{
	"id": "09267763-f7d3-4a1f-be75-9d883523f7c9",
	"created_at": "2026-04-06T00:11:25.682219Z",
	"updated_at": "2026-04-10T03:38:19.270306Z",
	"deleted_at": null,
	"sha1_hash": "3018f2c572324583cf1c7d439c85671ee9ab51a0",
	"title": "MAR-10135536-8 – North Korean Trojan: HOPLIGHT | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 258883,
	"plain_text": "MAR-10135536-8 – North Korean Trojan: HOPLIGHT | CISA\r\nPublished: 2019-10-31 · Archived: 2026-04-05 18:08:07 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS), the\r\nFederal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners,\r\nDHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has\r\nbeen identified as HOPLIGHT. The U.S. Government refers to malicious cyber activity by the North Korean government as\r\nHIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.\r\nDHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government\r\nmalicious cyber activity.\r\nThis MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended\r\nmitigation techniques. 
Users or administrators should flag activity associated with the malware and report the activity to the\r\nCybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the\r\nhighest priority for enhanced mitigation.\r\nThis report provides analysis of twenty malicious executable files. Sixteen of these files are proxy applications that mask\r\ntraffic between the malware and the remote operators. The proxies have the ability to generate fake TLS handshake sessions\r\nusing valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public\r\nSSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain\r\nany of the public SSL certificates, but attempts outbound connections and drops four files. The dropped files primarily\r\ncontain IP addresses and SSL certificates.\r\nFor a downloadable copy of IOCs, see:\r\nMAR-10135536-8.v2.stix\r\nSubmitted Files (20)\r\n05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461 (23E27E5482E3F55BF828DAB8855690...)\r\n0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571 (34E56056E5741F33D823859E77235E...)\r\n084b21bc32ee19af98f85aee8204a148032ce7eabef668481b919195dd62b319 (170A55F7C0448F1741E60B01DCEC9C...)\r\n12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d (868036E102DF4CE414B0E6700825B3...)\r\n1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676 (07D2B057D2385A4CDF413E8D342305...)\r\n2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525 (5C3898AC7670DA30CF0B22075F3E8E...)\r\n32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11 (38FC56965DCCD18F39F8A945F6EBC4...)\r\n4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761 (42682D4A78FE5C2EDA988185A34463...)\r\n4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818 
(C5DC53A540ABE95E02008A04A0D56D...)\r\n70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3 (61E3571B8D9B2E9CCFADC3DDE10FB6...)\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 1 of 66\n\n73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33\r\n(3EDCE4D49A2F31B8BA9BAD0B8EF549...)\r\n83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a (3021B9EF74c\u0026BDDF59656A035F94FD...)\r\n8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520\r\n(5C0C1B4C3B1CFD455AC05ACE994AED...)\r\nb05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9 (2FF1688FE866EC2871169197F9D469...)\r\nb9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101 (2A791769AA73AC757F210F8546125B...)\r\nc66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8 (E4ED26D5E2A84CC5E48D285E4EA898...)\r\nd77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39 (F8D26F2B8DD2AC4889597E1F2FD1F2...)\r\nddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d (BE588CD29B9DC6F8CFC4D0AA5E5C79...)\r\nf8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03 (D2DA675A8ADFEF9D0C146154084FFF...)\r\nfe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5 (F315BE41D9765D69AD60F0B4D29E43...)\r\nAdditional Files (4)\r\n49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359 (rdpproto.dll)\r\n70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289 (udbcgiut.dat)\r\n96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7 (MSDFMAPI.INI)\r\ncd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f (UDPTrcSvc.dll)\r\nIPs 
(22)\r\n112.175.92.57\r\n113.114.117.122\r\n117.239.241.2\r\n119.18.230.253\r\n128.200.115.228\r\n137.139.135.151\r\n14.140.116.172\r\n181.39.135.126\r\n186.169.2.237\r\n195.158.234.60\r\n197.211.212.59\r\n21.252.107.198\r\n210.137.6.37\r\n218.255.24.226\r\n221.138.17.152\r\n26.165.218.44\r\n47.206.4.145\r\n70.224.36.194\r\n81.94.192.10\r\n81.94.192.147\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 2 of 66\n\n84.49.242.125\r\n97.90.44.200\r\nFindings\r\n05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461\r\nTags\r\ntrojan\r\nDetails\r\nName 23E27E5482E3F55BF828DAB885569033\r\nSize 242688 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 23e27e5482e3f55bf828dab885569033\r\nSHA1 139b25e1ae32a8768238935a8c878bfbe2f89ef4\r\nSHA256 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461\r\nSHA512 2c481ef42dfc9a7a30575293d09a6f81943e307836ec5b8a346354ab5832c15046dd4015a65201311e33f944763fc55dd44fbe390245be5be\r\nssdeep 6144:YnDlYMzUvLFOL9wqk6+pqC8iooIBgajvQlm/Z0cp1:alYiXiooIKajvQeZ3\r\nEntropy 6.537337\r\nAntivirus\r\nAhnlab Trojan/Win32.Generic\r\nAntiy Trojan/Win32.Casdet\r\nAvira TR/NukeSped.uxivj\r\nBitDefender Trojan.GenericKD.41198265\r\nCyren W32/Trojan.LXQN-3818\r\nESET a variant of Win32/NukeSped.AI trojan\r\nEmsisoft Trojan.GenericKD.41198265 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 005329311 )\r\nMcAfee Trojan-Hoplight\r\nMicrosoft Security Essentials Trojan:Win32/Hoplight\r\nQuick Heal Trojan.Hoplight.S5793599\r\nSophos Troj/Hoplight-C\r\nSymantec Trojan.Hoplight\r\nTrendMicro Trojan.55DEE3DA\r\nTrendMicro House Call Trojan.55DEE3DA\r\nVirusBlokAda Trojan.Casdet\r\nYara Rules\r\nhidden_cobra_consolidated.yara rule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 3 of 66\n\nDescription = \"Detects polarSSL certificates\" 
strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-06-05 21:57:29-04:00\r\nImport Hash ff390ec082b48263a3946814ea18ba46\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nc06924120c87e2cb79505e4ab0c2e192 header 1024 2.542817\r\n3368eda2d5820605a055596c7c438f0f .text 197120 6.441545\r\nec1f06839fa9bc10ad8e183b6bf7c1b5 .rdata 27136 5.956914\r\n1e62b7d9f7cc48162e0651f7de314c8a .data 8192 4.147893\r\n980effd28a6c674865537f313318733a .rsrc 512 5.090362\r\n696fd5cac6e744f336e8ab68a4708fcf .reloc 8704 5.247502\r\nPackers/Compilers/Cryptors\r\nDescription\r\nThis artifact is a malicious 32-bit Windows executable. When executed the malware will collect system information about\r\nthe victim machine including OS Version, Volume Information, and System Time, as well as enumerate the system drives\r\nand partitions.\r\nThe malware is capable of the following functions:\r\n---Begin Malware Capability---\r\nRead, Write, and Move Files\r\nEnumerate System Drives\r\nCreate and Terminate Processes\r\nInject into Running Processes\r\nCreate, Start and Stop Services\r\nModify Registry Settings\r\nConnect to a Remote Host\r\nUpload and Download Files\r\n---End Malware Capability---\r\nThe malware family has 2 versions. Both are nearly identical in functionality but use slightly different command codes. 
So if\r\nthe opcode for KeepAlive in version 1 is 0xB6C1, the opcode in version 2 will be 0xB6C2.\r\nThere may be some versions of the malware that have limited/additional functionality, but most will have these command\r\ncodes:\r\n---Begin Version 1 Command Codes---\r\n0xB6A4 GetComputerInfo\r\n   -Gets OS Version\r\n   -Opens and sends back multiple registry keys\r\n       Keys are encrypted in the actual binary using RC4 with a 16-byte key (af 3d 78    23 4a 79 92 81 9d 7f 20 47 ad e3 f2 b3).\r\nKeys are decrypted prior to calling RegOpenKey/RegQueryValue.\r\n   -Calls GetSystemInfo, returns results of a SYSTEM_INFO struct\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 4 of 66\n\n-Calls GetSystemMetrics and returns results\r\n0xB6A5 GetDrivesInfo\r\n   -Gets info about different drives/share drives on the system as well as memory available/memory used on those drives\r\n0xB6A6 Directorylist\r\n   -Gives a list of all files in a directory that is specified by the C2\r\n0xB6A7 SendFile\r\n   -Sends a file from the victim machine to the C2 that is specified by the C2\r\n0xB6A8 ReceiveFile\r\n   -Victim machine receives a file from the C2\r\n0xB6A9 CreateProcess\r\n   -Calls CreateProcessW to run a process via the command line. C2 specifies the path of the file to be run via command line.\r\n0xB6AA EnableLogging\r\n   -Prior to victim and C2 closing out a connection the victim will spawn a new thread that will compile a comprehensive log\r\nof system/session information. Inside this thread it opens a file that is named randomly and places it in the temp directory. It\r\nputs all the log results into this file.\r\n0xB6AB Deletefile\r\n   -Deletes the file specified by the C2.\r\n0xB6AC RunCmdPipe\r\n   -Runs CreateProcessW to run a process via the command line. The process will be cmd.exe and the arguments will be the\r\nWindows cmd command that the C2 specifies. 
The results of this command will be sent to a temporary file and then read\r\nback to the C2 from that file. Afterwards, that file is deleted.\r\n0xB6AD Processlist\r\n   -Gets a list of processes\r\n0xB6AE KillProcess\r\n   -Kills a process based on the PID that the C2 supplies.\r\n0xB6AF TestEncryption\r\n   -Tests LFSR encryption, no real functionality\r\n0xB6B0 Uninstall\r\n   -Uninstalls the implant from the victim box\r\n0xB6B2 GetConfig\r\n   -Gets the current callback config file from memory, returns the list to C2. There are 10 IP options in this config.\r\n0xB6B3 SetConfig\r\n   -Gets the current callback config file from memory, allows C2 to change the configurations. This will change the beacon\r\nIP to whatever the C2 wants.\r\n0xB6B4 SetCurrentDirectory\r\n   -Changes current working directory to the path supplied by C2\r\n0xB6B5 GetCurrentDirectory\r\n   -Gets the current working directory and returns it to the C2\r\n0xB6C1 KeepAlive\r\n   -C2 sends this as a keep-alive to the victim; the victim responds with confirmation that it received the keep-alive and keeps\r\nthe session open\r\n---End Version 1 Command Codes---\r\nThe malware is capable of opening and binding to a socket. The malware uses a public SSL certificate for secure\r\ncommunication. This certificate is from www.naver.com. Naver.com is the largest search engine in Korea and provides a\r\nvariety of web services to clients around the world.\r\nThe malware uses the default certificates/private keys that come with PolarSSL. These are generally used for testing\r\npurposes only. Additionally, the C2 IPs that act as the server for the TLS handshake require the malware to respond back\r\nwith a client key. 
