHA-256 556b5101e0e8aee004bed89f1686ce781a075fde5a8a86fa5409fe34a2d1b6d9 | Uploaded on 2024-02-11 08:33:13, downloaded 11 times.\r\nhxxps://gofile[.]io/d/ssLPJv | INCD-SecurityUpdate-FEB24.apk, SHA-256 556b5101e0e8aee004bed89f1686ce781a075fde5a8a86fa5409fe34a2d1b6d9 | Uploaded on 2024-02-11 08:37:17, downloaded 1 time.\r\nFigure 1 – Malicious file as published on Gofile\r\nBoth the names of the hosted files and their upload times are consistent with what has been reported on the email-based infection campaign. 
As a result, we believe with medium to high confidence that these links were embedded in the malicious emails, and were the source of distribution for the malicious files:\r\nINCD-SecurityUpdate-FEB24.rar : RAR archive which contains a SameCoin Loader payload, ultimately deploying the SameCoin Wiper for Windows;\r\nINCD-SecurityUpdate-FEB24.apk : malicious APK, a wiper for Android.\r\nLoader\r\nFilename INCD-SecurityUpdate-FEB24.exe\r\nCompilation time 2023-Oct-07 13:30:55\r\nHash (SHA256) cff976d15ba6c14c501150c63b69e6c06971c07f8fa048a9974ecf68ab88a5b6\r\nFigure 2 – Loader logic\r\nStaging mode\r\nThe loader operates in two modes (see Fig. 2). The first one consists of staging itself, and is triggered automatically when the program isn’t located in C:\\Users\\Public . In that case, it performs a few checks to verify whether the current machine is suitable for infection:\r\nLooking into the following registry keys to determine whether one of the configured keyboard layouts corresponds to Hebrew ( 0x40d , as shown in Figure 3):\r\nHKCU\\Keyboard Layout\\Preload\r\nHKLM\\System\\Keyboard Layout\\Preload\r\nEnsuring that the current machine has at least 2 CPUs, supposedly as a light anti-sandbox countermeasure.\r\nIf these conditions are met, a last check is performed: whether the program is running with administrator privileges. If so, the program moves on to the next mode of operation. Otherwise, it copies itself as C:\\Users\\Public\\Microsoft System Agent.exe and invokes its new copy using the runas keyword to request elevated privileges from the user, and terminates execution. 
To do so, it dynamically resolves the ShellExecuteEx function by manually parsing the imports of Shell32.dll .\r\nIf ShellExecuteEx fails for any reason, the loader moves on to the next mode.\r\nFigure 3 – Code excerpt looking for traces of Hebrew language on the infected machine\r\nInfection mode\r\nIn this second mode, the loader performs its malicious actions on the victim machine. First, it deploys a number of embedded components:\r\nA .NET sample (Tasks Spreader) as C:\\Users\\Public\\Windows Defender Agent.exe , if the machine is connected to a DC.\r\nA C Wiper as C:\\Users\\Public\\Microsoft System Manager.exe .\r\nA JPG file, as C:\\Users\\Public\\Microsoft Connection Agent.jpg .\r\nA propaganda video, as C:\\Users\\Public\\Video.mp4 .\r\nWhen all files are dropped, the loader runs all the deployed executables (resolving CreateProcessA by manually parsing the exports of Kernel32.dll ). Finally, it sets the dropped JPG file as the Desktop wallpaper, turns the sound volume up by simulating roughly 50 presses on the corresponding keyboard key, and starts playing the propaganda video with the default player.\r\nAmong the three loader variants we discovered, the only difference we observed is between the compilation timestamps, set a few minutes apart. Those timestamps are set to October 7, 2023, the day of Hamas’ attack.\r\nWiper\r\nFilename Microsoft System Manager.exe\r\nCompilation time 2024-Feb-11 16:18:24\r\nHash (SHA256) e6d2f43622e3ecdce80939eec9fffb47e6eb7fc0b9aa036e9e4e07d7360f2b89\r\nThis C executable is a simple wiper which crawls all drives on the system from A: to Z: in order to discover all writable files. 
