{
	"id": "12473a63-2569-40be-b552-e0b91a375d5f",
	"created_at": "2026-04-06T00:18:21.904345Z",
	"updated_at": "2026-04-10T13:11:27.605735Z",
	"deleted_at": null,
	"sha1_hash": "0118358b3808e3512210a65c52943ccea90da96a",
	"title": "MAR-10135536-8 – North Korean Trojan: HOPLIGHT | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 174976,
	"plain_text": "MAR-10135536-8 – North Korean Trojan: HOPLIGHT | CISA\r\nPublished: 2019-04-10 · Archived: 2026-04-05 14:56:35 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial\r\nproduct or service, referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol, see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS) and\r\nthe Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan\r\nmalware variants used by the North Korean government. This malware variant has been identified as HOPLIGHT. The U.S.\r\nGovernment refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information\r\non HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.\r\nDHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government\r\nmalicious cyber activity.\r\nThis MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended\r\nmitigation techniques. 
Users or administrators should flag activity associated with the malware and report the activity to the\r\nCybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the\r\nhighest priority for enhanced mitigation.\r\nThis report provides analysis of nine malicious executable files. Seven of these files are proxy applications that mask traffic\r\nbetween the malware and the remote operators. The proxies have the ability to generate fake TLS handshake sessions using\r\nvalid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL\r\ncertificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any\r\nof the public SSL certificates, but attempts outbound connections and drops four files. The dropped files primarily contain IP\r\naddresses and SSL certificates.\r\nFor a downloadable copy of IOCs, see:\r\nMAR-10135536-8.stix\r\nSubmitted Files (9)\r\n05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461 (23E27E5482E3F55BF828DAB8855690...)\r\n12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d (868036E102DF4CE414B0E6700825B3...)\r\n2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525 (5C3898AC7670DA30CF0B22075F3E8E...)\r\n4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761 (42682D4A78FE5C2EDA988185A34463...)\r\n4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818 (C5DC53A540ABE95E02008A04A0D56D...)\r\n70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3 (61E3571B8D9B2E9CCFADC3DDE10FB6...)\r\n83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a (3021B9EF74c\u0026BDDF59656A035F94FD...)\r\nd77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39 (F8D26F2B8DD2AC4889597E1F2FD1F2...)\r\nddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d (BE588CD29B9DC6F8CFC4D0AA5E5C79...)\r\nAdditional Files 
(4)\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR19-100A\r\nPage 1 of 41\n\n49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359 (rdpproto.dll)\r\n70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289 (udbcgiut.dat)\r\n96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7 (MSDFMAPI.INI)\r\ncd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f (UDPTrcSvc.dll)\r\nIPs (15)\r\n112.175.92.57\r\n113.114.117.122\r\n128.200.115.228\r\n137.139.135.151\r\n181.39.135.126\r\n186.169.2.237\r\n197.211.212.59\r\n21.252.107.198\r\n26.165.218.44\r\n47.206.4.145\r\n70.224.36.194\r\n81.94.192.10\r\n81.94.192.147\r\n84.49.242.125\r\n97.90.44.200\r\nFindings\r\n05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461\r\nTags\r\ntrojan\r\nDetails\r\nName 23E27E5482E3F55BF828DAB885569033\r\nSize 242688 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 23e27e5482e3f55bf828dab885569033\r\nSHA1 139b25e1ae32a8768238935a8c878bfbe2f89ef4\r\nSHA256 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461\r\nSHA512 2c481ef42dfc9a7a30575293d09a6f81943e307836ec5b8a346354ab5832c15046dd4015a65201311e33f944763fc55dd44fbe390245be5be\r\nssdeep 6144:YnDlYMzUvLFOL9wqk6+pqC8iooIBgajvQlm/Z0cp1:alYiXiooIKajvQeZ3\r\nEntropy 6.537337\r\nAntivirus\r\nESET a variant of Win32/NukeSped.AI trojan\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR19-100A\r\nPage 2 of 41\n\nSymantec Heur.AdvML.B\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule crypt_constants_2 { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $ = {efcdab90} $ = {558426fe} $ = {7856b4c2}\r\ncondition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of\r\nthem }\r\nhidden_cobra_consolidated.yara\r\nrule lsfr_constants { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = 
\"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $ = {efcdab90} $ = {558426fe} $ = {7856b4c2}\r\ncondition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of\r\nthem }\r\nhidden_cobra_consolidated.yara\r\nrule polarSSL_servernames { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $polarSSL = \"fjiejffndxklfsdkfjsaadiepwn\" $sn1\r\n= \"www.google.com\" $sn2 = \"www.naver.com\" condition: (uint16(0) == 0x5A4D\r\nand uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-06-05 21:57:29-04:00\r\nImport Hash ff390ec082b48263a3946814ea18ba46\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nc06924120c87e2cb79505e4ab0c2e192 header 1024 2.542817\r\n3368eda2d5820605a055596c7c438f0f .text 197120 6.441545\r\nec1f06839fa9bc10ad8e183b6bf7c1b5 .rdata 27136 5.956914\r\n1e62b7d9f7cc48162e0651f7de314c8a .data 8192 4.147893\r\n980effd28a6c674865537f313318733a .rsrc 512 5.090362\r\n696fd5cac6e744f336e8ab68a4708fcf .reloc 8704 5.247502\r\nPackers/Compilers/Cryptors\r\nDescription\r\nThis artifact is a malicious PE32 executable. When executed, the malware will collect system information about the victim\r\nmachine including OS Version, Volume Information, and System Time, as well as enumerate the system drives and\r\npartitions.\r\nThe malware is capable of the following functions:\r\n---Begin Malware Capability---\r\nRead, Write, and Move Files\r\nEnumerate System Drives\r\nCreate and Terminate Processes\r\nInject into Running Processes\r\nCreate, Start and Stop Services\r\nModify Registry Settings\r\nConnect to a Remote Host\r\nUpload and Download Files\r\n---End Malware Capability---\r\nThe malware is capable of opening and binding to a socket. 
The malware uses a public SSL certificate for secure\r\ncommunication. This certificate is from www.naver.com. Naver.com is the largest search engine in Korea and provides a\r\nvariety of web services to clients around the world.\r\n---Begin SSL Certificate Header---\r\n1 0     UNL10U\r\nPolarSSL10UPolarSSL Test CA0\r\n110212144407Z\r\n2102121144407Z0\u003c1 0 UNL10U\r\nPolarSSL10UPolarSSL Client 200\r\n---End SSL Certificate Header---\r\nWhen executed, the malware will attempt a TLS Handshake with one of four hard-coded IP addresses embedded in the\r\nmalware. These IP addresses are referenced in 'udbcgiut.dat' below. The malware also contains an embedded Zlib\r\ncompression library that appears to further obfuscate the communications payload.\r\nThe following notable strings have been linked to the use of the SSL certificates and can be used to identify the malware:\r\n---Begin Notable Strings---\r\nfjiejffndxklfsdkfjsaadiepwn\r\nofuierfsdkljffjoiejftyuir\r\nreykfgkodfgkfdskgdfogpdokgsdfpg\r\nztretrtireotreotieroptkierert\r\netudjfirejer\r\nyrty\r\nuiyy\r\nuiyiyj lildvucv\r\nerfdfe poiiumwq\r\n---End Notable Strings---\r\nThe next four artifacts share the characteristics described above. 
Therefore, only the capabilities that are unique\r\nwill be described for the following four artifacts.\r\n2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\nTags\r\ntrojan\r\nDetails\r\nName 5C3898AC7670DA30CF0B22075F3E8ED6\r\nSize 221184 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 5c3898ac7670da30cf0b22075f3e8ed6\r\nSHA1 91110c569a48b3ba92d771c5666a05781fdd6a57\r\nSHA256 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\nSHA512 700ec4d923cf0090f4428ac3d4d205b551c3e48368cf90d37f9831d8a57e73c73eb507d1731662321c723362c9318c3f019716991073dc9a\r\nssdeep 3072:nKBzqEHcJw0sqz7vLFOLBAqui1mqLK1VaU9BzNRyHmdMaF0QqWN0Qjpthmu:nKg0cJ19z7vLFOLSqp0q7syHeFhnhm\r\nEntropy 6.346504\r\nAntivirus\r\nESET a variant of Win32/NukeSped.AI trojan\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule crypt_constants_2 { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $ = {efcdab90} $ = {558426fe} $ = {7856b4c2}\r\ncondition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of\r\nthem }\r\nhidden_cobra_consolidated.yara\r\nrule lsfr_constants { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $ = {efcdab90} $ = {558426fe} $ = {7856b4c2}\r\ncondition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of\r\nthem }\r\nhidden_cobra_consolidated.yara\r\nrule polarSSL_servernames { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $polarSSL = \"fjiejffndxklfsdkfjsaadiepwn\" $sn1\r\n= \"www.google.com\" $sn2 = \"www.naver.com\" condition: (uint16(0) == 0x5A4D\r\nand uint16(uint32(0x3c)) == 
0x4550) and ($polarSSL and 1 of ($sn*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-05-16 02:35:55-04:00\r\nImport Hash 6ffc5804961e26c43256df683fea6922\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nadb596d3ceae66510778e3bf5d4d9582 header 4096 0.695660\r\n6453931a0b6192e0bbd6476e736ca63f .text 184320 6.343388\r\n0ba1433cc62ba7903ada2f1e57603e83 .rdata 16384 6.246206\r\n76a08265777f68f08e5e6ed2102cb31d .data 12288 4.050945\r\ncb8939d6bc1cd076acd850c3850bdf78 .rsrc 4096 3.289605\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ v6.0\r\nRelationships\r\n2151c1977b... Connected_To 81.94.192.147\r\n2151c1977b... Connected_To 112.175.92.57\r\n2151c1977b... Related_To 181.39.135.126\r\n2151c1977b... Related_To 197.211.212.59\r\n2151c1977b... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\n2151c1977b... Dropped 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7\r\nDescription\r\nThis artifact is a malicious PE32 executable with characteristics similar to those described in\r\n23E27E5482E3F55BF828DAB885569033 above.\r\nWhen this artifact is executed, it will write the file 'udbcgiut.dat' to C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp.\r\nThe malware will then attempt outbound SSL connections to 81.94.192.147 and 112.175.92.57. Both connection attempts\r\nare over TCP Port 443.\r\nThe two IP addresses above, as well as the IP addresses 181.39.135.126 and 197.211.212.59, are hard-coded into the\r\nmalware. 
However, only connections to the first two IP addresses were attempted during analysis.\r\n197.211.212.59\r\nPorts\r\n7443 TCP\r\nWhois\r\ninetnum:        197.211.208.0 - 197.211.215.255\r\nnetname:        ZOL-16e-MOBILE-CUSTOMERS\r\ndescr:         ZOL Customers on ZTE Mobile WiMAX Platform\r\ncountry:        ZW\r\nadmin-c:        BS10-AFRINIC\r\nadmin-c:        GJ1-AFRINIC\r\nadmin-c:        JHM1-AFRINIC\r\ntech-c:         BS10-AFRINIC\r\ntech-c:         GJ1-AFRINIC\r\ntech-c:         JHM1-AFRINIC\r\nstatus:         ASSIGNED PA\r\nmnt-by:         LIQUID-TOL-MNT\r\nsource:         AFRINIC # Filtered\r\nparent:         197.211.192.0 - 197.211.255.255\r\nperson:         B Siwela\r\naddress:        3rd Floor Greenbridge South\r\naddress:        Eastgate Center\r\naddress:        R. Mugabe Road\r\naddress:        Harare\r\naddress:        Zimbabwe\r\nphone:         +263774673452\r\nfax-no:         +2634702375\r\nnic-hdl:        BS10-AFRINIC\r\nmnt-by:         GENERATED-DVCNVXWBH3VN3XZXTRPHOT0OJ77GUNN3-MNT\r\nsource:         AFRINIC # Filtered\r\nperson:         G Jaya\r\naddress:        3rd Floor Greenbridge South\r\naddress:        Eastgate Center\r\naddress:        R. 
Mugabe Road\r\naddress:        Harare\r\naddress:        Zimbabwe\r\nphone:         +263773373135\r\nfax-no:         +2634702375\r\nnic-hdl:        GJ1-AFRINIC\r\nmnt-by:         GENERATED-QPEEUIPPW1WPRZ5HLHRXAVHDOKWLC9UC-MNT\r\nsource:         AFRINIC # Filtered\r\nperson:         John H Mwangi\r\naddress:        Liquid Telecom Kenya\r\naddress:        P.O.Box 62499 - 00200\r\naddress:        Nairobi Kenya\r\naddress:        Nairobi, Kenya\r\naddress:        Kenya\r\nphone:         + 254 20 556 755\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR19-100A\r\nPage 6 of 41\n\nRelationships\r\n197.211.212.59 Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n197.211.212.59 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n197.211.212.59 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\nDescription\r\nThis IP address is listed in the file 'udbcgiut.dat'. Outbound SSL connection attempts are made to this IP by Malware2.exe,\r\nMalware3.exe, and Malware5.exe. The domain, zol-ad-bdc.zol.co.zw is associated with the IP address, however, no DNS\r\nquery is made for the name.\r\n181.39.135.126\r\nPorts\r\n7443 TCP\r\nWhois\r\ninetnum:     181.39.135.120/29\r\nstatus:     reallocated\r\nowner:     Clientes Guayaquil\r\nownerid:     EC-CLGU1-LACNIC\r\nresponsible: Tomislav Topic\r\naddress:     Kennedy Norte Mz. 
109 Solar 21, 5, Piso 2\r\naddress:     5934 - Guayaquil - GY\r\ncountry:     EC\r\nphone:     +593 4 2680555 [101]\r\nowner-c:     SEL\r\ntech-c:     SEL\r\nabuse-c:     SEL\r\ncreated:     20160720\r\nchanged:     20160720\r\ninetnum-up: 181.39/16\r\nnic-hdl:     SEL\r\nperson:     Carlos Montero\r\ne-mail:     networking@TELCONET.EC\r\naddress:     Kennedy Norte MZ, 109, Solar 21\r\naddress:     59342 - Guayaquil -\r\ncountry:     EC\r\nphone:     +593 42680555 [4601]\r\ncreated:     20021004\r\nchanged:     20170323\r\nRelationships\r\n181.39.135.126 Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n181.39.135.126 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n181.39.135.126 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\nDescription\r\nThis IP address is listed in the file 'udbcgiut.dat'. Outbound SSL connection attempts are made to this IP by Malware2.exe,\r\nMalware3.exe, and Malware5.exe. 
No domain is associated with the IP address.\r\n112.175.92.57\r\nPorts\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR19-100A\r\nPage 7 of 41\n\n443 TCP\r\nWhois\r\ninetnum:        112.160.0.0 - 112.191.255.255\r\nnetname:        KORNET\r\ndescr:         Korea Telecom\r\nadmin-c:        IM667-AP\r\ntech-c:         IM667-AP\r\ncountry:        KR\r\nstatus:         ALLOCATED PORTABLE\r\nmnt-by:         MNT-KRNIC-AP\r\nmnt-irt:        IRT-KRNIC-KR\r\nlast-modified: 2017-02-03T02:21:58Z\r\nsource:         APNIC\r\nirt:            IRT-KRNIC-KR\r\naddress:        Seocho-ro 398, Seocho-gu, Seoul, Korea\r\ne-mail:         hostmaster@nic.or.kr\r\nabuse-mailbox: hostmaster@nic.or.kr\r\nadmin-c:        IM574-AP\r\ntech-c:         IM574-AP\r\nauth:         # Filtered\r\nmnt-by:         MNT-KRNIC-AP\r\nlast-modified: 2017-10-19T07:36:36Z\r\nsource:         APNIC\r\nperson:         IP Manager\r\naddress:        Gyeonggi-do Bundang-gu, Seongnam-si Buljeong-ro 90\r\ncountry:        KR\r\nphone:         +82-2-500-6630\r\ne-mail:         kornet_ip@kt.com\r\nnic-hdl:        IM667-AP\r\nmnt-by:         MNT-KRNIC-AP\r\nlast-modified: 2017-03-28T06:37:04Z\r\nsource:         APNIC\r\nRelationships\r\n112.175.92.57 Connected_From 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n112.175.92.57 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n112.175.92.57 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n112.175.92.57 Connected_From 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a\r\nDescription\r\nThis IP address is listed in the file 'udbcgiut.dat'. Outbound SSL connection attempts are made to this IP by Malware2.exe,\r\nMalware3.exe, and Malware5.exe. 
The domain, mail.everzone.co.kr is associated with the IP address, however, no DNS\r\nquery is made for the name.\r\n81.94.192.147\r\nPorts\r\n443 TCP\r\nWhois\r\ninetnum:        81.94.192.0 - 81.94.192.255\r\nnetname:        IOMARTHOSTING\r\ndescr:         iomart Hosting Limited\r\ncountry:        GB\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR19-100A\r\nPage 8 of 41\n\nadmin-c:        RA1415-RIPE\r\ntech-c:         RA1415-RIPE\r\nstatus:         ASSIGNED PA\r\nremarks:        ABUSE REPORTS: abuse@redstation.com\r\nmnt-by:         REDSTATION-MNT\r\nmnt-domains:    REDSTATION-MNT\r\nmnt-routes:     REDSTATION-MNT\r\ncreated:        2016-02-14T11:44:25Z\r\nlast-modified: 2016-02-14T11:44:25Z\r\nsource:         RIPE\r\nrole:         Redstation Admin Role\r\naddress:        Redstation Limited\r\naddress:        2 Frater Gate Business Park\r\naddress:        Aerodrome Road\r\naddress:        Gosport\r\naddress:        Hampshire\r\naddress:        PO13 0GW\r\naddress:        UNITED KINGDOM\r\nabuse-mailbox: abuse@redstation.com\r\ne-mail:         abuse@redstation.com\r\nnic-hdl:        RA1415-RIPE\r\nmnt-by:         REDSTATION-MNT\r\ncreated:        2005-04-22T17:34:33Z\r\nlast-modified: 2017-05-02T09:47:13Z\r\nsource:         RIPE\r\n% Information related to '81.94.192.0/24AS20860'\r\nroute:         81.94.192.0/24\r\ndescr:         Wayne Dalton - Redstation Ltd\r\norigin:         AS20860\r\nmnt-by:         GB10488-RIPE-MNT\r\ncreated:        2015-11-03T12:58:00Z\r\nlast-modified: 2015-11-03T12:58:00Z\r\nsource:         RIPE\r\nRelationships\r\n81.94.192.147 Connected_From 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n81.94.192.147 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n81.94.192.147 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\nDescription\r\nThis IP address is listed in the file 'udbcgiut.dat'. 
Outbound SSL connection attempts are made to this IP by Malware2.exe,\r\nMalware3.exe, and Malware5.exe. No domain is associated with the IP address.\r\n70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\nDetails\r\nName udbcgiut.dat\r\nSize 1171 bytes\r\nType data\r\nMD5 ae829f55db0198a0a36b227addcdeeff\r\nSHA1 04833210fa57ea70a209520f4f2a99d049e537f2\r\nSHA256 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\nSHA512 1b4509102ac734ce310b6f8631b1bedd772a38582b4feda9fee09f1edd096006cf5ba528435c844effa97f95984b07bd2c111aa480bb22f4bc\r\nssdeep 3:ElclFUl8GlFcmzkXIil23X1ll:ElcUXmQkXQ3\r\nEntropy 0.395693\r\nAntivirus\r\nNo matches found.\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n70902623c9... Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n70902623c9... Related_To ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n70902623c9... Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n70902623c9... Related_To 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n70902623c9... Related_To 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d\r\nDescription\r\n'udbcgiut.dat' is dropped by three of the four PE32 executables. This file contains a 32-byte Unicode string uniquely generated\r\nfor the infected system, as well as four socket pairs in hexadecimal.\r\n---Begin Decoded Socket Pairs---\r\n197.211.212.59:443\r\n181.39.135.126:443\r\n112.175.92.57:7443\r\n81.94.192.147:7443\r\n---End Decoded Socket Pairs---\r\nThe Unicode string generated during this analysis was '8a9b11762b96c4b6'. The socket pairs remain the same for all\r\ninstances of the malware.\r\nFor the PE32 executables, 'udbcgiut.dat' was dropped in the victim's profile at %AppData%\\Local\\Temp. 
For the 64-bit\r\nexecutables, 'udbcgiut.dat' was dropped in C:\\Windows.\r\n4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818\r\nTags\r\ntrojan\r\nDetails\r\nName C5DC53A540ABE95E02008A04A0D56D6C\r\nSize 241152 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 c5dc53a540abe95e02008a04a0d56d6c\r\nSHA1 4cfe9e353b1a91a2add627873846a3ad912ea96b\r\nSHA256 4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818\r\nSHA512 fc33c99facfbc98d164e63167353bdcff7c1704810e4bb64f7e56812412d84099b224086c04aea66e321cd546d8cf6f14196f5b58d5e931c68\r\nssdeep 6144:LA5cWD93YuzTvLFOLoqbWbnuX7ZEAV6efA/Pawzq:Xc93YbLZEAV6mX\r\nEntropy 6.534884\r\nAntivirus\r\nESET a variant of Win32/NukeSped.AS trojan\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule crypt_constants_2 { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $ = {efcdab90} $ = {558426fe} $ = {7856b4c2}\r\ncondition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of\r\nthem }\r\nhidden_cobra_consolidated.yara\r\nrule lsfr_constants { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $ = {efcdab90} $ = {558426fe} $ = {7856b4c2}\r\ncondition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of\r\nthem }\r\nhidden_cobra_consolidated.yara\r\nrule polarSSL_servernames { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $polarSSL = \"fjiejffndxklfsdkfjsaadiepwn\" $sn1\r\n= \"www.google.com\" $sn2 = \"www.naver.com\" condition: (uint16(0) == 0x5A4D\r\nand uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*)) }\r\nssdeep 
Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-06-04 21:31:07-04:00\r\nImport Hash c76f6bb3f2ce6f4ce3e83448836f3ddd\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n64cb3246aafa83129f7fd6b25d572a9f header 1024 2.625229\r\ne8c15e136370c12020eb23545085b9f6 .text 196096 6.431942\r\ncf0eb4ad22ac1ca687b87a0094999ac8 .rdata 26624 5.990247\r\nb246681e20b3c8ff43e1fcf6c0335287 .data 8192 4.116777\r\n6545248a1e3449e95314cbc874837096 .rsrc 512 5.112624\r\n31a7ab6f707799d327b8425f6693c220 .reloc 8704 5.176231\r\nPackers/Compilers/Cryptors\r\nDescription\r\nThis artifact is a malicious PE32 executable with characteristics similar to those described in\r\n23E27E5482E3F55BF828DAB885569033 above.\r\nThis artifact appears to be named 'lamp.exe'. The malware contains the following debug pathway:\r\n---Begin Debug Pathway---\r\nZ:\\Develop\\41.LampExe\\Release\\LampExe.pdb\r\n---End Debug Pathway---\r\nddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\nTags\r\nadware\r\ntrojan\r\nDetails\r\nName BE588CD29B9DC6F8CFC4D0AA5E5C79AA\r\nName ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\nSize 267776 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 be588cd29b9dc6f8cfc4d0aa5e5c79aa\r\nSHA1 06be4fe1f26bc3e4bef057ec83ae81bd3199c7fc\r\nSHA256 ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\nSHA512 c074ec876350b3ee3f82208041152c0ecf25cc8600c8277eec389c253c12372e78da59182a6df8331b05e0eefb07c142172951115a582606f\r\nssdeep 6144:UEFpmt3md/iA3uiyzOvLFOLYqnHGZlDwf/OYy85eqmJKRPg:/PQ3mJxeigqi/OYy+/g\r\nEntropy 6.554499\r\nAntivirus\r\nESET a variant of Win32/NukeSped.AI trojan\r\nFilseclab Adware.Amonetize.heur.xjym.mg\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule crypt_constants_2 { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description 
= \"n/a\" strings: $ = {efcdab90} $ = {558426fe} $ = {7856b4c2}\r\ncondition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of\r\nthem }\r\nhidden_cobra_consolidated.yara\r\nrule lsfr_constants { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $ = {efcdab90} $ = {558426fe} $ = {7856b4c2}\r\ncondition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of\r\nthem }\r\nhidden_cobra_consolidated.yara\r\nrule polarSSL_servernames { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $polarSSL = \"fjiejffndxklfsdkfjsaadiepwn\" $sn1\r\n= \"www.google.com\" $sn2 = \"www.naver.com\" condition: (uint16(0) == 0x5A4D\r\nand uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-06-06 10:33:38-04:00\r\nImport Hash 8184d5d35e3a4640bb5d21698a4b6021\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n59b5d567b9b7b9da0ca0936675fd95fe header 1024 2.658486\r\nc0b6929e0f01a7b61bde3d7400a801e0 .text 218624 6.470188\r\nce1e5ab830fcfaa2d7bea92f56e9026e .rdata 27136 5.962575\r\n006bad003b65738ed203a576205cc546 .data 8192 4.157373\r\n992987e022da39fcdbeede8ddd48f226 .rsrc 3072 5.511870\r\n4be460324f0f4dc1f6a0983752094cce .reloc 9728 5.303151\r\nPackers/Compilers/Cryptors\r\nRelationships\r\nddea408e17... Connected_To 81.94.192.147\r\nddea408e17... Connected_To 112.175.92.57\r\nddea408e17... Connected_To 181.39.135.126\r\nddea408e17... Connected_To 197.211.212.59\r\nddea408e17... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\nddea408e17... 
Connected_To 81.94.192.10\r\nDescription\r\nThis artifact is a malicious PE32 executable with characteristics similar to those described in\r\n23E27E5482E3F55BF828DAB885569033 above.\r\nThis program attempts to initiate a TLS Handshake to the four IP/Port pairs listed in 'udbcgiut.dat'. If the program is unable\r\nto establish a connection, the file 'udbcgiut.dat' is deleted.\r\nAfter 'udbcgiut.dat' is deleted, an outbound SSL connection is made to 81.94.192.10. The IP address is hard-coded in the\r\nmalware and is not randomly generated.\r\nThis artifact also loads several APIs that are commonly associated with Pass-The-Hash (PTH) toolkits, indicating a\r\ncapability to harvest user credentials and passwords.\r\n---Begin Common PTH APIs---\r\nSamiChangePasswordUser\r\nSamFreeMemory\r\nSamCloseHandle\r\nSamOpenUser\r\nSamLookupNamesInDomain\r\nSamOpenDomain\r\nSamConnect\r\n---End Common PTH APIs---\r\n81.94.192.10\r\nWhois\r\nDomain name:\r\n       redstation.net.uk\r\n   Registrant:\r\n       Redstation Limited\r\n   Registrant type:\r\n       UK Limited Company, (Company number: 3590745)\r\n   Registrant's address:\r\n       2 Frater Gate Business Park\r\n       Aerodrome Road\r\n       Gosport\r\n       Hampshire\r\n       PO13 0GW\r\n       United Kingdom\r\n   Data validation:\r\n       Nominet was able to match the registrant's name and address against a 3rd party data source on 21-Feb-2017\r\n   Registrar:\r\n       Easyspace Ltd [Tag = EASYSPACE]\r\n       URL: https://www.easyspace.com/domain-names/extensions/uk\r\n   Relevant dates:\r\n       Registered on: 11-Apr-2005\r\n       Expiry date: 11-Apr-2019\r\n       Last updated: 12-Apr-2017\r\n   Registration status:\r\n       Registered until expiry date.\r\n   Name servers:\r\n       ns1.redstation.com\r\n       ns2.redstation.com\r\nRelationships\r\n81.94.192.10 Connected_From 
ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware5.dll'. No domain is associated with the\r\nIP address.\r\n12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d\r\nTags\r\ntrojan\r\nDetails\r\nName 868036E102DF4CE414B0E6700825B319\r\nSize 453791 bytes\r\nType PE32+ executable (GUI) x86-64, for MS Windows\r\nMD5 868036e102df4ce414b0e6700825b319\r\nSHA1 7f1e68d78e455aa14de9020abd2293c3b8ec6cf8\r\nSHA256 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d\r\nSHA512 724d83493dbe86cfcee7f655272d2c733baa5470d7da986e956c789aa1b8f518ad94b575e655b4fe5f6f7d426b9aa7d8304fc879b82a38514\r\nssdeep 12288:eb/3G8vg+Rg1cvAHtE0MLa07rt5POui6z:+/3G8vg+pvi9Sa07rt4ui6z\r\nEntropy 7.713852\r\nAntivirus\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR19-100A\r\nPage 14 of 41\n\nNANOAV Trojan.Win64.Crypted.excqpl\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\n90 890d3928be0f36b1f4dcfffb20ac3747a31451ce010caba768974bfccdc26e7c\r\nPE Metadata\r\nCompile Date 2017-06-06 10:54:03-04:00\r\nImport Hash 947a389c3886c5fa7f3e972fd4d7740c\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\ne772c7a04c7e3d53c58fdb8a88bb0c02 header 1024 2.486400\r\na6a2750e5b57470403299e0327553042 .text 34816 6.297430\r\ncc5d69374e9b0266a4b1119e5274d392 .rdata 12288 4.715650\r\nac4ee21fcb2501656efc217d139ec804 .data 5120 1.876950\r\n359af12d4a14ced423d39736dfec613a .pdata 2560 3.878158\r\n097e0e4be076b795a7316f1746bace8a .rsrc 3072 5.514584\r\n5849f380266933d6f3c5c4740334b041 .reloc 1024 2.517963\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 8.0 (DLL)\r\nRelationships\r\n12480585e0... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\n12480585e0... 
Dropped 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nThis artifact is a malicious x64 executable with characteristics similar to those described in\r\n23E27E5482E3F55BF828DAB885569033 above.\r\nIn addition to the capabilities described above, this variant will hook the Windows Local Security Authority (lsass.exe).\r\n'lsass.exe' will check the registry for the data value 'rdpproto' in 'Security Packages' under the key\r\nSYSTEM\\CurrentControlSet\\Control\\Lsa. If not found, this value is added by 'lsass.exe'.\r\nNext, the malware will drop the embedded file 'rdpproto.dll' into the %System32% directory.\r\nThe file 'udbcgiut.dat' is then written to C:\\Windows. Outbound connection attempts are made to the socket pairs found\r\nwithin this file as described above.\r\n49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nTags\r\ntrojan\r\nDetails\r\nName rdpproto.dll\r\nSize 391680 bytes\r\nType PE32+ executable (DLL) (console) x86-64, for MS Windows\r\nMD5 dc268b166fe4c1d1c8595dccf857c476\r\nSHA1 8264556c8a6e460760dc6bb72ecc6f0f966a16b8\r\nSHA256 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nSHA512 b47c4caa0b5c17c982fcd040c7171d36ec962fe32e9b8bec567ee14b187507fe90e026aa05eec17d36c49a924eeaed55e66c95a111cfa9dcae\r\nssdeep 6144:jfsTC8amAXJeZP6BPjIDeLkigDxcvAHjVXjhtBGshMLa1Mj7rtlkiP60dwtudIye:jvg+Rg1cvAHtE0MLa07rt5POui6\r\nEntropy 7.893665\r\nAntivirus\r\nAvira TR/Crypt.XPACK.xuqld\r\nBitDefender Trojan.Generic.22790108\r\nESET a variant of Generik.MYWMFCM trojan\r\nEmsisoft Trojan.Generic.22790108 (B)\r\nIkarus Trojan.SuspectCRC\r\nNANOAV Trojan.Win64.Crypted.excqpl\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\n99 890d3928be0f36b1f4dcfffb20ac3747a31451ce010caba768974bfccdc26e7c\r\nPE Metadata\r\nCompile Date 2017-06-06 11:34:06-04:00\r\nImport Hash 360d26520c50825099ec61e97b01a43b\r\nPE Sections\r\nMD5 Name 
Raw Size Entropy\r\n3bb2a7d6aab283c82ab853f536157ce2 header 1024 2.524087\r\nb0bf8ec7b067fd3592c0053702e34504 .text 23552 6.180871\r\n6cc98c5fef3ea1b782262e355b5c5862 .rdata 10752 4.635336\r\n484d4698d46b3b5ad033c1a80ba83acf .data 4096 2.145716\r\na07c8f17c18c6789a3e757aec183aea6 .pdata 2048 3.729952\r\nfae0d0885944745d98849422bd799457 .rsrc 348672 7.997488\r\n0c1c23e1fb129b1b1966f70fc75cf20e .reloc 1536 1.737829\r\nRelationships\r\n49757cf856... Dropped_By 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d\r\n49757cf856... Connected_To 21.252.107.198\r\n49757cf856... Connected_To 70.224.36.194\r\n49757cf856... Connected_To 113.114.117.122\r\n49757cf856... Connected_To 47.206.4.145\r\n49757cf856... Connected_To 84.49.242.125\r\n49757cf856... Connected_To 26.165.218.44\r\n49757cf856... Connected_To 137.139.135.151\r\n49757cf856... Connected_To 97.90.44.200\r\n49757cf856... Connected_To 128.200.115.228\r\n49757cf856... Connected_To 186.169.2.237\r\nDescription\r\n\"rdpproto.dll\" is dropped into the %System32% directory by 868036E102DF4CE414B0E6700825B319. 
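The persistence and drop behaviour described for this variant (the 'rdpproto' entry added to the 'Security Packages' value under SYSTEM\CurrentControlSet\Control\Lsa, the rdpproto.dll and udbcgiut.dat files, lsass.exe loading the new package, and the outbound connections to the ten embedded addresses on the ports listed per address below) can be matched in endpoint telemetry. The Python below is an added example written for this page, not code from the report. It assumes events arrive as dictionaries that use Sysmon's EventID numbers and EventData field names; the events it runs over are constructed for the example and are not real telemetry.

```python
"""Added example (not from the CISA report): match Sysmon-style endpoint
events against the indicators the report gives for this HOPLIGHT variant.

Assumption (not from the report): each event is a dict carrying Sysmon's
EventID and EventData field names (13 = registry value set, 11 = file
create, 7 = image load, 3 = network connect). SAMPLE_EVENTS is constructed
for the example; it is not real telemetry.
"""
from typing import Iterable, List, Optional

# Indicators taken from the report text for rdpproto.dll.
SSP_VALUE_SUFFIX = r"\control\lsa\security packages"   # HKLM\SYSTEM\CurrentControlSet\Control\Lsa
SSP_ENTRY = "rdpproto"                                 # entry added so lsass.exe loads rdpproto.dll
DROPPED_FILES = {r"c:\windows\system32\rdpproto.dll", r"c:\windows\udbcgiut.dat"}
RDPPROTO_SHA256 = "49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359"
# (address, TCP port) pairs from the per-address entries that follow this artifact.
C2_SOCKETS = {
    ("21.252.107.198", 23164), ("70.224.36.194", 59681), ("113.114.117.122", 23397),
    ("47.206.4.145", 59067), ("84.49.242.125", 17770), ("26.165.218.44", 2248),
    ("137.139.135.151", 64694), ("97.90.44.200", 37120), ("128.200.115.228", 52884),
    ("186.169.2.237", 65292),
}
C2_IPS = {ip for ip, _ in C2_SOCKETS}


def _low(event: dict, key: str) -> str:
    """Case-folded string form of one event field ('' if absent)."""
    return str(event.get(key, "")).lower()


def classify(event: dict) -> Optional[str]:
    """Return the name of the first matching rule, or None if the event is benign."""
    eid = event.get("EventID")
    if eid == 13:   # registry value set: 'rdpproto' written into Security Packages
        if _low(event, "TargetObject").endswith(SSP_VALUE_SUFFIX) and SSP_ENTRY in _low(event, "Details"):
            return "ssp_registry_entry_added"
    elif eid == 11:   # file create: the two dropped files, matched on full path
        if _low(event, "TargetFilename") in DROPPED_FILES:
            return "hoplight_file_dropped"
    elif eid == 7:   # image load: lsass.exe pulling in the SSP DLL, or the known hash anywhere
        if _low(event, "Image").endswith(r"\lsass.exe") and _low(event, "ImageLoaded").endswith(r"\rdpproto.dll"):
            return "ssp_loaded_by_lsass"
        if RDPPROTO_SHA256 in _low(event, "Hashes"):
            return "rdpproto_hash_loaded"
    elif eid == 3:   # network connect: exact socket pair first, bare address as a weaker hit
        try:
            port = int(event.get("DestinationPort", 0))
        except (TypeError, ValueError):
            port = 0
        sock = (event.get("DestinationIp"), port)
        if sock in C2_SOCKETS:
            return "c2_socket_pair"
        if sock[0] in C2_IPS:
            return "c2_address_other_port"
    return None


def scan(events: Iterable[dict]) -> List[dict]:
    """Run classify() over an event stream and collect the hits in order."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule is not None:
            hits.append({"rule": rule, "EventID": ev.get("EventID"), "Image": ev.get("Image")})
    return hits


# Constructed sample events (hypothetical dropper path; not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\ProgramData\dropper.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
     "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u rdpproto"},
    {"EventID": 11, "Image": r"C:\ProgramData\dropper.exe",
     "TargetFilename": r"C:\Windows\System32\rdpproto.dll"},
    {"EventID": 11, "Image": r"C:\ProgramData\dropper.exe",
     "TargetFilename": r"C:\Windows\udbcgiut.dat"},
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\rdpproto.dll",
     "Hashes": "SHA256=" + RDPPROTO_SHA256.upper()},
    {"EventID": 3, "Image": r"C:\Windows\System32\lsass.exe",
     "DestinationIp": "97.90.44.200", "DestinationPort": "37120"},
    {"EventID": 3, "Image": r"C:\Windows\System32\lsass.exe",
     "DestinationIp": "186.169.2.237", "DestinationPort": "443"},
    # benign noise that must not fire
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain", "Details": "corp"},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "142.250.72.196", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The registry rule deliberately matches on the value path and the word 'rdpproto' rather than on the full REG_MULTI_SZ contents, since the other package names vary by Windows version; the file rule matches on the full path so that a same-named DLL elsewhere is not reported as this indicator. A bare address hit on one of the ten IPs is kept as a weaker rule because the report describes high-port-to-high-port connections and the listed port is the one observed, not necessarily the only one.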
When the library is loaded, \"rdpproto.dll\" attempts to send SSL Client Hello packets to the following embedded IP addresses, each on the high TCP port listed in its entry below:\r\n---Begin Embedded IP Addresses---\r\n21.252.107.198\r\n70.224.36.194\r\n113.114.117.122\r\n47.206.4.145\r\n84.49.242.125\r\n26.165.218.44\r\n137.139.135.151\r\n97.90.44.200\r\n128.200.115.228\r\n186.169.2.237\r\n---End Embedded IP Addresses---\r\nThis artifact contains the following notable strings:\r\n---Begin Notable Strings---\r\nCompanyName\r\nAdobe System Incorporated\r\nFileDescription\r\nMicrosoftWindows TransFilter/FilterType : 01 WindowsNT Service\r\nFileVersion\r\n6.1 Build 7601\r\nInternalName\r\nTCP/IP Packet Filter Service\r\nLegalCopyright\r\nCopyright 2015 - Adobe System Incorporated\r\nLegalTrademarks\r\nOriginalFileName\r\nTCP/IP - PacketFilter\r\n---End Notable Strings---\r\n21.252.107.198\r\nPorts\r\n23164 TCP\r\nWhois\r\nNetRange:     21.0.0.0 - 21.255.255.255\r\nCIDR:         21.0.0.0/8\r\nNetName:        DNIC-SNET-021\r\nNetHandle:     NET-21-0-0-0-1\r\nParent:         ()\r\nNetType:        Direct Allocation\r\nOriginAS:    \r\nOrganization: DoD Network Information Center (DNIC)\r\nRegDate:        1991-06-30\r\nUpdated:        2009-06-19\r\nRef:            https://whois.arin.net/rest/net/NET-21-0-0-0-1\r\nOrgName:        DoD Network Information Center\r\nOrgId:         DNIC\r\nAddress:        3990 E. 
Broad Street\r\nCity:         Columbus\r\nStateProv:     OH\r\nPostalCode:     43218\r\nCountry:        US\r\nRegDate:        \r\nUpdated:        2011-08-17\r\nRef:            https://whois.arin.net/rest/org/DNIC\r\nRelationships\r\n21.252.107.198 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n21.252.107.198 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the\r\nIP address.\r\n70.224.36.194\r\nPorts\r\n59681 TCP\r\nWhois\r\nDomain Name: AMERITECH.NET\r\nRegistry Domain ID: 81816_DOMAIN_NET-VRSN\r\nRegistrar WHOIS Server: whois.corporatedomains.com\r\nRegistrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html\r\nUpdated Date: 2017-06-09T05:27:34Z\r\nCreation Date: 1996-06-14T04:00:00Z\r\nRegistry Expiry Date: 2018-06-13T04:00:00Z\r\nRegistrar: CSC Corporate Domains, Inc.\r\nRegistrar IANA ID: 299\r\nRegistrar Abuse Contact Email: domainabuse@cscglobal.com\r\nRegistrar Abuse Contact Phone: 8887802723\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nName Server: NS1.ATTDNS.COM\r\nName Server: NS2.ATTDNS.COM\r\nName Server: NS3.ATTDNS.COM\r\nName Server: NS4.ATTDNS.COM\r\nDNSSEC: unsigned\r\nDomain Name: ameritech.net\r\nRegistry Domain ID: 81816_DOMAIN_NET-VRSN\r\nRegistrar WHOIS Server: whois.corporatedomains.com\r\nRegistrar URL: www.cscprotectsbrands.com\r\nUpdated Date: 2017-06-09T05:27:34Z\r\nCreation Date: 1996-06-14T04:00:00Z\r\nRegistrar Registration Expiration Date: 2018-06-13T04:00:00Z\r\nRegistrar: CSC CORPORATE DOMAINS, INC.\r\nRegistrar IANA ID: 299\r\nRegistrar Abuse Contact Email: domainabuse@cscglobal.com\r\nRegistrar Abuse Contact Phone: +1.8887802723\r\nDomain Status: clientTransferProhibited 
http://www.icann.org/epp#clientTransferProhibited\r\nRegistry Registrant ID:\r\nRegistrant Name: Domain Administrator\r\nRegistrant Organization: AT\u0026T SERVICES, INC.\r\nRegistrant Street: 801 Chestnut Street\r\nRegistrant City: Saint Louis\r\nRegistrant State/Province: MO\r\nRegistrant Postal Code: 63101\r\nRegistrant Country: US\r\nRegistrant Phone: +1.3142358168\r\nRegistrant Phone Ext:\r\nRegistrant Fax: +1.3142358168\r\nRegistrant Fax Ext:\r\nRegistrant Email: att-domains@att.com\r\nRegistry Admin ID:\r\nAdmin Name: Domain Administrator\r\nAdmin Organization: AT\u0026T SERVICES, INC.\r\nAdmin Street: 801 Chestnut Street\r\nAdmin City: Saint Louis\r\nAdmin State/Province: MO\r\nAdmin Postal Code: 63101\r\nAdmin Country: US\r\nAdmin Phone: +1.3142358168\r\nAdmin Phone Ext:\r\nAdmin Fax: +1.3142358168\r\nAdmin Fax Ext:\r\nAdmin Email: att-domains@att.com\r\nRegistry Tech ID:\r\nTech Name: Domain Administrator\r\nTech Organization: AT\u0026T SERVICES, INC.\r\nTech Street: 801 Chestnut Street\r\nTech City: Saint Louis\r\nTech State/Province: MO\r\nTech Postal Code: 63101\r\nTech Country: US\r\nTech Phone: +1.3142358168\r\nTech Phone Ext:\r\nTech Fax: +1.3142358168\r\nTech Fax Ext:\r\nTech Email: att-domains@att.com\r\nName Server: ns3.attdns.com\r\nName Server: ns1.attdns.com\r\nName Server: ns2.attdns.com\r\nName Server: ns4.attdns.com\r\nDNSSEC: unsigned\r\nRelationships\r\n70.224.36.194 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n70.224.36.194 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. 
No domain is associated with the\r\nIP address.\r\n113.114.117.122\r\nPorts\r\n23397 TCP\r\nWhois\r\ninetnum:        113.112.0.0 - 113.119.255.255\r\nnetname:        CHINANET-GD\r\ndescr:         CHINANET Guangdong province network\r\ndescr:         Data Communication Division\r\ndescr:         China Telecom\r\ncountry:        CN\r\nadmin-c:        CH93-AP\r\ntech-c:         IC83-AP\r\nremarks:        service provider\r\nstatus:         ALLOCATED PORTABLE\r\nmnt-by:         APNIC-HM\r\nmnt-lower:     MAINT-CHINANET-GD\r\nmnt-routes:     MAINT-CHINANET-GD\r\nlast-modified: 2016-05-04T00:15:17Z\r\nsource:         APNIC\r\nmnt-irt:        IRT-CHINANET-CN\r\nirt:            IRT-CHINANET-CN\r\naddress:        No.31 ,jingrong street,beijing\r\naddress:        100032\r\ne-mail:         anti-spam@ns.chinanet.cn.net\r\nabuse-mailbox: anti-spam@ns.chinanet.cn.net\r\nadmin-c:        CH93-AP\r\ntech-c:         CH93-AP\r\nauth:         # Filtered\r\nmnt-by:         MAINT-CHINANET\r\nlast-modified: 2010-11-15T00:31:55Z\r\nsource:         APNIC\r\nperson:         Chinanet Hostmaster\r\nnic-hdl:        CH93-AP\r\ne-mail:         anti-spam@ns.chinanet.cn.net\r\naddress:        No.31 ,jingrong street,beijing\r\naddress:        100032\r\nphone:         +86-10-58501724\r\nfax-no:         +86-10-58501724\r\ncountry:        CN\r\nmnt-by:         MAINT-CHINANET\r\nlast-modified: 2014-02-27T03:37:38Z\r\nsource:         APNIC\r\nperson:         IPMASTER CHINANET-GD\r\nnic-hdl:        IC83-AP\r\ne-mail:         gdnoc_HLWI@189.cn\r\naddress:        NO.18,RO. 
ZHONGSHANER,YUEXIU DISTRIC,GUANGZHOU\r\nphone:         +86-20-87189274\r\nfax-no:         +86-20-87189274\r\ncountry:        CN\r\nmnt-by:         MAINT-CHINANET-GD\r\nremarks:        IPMASTER is not for spam complaint,please send spam complaint to abuse_gdnoc@189.cn\r\nabuse-mailbox: antispam_gdnoc@189.cn\r\nlast-modified: 2014-09-22T04:41:26Z\r\nsource:         APNIC\r\nRelationships\r\n113.114.117.122 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n113.114.117.122 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the\r\nIP address.\r\n47.206.4.145\r\nPorts\r\n59067 TCP\r\nWhois\r\nDomain Name: FRONTIERNET.NET\r\nRegistry Domain ID: 4305589_DOMAIN_NET-VRSN\r\nRegistrar WHOIS Server: whois.register.com\r\nRegistrar URL: http://www.register.com\r\nUpdated Date: 2017-09-14T07:53:05Z\r\nCreation Date: 1995-10-14T04:00:00Z\r\nRegistry Expiry Date: 2018-10-13T04:00:00Z\r\nRegistrar: Register.com, Inc.\r\nRegistrar IANA ID: 9\r\nRegistrar Abuse Contact Email: abuse@web.com\r\nRegistrar Abuse Contact Phone: +1.8003337680\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nName Server: AUTH.DLLS.PA.FRONTIERNET.NET\r\nName Server: AUTH.FRONTIERNET.NET\r\nName Server: AUTH.LKVL.MN.FRONTIERNET.NET\r\nName Server: AUTH.ROCH.NY.FRONTIERNET.NET\r\nDNSSEC: unsigned\r\nDomain Name: FRONTIERNET.NET\r\nRegistry Domain ID: 4305589_DOMAIN_NET-VRSN\r\nRegistrar WHOIS Server: whois.register.com\r\nRegistrar URL: www.register.com\r\nUpdated Date: 2017-09-14T00:53:05.00Z\r\nCreation Date: 1995-10-14T04:00:00.00Z\r\nRegistrar Registration Expiration Date: 2018-10-13T04:00:00.00Z\r\nRegistrar: REGISTER.COM, INC.\r\nRegistrar IANA ID: 9\r\nDomain Status: 
clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited\r\nRegistry Registrant ID:\r\nRegistrant Name: FRONTIERNET HOSTMASTER\r\nRegistrant Organization:\r\nRegistrant Street: 95 N. FITZHUGH ST.\r\nRegistrant City: ROCHESTER\r\nRegistrant State/Province: NY\r\nRegistrant Postal Code: 14614-1212\r\nRegistrant Country: US\r\nRegistrant Phone: +1.8664747662\r\nRegistrant Phone Ext:\r\nRegistrant Fax:\r\nRegistrant Fax Ext:\r\nRegistrant Email: HOSTMASTER@FRONTIERNET.NET\r\nRegistry Admin ID:\r\nAdmin Name: FRONTIERNET HOSTMASTER\r\nAdmin Organization:\r\nAdmin Street: 95 N. FITZHUGH ST.\r\nAdmin City: ROCHESTER\r\nAdmin State/Province: NY\r\nAdmin Postal Code: 14614-1212\r\nAdmin Country: US\r\nAdmin Phone: +1.8664747662\r\nAdmin Phone Ext:\r\nAdmin Fax:\r\nAdmin Fax Ext:\r\nAdmin Email: HOSTMASTER@FRONTIERNET.NET\r\nRegistry Tech ID:\r\nTech Name: FRONTIERNET HOSTMASTER\r\nTech Organization:\r\nTech Street: 95 N. FITZHUGH ST.\r\nTech City: ROCHESTER\r\nTech State/Province: NY\r\nTech Postal Code: 14614-1212\r\nTech Country: US\r\nTech Phone: +1.8664747662\r\nTech Phone Ext:\r\nTech Fax:\r\nTech Fax Ext:\r\nTech Email: HOSTMASTER@FRONTIERNET.NET\r\nName Server: AUTH.DLLS.PA.FRONTIERNET.NET\r\nName Server: AUTH.FRONTIERNET.NET\r\nName Server: AUTH.LKVL.MN.FRONTIERNET.NET\r\nName Server: AUTH.ROCH.NY.FRONTIERNET.NET\r\nDNSSEC: unSigned\r\nRelationships\r\n47.206.4.145 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n47.206.4.145 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. 
No domain is associated with the\r\nIP address.\r\n84.49.242.125\r\nPorts\r\n17770 TCP\r\nWhois\r\nDomain Name: NEXTGENTEL.COM\r\nRegistry Domain ID: 13395561_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.domaininfo.com\r\nRegistrar URL: http://www.ports.domains\r\nUpdated Date: 2017-11-10T23:44:50Z\r\nCreation Date: 1999-11-17T15:47:51Z\r\nRegistry Expiry Date: 2018-11-17T15:47:51Z\r\nRegistrar: Ports Group AB\r\nRegistrar IANA ID: 73\r\nRegistrar Abuse Contact Email: abuse@portsgroup.se\r\nRegistrar Abuse Contact Phone: +46.707260017\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nName Server: ANYADNS1.NEXTGENTEL.NET\r\nName Server: ANYADNS2.NEXTGENTEL.NET\r\nDNSSEC: unsigned\r\nDomain Name: nextgentel.com\r\nRegistry Domain ID: 13395561_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.domaininfo.com\r\nRegistrar URL: ports.domains\r\nUpdated Date: 2017-11-10T23:44:50Z\r\nCreation Date: 1999-11-17T15:47:51Z\r\nRegistrar Registration Expiration Date: 2018-11-17T15:47:51Z\r\nRegistrar: PortsGroup AB\r\nRegistrar IANA ID: 73\r\nRegistrar Abuse Contact Email: abuse@portsgroup.se\r\nRegistrar Abuse Contact Phone: +46.317202000\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nRegistry Registrant ID:\r\nRegistrant Name: Hostmaster\r\nRegistrant Organization: NextGenTel AS\r\nRegistrant Street: Sandslimarka 31\r\nRegistrant City: SANDSLI\r\nRegistrant State/Province:\r\nRegistrant Postal Code: 5254\r\nRegistrant Country: NO\r\nRegistrant Phone: +47.55527900\r\nRegistrant Fax: +47.55527910\r\nRegistrant Email: hostmaster@nextgentel.com\r\nRegistry Admin ID:\r\nAdmin Name: Hostmaster\r\nAdmin Organization: NextGenTel AS\r\nAdmin Street: Sandslimarka 31\r\nAdmin City: Sandsli\r\nAdmin State/Province:\r\nAdmin Postal Code: 5254\r\nAdmin Country: NO\r\nAdmin Phone: +47.55527900\r\nAdmin Fax: 
+47.55527910\r\nAdmin Email: hostmaster@nextgentel.com\r\nRegistry Tech ID:\r\nTech Name: Hostmaster v/ Eivind Olsen\r\nTech Organization: NextGenTel AS\r\nTech Street: Postboks 3 Sandsli\r\nTech City: Bergen\r\nTech State/Province:\r\nTech Postal Code: 5861\r\nTech Country: NO\r\nTech Phone: +47.41649322\r\nTech Fax: +47.55527910\r\nTech Email: hostmaster@nextgentel.com\r\nName Server: ANYADNS1.NEXTGENTEL.NET\r\nName Server: ANYADNS2.NEXTGENTEL.NET\r\nDNSSEC: unsigned\r\nRelationships\r\n84.49.242.125 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n84.49.242.125 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the\r\nIP address.\r\n26.165.218.44\r\nPorts\r\n2248 TCP\r\nWhois\r\nNetRange:     26.0.0.0 - 26.255.255.255\r\nCIDR:         26.0.0.0/8\r\nNetName:        DISANET26\r\nNetHandle:     NET-26-0-0-0-1\r\nParent:         ()\r\nNetType:        Direct Allocation\r\nOriginAS:    \r\nOrganization: DoD Network Information Center (DNIC)\r\nRegDate:        1995-04-30\r\nUpdated:        2009-06-19\r\nRef:            https://whois.arin.net/rest/net/NET-26-0-0-0-1\r\nOrgName:        DoD Network Information Center\r\nOrgId:         DNIC\r\nAddress:        3990 E. 
Broad Street\r\nCity:         Columbus\r\nStateProv:     OH\r\nPostalCode:     43218\r\nCountry:        US\r\nRegDate:        \r\nUpdated:        2011-08-17\r\nRef:            https://whois.arin.net/rest/org/DNIC\r\nOrgTechHandle: MIL-HSTMST-ARIN\r\nOrgTechName: Network DoD\r\nOrgTechPhone: +1-844-347-2457\r\nOrgTechEmail: disa.columbus.ns.mbx.hostmaster-dod-nic@mail.mil\r\nOrgTechRef:    https://whois.arin.net/rest/poc/MIL-HSTMST-ARIN\r\nOrgAbuseHandle: REGIS10-ARIN\r\nOrgAbuseName: Registration\r\nOrgAbusePhone: +1-844-347-2457\r\nOrgAbuseEmail: disa.columbus.ns.mbx.arin-registrations@mail.mil\r\nOrgAbuseRef:    https://whois.arin.net/rest/poc/REGIS10-ARIN\r\nOrgTechHandle: REGIS10-ARIN\r\nOrgTechName: Registration\r\nOrgTechPhone: +1-844-347-2457\r\nOrgTechEmail: disa.columbus.ns.mbx.arin-registrations@mail.mil\r\nOrgTechRef:    https://whois.arin.net/rest/poc/REGIS10-ARIN\r\nRelationships\r\n26.165.218.44 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n26.165.218.44 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. 
No domain is associated with the\r\nIP address.\r\n137.139.135.151\r\nPorts\r\n64694 TCP\r\nWhois\r\nNetRange:     137.139.0.0 - 137.139.255.255\r\nCIDR:         137.139.0.0/16\r\nNetName:        SUC-OLDWEST\r\nNetHandle:     NET-137-139-0-0-1\r\nParent:         NET137 (NET-137-0-0-0-0)\r\nNetType:        Direct Assignment\r\nOriginAS:    \r\nOrganization: SUNY College at Old Westbury (SCAOW)\r\nRegDate:        1989-11-29\r\nUpdated:        2014-02-18\r\nRef:            https://whois.arin.net/rest/net/NET-137-139-0-0-1\r\nOrgName:        SUNY College at Old Westbury\r\nOrgId:         SCAOW\r\nAddress:        223 Store Hill Road\r\nCity:         Old Westbury\r\nStateProv:     NY\r\nPostalCode:     11568\r\nCountry:        US\r\nRegDate:        1989-11-29\r\nUpdated:        2011-09-24\r\nRef:            https://whois.arin.net/rest/org/SCAOW\r\nOrgTechHandle: SUNYO-ARIN\r\nOrgTechName: SUNYOWNOC\r\nOrgTechPhone: +1-516-876-3379\r\nOrgTechEmail: sunyownoc@oldwestbury.edu\r\nOrgTechRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN\r\nOrgAbuseHandle: SUNYO-ARIN\r\nOrgAbuseName: SUNYOWNOC\r\nOrgAbusePhone: +1-516-876-3379\r\nOrgAbuseEmail: sunyownoc@oldwestbury.edu\r\nOrgAbuseRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN\r\nRAbuseHandle: SUNYO-ARIN\r\nRAbuseName: SUNYOWNOC\r\nRAbusePhone: +1-516-876-3379\r\nRAbuseEmail: sunyownoc@oldwestbury.edu\r\nRAbuseRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN\r\nRTechHandle: SUNYO-ARIN\r\nRTechName: SUNYOWNOC\r\nRTechPhone: +1-516-876-3379\r\nRTechEmail: sunyownoc@oldwestbury.edu\r\nRTechRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN\r\nRNOCHandle: SUNYO-ARIN\r\nRNOCName: SUNYOWNOC\r\nRNOCPhone: +1-516-876-3379\r\nRNOCEmail: sunyownoc@oldwestbury.edu\r\nRNOCRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN\r\nRelationships\r\n137.139.135.151 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n137.139.135.151 
Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the\r\nIP address.\r\n97.90.44.200\r\nPorts\r\n37120 TCP\r\nWhois\r\nDomain Name: CHARTER.COM\r\nRegistry Domain ID: 340223_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.markmonitor.com\r\nRegistrar URL: http://www.markmonitor.com\r\nUpdated Date: 2017-07-03T04:22:18Z\r\nCreation Date: 1994-07-30T04:00:00Z\r\nRegistry Expiry Date: 2019-07-29T04:00:00Z\r\nRegistrar: MarkMonitor Inc.\r\nRegistrar IANA ID: 292\r\nRegistrar Abuse Contact Email: abusecomplaints@markmonitor.com\r\nRegistrar Abuse Contact Phone: +1.2083895740\r\nDomain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nDomain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited\r\nName Server: NS1.CHARTER.COM\r\nName Server: NS2.CHARTER.COM\r\nName Server: NS3.CHARTER.COM\r\nName Server: NS4.CHARTER.COM\r\nDNSSEC: unsigned\r\nDomain Name: charter.com\r\nRegistry Domain ID: 340223_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.markmonitor.com\r\nRegistrar URL: http://www.markmonitor.com\r\nUpdated Date: 2017-12-18T04:00:14-0800\r\nCreation Date: 1994-07-29T21:00:00-0700\r\nRegistrar Registration Expiration Date: 2019-07-28T21:00:00-0700\r\nRegistrar: MarkMonitor, Inc.\r\nRegistrar IANA ID: 292\r\nRegistrar Abuse Contact Email: abusecomplaints@markmonitor.com\r\nRegistrar Abuse Contact Phone: +1.2083895740\r\nDomain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)\r\nDomain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)\r\nDomain Status: clientDeleteProhibited 
(https://www.icann.org/epp#clientDeleteProhibited)\r\nRegistry Registrant ID:\r\nRegistrant Name: Domain Admin\r\nRegistrant Organization: Charter Communications Operating, LLC\r\nRegistrant Street: 12405 Powerscourt Drive,\r\nRegistrant City: Saint Louis\r\nRegistrant State/Province: MO\r\nRegistrant Postal Code: 63131\r\nRegistrant Country: US\r\nRegistrant Phone: +1.3149650555\r\nRegistrant Phone Ext:\r\nRegistrant Fax: +1.9064010617\r\nRegistrant Fax Ext:\r\nRegistrant Email: hostmaster@charter.com\r\nRegistry Admin ID:\r\nAdmin Name: Domain Admin\r\nAdmin Organization: Charter Communications Operating, LLC\r\nAdmin Street: 12405 Powerscourt Drive,\r\nAdmin City: Saint Louis\r\nAdmin State/Province: MO\r\nAdmin Postal Code: 63131\r\nAdmin Country: US\r\nAdmin Phone: +1.3149650555\r\nAdmin Phone Ext:\r\nAdmin Fax: +1.9064010617\r\nAdmin Fax Ext:\r\nAdmin Email: hostmaster@charter.com\r\nRegistry Tech ID:\r\nTech Name: Charter Communications Internet Security and Abuse\r\nTech Organization: Charter Communications Operating, LLC\r\nTech Street: 12405 Powerscourt Drive,\r\nTech City: Saint Louis\r\nTech State/Province: MO\r\nTech Postal Code: 63131\r\nTech Country: US\r\nTech Phone: +1.3142883111\r\nTech Phone Ext:\r\nTech Fax: +1.3149090609\r\nTech Fax Ext:\r\nTech Email: abuse@charter.net\r\nName Server: ns4.charter.com\r\nName Server: ns3.charter.com\r\nName Server: ns1.charter.com\r\nName Server: ns2.charter.com\r\nDNSSEC: unsigned\r\nRelationships\r\n97.90.44.200 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n97.90.44.200 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. 
No domain is associated with the\r\nIP address.\r\n128.200.115.228\r\nPorts\r\n52884 TCP\r\nWhois\r\nDomain Name: UCI.EDU\r\nRegistrant:\r\nUniversity of California, Irvine\r\n6366 Ayala Science Library\r\nIrvine, CA 92697-1175\r\nUNITED STATES\r\nAdministrative Contact:\r\nCon Wieland\r\nUniversity of California, Irvine\r\nOffice of Information Technology\r\n6366 Ayala Science Library\r\nIrvine, CA 92697-1175\r\nUNITED STATES\r\n(949) 824-2222\r\noit-nsp@uci.edu\r\nTechnical Contact:\r\nCon Wieland\r\nUniversity of California, Irvine\r\nOffice of Information Technology\r\n6366 Ayala Science Library\r\nIrvine, CA 92697-1175\r\nUNITED STATES\r\n(949) 824-2222\r\noit-nsp@uci.edu\r\nName Servers:\r\nNS4.SERVICE.UCI.EDU     128.200.59.190\r\nNS5.SERVICE.UCI.EDU     52.26.131.47\r\nDomain record activated:    30-Sep-1985\r\nDomain record last updated: 07-Jul-2016\r\nDomain expires:             31-Jul-2018\r\nRelationships\r\n128.200.115.228 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n128.200.115.228 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the\r\nIP address.\r\n186.169.2.237\r\nPorts\r\n65292 TCP\r\nWhois\r\ninetnum:     186.168/15\r\nstatus:     allocated\r\naut-num:     N/A\r\nowner:     COLOMBIA TELECOMUNICACIONES S.A. 
ESP\r\nownerid:     CO-CTSE-LACNIC\r\nresponsible: Administradores Internet\r\naddress:     Transversal 60, 114, A 55\r\naddress:     N - BOGOTA - Cu\r\ncountry:     CO\r\nphone:     +57 1 5339833 []\r\nowner-c:     CTE7\r\ntech-c:     CTE7\r\nabuse-c:     CTE7\r\ninetrev:     186.169/16\r\nnserver:     DNS5.TELECOM.COM.CO\r\nnsstat:     20171220 AA\r\nnslastaa:    20171220\r\nnserver:     DNS.TELECOM.COM.CO\r\nnsstat:     20171220 AA\r\nnslastaa:    20171220\r\ncreated:     20110404\r\nchanged:     20141111\r\nnic-hdl:     CTE7\r\nperson:     Grupo de Administradores Internet\r\ne-mail:     admin.internet@TELECOM.COM.CO\r\naddress:     Transversal, 60, 114 A, 55\r\naddress:     571111 - BOGOTA DC - CU\r\ncountry:     CO\r\nphone:     +57 1 7050000 [71360]\r\ncreated:     20140220\r\nchanged:     20140220\r\nRelationships\r\n186.169.2.237 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n186.169.2.237 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. 
No domain is associated with the\r\nIP address.\r\n4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\nTags\r\ntrojan\r\nDetails\r\nName 42682D4A78FE5C2EDA988185A344637D\r\nName 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\nSize 346624 bytes\r\nType PE32+ executable (DLL) (console) x86-64, for MS Windows\r\nMD5 42682d4a78fe5c2eda988185a344637d\r\nSHA1 4975de2be0a1f7202037f5a504d738fe512191b7\r\nSHA256 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\nSHA512 213e4a0afbfac0bd884ab262ac87aee7d9a175cff56ba11aa4c75a4feb6a96c5e4e2c26adbe765f637c783df7552a56e4781a3b17be5fda2cf78\r\nssdeep 6144:nCgsFAkxS1rrtZQXTip12P04nTnvze6lxjWV346vze6lpjWV34Evze6lSjWV34a7:nCgsukxS1vtZ+5nvze6lxjWV346vze6N\r\nEntropy 6.102810\r\nAntivirus\r\nESET a variant of Win64/NukeSped.T trojan\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule crypt_constants_2\r\n{\r\n    meta:\r\n        Author = \"NCCIC trusted 3rd party\"\r\n        Incident = \"10135536\"\r\n        Date = \"2018/04/19\"\r\n        category = \"hidden_cobra\"\r\n        family = \"n/a\"\r\n        description = \"n/a\"\r\n    strings:\r\n        $ = {efcdab90}\r\n        $ = {558426fe}\r\n        $ = {7856b4c2}\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them\r\n}\r\nhidden_cobra_consolidated.yara\r\nrule lsfr_constants\r\n{\r\n    meta:\r\n        Author = \"NCCIC trusted 3rd party\"\r\n        Incident = \"10135536\"\r\n        Date = \"2018/04/19\"\r\n        category = \"hidden_cobra\"\r\n        family = \"n/a\"\r\n        description = \"n/a\"\r\n    strings:\r\n        $ = {efcdab90}\r\n        $ = {558426fe}\r\n        $ = {7856b4c2}\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them\r\n}\r\nhidden_cobra_consolidated.yara\r\nrule polarSSL_servernames\r\n{\r\n    meta:\r\n        Author = \"NCCIC trusted 3rd party\"\r\n        Incident = \"10135536\"\r\n        Date = \"2018/04/19\"\r\n        category = \"hidden_cobra\"\r\n        family = \"n/a\"\r\n        description = \"n/a\"\r\n    strings:\r\n        $polarSSL = \"fjiejffndxklfsdkfjsaadiepwn\"\r\n        $sn1 = \"www.google.com\"\r\n        $sn2 = \"www.naver.com\"\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*))\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-06-06 11:24:44-04:00\r\nImport Hash e395fbfa0104d0173b3c4fdd3debdceb\r\nCompany Name Kamsky Co,.Ltd\r\nFile Description Vote_Controller\r\nInternal Name MDL_170329_x86_V06Lv3\r\nLegal Copyright Copyright ⓒ 2017\r\nOriginal Filename Vote_Controller\r\nProduct Name Kamsky ColdFear\r\nProduct Version 17, 0, 0, 0\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n40d66d1a2f846d7c3bf291c604c9fca3 header 1024 2.628651\r\nd061ffec6721133c433386c96520bc55 .text 284160 5.999734\r\ncbbc6550dcbdcaf012bdbf758a377779 .rdata 38912 5.789426\r\nc83bcaab05056d5b84fc609f41eed210 .data 7680 3.105496\r\nb9fc36206883aa1902566b5d01c27473 .pdata 8704 5.319307\r\n1c1d46056b4cb4627a5f92112b7e09f7 .rsrc 4096 5.608168\r\n3baedaa3d6b6d6dc9fb0ec4f5c3b007c .reloc 2048 2.331154\r\nRelationships\r\n4a74a9fd40... Connected_To 21.252.107.198\r\n4a74a9fd40... Connected_To 70.224.36.194\r\n4a74a9fd40... Connected_To 113.114.117.122\r\n4a74a9fd40... Connected_To 47.206.4.145\r\n4a74a9fd40... Connected_To 84.49.242.125\r\n4a74a9fd40... Connected_To 26.165.218.44\r\n4a74a9fd40... Connected_To 137.139.135.151\r\n4a74a9fd40... Connected_To 97.90.44.200\r\n4a74a9fd40... Connected_To 128.200.115.228\r\n4a74a9fd40... Connected_To 186.169.2.237\r\nDescription\r\nThis artifact is a malicious 64-bit Windows dynamic library called 'Vote_Controller.dll'. 
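The polarSSL_servernames rule above keys on two hardcoded server names, www.google.com and www.naver.com, and the rdpproto.dll description notes that the implant opens its connections by sending SSL Client Hello packets to high ports. A Client Hello travels in the clear, so the server_name (SNI) it carries can be read off the wire and compared with where the packet is actually going. The Python below is an added example written for this page, not code from the report: build_client_hello() fabricates test packets (they are not captures of the malware), parse_sni() extracts the SNI, and assess() applies this example's own heuristic that a well-known decoy name sent to a port other than TCP/443 deserves a look.

```python
"""Added example (not from the CISA report): read the server_name (SNI) out
of a TLS ClientHello and flag the decoy names the polarSSL_servernames rule
keys on when they are sent somewhere other than TCP/443.

build_client_hello() fabricates test packets for this example; they are not
captures of the malware. The port heuristic in assess() is this example's
own, not a detection the report describes.
"""
import struct
from typing import Optional

DECOY_NAMES = {"www.google.com", "www.naver.com"}   # $sn1 / $sn2 in polarSSL_servernames


def build_client_hello(server_name: str, version: int = 0x0303) -> bytes:
    """Minimal ClientHello (TLS record + handshake) carrying one server_name extension."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host                  # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry   # type 0, ext len, list len
    body = (
        struct.pack("!H", version)                       # client_version
        + b"\x11" * 32                                   # client random (fixed filler)
        + b"\x00"                                        # empty session_id
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x2f"     # two cipher suites
        + b"\x01\x00"                                    # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext      # extensions block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body               # HandshakeType client_hello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake   # ContentType handshake


def parse_sni(record: bytes) -> Optional[str]:
    """host_name from the first server_name extension; None for anything that is
    not a well-formed ClientHello (truncated, wrong record type, no SNI)."""
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack_from("!H", record, 3)[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        hs_end = 4 + int.from_bytes(hs[1:4], "big")
        p = 4 + 2 + 32                                   # skip version + random
        p += 1 + hs[p]                                   # session_id
        p += 2 + struct.unpack_from("!H", hs, p)[0]      # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        if p >= hs_end:
            return None                                  # no extensions at all
        ext_end = p + 2 + struct.unpack_from("!H", hs, p)[0]
        p += 2
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", hs, p)
            p += 4
            if ext_type == 0:                            # server_name
                q = p + 2                                # skip server_name_list length
                name_type = hs[q]
                name_len = struct.unpack_from("!H", hs, q + 1)[0]
                if q + 3 + name_len > len(hs):
                    return None                          # name runs past the captured bytes
                if name_type == 0:
                    return hs[q + 3:q + 3 + name_len].decode("ascii")
            p += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def assess(dst_port: int, record: bytes) -> dict:
    """Verdict for one outbound ClientHello given the destination port."""
    sni = parse_sni(record)
    if sni is None:
        verdict = "no_sni"
    elif sni in DECOY_NAMES and dst_port != 443:
        verdict = "decoy_sni_nonstandard_port"
    else:
        verdict = "benign"
    return {"sni": sni, "dst_port": dst_port, "verdict": verdict}


if __name__ == "__main__":
    # Constructed flows: decoy names to two of the high ports listed in the report, and normal HTTPS.
    for port, name in ((37120, "www.google.com"), (443, "www.google.com"), (65292, "www.naver.com")):
        print(assess(port, build_client_hello(name)))
```

The parser returns None rather than raising on malformed or truncated input so it can sit in a packet-processing loop; a verdict of "no_sni" on a high-port flow is itself worth a second look, since the sample's TLS library would otherwise always send one of the two decoy names. The next step in a real deployment is to resolve the decoy names and compare the answers with the destination address, which this offline example deliberately leaves out.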
The file shares similar functionality\r\nwith 'rdpproto.dll' above, and attempts to connect to the same ten IP addresses.\r\n42682D4A78FE5C2EDA988185A344637D also contains the same public SSL certificate as many of the artifacts above.\r\nThe file contains the following notable strings:\r\n---Begin Notable Strings---\r\nCompanyName\r\nKamsky Co, .Ltd\r\nFileDescription\r\nVote_Controller\r\nFileVersion\r\n49, 0, 0, 0\r\nInternalName\r\nMDL_170329_x86_V06Lv3\r\nLegalCopyright\r\nCopyright\r\n2017\r\nLegalTrademarks\r\nOriginalFileName\r\nVote_Controller\r\nPrivateBuild\r\nProductName\r\nKamsky ColdFear\r\nProductVersion\r\n17, 0, 0, 0\r\n---End Notable Strings---\r\n83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a\r\nDetails\r\nName 3021B9EF74C7BDDF59656A035F94FD08\r\nName 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a\r\nSize 245760 bytes\r\nType PE32+ executable (DLL) (console) x86-64, for MS Windows\r\nMD5 3021b9ef74c7bddf59656a035f94fd08\r\nSHA1 05ad5f346d0282e43360965373eb2a8d39735137\r\nSHA256 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a\r\nSHA512 f8fcc5ed34b7bf144fc708d01d9685f0cb2e678c173d014987d6ecbf4a7c3ed539452819237173a2ab14609a913cf46c3bd618cffe7b5990c6\r\nssdeep 6144:4+ZmN/ix9bd+Rvze6lxjWV346vze6lpjWV34Evze6lSjWV34avze6lkjWV34z5FT:4+ZmN/ix9b8Rvze6lxjWV346vze6lpjn\r\nEntropy 5.933390\r\nAntivirus\r\nNo matches found.\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule crypt_constants_2\r\n{\r\n    meta:\r\n        Author = \"NCCIC trusted 3rd party\"\r\n        Incident = \"10135536\"\r\n        Date = \"2018/04/19\"\r\n        category = \"hidden_cobra\"\r\n        family = \"n/a\"\r\n        description = \"n/a\"\r\n    strings:\r\n        $ = {efcdab90}\r\n        $ = {558426fe}\r\n        $ = {7856b4c2}\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them\r\n}\r\nhidden_cobra_consolidated.yara\r\nrule lsfr_constants\r\n{\r\n    meta:\r\n        Author = \"NCCIC trusted 3rd party\"\r\n        Incident = \"10135536\"\r\n        Date = \"2018/04/19\"\r\n        category = \"hidden_cobra\"\r\n        family = \"n/a\"\r\n        description = \"n/a\"\r\n    strings:\r\n        $ = {efcdab90}\r\n        $ = {558426fe}\r\n        $ = {7856b4c2}\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them\r\n}\r\nhidden_cobra_consolidated.yara\r\nrule polarSSL_servernames\r\n{\r\n    meta:\r\n        Author = \"NCCIC trusted 3rd party\"\r\n        Incident = \"10135536\"\r\n        Date = \"2018/04/19\"\r\n        category = \"hidden_cobra\"\r\n        family = \"n/a\"\r\n        description = \"n/a\"\r\n    strings:\r\n        $polarSSL = \"fjiejffndxklfsdkfjsaadiepwn\"\r\n        $sn1 = \"www.google.com\"\r\n        $sn2 = \"www.naver.com\"\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*))\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-05-16 02:44:21-04:00\r\nImport Hash ca767ccbffbed559cbe77c923e3af1f8\r\nCompany Name Kamsky Co,.Ltd\r\nFile Description Vote_Controller\r\nInternal Name MDL_170329_x86_V06Lv3\r\nLegal Copyright Copyright ⓒ 2017\r\nOriginal Filename Vote_Controller\r\nProduct Name Kamsky ColdFear\r\nProduct Version 17, 0, 0, 0\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n83ec15e3cf335f784144db4208b328c9 header 1024 2.790421\r\n036c57e89ea3a6afa819c242c5816b70 .text 206848 5.688491\r\n4812d2f39e9a8ae569370d423ba31344 .rdata 26112 6.000116\r\ncb41e8f63b7c22c401a0634cb4fe1909 .data 2048 4.748331\r\n3cc7651747904bfe94ed18f44354a706 .pdata 5120 4.962073\r\n9e92c54604ea67e76210c3c914e9608c .rsrc 4096 5.606351\r\n71dcfb1ec7257ee58dcc20cafb0be691 .reloc 512 0.673424\r\nRelationships\r\n83228075a6... Connected_To 112.175.92.57\r\nDescription\r\nThis artifact is a 64-bit Windows dynamic library that shares many of the same characteristics, and the same name\r\n(Vote_Controller.dll), as 42682D4A78FE5C2EDA988185A344637D above.\r\nWhen this library is loaded it looks for the file 'udbcgiut.dat' in C:\\WINDOWS. 
If 'udbcgiut.dat' is not found, the file will\r\nattempt connections to the same ten IP addresses described under 'rdpproto.dll' above.\r\nOne notable difference with this variant is that it uses the Windows Management Instrumentation (WMI) process to\r\nrecompile the Managed Object Format (MOF) files in the WMI repository. At runtime, the malware will enumerate the\r\ndrivers located in the registry at HKLM\\Software\\WBEM\\WDM.\r\nThese files are then recompiled by invoking wmiprvse.exe through svchost.exe:\r\n\"C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding\".\r\nMOF files are written in a SQL-like language and are run (compiled) by the operating system when a predetermined event\r\ntakes place. Recent malware variants have been observed modifying the MOF files within the system registry to run specific\r\ncommands and create persistence on the system.\r\nOf note, the paravirtual SCSI driver for VMWare Tools is also located in HKLM\\Software\\WBEM\\WDM within a virtual\r\nimage. When this driver is recompiled by the malware, VMWare Tools no longer works. 
It cannot be determined if this is an\r\nintentional characteristic of the malware to hinder analysis, or simply a symptom of the method used to establish persistence.\r\n70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\nTags\r\ntrojan\r\nDetails\r\nName 61E3571B8D9B2E9CCFADC3DDE10FB6E1\r\nSize 258052 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 61e3571b8d9b2e9ccfadc3dde10fb6e1\r\nSHA1 55daa1fca210ebf66b1a1d2db1aa3373b06da680\r\nSHA256 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\nSHA512 235f7b920f54c4d316386cbf6cc14db1929029e8053270e730be15acc8e9f333231d2d984681bea26013a1d1cf4670528ba0989337be13ad\r\nssdeep 6144:d71TKN7LBHvS+bujAfrsxwkm1Ka5l7gTtJUGx:dxKHPuj8WR0K6VgTtZx\r\nEntropy 7.829590\r\nAntivirus\r\nBitDefender Dropped:Trojan.GenericKD.30867638\r\nESET a variant of Win32/NukeSped.AI trojan\r\nEmsisoft Dropped:Trojan.GenericKD.30867638 (B)\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule crypt_constants_2 { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $ = {efcdab90} $ = {558426fe} $ = {7856b4c2}\r\ncondition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of\r\nthem }\r\nhidden_cobra_consolidated.yara\r\nrule lsfr_constants { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $ = {efcdab90} $ = {558426fe} $ = {7856b4c2}\r\ncondition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of\r\nthem }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2016-08-23 00:19:59-04:00\r\nImport Hash 8e253f83371d82907ff72f57257e3810\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n84f39a6860555231d60a55c72d07bc5e header 4096 
0.586304\r\n649c24790b60bda1cf2a85516bfc7fa0 .text 24576 5.983290\r\nfbd6ca444ef8c0667aed75820cc99dce .rdata 4096 3.520964\r\n0ecb4bcb0a1ef1bf8ea4157fabdd7357 .data 4096 3.988157\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n70034b33f5... Dropped cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f\r\n70034b33f5... Dropped 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\n70034b33f5... Dropped 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7\r\n70034b33f5... Connected_To 81.94.192.147\r\n70034b33f5... Connected_To 112.175.92.57\r\n70034b33f5... Connected_To 181.39.135.126\r\n70034b33f5... Connected_To 197.211.212.59\r\n70034b33f5... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\nDescription\r\nThis artifact is a malicious PE32 executable. When executed, the artifact sets up the service, 'Network UDP Trace\r\nManagement Service'.\r\nTo set up the service, the program drops a dynamic library, 'UDPTrcSvc.dll' into the %System32% directory.\r\nNext, the following registry keys are added:\r\n---Begin Registry Keys---\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\UDPTrcSvc Name: Type Value: 20\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\UDPTrcSvc Name: Start Value: 02\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\UDPTrcSvc Name: ImagePath Value:\r\n\"%SystemRoot%\\System32\\svchost.exe -k mdnetuse\"\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\UDPTrcSvc Name: DisplayName Value: \"Network UDP Trace Management\r\nService\"\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\UDPTrcSvc Name: ObjectName Value: \"LocalSystem\"\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\UDPTrcSvc\\Parameters Name: ServiceDll Value:\r\n\"%SystemRoot%\\System32\\svchost.exe -k mdnetuse\"\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\\mdnetuse\r\n---End Registry Keys---\r\nThe service is started by invoking svchost.exe.\r\nAfter writing 'UDPTrcSvc.dll' to disk, the program drops two additional 
files. Similar to\r\n5C3898AC7670DA30CF0B22075F3E8ED6 above, the program writes the file 'udbcgiut.dat' to the victim's profile at\r\n%AppData/Local/Temp%. A second file is written to the victim's profile in the %AppData/Local/VirtualStore/Windows%\r\ndirectory and identified as 'MSDFMAPI.INI'. 'MSDFMAPI.INI' is also written to C:\\WINDOWS. More information on the\r\ncontent of these files is below.\r\n61E3571B8D9B2E9CCFADC3DDE10FB6E1 attempts the same outbound connections as\r\n5C3898AC7670DA30CF0B22075F3E8ED6; however, the file does not contain any of the public SSL certificates referenced\r\nabove.\r\ncd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f\r\nTags\r\nbackdoor\r\ntrojan\r\nDetails\r\nName UDPTrcSvc.dll\r\nSize 221184 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 0893e206274cb98189d51a284c2a8c83\r\nSHA1 d1f4cf4250e7ba186c1d0c6d8876f5a644f457a4\r\nSHA256 cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f\r\nSHA512 8042356ff8dc69fa84f2de10a4c34685c3ffa798d5520382d4fbcdcb43ae17e403a208be9891cca6cf2bc297f767229a57f746ca834f6b79056\r\nssdeep 3072:WsyjTzEvLFOL8AqCiueLt1VFu9+zcSywy0mcj90nSJ5NatCmtWwNQLK:W/zEvLFOLdq9uebdSwHN9n5wtkwNwK\r\nEntropy 6.359677\r\nAntivirus\r\nAhnlab Backdoor/Win32.Akdoor\r\nAntiy Trojan/Win32.AGeneric\r\nAvira TR/NukeSped.davct\r\nBitDefender Trojan.GenericKD.30867638\r\nESET Win32/NukeSped.AI trojan\r\nEmsisoft Trojan.GenericKD.30867638 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 005329311 )\r\nNANOAV Trojan.Win32.NukeSped.fcodob\r\nSystweak malware.gen-ra\r\nTrendMicro TROJ_FR.8F37E76D\r\nTrendMicro House Call TROJ_FR.8F37E76D\r\nVirusBlokAda Trojan.Tiggre\r\nZillya! 
Trojan.NukeSped.Win32.73\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule crypt_constants_2 { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $ = {efcdab90} $ = {558426fe} $ = {7856b4c2}\r\ncondition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of\r\nthem }\r\nhidden_cobra_consolidated.yara\r\nrule lsfr_constants { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $ = {efcdab90} $ = {558426fe} $ = {7856b4c2}\r\ncondition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of\r\nthem }\r\nhidden_cobra_consolidated.yara\r\nrule polarSSL_servernames { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $polarSSL = \"fjiejffndxklfsdkfjsaadiepwn\" $sn1\r\n= \"www.google.com\" $sn2 = \"www.naver.com\" condition: (uint16(0) == 0x5A4D\r\nand uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2016-08-23 00:23:04-04:00\r\nImport Hash 30d3466536de2b423897a3c8992ef999\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nd37b95aa17fa132415b37ec777f439ff header 4096 0.709908\r\nbadbc93c35554aec904ab0c34f05fbe0 .text 180224 6.295472\r\n64f7a9cafdad34003aba4547bba0e25b .rdata 16384 6.372911\r\nc792eb0c57577f4f3649775cbf32b253 .data 12288 3.996008\r\n8791f715ae89ffe2c7d832c1be821edc .reloc 8192 5.154376\r\nRelationships\r\ncd5ff67ff7... Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\nDescription\r\nThis artifact is a malicious 32-bit Windows dynamic library. 
'UDPTrcSvc.dll' is identified as the 'Network UDP Trace\r\nManagement Service'. The following description is provided:\r\n---Begin Service Description---\r\nNetwork UDP Trace Management Service Hosts TourSvc Tracing. If this service is stopped, notifications of network trace\r\nwill no longer function and there might not be access to service functions. If this service is disabled, notifications of and\r\nmonitoring to network state will no longer function.\r\n---End Service Description---\r\nThe service is invoked with the command, 'C:\\Windows\\System32\\svchost.exe -k mdnetuse'.\r\nWhen the service is run, a modification to the system firewall is attempted: 'cmd.exe /c netsh firewall add portopening TCP 0\r\n\"adp\"'.\r\nUnlike many of the files listed above that use a public certificate from naver.com, 'UDPTrcSvc.dll' uses a public SSL\r\ncertificate from google.com.\r\n96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7\r\nTags\r\ntrojan\r\nDetails\r\nName MSDFMAPI.INI\r\nSize 2 bytes\r\nType data\r\nMD5 c4103f122d27677c9db144cae1394a66\r\nSHA1 1489f923c4dca729178b3e3233458550d8dddf29\r\nSHA256 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7\r\nSHA512 5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d7\r\nssdeep 3::\r\nEntropy 0.000000\r\nAntivirus\r\nNetGate Trojan.Win32.Malware\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\n100 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479\r\nRelationships\r\n96a296d224... Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n96a296d224... Dropped_By 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\nDescription\r\n'MSDFMAPI.INI' is written to C:\\WINDOWS and to %UserProfile\\AppData\\Local\\VirtualStore\\Windows%. During\r\nanalysis, two NULL characters were written to the file. 
The purpose of the file has not been determined.\r\nd77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39\r\nDetails\r\nName F8D26F2B8DD2AC4889597E1F2FD1F248\r\nName d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39\r\nSize 456241 bytes\r\nType data\r\nMD5 f8d26f2b8dd2ac4889597e1f2fd1f248\r\nSHA1 dd132f76a4aff9862923d6a10e54dca26f26b1b4\r\nSHA256 d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39\r\nSHA512 34f8d10ebcab6f10c5140e94cf858761e9fa2e075db971b8e49c7334e1d55237f844ed6cf8ce735e984203f58d6b5032813b55e29a59af4bff\r\nssdeep 12288:MG31DF/ubokxmgF8JsVusikiWxdj3tIQLYe:NlI0UV0ou1kiWvm4Ye\r\nEntropy 7.999350\r\nAntivirus\r\nNo matches found.\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis artifact contains a public SSL certificate from naver.com similar to the one found in many of the files above. The payload of the\r\nfile appears to be encoded with a password or key. No context was provided with the file's submission.\r\nRelationship Summary\r\n2151c1977b... Connected_To 81.94.192.147\r\n2151c1977b... Connected_To 112.175.92.57\r\n2151c1977b... Related_To 181.39.135.126\r\n2151c1977b... Related_To 197.211.212.59\r\n2151c1977b... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\n2151c1977b... 
Dropped 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7\r\n197.211.212.59 Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n197.211.212.59 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n197.211.212.59 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n181.39.135.126 Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n181.39.135.126 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n181.39.135.126 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n112.175.92.57 Connected_From 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n112.175.92.57 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n112.175.92.57 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n112.175.92.57 Connected_From 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a\r\n81.94.192.147 Connected_From 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n81.94.192.147 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n81.94.192.147 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n70902623c9... Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n70902623c9... Related_To ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n70902623c9... Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n70902623c9... Related_To 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n70902623c9... Related_To 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d\r\nddea408e17... Connected_To 81.94.192.147\r\nddea408e17... Connected_To 112.175.92.57\r\nddea408e17... Connected_To 181.39.135.126\r\nddea408e17... Connected_To 197.211.212.59\r\nddea408e17... 
Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\nddea408e17... Connected_To 81.94.192.10\r\n81.94.192.10 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n12480585e0... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\n12480585e0... Dropped 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n49757cf856... Dropped_By 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d\r\n49757cf856... Connected_To 21.252.107.198\r\n49757cf856... Connected_To 70.224.36.194\r\n49757cf856... Connected_To 113.114.117.122\r\n49757cf856... Connected_To 47.206.4.145\r\n49757cf856... Connected_To 84.49.242.125\r\n49757cf856... Connected_To 26.165.218.44\r\n49757cf856... Connected_To 137.139.135.151\r\n49757cf856... Connected_To 97.90.44.200\r\n49757cf856... Connected_To 128.200.115.228\r\n49757cf856... Connected_To 186.169.2.237\r\n21.252.107.198 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n21.252.107.198 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n70.224.36.194 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n70.224.36.194 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n113.114.117.122 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n113.114.117.122 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n47.206.4.145 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n47.206.4.145 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n84.49.242.125 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n84.49.242.125 Connected_From 
49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n26.165.218.44 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n26.165.218.44 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n137.139.135.151 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n137.139.135.151 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n97.90.44.200 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n97.90.44.200 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n128.200.115.228 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n128.200.115.228 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n186.169.2.237 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n186.169.2.237 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n4a74a9fd40... Connected_To 21.252.107.198\r\n4a74a9fd40... Connected_To 70.224.36.194\r\n4a74a9fd40... Connected_To 113.114.117.122\r\n4a74a9fd40... Connected_To 47.206.4.145\r\n4a74a9fd40... Connected_To 84.49.242.125\r\n4a74a9fd40... Connected_To 26.165.218.44\r\n4a74a9fd40... Connected_To 137.139.135.151\r\n4a74a9fd40... Connected_To 97.90.44.200\r\n4a74a9fd40... Connected_To 128.200.115.228\r\n4a74a9fd40... Connected_To 186.169.2.237\r\n83228075a6... Connected_To 112.175.92.57\r\n70034b33f5... Dropped cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f\r\n70034b33f5... Dropped 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\n70034b33f5... Dropped 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7\r\n70034b33f5... Connected_To 81.94.192.147\r\n70034b33f5... Connected_To 112.175.92.57\r\n70034b33f5... 
Connected_To 181.39.135.126\r\n70034b33f5... Connected_To 197.211.212.59\r\n70034b33f5... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\ncd5ff67ff7... Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n96a296d224... Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n96a296d224... Dropped_By 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\nRecommendations\r\nCISA would like to remind users and administrators to consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to execution.\r\nMaintain situational awareness of the latest threats and implement appropriate ACLs.\r\nAdditional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83,\r\nGuide to Malware Incident Prevention \u0026 Handling for Desktops and Laptops.\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact US-CERT and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact US-CERT and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? 
This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to CISA at 1-844-Say-CISA or contact@mail.cisa.dhs.gov.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA/US-CERT's homepage at www.us-cert.gov.\r\nSource: https://www.us-cert.gov/ncas/analysis-reports/AR19-100A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"
	],
	"report_names": [
		"AR19-100A"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434701,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0118358b3808e3512210a65c52943ccea90da96a.pdf",
		"text": "https://archive.orkl.eu/0118358b3808e3512210a65c52943ccea90da96a.txt",
		"img": "https://archive.orkl.eu/0118358b3808e3512210a65c52943ccea90da96a.jpg"
	}
}