This key is also a default key found within the PolarSSL libraries.\r\n---Begin SSL Certificate Header---\r\n1 0     UNL10U\r\nPolarSSL10UPolarSSL Test CA0\r\n110212144407Z\r\n2102121144407Z0\u003c1 0 UNL10U\r\nPolarSSL10UPolarSSL Client 200\r\n---End SSL Certificate Header---\r\nWhen executed, the malware will attempt a TLS Handshake with one of four hardcoded IP addresses embedded in the\r\nmalware. These IP addresses are referenced in 'udbcgiut.dat' below. The malware also contains an embedded Zlib\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 5 of 66\n\ncompression library that appears to further obfuscate the communications payload.\r\nAfter the TLS authentication is completed this particular malware does NOT use the session key that is generated via TLS. It\r\nuses a custom Linear Feedback Shift Register (LFSR) encryption scheme to encrypt all communications after the\r\ncompletion of the handshake. A python script to decrypt traffic is given below:\r\n---Begin LFSR Decryption Script---\r\nclass lfsr:\r\n   def _init_(self):\r\n       self.b = (0, 0, 0, 0)\r\n       self.data = b\"\r\n       self.L= 0\r\n   def lfsr_init(self, data):\r\n       self.L = len(data)\r\n       self.data = data\r\n       self.b[0] = 0\r\n       self.b[1] = 0xc2b45678\r\n       self.b[2] = 0x90abcdef\r\n       self.b[3] = 0xfe268455\r\n   for i in range(int(self.L / 3)):\r\n       self.b[1] ^= self.b[2]\r\n       self.b[2] ^= self.b[3]\r\n       self.b[3] ^= self.b[1]\r\n   for i in range{self.L % 3):\r\n       self.b[1] |= self.b[2]\r\n       self.b[2] |= self.b[3]\r\n       self.b[3] |= self.b[1]\r\n    def lfsr_1(self):\r\n       r = 0\r\n       if (self.b[1] \u0026 0x200) == 0x200:\r\n           r += 1\r\n       if (self.b[2] \u0026 0x800) == 0x800:\r\n           r += 1\r\n       if (self.b[3] \u0026 0x800) == 0x800:\r\n           r += 1\r\n       if r \u003c= 1:\r\n           self.b[0] = 1\r\n       else:\r\n           self.b[0] = 0\r\n   def 
lfsr_2(self):\r\n       v1 = self.b[1]\r\n       r = (self.b[1] \u003e\u003e 9) \u0026 1\r\n       v3 = r == self.b[0]\r\n       self.b[0] ^= r\r\n       if not v3:\r\n           r = (v1 ^ ((v1 ^ (( v1 ^ (v1 \u003e\u003e 1)) \u003e\u003e 1)) \u003e\u003e 3)) \u003e\u003e 13\r\n           v4 = 2 * (v1 \u0026 0x3ffff)\r\n           self.b[1] = v4\r\n           if (r \u0026 1):\r\n               self.b[1] = v4 ^ 1\r\n   def lfsr_3(self):\r\n       v1 = self.b[2]\r\n       r = (self.b[2] \u003e\u003e 11) \u0026 1\r\n       v3 = r == self.b[0]\r\n       self.b[0] ^= r\r\n       if not v3:\r\n           r = (v1 ^ ((v1 ^ ((v1 ^ (v1 \u003e\u003e 1)) \u003e\u003e 4)) \u003e\u003e 4)) \u003e\u003e 12\r\n           v4 = 2 * (v1 \u0026 0x1fffff)\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 6 of 66\n\nself.b[2] = v4\r\n           if (r \u0026 1):\r\n               self.b[2] = v4 ^ 1\r\n   def lfsr 4(self):\r\n       v1 = self.b[3]\r\n       r = (self.b[3] \u003e\u003e 11) \u0026 1\r\n       v3 = r == self.b[0]\r\n       self.b[0] ^= r\r\n       if not v3:\r\n           r = (v1 ^ ((v1 ^ ((v1 ^ (v1 \u003e\u003e 1)) \u003e\u003e 3)) \u003e\u003e 1)) \u003e\u003e 17\r\n           v4 = 2 * (v1 \u0026 0x3fffff)\r\n           self.b[3] = v4\r\n           if (r \u0026 1):\r\n               self.b[3] = v4 ^ 1\r\n   def lfsr_genKeyByte(self):\r\n       self.lfsr_1()\r\n       self.lfsr_2()\r\n       self.lfsr_3()\r\n       self.lfsr_4()\r\n       v2 = self.b[1] ^ self.b[2] ^ self.b[3]\r\n       r = (v2 \u003e\u003e 0x18) ^ (v2 \u003e\u003e 0x10) ^ (v2 \u003e\u003e 0x8) ^ v2\r\n       r \u0026= 0xff\r\n       return r\r\n   def crypt(self):\r\n       r= b\"\r\n       for i in range(len(self.data)):\r\n           k = self.lfsr_genKeyByte()\r\n           r += bytes([self.data[i] ^ k])\r\n       return r\r\n---End LFSR Decryption Script---\r\nThe following notable strings have been linked to the use of the SSL certificates and can be used to identify the 
malware:\r\n---Begin Notable Strings---\r\nfjiejffndxklfsdkfjsaadiepwn\r\nofuierfsdkljffjoiejftyuir\r\nreykfgkodfgkfdskgdfogpdokgsdfpg\r\nztretrtireotreotieroptkierert\r\netudjfirejer\r\nyrty\r\nuiyy\r\nuiyiyj lildvucv\r\nerfdfe poiiumwq\r\n---End Notable Strings---\r\nThe next four artifacts contain identical characteristics as those described above. Therefore, only capability that is unique\r\nwill be described for the following four artifacts.\r\n2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\nTags\r\ntrojan\r\nDetails\r\nName 5C3898AC7670DA30CF0B22075F3E8ED6\r\nSize 221184 bytes\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 7 of 66\n\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 5c3898ac7670da30cf0b22075f3e8ed6\r\nSHA1 91110c569a48b3ba92d771c5666a05781fdd6a57\r\nSHA256 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\nSHA512 700ec4d923cf0090f4428ac3d4d205b551c3e48368cf90d37f9831d8a57e73c73eb507d1731662321c723362c9318c3f019716991073dc9a4\r\nssdeep 3072:nKBzqEHcJw0sqz7vLFOLBAqui1mqLK1VaU9BzNRyHmdMaF0QqWN0Qjpthmu:nKg0cJ19z7vLFOLSqp0q7syHeFhnhm\r\nEntropy 6.346504\r\nAntivirus\r\nAhnlab Trojan/Win32.Generic\r\nAntiy Trojan/Win32.NukeSped\r\nAvira TR/NukeSped.bqdkh\r\nBitDefender Trojan.GenericKD.41198269\r\nCyren W32/Trojan.MYIL-1461\r\nESET a variant of Win32/NukeSped.AI trojan\r\nEmsisoft Trojan.GenericKD.41198269 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 005329311 )\r\nMcAfee Trojan-Hoplight\r\nMicrosoft Security Essentials Trojan:Win32/Hoplight\r\nQuick Heal Trojan.Hoplight.S5774771\r\nSophos Troj/Hoplight-C\r\nSymantec Trojan.Hoplight\r\nTrendMicro Trojan.55DEE3DA\r\nTrendMicro House Call Trojan.55DEE3DA\r\nVirusBlokAda BScope.Trojan.Casdet\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nDescription = \"Detects 
polarSSL certificates\" strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-05-16 02:35:55-04:00\r\nImport Hash 6ffc5804961e26c43256df683fea6922\r\nPE Sections\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 8 of 66\n\nMD5 Name Raw Size Entropy\r\nadb596d3ceae66510778e3bf5d4d9582 header 4096 0.695660\r\n6453931a0b6192e0bbd6476e736ca63f .text 184320 6.343388\r\n0ba1433cc62ba7903ada2f1e57603e83 .rdata 16384 6.246206\r\n76a08265777f68f08e5e6ed2102cb31d .data 12288 4.050945\r\ncb8939d6bc1cd076acd850c3850bdf78 .rsrc 4096 3.289605\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ v6.0\r\nRelationships\r\n2151c1977b... Connected_To 81.94.192.147\r\n2151c1977b... Connected_To 112.175.92.57\r\n2151c1977b... Related_To 181.39.135.126\r\n2151c1977b... Related_To 197.211.212.59\r\n2151c1977b... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\n2151c1977b... Dropped 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7\r\nDescription\r\nThis artifact is a malicious PE32 executable with similar characteristics of those described in\r\n23E27E5482E3F55BF828DAB885569033 above.\r\nWhen this artifact is executed, it will write the file 'udbcgiut.dat' to C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp.\r\nThe malware will then attempt outbound SSL connections to 81.94.192.147 and 112.175.92.57. Both connection attempts\r\nare over TCP Port 443.\r\nThe two IP addresses above, as well as the IP addresses 181.39.135.126 and 197.211.212.59 are hard-coded into the\r\nmalware. 
However, only connections to the first two IP addresses were attempted during analysis.\r\n197.211.212.59\r\nPorts\r\n7443 TCP\r\nWhois\r\ninetnum:        197.211.208.0 - 197.211.215.255\r\nnetname:        ZOL-16e-MOBILE-CUSTOMERS\r\ndescr:         ZOL Customers on ZTE Mobile WiMAX Platform\r\ncountry:        ZW\r\nadmin-c:        BS10-AFRINIC\r\nadmin-c:        GJ1-AFRINIC\r\nadmin-c:        JHM1-AFRINIC\r\ntech-c:         BS10-AFRINIC\r\ntech-c:         GJ1-AFRINIC\r\ntech-c:         JHM1-AFRINIC\r\nstatus:         ASSIGNED PA\r\nmnt-by:         LIQUID-TOL-MNT\r\nsource:         AFRINIC # Filtered\r\nparent:         197.211.192.0 - 197.211.255.255\r\nperson:         B Siwela\r\naddress:        3rd Floor Greenbridge South\r\naddress:        Eastgate Center\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 9 of 66\n\naddress:        R. Mugabe Road\r\naddress:        Harare\r\naddress:        Zimbabwe\r\nphone:         +263774673452\r\nfax-no:         +2634702375\r\nnic-hdl:        BS10-AFRINIC\r\nmnt-by:         GENERATED-DVCNVXWBH3VN3XZXTRPHOT0OJ77GUNN3-MNT\r\nsource:         AFRINIC # Filtered\r\nperson:         G Jaya\r\naddress:        3rd Floor Greenbridge South\r\naddress:        Eastgate Center\r\naddress:        R. 