Directories named Program Files (x86) , Program Files , Program Data and Windows are excluded (whether or not they are located at the root of a drive).\r\nNext, the wiper creates 20 threads which each receive a portion of the generated file list and iterate through it. Each file is opened and overwritten with 1111 random bytes obtained from the rand() function. This implies that the bytes located after offset 1111 in each file may still be present on the storage medium, and could potentially be recovered through forensic methods. The wiper excludes the files that were dropped by the Loader from being overwritten:\r\nC:\\Users\\Public\\Microsoft Connection Agent.jpg\r\nC:\\Users\\Public\\Video.mp4\r\nC:\\Users\\Public\\Microsoft System Agent.exe (the Loader)\r\nC:\\Users\\Public\\Microsoft System Manager.exe (the Wiper itself)\r\nC:\\Users\\Public\\Windows Defender Agent.exe (the Tasks Spreader)\r\nThe main logic of the wiper runs in a while (1) loop. In other words, the wiping process restarts as soon as it finishes.\r\nTasks Spreader\r\nFile name Windows Defender Agent.exe\r\nCompilation time 2091-Dec-05 00:39:31\r\nHash (SHA-256) b447ba4370d9becef9ad084e7cdf8e1395bafde1d15e82e23ca1b9808fef13a7\r\n“Tasks Spreader” is a .NET binary which is dropped and executed by the Loader when the infected computer is connected to an Active Directory (AD) domain. Its only goal is to spread the Loader across the domain, by copying it to other computers, then triggering its execution through a scheduled task.\r\nThe compilation time of the binary has been tampered with, but the standard “Legal Copyright” metadata property of the .NET assembly is set to Copyright © 2024 , which indicates it may have been compiled in 2024.\r\nThe Tasks Spreader leverages the .NET System.DirectoryServices namespace and an LDAP query to browse all computers of all domains in the AD forest of the infected computer. 
It then copies the local Loader to all those remote computers (except for the one currently executing Tasks Spreader), from C:\\Users\\Public\\Microsoft System Agent.exe to \\\\\u003cremote computer name\u003e\\C$\\Users\\Public\\Microsoft System Agent.exe , using the File.Copy .NET method.\r\nTasks Spreader uses System.DirectoryServices’s Connect method to remotely create a scheduled task on all computers where the Loader has been copied to. This task is aimed at executing the Loader, immediately and when a user of the Domain users default group logs in. The scheduled task is created using a Schedule.Service COM object, enabling universal operation of the Windows Task Scheduler Service without the need for language-specific objects, or reliance on schtasks.exe . This may effectively bypass the detection of scheduled task creation by some security products.\r\nThe created task is named MicrosoftEdgeUpdateTaskMachinesCores , set to execute the copied Loader binary at \\\\\u003ccomputer name\u003e\\C$\\Users\\Public\\Microsoft System Agent.exe , and its description mimics the one from Microsoft Edge update tasks.\r\nIt should be noted that most actions that are attempted by the Tasks Spreader (most notably creating a file and scheduling a task on remote computers) require proper privileges. The file copy operation to remote computers is attempted without any prior check for such privileges. 
Any failure (programmatic exception) is caught and ignored, which means that if the AD forest can be browsed for computers, the file copy will be attempted to all found computers of all domains, making the operation extremely noisy (and in theory, every computer that executes the Loader in a domain will attempt the same).\r\nAPK\r\nFilename INCD-SecurityUpdate-FEB24.apk\r\nCertificate start date 2024-Feb-09 15:16:26\r\nHash (SHA256) 556b5101e0e8aee004bed89f1686ce781a075fde5a8a86fa5409fe34a2d1b6d9\r\nThis APK (Android Package Kit), also distributed under the pretense of being a security update, starts by requesting the permission to access all files on the device (see Fig. 4 and 5). If the permission is denied, an English message is shown (“Permission not granted!”).\r\nFigure 4 – Request to manage the device files from the SecureIsrael application\r\nOnce filesystem access has been granted, control is transferred to a function called deleteInCHunks() (sic.) located in a native library ( libexampleone.so ) bundled with the APK, while the application starts playing the same propaganda video as the one contained in the Loader. This video (~45MB) represents most of the contents of the APK.\r\nEven if file access permissions are not granted, the application eventually shows the video to the victim. This may be a programming error, as the app contains traces of being built from an example/tutorial project, or could be a conscious attempt at trying to scare the victim despite not being able to delete their data.\r\nFigure 5 – The progress bar displayed by the application until permissions are granted by the user. 