Mugabe Road\r\naddress:        Harare\r\naddress:        Zimbabwe\r\nphone:         +263773373135\r\nfax-no:         +2634702375\r\nnic-hdl:        GJ1-AFRINIC\r\nmnt-by:         GENERATED-QPEEUIPPW1WPRZ5HLHRXAVHDOKWLC9UC-MNT\r\nsource:         AFRINIC # Filtered\r\nperson:         John H Mwangi\r\naddress:        Liquid Telecom Kenya\r\naddress:        P.O.Box 62499 - 00200\r\naddress:        Nairobi Kenya\r\naddress:        Nairobi, Kenya\r\naddress:        Kenya\r\nphone:         + 254 20 556 755\r\nRelationships\r\n197.211.212.59 Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n197.211.212.59 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n197.211.212.59 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\nDescription\r\nThis IP address is listed in the file 'udbcgiut.dat'. Outbound SSL connection attempts are made to this IP by Malware2.exe,\r\nMalware3.exe, and Malware5.exe. The domain, zol-ad-bdc.zol.co.zw is associated with the IP address, however, no DNS\r\nquery is made for the name.\r\n181.39.135.126\r\nPorts\r\n7443 TCP\r\nWhois\r\ninetnum:     181.39.135.120/29\r\nstatus:     reallocated\r\nowner:     Clientes Guayaquil\r\nownerid:     EC-CLGU1-LACNIC\r\nresponsible: Tomislav Topic\r\naddress:     Kennedy Norte Mz. 
109 Solar 21, 5, Piso 2\r\naddress:     5934 - Guayaquil - GY\r\ncountry:     EC\r\nphone:     +593 4 2680555 [101]\r\nowner-c:     SEL\r\ntech-c:     SEL\r\nabuse-c:     SEL\r\ncreated:     20160720\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 10 of 66\n\nchanged:     20160720\r\ninetnum-up: 181.39/16\r\nnic-hdl:     SEL\r\nperson:     Carlos Montero\r\ne-mail:     networking@TELCONET.EC\r\naddress:     Kennedy Norte MZ, 109, Solar 21\r\naddress:     59342 - Guayaquil -\r\ncountry:     EC\r\nphone:     +593 42680555 [4601]\r\ncreated:     20021004\r\nchanged:     20170323\r\nRelationships\r\n181.39.135.126 Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n181.39.135.126 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n181.39.135.126 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\nDescription\r\nThis IP address is listed in the file 'udbcgiut.dat'. Outbound SSL connection attempts are made to this IP by Malware2.exe,\r\nMalware3.exe, and Malware5.exe. 
No domain is associated with the IP address.\r\n112.175.92.57\r\nPorts\r\n443 TCP\r\nWhois\r\ninetnum:        112.160.0.0 - 112.191.255.255\r\nnetname:        KORNET\r\ndescr:         Korea Telecom\r\nadmin-c:        IM667-AP\r\ntech-c:         IM667-AP\r\ncountry:        KR\r\nstatus:         ALLOCATED PORTABLE\r\nmnt-by:         MNT-KRNIC-AP\r\nmnt-irt:        IRT-KRNIC-KR\r\nlast-modified: 2017-02-03T02:21:58Z\r\nsource:         APNIC\r\nirt:            IRT-KRNIC-KR\r\naddress:        Seocho-ro 398, Seocho-gu, Seoul, Korea\r\ne-mail:         hostmaster@nic.or.kr\r\nabuse-mailbox: hostmaster@nic.or.kr\r\nadmin-c:        IM574-AP\r\ntech-c:         IM574-AP\r\nauth:         # Filtered\r\nmnt-by:         MNT-KRNIC-AP\r\nlast-modified: 2017-10-19T07:36:36Z\r\nsource:         APNIC\r\nperson:         IP Manager\r\naddress:        Gyeonggi-do Bundang-gu, Seongnam-si Buljeong-ro 90\r\ncountry:        KR\r\nphone:         +82-2-500-6630\r\ne-mail:         kornet_ip@kt.com\r\nnic-hdl:        IM667-AP\r\nmnt-by:         MNT-KRNIC-AP\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 11 of 66\n\nlast-modified: 2017-03-28T06:37:04Z\r\nsource:         APNIC\r\nRelationships\r\n112.175.92.57 Connected_From 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n112.175.92.57 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n112.175.92.57 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n112.175.92.57 Connected_From 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a\r\nDescription\r\nThis IP address is listed in the file 'udbcgiut.dat'. Outbound SSL connection attempts are made to this IP by Malware2.exe,\r\nMalware3.exe, and Malware5.exe. 
The domain, mail.everzone.co.kr is associated with the IP address, however, no DNS\r\nquery is made for the name.\r\n81.94.192.147\r\nPorts\r\n443 TCP\r\nWhois\r\ninetnum:        81.94.192.0 - 81.94.192.255\r\nnetname:        IOMARTHOSTING\r\ndescr:         iomart Hosting Limited\r\ncountry:        GB\r\nadmin-c:        RA1415-RIPE\r\ntech-c:         RA1415-RIPE\r\nstatus:         ASSIGNED PA\r\nremarks:        ABUSE REPORTS: abuse@redstation.com\r\nmnt-by:         REDSTATION-MNT\r\nmnt-domains:    REDSTATION-MNT\r\nmnt-routes:     REDSTATION-MNT\r\ncreated:        2016-02-14T11:44:25Z\r\nlast-modified: 2016-02-14T11:44:25Z\r\nsource:         RIPE\r\nrole:         Redstation Admin Role\r\naddress:        Redstation Limited\r\naddress:        2 Frater Gate Business Park\r\naddress:        Aerodrome Road\r\naddress:        Gosport\r\naddress:        Hampshire\r\naddress:        PO13 0GW\r\naddress:        UNITED KINGDOM\r\nabuse-mailbox: abuse@redstation.com\r\ne-mail:         abuse@redstation.com\r\nnic-hdl:        RA1415-RIPE\r\nmnt-by:         REDSTATION-MNT\r\ncreated:        2005-04-22T17:34:33Z\r\nlast-modified: 2017-05-02T09:47:13Z\r\nsource:         RIPE\r\n% Information related to '81.94.192.0/24AS20860'\r\nroute:         81.94.192.0/24\r\ndescr:         Wayne Dalton - Redstation Ltd\r\norigin:         AS20860\r\nmnt-by:         GB10488-RIPE-MNT\r\ncreated:        2015-11-03T12:58:00Z\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 12 of 66\n\nlast-modified: 2015-11-03T12:58:00Z\r\nsource:         RIPE\r\nRelationships\r\n81.94.192.147 Connected_From 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n81.94.192.147 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n81.94.192.147 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\nDescription\r\nThis IP address is listed in the file 'udbcgiut.dat'. 
Outbound SSL connection attempts are made to this IP by Malware2.exe,\r\nMalware3.exe, and Malware5.exe. No domain is associated with the IP address.\r\n70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\nTags\r\ntrojan\r\nDetails\r\nName udbcgiut.dat\r\nSize 1171 bytes\r\nType data\r\nMD5 ae829f55db0198a0a36b227addcdeeff\r\nSHA1 04833210fa57ea70a209520f4f2a99d049e537f2\r\nSHA256 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\nSHA512 1b4509102ac734ce310b6f8631b1bedd772a38582b4feda9fee09f1edd096006cf5ba528435c844effa97f95984b07bd2c111aa480bb22f4bcf\r\nssdeep 3:ElclFUl8GlFcmzkXIil23X1ll:ElcUXmQkXQ3\r\nEntropy 0.395693\r\nAntivirus\r\nAhnlab BinImage/Hoplight\r\nAntiy Trojan/Generic.Generic\r\nIkarus Trojan.Win32.Hoplight\r\nMcAfee Trojan-Hoplight.b\r\nMicrosoft Security Essentials Trojan:Win32/Hoplight\r\nTrendMicro Trojan.22D9D34C\r\nTrendMicro House Call Trojan.22D9D34C\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n70902623c9... Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 13 of 66\n\n70902623c9... Related_To ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n70902623c9... Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n70902623c9... Related_To 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n70902623c9... Related_To 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d\r\nDescription\r\n'udbcgiut.dat' is dropped by three of the four PE32 executables. 
This file contains a 32-byte Unicode string uniquely generated\r\nfor the infected system, as well as four socket pairs in hexadecimal.\r\n---Begin Decoded Socket Pairs---\r\n197.211.212.59:443\r\n181.39.135.126:443\r\n112.175.92.57:7443\r\n81.94.192.147:7443\r\n---End Decoded Socket Pairs---\r\nThe Unicode string generated during this analysis was '8a9b11762b96c4b6'. The socket pairs remain the same for all\r\ninstances of the malware.\r\nFor the PE32 executables, 'udbcgiut.dat' was dropped in the victim's profile at %AppData%\\Local\\Temp. For the 64-bit\r\nexecutables, 'udbcgiut.dat' was dropped in C:\\Windows.\r\n4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818\r\nTags\r\ntrojan\r\nDetails\r\nName C5DC53A540ABE95E02008A04A0D56D6C\r\nSize 241152 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 c5dc53a540abe95e02008a04a0d56d6c\r\nSHA1 4cfe9e353b1a91a2add627873846a3ad912ea96b\r\nSHA256 4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818\r\nSHA512 fc33c99facfbc98d164e63167353bdcff7c1704810e4bb64f7e56812412d84099b224086c04aea66e321cd546d8cf6f14196f5b58d5e931c68\r\nssdeep 6144:LA5cWD93YuzTvLFOLoqbWbnuX7ZEAV6efA/Pawzq:Xc93YbLZEAV6mX\r\nEntropy 6.534884\r\nAntivirus\r\nAhnlab Trojan/Win32.Hoplight\r\nAntiy Trojan/Win32.Casdet\r\nAvira TR/NukeSped.qdbcu\r\nBitDefender Trojan.GenericKD.31879714\r\nESET a variant of Win32/NukeSped.AS trojan\r\nEmsisoft Trojan.GenericKD.31879714 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 0051d4f01 )\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 14 of 66\n\nMcAfee Trojan-Hoplight\r\nMicrosoft Security Essentials Trojan:Win32/Hoplight\r\nQuick Heal Trojan.Hoplight.S5793599\r\nSophos Troj/Hoplight-C\r\nSymantec Trojan.Hoplight\r\nTrendMicro Trojan.55DEE3DA\r\nTrendMicro House Call Trojan.55DEE3DA\r\nVirusBlokAda Trojan.Casdet\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = 
\"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nDescription = \"Detects polarSSL certificates\" strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-06-04 21:31:07-04:00\r\nImport Hash c76f6bb3f2ce6f4ce3e83448836f3ddd\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n64cb3246aafa83129f7fd6b25d572a9f header 1024 2.625229\r\ne8c15e136370c12020eb23545085b9f6 .text 196096 6.431942\r\ncf0eb4ad22ac1ca687b87a0094999ac8 .rdata 26624 5.990247\r\nb246681e20b3c8ff43e1fcf6c0335287 .data 8192 4.116777\r\n6545248a1e3449e95314cbc874837096 .rsrc 512 5.112624\r\n31a7ab6f707799d327b8425f6693c220 .reloc 8704 5.176231\r\nPackers/Compilers/Cryptors\r\nDescription\r\nThis artifact is a malicious PE32 executable with similar characteristics of those described in\r\n23E27E5482E3F55BF828DAB885569033 above.\r\nThis artifact appears to be named 'lamp.exe'. 
The malware contains the following debug pathway:\r\n---Begin Debug Pathway---\r\nZ:\\Develop\\41.LampExe\\Release\\LampExe.pdb\r\n---End Debug Pathway---\r\nddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\nTags\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 15 of 66\n\nadwaretrojan\r\nDetails\r\nName BE588CD29B9DC6F8CFC4D0AA5E5C79AA\r\nName ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\nSize 267776 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 be588cd29b9dc6f8cfc4d0aa5e5c79aa\r\nSHA1 06be4fe1f26bc3e4bef057ec83ae81bd3199c7fc\r\nSHA256 ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\nSHA512 c074ec876350b3ee3f82208041152c0ecf25cc8600c8277eec389c253c12372e78da59182a6df8331b05e0eefb07c142172951115a582606f6\r\nssdeep 6144:UEFpmt3md/iA3uiyzOvLFOLYqnHGZlDwf/OYy85eqmJKRPg:/PQ3mJxeigqi/OYy+/g\r\nEntropy 6.554499\r\nAntivirus\r\nAhnlab Trojan/Win32.Generic\r\nAntiy Trojan/Win32.Casdet\r\nAvira TR/NukeSped.yvkuj\r\nBitDefender Trojan.GenericKD.31879713\r\nCyren W32/Trojan.TBKF-4720\r\nESET a variant of Win32/NukeSped.AI trojan\r\nEmsisoft Trojan.GenericKD.31879713 (B)\r\nFilseclab Adware.Amonetize.heur.xjym.mg\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 005329311 )\r\nMcAfee Trojan-Hoplight\r\nMicrosoft Security Essentials Trojan:Win32/Nukesped.PA!MTB\r\nQuick Heal Trojan.Generic\r\nSophos Troj/Hoplight-C\r\nSymantec Trojan.Hoplight\r\nTrendMicro Trojan.55DEE3DA\r\nTrendMicro House Call Trojan.55DEE3DA\r\nVirusBlokAda BScope.Trojan.Casdet\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nDescription = \"Detects polarSSL certificates\" strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) 
==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nssdeep Matches\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 16 of 66\n\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-06-06 10:33:38-04:00\r\nImport Hash 8184d5d35e3a4640bb5d21698a4b6021\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n59b5d567b9b7b9da0ca0936675fd95fe header 1024 2.658486\r\nc0b6929e0f01a7b61bde3d7400a801e0 .text 218624 6.470188\r\nce1e5ab830fcfaa2d7bea92f56e9026e .rdata 27136 5.962575\r\n006bad003b65738ed203a576205cc546 .data 8192 4.157373\r\n992987e022da39fcdbeede8ddd48f226 .rsrc 3072 5.511870\r\n4be460324f0f4dc1f6a0983752094cce .reloc 9728 5.303151\r\nPackers/Compilers/Cryptors\r\nRelationships\r\nddea408e17... Connected_To 81.94.192.147\r\nddea408e17... Connected_To 112.175.92.57\r\nddea408e17... Connected_To 181.39.135.126\r\nddea408e17... Connected_To 197.211.212.59\r\nddea408e17... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\nddea408e17... Connected_To 81.94.192.10\r\nDescription\r\nThis artifact is a malicious PE32 executable with similar characteristics to those described in\r\n23E27E5482E3F55BF828DAB885569033 above.\r\nThis program attempts to initiate a TLS handshake to the four IP/port pairs listed in 'udbcgiut.dat'. If the program is unable\r\nto establish a connection, the file 'udbcgiut.dat' is deleted.\r\nAfter 'udbcgiut.dat' is deleted, an outbound SSL connection is made to 81.94.192.10. 
The IP address is hard-coded in the\r\nmalware and is not randomly generated.\r\nThis artifact also loads several APIs that are commonly associated with Pass-The-Hash (PTH) toolkits, indicating a\r\ncapability to harvest user credentials and passwords.\r\n---Begin Common PTH APIs---\r\nSamiChangePasswordUser\r\nSamFreeMemory\r\nSamCloseHandle\r\nSamOpenUser\r\nSamLookupNamesInDomain\r\nSamOpenDomain\r\nSamConnect\r\n---End Common PTH APIs---\r\n81.94.192.10\r\nWhois\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 17 of 66\n\nDomain name:\r\n       redstation.net.uk\r\n   Registrant:\r\n       Redstation Limited\r\n   Registrant type:\r\n       UK Limited Company, (Company number: 3590745)\r\n   Registrant's address:\r\n       2 Frater Gate Business Park\r\n       Aerodrome Road\r\n       Gosport\r\n       Hampshire\r\n       PO13 0GW\r\n       United Kingdom\r\n   Data validation:\r\n       Nominet was able to match the registrant's name and address against a 3rd party data source on 21-Feb-2017\r\n   Registrar:\r\n       Easyspace Ltd [Tag = EASYSPACE]\r\n       URL: https://www.easyspace.com/domain-names/extensions/uk\r\n   Relevant dates:\r\n       Registered on: 11-Apr-2005\r\n       Expiry date: 11-Apr-2019\r\n       Last updated: 12-Apr-2017\r\n   Registration status:\r\n       Registered until expiry date.\r\n   Name servers:\r\n       ns1.redstation.com\r\n       ns2.redstation.com\r\nRelationships\r\n81.94.192.10 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware5.dll'. 
No domain is associated with the\r\nIP address.\r\n12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d\r\nTags\r\ndroppertrojan\r\nDetails\r\nName 868036E102DF4CE414B0E6700825B319\r\nSize 453791 bytes\r\nType PE32+ executable (GUI) x86-64, for MS Windows\r\nMD5 868036e102df4ce414b0e6700825b319\r\nSHA1 7f1e68d78e455aa14de9020abd2293c3b8ec6cf8\r\nSHA256 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d\r\nSHA512 724d83493dbe86cfcee7f655272d2c733baa5470d7da986e956c789aa1b8f518ad94b575e655b4fe5f6f7d426b9aa7d8304fc879b82a385142\r\nssdeep 12288:eb/3G8vg+Rg1cvAHtE0MLa07rt5POui6z:+/3G8vg+pvi9Sa07rt4ui6z\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 18 of 66\n\nEntropy 7.713852\r\nAntivirus\r\nAhnlab Trojan/Win64.Hoplight\r\nAntiy Trojan/Generic.Generic\r\nAvira TR/Dropper.ezydy\r\nCyren W64/Trojan.PLQG-3049\r\nESET a variant of Win64/NukeSped.BV trojan\r\nIkarus Trojan.Win64.Nukesped\r\nK7 Riskware ( 0040eff71 )\r\nMcAfee Generic Trojan.ix\r\nMicrosoft Security Essentials Trojan:Win64/Hoplight\r\nNANOAV Trojan.Win64.Crypted.excqpl\r\nNetGate Trojan.Win32.Malware\r\nQuick Heal Trojan.Hoplight\r\nSophos Troj/Hoplight-C\r\nSymantec Trojan.Gen.MBT\r\nTrendMicro Trojan.D58D9624\r\nTrendMicro House Call Trojan.D58D9624\r\nVirusBlokAda Trojan.Win64.Hoplight\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\n90 890d3928be0f36b1f4dcfffb20ac3747a31451ce010caba768974bfccdc26e7c\r\nPE Metadata\r\nCompile Date 2017-06-06 10:54:03-04:00\r\nImport Hash 947a389c3886c5fa7f3e972fd4d7740c\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\ne772c7a04c7e3d53c58fdb8a88bb0c02 header 1024 2.486400\r\na6a2750e5b57470403299e0327553042 .text 34816 6.297430\r\ncc5d69374e9b0266a4b1119e5274d392 .rdata 12288 4.715650\r\nac4ee21fcb2501656efc217d139ec804 .data 5120 1.876950\r\n359af12d4a14ced423d39736dfec613a .pdata 2560 3.878158\r\n097e0e4be076b795a7316f1746bace8a .rsrc 3072 5.514584\r\n5849f380266933d6f3c5c4740334b041 .reloc 1024 
2.517963\r\nPackers/Compilers/Cryptors\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 19 of 66\n\nMicrosoft Visual C++ 8.0 (DLL)\r\nRelationships\r\n12480585e0... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\n12480585e0... Dropped 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nThis artifact is a malicious x64 executable with similar characteristics of those described in\r\n23E27E5482E3F55BF828DAB885569033 above.\r\nIn addition to the capabilities described above, this variant will hook the Windows Local Security Authority (lsass.exe).\r\n'lsass.exe' will check the registry for the data value 'rdpproto' under the key SYSTEM\\CurrentControlSet\\Control\\Lsa Name:\r\nSecurity Packages. If not found, this value is added by 'lsass.exe'.\r\nNext, the malware will drop the embedded file, 'rdpproto.dll' into the %System32% directory.\r\nThe file, 'udbcgiut.dat' is then written to C:\\Windows. Outbound connection attempts are made to the socket pairs found\r\nwithin this file as described above.\r\n49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nTags\r\ntrojan\r\nDetails\r\nName rdpproto.dll\r\nSize 391680 bytes\r\nType PE32+ executable (DLL) (console) x86-64, for MS Windows\r\nMD5 dc268b166fe4c1d1c8595dccf857c476\r\nSHA1 8264556c8a6e460760dc6bb72ecc6f0f966a16b8\r\nSHA256 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nSHA512 b47c4caa0b5c17c982fcd040c7171d36ec962fe32e9b8bec567ee14b187507fe90e026aa05eec17d36c49a924eeaed55e66c95a111cfa9dcae0\r\nssdeep 6144:jfsTC8amAXJeZP6BPjIDeLkigDxcvAHjVXjhtBGshMLa1Mj7rtlkiP60dwtudIye:jvg+Rg1cvAHtE0MLa07rt5POui6\r\nEntropy 7.893665\r\nAntivirus\r\nAhnlab Trojan/Win64.Hoplight\r\nAntiy Trojan/Win32.Casdet\r\nAvira TR/Crypt.XPACK.xuqld\r\nBitDefender Trojan.Generic.22790108\r\nESET a variant of Win64/NukeSped.BV trojan\r\nEmsisoft Trojan.Generic.22790108 (B)\r\nIkarus Trojan.SuspectCRC\r\nK7 Trojan ( 0054bb211 
)\r\nMcAfee Hoplight-FDXG!DC268B166FE4\r\nMicrosoft Security Essentials Trojan:Win64/Hoplight\r\nNANOAV Trojan.Win64.Crypted.excqpl\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 20 of 66\n\nQuick Heal Trojan.Agent\r\nSophos Troj/Hoplight-C\r\nSymantec Trojan.Hoplight\r\nVirusBlokAda Trojan.Win64.Agent\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\n99 890d3928be0f36b1f4dcfffb20ac3747a31451ce010caba768974bfccdc26e7c\r\nPE Metadata\r\nCompile Date 2017-06-06 11:34:06-04:00\r\nImport Hash 360d26520c50825099ec61e97b01a43b\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n3bb2a7d6aab283c82ab853f536157ce2 header 1024 2.524087\r\nb0bf8ec7b067fd3592c0053702e34504 .text 23552 6.180871\r\n6cc98c5fef3ea1b782262e355b5c5862 .rdata 10752 4.635336\r\n484d4698d46b3b5ad033c1a80ba83acf .data 4096 2.145716\r\na07c8f17c18c6789a3e757aec183aea6 .pdata 2048 3.729952\r\nfae0d0885944745d98849422bd799457 .rsrc 348672 7.997488\r\n0c1c23e1fb129b1b1966f70fc75cf20e .reloc 1536 1.737829\r\nRelationships\r\n49757cf856... Dropped_By 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d\r\n49757cf856... Connected_To 21.252.107.198\r\n49757cf856... Connected_To 70.224.36.194\r\n49757cf856... Connected_To 113.114.117.122\r\n49757cf856... Connected_To 47.206.4.145\r\n49757cf856... Connected_To 84.49.242.125\r\n49757cf856... Connected_To 26.165.218.44\r\n49757cf856... Connected_To 137.139.135.151\r\n49757cf856... Connected_To 97.90.44.200\r\n49757cf856... Connected_To 128.200.115.228\r\n49757cf856... Connected_To 186.169.2.237\r\nDescription\r\n\"rdpproto.dll\" is dropped into the %System32% directory by 868036E102DF4CE414B0E6700825B319. 