The text (in poorly-worded Hebrew) reads: “Please stand by while performing security check”\r\nNative library\r\nFilename libexampleone.so\r\nHash (SHA256) 248054658277e6971eb0b29e2f44d7c3c8d7c5abc7eafd16a3df6c4ca555e817\r\nThis library is written in C++ and bundled with its parent APK in several variants (one for each possible CPU architecture). It crawls the /storage/emulated/0/ folder (corresponding to the root directory of the emulated storage for the primary user profile) and builds a list of files to wipe, similarly to the Windows Wiper. During this process, the folders /storage/emulated/0/Android/obb and /storage/emulated/0/Android/data are ignored, as they contain binary blobs and application data which typically cannot be accessed by other applications.\r\nOnce the file list is created, the library creates threads which receive a “chunk” of the list. Each file is overwritten with zeroes and then removed from the filesystem. Finally, the wiper attempts to remove /storage/emulated/0 and all the files it contains.\r\nAttribution and propaganda contents\r\nThe wallpaper (JPG file, see Fig. 7) which is dropped by the Loader shows an Israeli “Namer” Armoured Personnel Carrier vehicle, currently utilized in the ongoing Israel-Hamas war. The image, originally sourced from Wikipedia, was altered by the attacker (see Fig. 6) to depict the vehicle as damaged:\r\nFigure 6 – Composition comparing the original image with the propaganda image, original image from Wikipedia (CC 3.0)\r\nIn the propaganda image (see Fig. 7), Israeli Defence Forces (IDF) are depicted moving into Gaza, transitioning from right to left, concluding in body bags. 
Notably, during this transition, the inverted red triangle emoji (🔻) is utilized – this symbol is used to “represent Hamas itself and glorify its use of violence”, often shown in Hamas’ propaganda videos upon attacking IDF. The text on the right reads “You entered it alive”, and above the body bags “You will leave it in pieces”:\r\nFigure 7 – Propaganda image that is dropped by the Loader\r\nThis image, however, isn’t new. It was posted as early as December 8, 2023 on X.\r\nThe video which is dropped by the Loader and embedded in the APK also fits Hamas’ ongoing propaganda efforts in turning the hostages’ families against Israel’s prime minister Bibi Netanyahu.\r\nFigure 8 – Screen capture of the propaganda video that is shown by the APK and dropped by the Loader\r\nBoth the wallpaper and the video use the same signature “الإعلام العسكري” (“Military Media”, see Fig. 8, highlighted in red), which is tied to propaganda pieces generated by Hamas. This comes in addition to the aforementioned inverted red triangle emoji (“🔻”).\r\nLastly, the timestamps of the Loader samples were modified to match 07 October 2023, the day when Hamas launched its attack on Israel.\r\nCumulatively, these elements lead us to conclude that a threat actor who is associated with Hamas is at the helm of this campaign. While we could not identify any technical indicator overlap with other known malicious campaigns or actors, parts of the described activities and techniques fit the Arid Viper APT (APT-C-23, Desert Falcons), which is usually associated with Hamas. Namely, we see similarities in the targeting, the high-grade lure content that contrasts with the malware’s lack of sophistication, as well as the diversity in targeted systems (Android and Windows) and programming languages employed. 