When the library is\r\nloaded,\r\n\"rdpproto.dll\" will attempt to send SSL Client Hello packets to any of the following embedded IP addresses:\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 21 of 66\n\n---Begin Embedded IP Addresses---\r\n21.252.107.198\r\n70.224.36.194\r\n113.114.117.122\r\n47.206.4.145\r\n84.49.242.125\r\n26.165.218.44\r\n137.139.135.151\r\n97.90.44.200\r\n128.200.115.228\r\n186.169.2.237\r\n---End Embedded IP Addresses---\r\nThis artifact contains the following notable strings:\r\n---Begin Notable Strings---\r\nCompanyName\r\nAdobe System Incorporated\r\nFileDescription\r\nMicrosoftWindows TransFilter/FilterType : 01 WindowsNT Service\r\nFileVersion\r\n6.1 Build 7601\r\nInternalName\r\nTCP/IP Packet Filter Service\r\nLegalCopyright\r\nCopyright 2015 - Adobe System Incorporated\r\nLegalTrademarks\r\nOriginalFileName\r\nTCP/IP - PacketFilter\r\n---End Notable Strings---\r\n21.252.107.198\r\nPorts\r\n23164 TCP\r\nWhois\r\nNetRange:     21.0.0.0 - 21.255.255.255\r\nCIDR:         21.0.0.0/8\r\nNetName:        DNIC-SNET-021\r\nNetHandle:     NET-21-0-0-0-1\r\nParent:         ()\r\nNetType:        Direct Allocation\r\nOriginAS:    \r\nOrganization: DoD Network Information Center (DNIC)\r\nRegDate:        1991-06-30\r\nUpdated:        2009-06-19\r\nRef:            https://whois.arin.net/rest/net/NET-21-0-0-0-1\r\nOrgName:        DoD Network Information Center\r\nOrgId:         DNIC\r\nAddress:        3990 E. 
Broad Street\r\nCity:         Columbus\r\nStateProv:     OH\r\nPostalCode:     43218\r\nCountry:        US\r\nRegDate:        \r\nUpdated:        2011-08-17\r\nRef:            https://whois.arin.net/rest/org/DNIC\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 22 of 66\n\nRelationships\r\n21.252.107.198 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n21.252.107.198 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the\r\nIP address.\r\n70.224.36.194\r\nPorts\r\n59681 TCP\r\nWhois\r\nDomain Name: AMERITECH.NET\r\nRegistry Domain ID: 81816_DOMAIN_NET-VRSN\r\nRegistrar WHOIS Server: whois.corporatedomains.com\r\nRegistrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html\r\nUpdated Date: 2017-06-09T05:27:34Z\r\nCreation Date: 1996-06-14T04:00:00Z\r\nRegistry Expiry Date: 2018-06-13T04:00:00Z\r\nRegistrar: CSC Corporate Domains, Inc.\r\nRegistrar IANA ID: 299\r\nRegistrar Abuse Contact Email: domainabuse@cscglobal.com\r\nRegistrar Abuse Contact Phone: 8887802723\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nName Server: NS1.ATTDNS.COM\r\nName Server: NS2.ATTDNS.COM\r\nName Server: NS3.ATTDNS.COM\r\nName Server: NS4.ATTDNS.COM\r\nDNSSEC: unsigned\r\nDomain Name: ameritech.net\r\nRegistry Domain ID: 81816_DOMAIN_NET-VRSN\r\nRegistrar WHOIS Server: whois.corporatedomains.com\r\nRegistrar URL: www.cscprotectsbrands.com\r\nUpdated Date: 2017-06-09T05:27:34Z\r\nCreation Date: 1996-06-14T04:00:00Z\r\nRegistrar Registration Expiration Date: 2018-06-13T04:00:00Z\r\nRegistrar: CSC CORPORATE DOMAINS, INC.\r\nRegistrar IANA ID: 299\r\nRegistrar Abuse Contact Email: domainabuse@cscglobal.com\r\nRegistrar Abuse Contact Phone: +1.8887802723\r\nDomain Status: clientTransferProhibited 
http://www.icann.org/epp#clientTransferProhibited\r\nRegistry Registrant ID:\r\nRegistrant Name: Domain Administrator\r\nRegistrant Organization: AT\u0026T SERVICES, INC.\r\nRegistrant Street: 801 Chestnut Street\r\nRegistrant City: Saint Louis\r\nRegistrant State/Province: MO\r\nRegistrant Postal Code: 63101\r\nRegistrant Country: US\r\nRegistrant Phone: +1.3142358168\r\nRegistrant Phone Ext:\r\nRegistrant Fax: +1.3142358168\r\nRegistrant Fax Ext:\r\nRegistrant Email: att-domains@att.com\r\nRegistry Admin ID:\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 23 of 66\n\nAdmin Name: Domain Administrator\r\nAdmin Organization: AT\u0026T SERVICES, INC.\r\nAdmin Street: 801 Chestnut Street\r\nAdmin City: Saint Louis\r\nAdmin State/Province: MO\r\nAdmin Postal Code: 63101\r\nAdmin Country: US\r\nAdmin Phone: +1.3142358168\r\nAdmin Phone Ext:\r\nAdmin Fax: +1.3142358168\r\nAdmin Fax Ext:\r\nAdmin Email: att-domains@att.com\r\nRegistry Tech ID:\r\nTech Name: Domain Administrator\r\nTech Organization: AT\u0026T SERVICES, INC.\r\nTech Street: 801 Chestnut Street\r\nTech City: Saint Louis\r\nTech State/Province: MO\r\nTech Postal Code: 63101\r\nTech Country: US\r\nTech Phone: +1.3142358168\r\nTech Phone Ext:\r\nTech Fax: +1.3142358168\r\nTech Fax Ext:\r\nTech Email: att-domains@att.com\r\nName Server: ns3.attdns.com\r\nName Server: ns1.attdns.com\r\nName Server: ns2.attdns.com\r\nName Server: ns4.attdns.com\r\nDNSSEC: unsigned\r\nRelationships\r\n70.224.36.194 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n70.224.36.194 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. 
No domain is associated with the\r\nIP address.\r\n113.114.117.122\r\nPorts\r\n23397 TCP\r\nWhois\r\ninetnum:        113.112.0.0 - 113.119.255.255\r\nnetname:        CHINANET-GD\r\ndescr:         CHINANET Guangdong province network\r\ndescr:         Data Communication Division\r\ndescr:         China Telecom\r\ncountry:        CN\r\nadmin-c:        CH93-AP\r\ntech-c:         IC83-AP\r\nremarks:        service provider\r\nstatus:         ALLOCATED PORTABLE\r\nmnt-by:         APNIC-HM\r\nmnt-lower:     MAINT-CHINANET-GD\r\nmnt-routes:     MAINT-CHINANET-GD\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 24 of 66\n\nlast-modified: 2016-05-04T00:15:17Z\r\nsource:         APNIC\r\nmnt-irt:        IRT-CHINANET-CN\r\nirt:            IRT-CHINANET-CN\r\naddress:        No.31 ,jingrong street,beijing\r\naddress:        100032\r\ne-mail:         anti-spam@ns.chinanet.cn.net\r\nabuse-mailbox: anti-spam@ns.chinanet.cn.net\r\nadmin-c:        CH93-AP\r\ntech-c:         CH93-AP\r\nauth:         # Filtered\r\nmnt-by:         MAINT-CHINANET\r\nlast-modified: 2010-11-15T00:31:55Z\r\nsource:         APNIC\r\nperson:         Chinanet Hostmaster\r\nnic-hdl:        CH93-AP\r\ne-mail:         anti-spam@ns.chinanet.cn.net\r\naddress:        No.31 ,jingrong street,beijing\r\naddress:        100032\r\nphone:         +86-10-58501724\r\nfax-no:         +86-10-58501724\r\ncountry:        CN\r\nmnt-by:         MAINT-CHINANET\r\nlast-modified: 2014-02-27T03:37:38Z\r\nsource:         APNIC\r\nperson:         IPMASTER CHINANET-GD\r\nnic-hdl:        IC83-AP\r\ne-mail:         gdnoc_HLWI@189.cn\r\naddress:        NO.18,RO. 
ZHONGSHANER,YUEXIU DISTRIC,GUANGZHOU\r\nphone:         +86-20-87189274\r\nfax-no:         +86-20-87189274\r\ncountry:        CN\r\nmnt-by:         MAINT-CHINANET-GD\r\nremarks:        IPMASTER is not for spam complaint,please send spam complaint to abuse_gdnoc@189.cn\r\nabuse-mailbox: antispam_gdnoc@189.cn\r\nlast-modified: 2014-09-22T04:41:26Z\r\nsource:         APNIC\r\nRelationships\r\n113.114.117.122 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n113.114.117.122 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the\r\nIP address.\r\n47.206.4.145\r\nPorts\r\n59067 TCP\r\nWhois\r\nDomain Name: FRONTIERNET.NET\r\nRegistry Domain ID: 4305589_DOMAIN_NET-VRSN\r\nRegistrar WHOIS Server: whois.register.com\r\nRegistrar URL: http://www.register.com\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 25 of 66\n\nUpdated Date: 2017-09-14T07:53:05Z\r\nCreation Date: 1995-10-14T04:00:00Z\r\nRegistry Expiry Date: 2018-10-13T04:00:00Z\r\nRegistrar: Register.com, Inc.\r\nRegistrar IANA ID: 9\r\nRegistrar Abuse Contact Email: abuse@web.com\r\nRegistrar Abuse Contact Phone: +1.8003337680\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nName Server: AUTH.DLLS.PA.FRONTIERNET.NET\r\nName Server: AUTH.FRONTIERNET.NET\r\nName Server: AUTH.LKVL.MN.FRONTIERNET.NET\r\nName Server: AUTH.ROCH.NY.FRONTIERNET.NET\r\nDNSSEC: unsigned\r\nDomain Name: FRONTIERNET.NET\r\nRegistry Domain ID: 4305589_DOMAIN_NET-VRSN\r\nRegistrar WHOIS Server: whois.register.com\r\nRegistrar URL: www.register.com\r\nUpdated Date: 2017-09-14T00:53:05.00Z\r\nCreation Date: 1995-10-14T04:00:00.00Z\r\nRegistrar Registration Expiration Date: 2018-10-13T04:00:00.00Z\r\nRegistrar: REGISTER.COM, INC.\r\nRegistrar IANA ID: 9\r\nDomain Status: 
clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited\r\nRegistry Registrant ID:\r\nRegistrant Name: FRONTIERNET HOSTMASTER\r\nRegistrant Organization:\r\nRegistrant Street: 95 N. FITZHUGH ST.\r\nRegistrant City: ROCHESTER\r\nRegistrant State/Province: NY\r\nRegistrant Postal Code: 14614-1212\r\nRegistrant Country: US\r\nRegistrant Phone: +1.8664747662\r\nRegistrant Phone Ext:\r\nRegistrant Fax:\r\nRegistrant Fax Ext:\r\nRegistrant Email: HOSTMASTER@FRONTIERNET.NET\r\nRegistry Admin ID:\r\nAdmin Name: FRONTIERNET HOSTMASTER\r\nAdmin Organization:\r\nAdmin Street: 95 N. FITZHUGH ST.\r\nAdmin City: ROCHESTER\r\nAdmin State/Province: NY\r\nAdmin Postal Code: 14614-1212\r\nAdmin Country: US\r\nAdmin Phone: +1.8664747662\r\nAdmin Phone Ext:\r\nAdmin Fax:\r\nAdmin Fax Ext:\r\nAdmin Email: HOSTMASTER@FRONTIERNET.NET\r\nRegistry Tech ID:\r\nTech Name: FRONTIERNET HOSTMASTER\r\nTech Organization:\r\nTech Street: 95 N. FITZHUGH ST.\r\nTech City: ROCHESTER\r\nTech State/Province: NY\r\nTech Postal Code: 14614-1212\r\nTech Country: US\r\nTech Phone: +1.8664747662\r\nTech Phone Ext:\r\nTech Fax:\r\nTech Fax Ext:\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 26 of 66\n\nTech Email: HOSTMASTER@FRONTIERNET.NET\r\nName Server: AUTH.DLLS.PA.FRONTIERNET.NET\r\nName Server: AUTH.FRONTIERNET.NET\r\nName Server: AUTH.LKVL.MN.FRONTIERNET.NET\r\nName Server: AUTH.ROCH.NY.FRONTIERNET.NET\r\nDNSSEC: unSigned\r\nRelationships\r\n47.206.4.145 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n47.206.4.145 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. 
No domain is associated with the\r\nIP address.\r\n84.49.242.125\r\nPorts\r\n17770 TCP\r\nWhois\r\nDomain Name: NEXTGENTEL.COM\r\nRegistry Domain ID: 13395561_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.domaininfo.com\r\nRegistrar URL: http://www.ports.domains\r\nUpdated Date: 2017-11-10T23:44:50Z\r\nCreation Date: 1999-11-17T15:47:51Z\r\nRegistry Expiry Date: 2018-11-17T15:47:51Z\r\nRegistrar: Ports Group AB\r\nRegistrar IANA ID: 73\r\nRegistrar Abuse Contact Email: abuse@portsgroup.se\r\nRegistrar Abuse Contact Phone: +46.707260017\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nName Server: ANYADNS1.NEXTGENTEL.NET\r\nName Server: ANYADNS2.NEXTGENTEL.NET\r\nDNSSEC: unsigned\r\nDomain Name: nextgentel.com\r\nRegistry Domain ID: 13395561_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.domaininfo.com\r\nRegistrar URL: ports.domains\r\nUpdated Date: 2017-11-10T23:44:50Z\r\nCreation Date: 1999-11-17T15:47:51Z\r\nRegistrar Registration Expiration Date: 2018-11-17T15:47:51Z\r\nRegistrar: PortsGroup AB\r\nRegistrar IANA ID: 73\r\nRegistrar Abuse Contact Email: abuse@portsgroup.se\r\nRegistrar Abuse Contact Phone: +46.317202000\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nRegistry Registrant ID:\r\nRegistrant Name: Hostmaster\r\nRegistrant Organization: NextGenTel AS\r\nRegistrant Street: Sandslimarka 31\r\nRegistrant City: SANDSLI\r\nRegistrant State/Province:\r\nRegistrant Postal Code: 5254\r\nRegistrant Country: NO\r\nRegistrant Phone: +47.55527900\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 27 of 66\n\nRegistrant Fax: +47.55527910\r\nRegistrant Email: hostmaster@nextgentel.com\r\nRegistry Admin ID:\r\nAdmin Name: Hostmaster\r\nAdmin Organization: NextGenTel AS\r\nAdmin Street: Sandslimarka 31\r\nAdmin City: Sandsli\r\nAdmin State/Province:\r\nAdmin Postal Code: 5254\r\nAdmin Country: NO\r\nAdmin Phone: +47.55527900\r\nAdmin Fax: 
+47.55527910\r\nAdmin Email: hostmaster@nextgentel.com\r\nRegistry Tech ID:\r\nTech Name: Hostmaster v/ Eivind Olsen\r\nTech Organization: NextGenTel AS\r\nTech Street: Postboks 3 Sandsli\r\nTech City: Bergen\r\nTech State/Province:\r\nTech Postal Code: 5861\r\nTech Country: NO\r\nTech Phone: +47.41649322\r\nTech Fax: +47.55527910\r\nTech Email: hostmaster@nextgentel.com\r\nName Server: ANYADNS1.NEXTGENTEL.NET\r\nName Server: ANYADNS2.NEXTGENTEL.NET\r\nDNSSEC: unsigned\r\nRelationships\r\n84.49.242.125 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n84.49.242.125 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the\r\nIP address.\r\n26.165.218.44\r\nPorts\r\n2248 TCP\r\nWhois\r\nNetRange:     26.0.0.0 - 26.255.255.255\r\nCIDR:         26.0.0.0/8\r\nNetName:        DISANET26\r\nNetHandle:     NET-26-0-0-0-1\r\nParent:         ()\r\nNetType:        Direct Allocation\r\nOriginAS:    \r\nOrganization: DoD Network Information Center (DNIC)\r\nRegDate:        1995-04-30\r\nUpdated:        2009-06-19\r\nRef:            https://whois.arin.net/rest/net/NET-26-0-0-0-1\r\nOrgName:        DoD Network Information Center\r\nOrgId:         DNIC\r\nAddress:        3990 E. 
Broad Street\r\nCity:         Columbus\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 28 of 66\n\nStateProv:     OH\r\nPostalCode:     43218\r\nCountry:        US\r\nRegDate:        \r\nUpdated:        2011-08-17\r\nRef:            https://whois.arin.net/rest/org/DNIC\r\nOrgTechHandle: MIL-HSTMST-ARIN\r\nOrgTechName: Network DoD\r\nOrgTechPhone: +1-844-347-2457\r\nOrgTechEmail: disa.columbus.ns.mbx.hostmaster-dod-nic@mail.mil\r\nOrgTechRef:    https://whois.arin.net/rest/poc/MIL-HSTMST-ARIN\r\nOrgAbuseHandle: REGIS10-ARIN\r\nOrgAbuseName: Registration\r\nOrgAbusePhone: +1-844-347-2457\r\nOrgAbuseEmail: disa.columbus.ns.mbx.arin-registrations@mail.mil\r\nOrgAbuseRef:    https://whois.arin.net/rest/poc/REGIS10-ARIN\r\nOrgTechHandle: REGIS10-ARIN\r\nOrgTechName: Registration\r\nOrgTechPhone: +1-844-347-2457\r\nOrgTechEmail: disa.columbus.ns.mbx.arin-registrations@mail.mil\r\nOrgTechRef:    https://whois.arin.net/rest/poc/REGIS10-ARIN\r\nRelationships\r\n26.165.218.44 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n26.165.218.44 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. 