Moreover, using native libraries alongside Android implants is a technique which has been leveraged by Arid Viper since 2021, as documented by Talos.\r\nAppendix\r\nIndicators of compromise (IOCs)\r\nAssociated IOCs are also available on our GitHub repository.\r\nFile paths\r\nC:\\Users\\Public\\Microsoft System Agent.exe|SameCoin Loader\r\nC:\\Users\\Public\\Windows Defender Agent.exe|SameCoin Tasks Spreader\r\nC:\\Users\\Public\\Microsoft System Manager.exe|SameCoin Wiper\r\nC:\\Users\\Public\\Microsoft Connection Agent.jpg|SameCoin propaganda 
image\r\nC:\\Users\\Public\\Video.mp4|SameCoin propaganda video\r\nURLs\r\nhxxps://store9.gofile[.]io/download/76732040-c118-40cc-a33e-f7fb22f1c1aa/INCD-SecurityUpdate-FEB24.rar|SameCoin Malicious\r\nhxxps://store27.gofile[.]io/download/15c1c6a0-2f5b-44ee-951d-a64778fed86d/INCD-SecurityUpdate-FEB24.rar|SameCoin Malicious\r\nhxxps://store2.gofile[.]io/download/fab845cc-aba0-49ce-ab89-753d7685bd46/INCD-SecurityUpdate-FEB24.apk|SameCoin APK\r\nhxxps://store2.gofile[.]io/download/803df49c-d77d-44d0-ad2f-28818432a4ce/INCD-SecurityUpdate-FEB24.apk|SameCoin APK\r\nYara rules\r\nThe provided Yara rules require Yara 3.2.0 (Nov 10, 2014) and up.\r\nrule samecoin_campaign_loader {\r\n  meta:\r\n    description = \"Matches the loader used in the SameCoin campaign\"\r\n    references = \"TRR240201\"\r\n    hash = \"cff976d15ba6c14c501150c63b69e6c06971c07f8fa048a9974ecf68ab88a5b6\"\r\n    date = \"2024-02-13\"\r\n    author = \"HarfangLab\"\r\n    context = \"file\"\r\n  strings:\r\n    $hebrew_layout = \"0000040d\" fullword ascii\r\n    $runas = \"runas\" fullword ascii\r\n    $jpg_magic = { FF D8 FF E0 00 10 4A 46 49 46 00 01 }\r\n    // Backslashes must be doubled inside YARA text strings\r\n    $wl_1 = \"C:\\\\Users\\\\Public\\\\Microsoft Connection Agent.jpg\" ascii\r\n    $wl_2 = \"C:\\\\Users\\\\Public\\\\Video.mp4\" ascii\r\n    $wl_3 = \"C:\\\\Users\\\\Public\\\\Microsoft System Agent.exe\" ascii\r\n    $wl_4 = \"C:\\\\Users\\\\Public\\\\Microsoft System Manager.exe\" ascii\r\n    $wl_5 = \"C:\\\\Users\\\\Public\\\\Windows Defender Agent.exe\" ascii\r\n  condition:\r\n    uint16(0) == 0x5A4D and filesize \u003e 5MB and filesize \u003c 7MB and\r\n    $hebrew_layout and $runas and $jpg_magic and 3 of ($wl_*)\r\n}\r\nrule samecoin_campaign_wiper {\r\n  meta:\r\n    description = \"Matches the wiper used in the SameCoin campaign\"\r\n    references = \"TRR240201\"\r\n    hash = \"e6d2f43622e3ecdce80939eec9fffb47e6eb7fc0b9aa036e9e4e07d7360f2b89\"\r\n    date = \"2024-02-13\"\r\n    author = \"HarfangLab\"\r\n    context = \"file\"\r\n  strings:\r\n    $code = { 68 57 
04 00 00 50 E8 } // push 1111; push eax; call\r\n    $wl_1 = \"C:\\\\Users\\\\Public\\\\Microsoft Connection Agent.jpg\" ascii\r\n    $wl_2 = \"C:\\\\Users\\\\Public\\\\Video.mp4\" ascii\r\n    $wl_3 = \"C:\\\\Users\\\\Public\\\\Microsoft System Agent.exe\" ascii\r\n    $wl_4 = \"C:\\\\Users\\\\Public\\\\Microsoft System Manager.exe\" ascii\r\n    $wl_5 = \"C:\\\\Users\\\\Public\\\\Windows Defender Agent.exe\" ascii\r\n  condition:\r\n    uint16(0) == 0x5A4D and filesize \u003c 200KB and\r\n    $code and 3 of ($wl_*)\r\n}\r\nrule samecoin_campaign_tasksspreader\r\n{\r\n  meta:\r\n    