No domain is associated with the\r\nIP address.\r\n137.139.135.151\r\nPorts\r\n64694 TCP\r\nWhois\r\nNetRange:     137.139.0.0 - 137.139.255.255\r\nCIDR:         137.139.0.0/16\r\nNetName:        SUC-OLDWEST\r\nNetHandle:     NET-137-139-0-0-1\r\nParent:         NET137 (NET-137-0-0-0-0)\r\nNetType:        Direct Assignment\r\nOriginAS:    \r\nOrganization: SUNY College at Old Westbury (SCAOW)\r\nRegDate:        1989-11-29\r\nUpdated:        2014-02-18\r\nRef:            https://whois.arin.net/rest/net/NET-137-139-0-0-1\r\nOrgName:        SUNY College at Old Westbury\r\nOrgId:         SCAOW\r\nAddress:        223 Store Hill Road\r\nCity:         Old Westbury\r\nStateProv:     NY\r\nPostalCode:     11568\r\nCountry:        US\r\nRegDate:        1989-11-29\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 29 of 66\n\nUpdated:        2011-09-24\r\nRef:            https://whois.arin.net/rest/org/SCAOW\r\nOrgTechHandle: SUNYO-ARIN\r\nOrgTechName: SUNYOWNOC\r\nOrgTechPhone: +1-516-876-3379\r\nOrgTechEmail: sunyownoc@oldwestbury.edu\r\nOrgTechRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN\r\nOrgAbuseHandle: SUNYO-ARIN\r\nOrgAbuseName: SUNYOWNOC\r\nOrgAbusePhone: +1-516-876-3379\r\nOrgAbuseEmail: sunyownoc@oldwestbury.edu\r\nOrgAbuseRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN\r\nRAbuseHandle: SUNYO-ARIN\r\nRAbuseName: SUNYOWNOC\r\nRAbusePhone: +1-516-876-3379\r\nRAbuseEmail: sunyownoc@oldwestbury.edu\r\nRAbuseRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN\r\nRTechHandle: SUNYO-ARIN\r\nRTechName: SUNYOWNOC\r\nRTechPhone: +1-516-876-3379\r\nRTechEmail: sunyownoc@oldwestbury.edu\r\nRTechRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN\r\nRNOCHandle: SUNYO-ARIN\r\nRNOCName: SUNYOWNOC\r\nRNOCPhone: +1-516-876-3379\r\nRNOCEmail: sunyownoc@oldwestbury.edu\r\nRNOCRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN\r\nRelationships\r\n137.139.135.151 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n137.139.135.151 
Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the\r\nIP address.\r\n97.90.44.200\r\nPorts\r\n37120 TCP\r\nWhois\r\nDomain Name: CHARTER.COM\r\nRegistry Domain ID: 340223_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.markmonitor.com\r\nRegistrar URL: http://www.markmonitor.com\r\nUpdated Date: 2017-07-03T04:22:18Z\r\nCreation Date: 1994-07-30T04:00:00Z\r\nRegistry Expiry Date: 2019-07-29T04:00:00Z\r\nRegistrar: MarkMonitor Inc.\r\nRegistrar IANA ID: 292\r\nRegistrar Abuse Contact Email: abusecomplaints@markmonitor.com\r\nRegistrar Abuse Contact Phone: +1.2083895740\r\nDomain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 30 of 66\n\nDomain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited\r\nName Server: NS1.CHARTER.COM\r\nName Server: NS2.CHARTER.COM\r\nName Server: NS3.CHARTER.COM\r\nName Server: NS4.CHARTER.COM\r\nDNSSEC: unsigned\r\nDomain Name: charter.com\r\nRegistry Domain ID: 340223_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.markmonitor.com\r\nRegistrar URL: http://www.markmonitor.com\r\nUpdated Date: 2017-12-18T04:00:14-0800\r\nCreation Date: 1994-07-29T21:00:00-0700\r\nRegistrar Registration Expiration Date: 2019-07-28T21:00:00-0700\r\nRegistrar: MarkMonitor, Inc.\r\nRegistrar IANA ID: 292\r\nRegistrar Abuse Contact Email: abusecomplaints@markmonitor.com\r\nRegistrar Abuse Contact Phone: +1.2083895740\r\nDomain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)\r\nDomain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)\r\nDomain Status: clientDeleteProhibited 
(https://www.icann.org/epp#clientDeleteProhibited)\r\nRegistry Registrant ID:\r\nRegistrant Name: Domain Admin\r\nRegistrant Organization: Charter Communications Operating, LLC\r\nRegistrant Street: 12405 Powerscourt Drive,\r\nRegistrant City: Saint Louis\r\nRegistrant State/Province: MO\r\nRegistrant Postal Code: 63131\r\nRegistrant Country: US\r\nRegistrant Phone: +1.3149650555\r\nRegistrant Phone Ext:\r\nRegistrant Fax: +1.9064010617\r\nRegistrant Fax Ext:\r\nRegistrant Email: hostmaster@charter.com\r\nRegistry Admin ID:\r\nAdmin Name: Domain Admin\r\nAdmin Organization: Charter Communications Operating, LLC\r\nAdmin Street: 12405 Powerscourt Drive,\r\nAdmin City: Saint Louis\r\nAdmin State/Province: MO\r\nAdmin Postal Code: 63131\r\nAdmin Country: US\r\nAdmin Phone: +1.3149650555\r\nAdmin Phone Ext:\r\nAdmin Fax: +1.9064010617\r\nAdmin Fax Ext:\r\nAdmin Email: hostmaster@charter.com\r\nRegistry Tech ID:\r\nTech Name: Charter Communications Internet Security and Abuse\r\nTech Organization: Charter Communications Operating, LLC\r\nTech Street: 12405 Powerscourt Drive,\r\nTech City: Saint Louis\r\nTech State/Province: MO\r\nTech Postal Code: 63131\r\nTech Country: US\r\nTech Phone: +1.3142883111\r\nTech Phone Ext:\r\nTech Fax: +1.3149090609\r\nTech Fax Ext:\r\nTech Email: abuse@charter.net\r\nName Server: ns4.charter.com\r\nName Server: ns3.charter.com\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 31 of 66\n\nName Server: ns1.charter.com\r\nName Server: ns2.charter.com\r\nDNSSEC: unsigned\r\nRelationships\r\n97.90.44.200 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n97.90.44.200 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. 
No domain is associated with the\r\nIP address.\r\n128.200.115.228\r\nPorts\r\n52884 TCP\r\nWhois\r\nDomain Name: UCI.EDU\r\nRegistrant:\r\nUniversity of California, Irvine\r\n6366 Ayala Science Library\r\nIrvine, CA 92697-1175\r\nUNITED STATES\r\nAdministrative Contact:\r\nCon Wieland\r\nUniversity of California, Irvine\r\nOffice of Information Technology\r\n6366 Ayala Science Library\r\nIrvine, CA 92697-1175\r\nUNITED STATES\r\n(949) 824-2222\r\noit-nsp@uci.edu\r\nTechnical Contact:\r\nCon Wieland\r\nUniversity of California, Irvine\r\nOffice of Information Technology\r\n6366 Ayala Science Library\r\nIrvine, CA 92697-1175\r\nUNITED STATES\r\n(949) 824-2222\r\noit-nsp@uci.edu\r\nName Servers:\r\nNS4.SERVICE.UCI.EDU     128.200.59.190\r\nNS5.SERVICE.UCI.EDU     52.26.131.47\r\nDomain record activated:    30-Sep-1985\r\nDomain record last updated: 07-Jul-2016\r\nDomain expires:             31-Jul-2018\r\nRelationships\r\n128.200.115.228 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n128.200.115.228 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 32 of 66\n\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the\r\nIP address.\r\n186.169.2.237\r\nPorts\r\n65292 TCP\r\nWhois\r\ninetnum:     186.168/15\r\nstatus:     allocated\r\naut-num:     N/A\r\nowner:     COLOMBIA TELECOMUNICACIONES S.A. 
ESP\r\nownerid:     CO-CTSE-LACNIC\r\nresponsible: Administradores Internet\r\naddress:     Transversal 60, 114, A 55\r\naddress:     N - BOGOTA - Cu\r\ncountry:     CO\r\nphone:     +57 1 5339833 []\r\nowner-c:     CTE7\r\ntech-c:     CTE7\r\nabuse-c:     CTE7\r\ninetrev:     186.169/16\r\nnserver:     DNS5.TELECOM.COM.CO\r\nnsstat:     20171220 AA\r\nnslastaa:    20171220\r\nnserver:     DNS.TELECOM.COM.CO\r\nnsstat:     20171220 AA\r\nnslastaa:    20171220\r\ncreated:     20110404\r\nchanged:     20141111\r\nnic-hdl:     CTE7\r\nperson:     Grupo de Administradores Internet\r\ne-mail:     admin.internet@TELECOM.COM.CO\r\naddress:     Transversal, 60, 114 A, 55\r\naddress:     571111 - BOGOTA DC - CU\r\ncountry:     CO\r\nphone:     +57 1 7050000 [71360]\r\ncreated:     20140220\r\nchanged:     20140220\r\nRelationships\r\n186.169.2.237 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n186.169.2.237 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\nDescription\r\nA high port to high port connection attempt is made to this IP address from 'Malware2.dll'. 
No domain is associated with the\r\nIP address.\r\n4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\nTags\r\ntrojan\r\nDetails\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 33 of 66\n\nName 42682D4A78FE5C2EDA988185A344637D\r\nName 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\nSize 346624 bytes\r\nType PE32+ executable (DLL) (console) x86-64, for MS Windows\r\nMD5 42682d4a78fe5c2eda988185a344637d\r\nSHA1 4975de2be0a1f7202037f5a504d738fe512191b7\r\nSHA256 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\nSHA512 213e4a0afbfac0bd884ab262ac87aee7d9a175cff56ba11aa4c75a4feb6a96c5e4e2c26adbe765f637c783df7552a56e4781a3b17be5fda2cf78\r\nssdeep 6144:nCgsFAkxS1rrtZQXTip12P04nTnvze6lxjWV346vze6lpjWV34Evze6lSjWV34a7:nCgsukxS1vtZ+5nvze6lxjWV346vze6N\r\nEntropy 6.102810\r\nAntivirus\r\nAhnlab Trojan/Win32.Generic\r\nAntiy Trojan/Win64.NukeSped\r\nAvira TR/NukeSped.tbxxd\r\nBitDefender Trojan.GenericKD.41198710\r\nCyren W64/Trojan.NKDY-0871\r\nESET a variant of Win64/NukeSped.T trojan\r\nEmsisoft Trojan.GenericKD.41198710 (B)\r\nIkarus Trojan.Win64.Nukesped\r\nK7 Trojan ( 0054bc321 )\r\nMcAfee Generic Trojan.ix\r\nMicrosoft Security Essentials Trojan:Win64/Hoplight\r\nQuick Heal Trojan.Hoplight.S5795935\r\nSophos Troj/Hoplight-C\r\nSymantec Trojan.Hoplight\r\nTrendMicro Trojan.A7CCF529\r\nTrendMicro House Call Trojan.A7CCF529\r\nVirusBlokAda Trojan.Win64.Hoplight\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nDescription = \"Detects polarSSL certificates\" strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE 
Metadata\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 34 of 66\n\nCompile Date 2017-06-06 11:24:44-04:00\r\nImport Hash e395fbfa0104d0173b3c4fdd3debdceb\r\nCompany Name Kamsky Co,.Ltd\r\nFile Description Vote_Controller\r\nInternal Name MDL_170329_x86_V06Lv3\r\nLegal Copyright Copyright \\u24d2 2017\r\nOriginal Filename Vote_Controller\r\nProduct Name Kamsky ColdFear\r\nProduct Version 17, 0, 0, 0\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n40d66d1a2f846d7c3bf291c604c9fca3 header 1024 2.628651\r\nd061ffec6721133c433386c96520bc55 .text 284160 5.999734\r\ncbbc6550dcbdcaf012bdbf758a377779 .rdata 38912 5.789426\r\nc83bcaab05056d5b84fc609f41eed210 .data 7680 3.105496\r\nb9fc36206883aa1902566b5d01c27473 .pdata 8704 5.319307\r\n1c1d46056b4cb4627a5f92112b7e09f7 .rsrc 4096 5.608168\r\n3baedaa3d6b6d6dc9fb0ec4f5c3b007c .reloc 2048 2.331154\r\nRelationships\r\n4a74a9fd40... Connected_To 21.252.107.198\r\n4a74a9fd40... Connected_To 70.224.36.194\r\n4a74a9fd40... Connected_To 113.114.117.122\r\n4a74a9fd40... Connected_To 47.206.4.145\r\n4a74a9fd40... Connected_To 84.49.242.125\r\n4a74a9fd40... Connected_To 26.165.218.44\r\n4a74a9fd40... Connected_To 137.139.135.151\r\n4a74a9fd40... Connected_To 97.90.44.200\r\n4a74a9fd40... Connected_To 128.200.115.228\r\n4a74a9fd40... Connected_To 186.169.2.237\r\nDescription\r\nThis artifact is a malicious 64bit Windows dynamic library called 'Vote_Controller.dll'. 