description = \"Detects the .NET task scheduler component that is dropped by the SameCoin Loader\"\r\n    references = \"TRR240201\"\r\n    hash = \"b447ba4370d9becef9ad084e7cdf8e1395bafde1d15e82e23ca1b9808fef13a7\"\r\n    date = \"2024-02-13\"\r\n    author = \"HarfangLab\"\r\n    context = \"file\"\r\n  strings:\r\n    $dotNet = \".NETFramework,Version\" ascii fullword\r\n    $a1 = \"System.DirectoryServices.ActiveDirectory\" ascii fullword\r\n    $a2 = \"GetTypeFromProgID\" ascii fullword\r\n    $a3 = \"DirectorySearcher\" ascii fullword\r\n    $a4 = \"SearchResultCollection\" ascii fullword\r\n    $a5 = \"UnaryOperation\" ascii fullword\r\n    $b1 = \"$dc1b29f0-9a87-4383-ad8b-01285614def1\" ascii fullword\r\n    $b2 = \"Windows Defender Agent\" ascii fullword\r\n    $b3 = \"Windows Defender Agent.exe\" wide ascii fullword\r\n    // Matches both the local path (C:\\\\Users\\\\...) and the admin-share form (\\\\C$\\\\Users\\\\...)\r\n    $b4 = /(\\\\\\\\)?C(:|\\\\$)\\\\\\\\Users\\\\\\\\Public\\\\\\\\Microsoft System Agent\\\\.exe/ wide fullword\r\n    $b5 = \"MicrosoftEdgeUpdateTaskMachinesCores\" wide fullword\r\n    $b6 = \"WindowsUpdate\" wide fullword\r\n    $c1 = \"RegisterTaskDefinition\" wide fullword\r\n    $c2 = \"DisallowStartIfOnBatteries\" wide fullword\r\n    $c3 = \"StopIfGoingOnBatteries\" wide fullword\r\n    $c4 = \"Schedule.Service\" wide fullword\r\n    $c5 = \"\\\\Domain Users\" wide fullword\r\n    $c6 = \"(objectClass=computer)\" wide fullword\r\n  condition:\r\n    filesize \u003e 8KB and filesize \u003c 40KB\r\n    and (uint16be(0) == 0x4D5A)\r\n    and $dotNet\r\n    and (4 of 
($a*))\r\n    and (\r\n      ((any of ($b*)) and (any of ($c*)))\r\n      or (all of ($c*))\r\n    )\r\n}\r\nrule samecoin_campaign_nativewiper {\r\n  meta:\r\n    author = \"HarfangLab\"\r\n    description = \"Matches the native Android library used in the SameCoin campaign\"\r\n    references = \"TRR240201\"\r\n    last_modified = \"2024-02-13\"\r\n    context = \"file\"\r\n    hash = \"248054658277e6971eb0b29e2f44d7c3c8d7c5abc7eafd16a3df6c4ca555e817\"\r\n  strings:\r\n    $native_export = \"Java_com_example_exampleone_MainActivity_deleteInCHunks\" ascii\r\n    $f1 = \"_Z9chunkMainv\" ascii\r\n    $f2 = \"_Z18deleteFilesInChunkRKNSt6__\" ascii\r\n    $f3 = \"_Z18overwriteWithZerosPKc\" ascii\r\n    $s1 = \"/storage/emulated/0/\" ascii\r\n    $s2 = \"FileLister\" ascii\r\n    $s3 = \"Directory chunks deleted.\" ascii\r\n    $s4 = \"Current Chunk Size is: %dln\" ascii\r\n  condition:\r\n    filesize \u003c 500KB and uint32(0) == 0x464C457F and\r\n    ($native_export or all of ($f*) or all of ($s*))\r\n}\r\nSource: https://harfanglab.io/insidethelab/samecoin-malware-hamas/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://harfanglab.io/insidethelab/samecoin-malware-hamas/"
	],
	"report_names": [
		"samecoin-malware-hamas"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775446573,
	"ts_updated_at": 1775791924,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dbfccf3a0e51a3fb3e8b7acdbc58052137f829a8.pdf",
		"text": "https://archive.orkl.eu/dbfccf3a0e51a3fb3e8b7acdbc58052137f829a8.txt",
		"img": "https://archive.orkl.eu/dbfccf3a0e51a3fb3e8b7acdbc58052137f829a8.jpg"
	}
}