The file shares similar functionality\r\nwith 'rdpproto.dll' above, and attempts to connect to the same ten IP addresses.\r\n42682D4A78FE5C2EDA988185A344637D also contains the same public SSL certificate as many of the artifacts above.\r\nThe file contains the following notable strings (these version-resource values, including the vendor name, appear to be fabricated and are useful for hunting across the sample set):\r\n---Begin Notable Strings---\r\nCompanyName\r\nKamsky Co, .Ltd\r\nFileDescription\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 35 of 66\n\nVote_Controller\r\nFileVersion\r\n49, 0, 0, 0\r\nInternalName\r\nMDL_170329_x86_V06Lv3\r\nLegalCopyright\r\nCopyright\r\n2017\r\nLegalTrademarks\r\nOriginalFileName\r\nVote_Controller\r\nPrivateBuild\r\nProductName\r\nKamsky ColdFear\r\nProductVersion\r\n17, 0, 0, 0\r\n---End Notable Strings---\r\n83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a\r\nTags\r\ntrojan\r\nDetails\r\nName 3021B9EF74C7BDDF59656A035F94FD08\r\nName 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a\r\nSize 245760 bytes\r\nType PE32+ executable (DLL) (console) x86-64, for MS Windows\r\nMD5 3021b9ef74c7bddf59656a035f94fd08\r\nSHA1 05ad5f346d0282e43360965373eb2a8d39735137\r\nSHA256 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a\r\nSHA512 f8fcc5ed34b7bf144fc708d01d9685f0cb2e678c173d014987d6ecbf4a7c3ed539452819237173a2ab14609a913cf46c3bd618cffe7b5990c6\r\nssdeep 6144:4+ZmN/ix9bd+Rvze6lxjWV346vze6lpjWV34Evze6lSjWV34avze6lkjWV34z5FT:4+ZmN/ix9b8Rvze6lxjWV346vze6lpjn\r\nEntropy 5.933390\r\nAntivirus\r\nAhnlab Trojan/Win64.Hoplight\r\nAntiy Trojan/Win32.Hoplight\r\nAvira TR/AD.APTLazerus.ltfzr\r\nBitDefender Trojan.Agent.DVDE\r\nCyren W64/Trojan.KDWH-2913\r\nESET a variant of Win64/NukeSped.BW trojan\r\nEmsisoft Trojan.Agent.DVDE (B)\r\nIkarus Trojan.Agent\r\nK7 Riskware ( 0040eff71 )\r\nMcAfee Generic Trojan.jp\r\nMicrosoft Security Essentials Trojan:Win64/Hoplight\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 36 of 66\n\nQuick Heal Trojan.Generic\r\nSophos Troj/Hoplight-C\r\nSymantec 
Trojan.Hoplight\r\nTrendMicro Trojan.A7CCF529\r\nTrendMicro House Call Trojan.A7CCF529\r\nVirusBlokAda Trojan.Win64.Hoplight\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nDescription = \"Detects polarSSL certificates\" strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-05-16 02:44:21-04:00\r\nImport Hash ca767ccbffbed559cbe77c923e3af1f8\r\nCompany Name Kamsky Co,.Ltd\r\nFile Description Vote_Controller\r\nInternal Name MDL_170329_x86_V06Lv3\r\nLegal Copyright Copyright \\u24d2 2017\r\nOriginal Filename Vote_Controller\r\nProduct Name Kamsky ColdFear\r\nProduct Version 17, 0, 0, 0\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n83ec15e3cf335f784144db4208b328c9 header 1024 2.790421\r\n036c57e89ea3a6afa819c242c5816b70 .text 206848 5.688491\r\n4812d2f39e9a8ae569370d423ba31344 .rdata 26112 6.000116\r\ncb41e8f63b7c22c401a0634cb4fe1909 .data 2048 4.748331\r\n3cc7651747904bfe94ed18f44354a706 .pdata 5120 4.962073\r\n9e92c54604ea67e76210c3c914e9608c .rsrc 4096 5.606351\r\n71dcfb1ec7257ee58dcc20cafb0be691 .reloc 512 0.673424\r\nRelationships\r\n83228075a6... Connected_To 112.175.92.57\r\nDescription\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 37 of 66\n\nThis artifact is 64bit Windows dynamic library file which shares many of the same characteristics and name\r\n(Vote_Controller.dll) as 42682D4A78FE5C2EDA988185A344637D above.\r\nWhen this library is loaded it will look for the file 'udbcgiut.dat' in C:\\WINDOWS. 
If 'udbcgiut.dat' is not found, the file will\r\nattempt connections to the same ten IP addresses described under 'rdpproto.dll' above. (The check on 'udbcgiut.dat' thus gates the beaconing, and the file name is itself a useful host-based indicator.)\r\nOne notable difference with this variant is that it uses the Windows Management Instrumentation (WMI) provider host to\r\nrecompile Managed Object Format (MOF) files into the WMI repository. At runtime, the malware will enumerate the\r\ndrivers registered in the registry at HKLM\\Software\\WBEM\\WDM.\r\nThese files are then recompiled by invoking wmiprvse.exe (started via svchost.exe):\r\n\"C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding\".\r\nMOF files use a declarative, C-like syntax (the WMI event filters they can define are written in WQL, a SQL-like query language); once compiled into the WMI repository, the event subscriptions they define are executed by the operating system when a predetermined event\r\ntakes place. Recent malware variants have been observed modifying MOF content referenced from the system registry to run specific\r\ncommands and establish persistence on the system. Defenders should therefore monitor for unexpected WMI repository recompilation (wmiprvse.exe or mofcomp.exe activity) and for newly created WMI event filters, event consumers and filter-to-consumer bindings.\r\nOf note, the paravirtual SCSI driver for VMware Tools is also registered in HKLM\\Software\\WBEM\\WDM within a virtual\r\nimage. When this driver's MOF data is recompiled by the malware, VMware Tools no longer works. 
It cannot be determined if this is an\r\nintentional characteristic of the malware to hinder analysis, or simply a symptom of the method used to establish persistence.\r\n70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\nTags\r\ntrojan\r\nDetails\r\nName 61E3571B8D9B2E9CCFADC3DDE10FB6E1\r\nSize 258052 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 61e3571b8d9b2e9ccfadc3dde10fb6e1\r\nSHA1 55daa1fca210ebf66b1a1d2db1aa3373b06da680\r\nSHA256 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\nSHA512 235f7b920f54c4d316386cbf6cc14db1929029e8053270e730be15acc8e9f333231d2d984681bea26013a1d1cf4670528ba0989337be13ad4\r\nssdeep 6144:d71TKN7LBHvS+bujAfrsxwkm1Ka5l7gTtJUGx:dxKHPuj8WR0K6VgTtZx\r\nEntropy 7.829590\r\nAntivirus\r\nAhnlab Trojan/Win32.Hoplight\r\nAntiy Trojan/Win32.NukeSped\r\nAvira TR/NukeSped.oppme\r\nBitDefender Dropped:Trojan.Generic.22954895\r\nEmsisoft Dropped:Trojan.Generic.22954895 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 005329311 )\r\nMcAfee Trojan-Hoplight\r\nMicrosoft Security Essentials Trojan:Win32/Nukesped.PA!MTB\r\nNANOAV Trojan.Win32.NukeSped.fpblwf\r\nNetGate Trojan.Win32.Malware\r\nQuick Heal Trojan.Generic\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 38 of 66\n\nSophos Troj/Hoplight-C\r\nSymantec Trojan.Gen.MBT\r\nTrendMicro Trojan.55DEE3DA\r\nTrendMicro House Call Trojan.55DEE3DA\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule crypt_constants_2 { meta: Author = \"CISA trusted 3rd party\" Incident =\r\n\"10135536\" Date = \"2018-04-19\" Category = \"Hidden_Cobra\" Family = \"n/a\"\r\nDescription = \"n/a\" strings: $ = {efcdab90} $ = {558426fe} $ = {7856b4c2}\r\ncondition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of\r\nthem }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2016-08-23 00:19:59-04:00\r\nImport Hash 8e253f83371d82907ff72f57257e3810\r\nPE Sections\r\nMD5 Name Raw Size 
Entropy\r\n84f39a6860555231d60a55c72d07bc5e header 4096 0.586304\r\n649c24790b60bda1cf2a85516bfc7fa0 .text 24576 5.983290\r\nfbd6ca444ef8c0667aed75820cc99dce .rdata 4096 3.520964\r\n0ecb4bcb0a1ef1bf8ea4157fabdd7357 .data 4096 3.988157\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n70034b33f5... Dropped cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f\r\n70034b33f5... Dropped 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\n70034b33f5... Dropped 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7\r\n70034b33f5... Connected_To 81.94.192.147\r\n70034b33f5... Connected_To 112.175.92.57\r\n70034b33f5... Connected_To 181.39.135.126\r\n70034b33f5... Connected_To 197.211.212.59\r\n70034b33f5... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\nDescription\r\nThis artifact is a malicious PE32 executable. When executed, the artifact sets up the service, 'Network UDP Trace\r\nManagement Service'.\r\nTo set up the service, the program drops a dynamic library, 'UDPTrcSvc.dll' into the %System32% directory.\r\nNext, the following registry keys are added. Reading the values: Type 20 (0x20, SERVICE_WIN32_SHARE_PROCESS) makes this an svchost-hosted service, Start 02 (SERVICE_AUTO_START) starts it automatically at boot, and ObjectName 'LocalSystem' runs it with SYSTEM privileges. The ServiceDll value as listed repeats the svchost command line; for an svchost-hosted service this value would normally hold the path of the hosted DLL (here 'UDPTrcSvc.dll' in System32), so it may be a transcription error and should be verified on an infected host. The non-standard svchost group 'mdnetuse' registered under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost is a strong persistence indicator in its own right:\r\n---Begin Registry Keys---\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 39 of 66\n\nHKLM\\SYSTEM\\CurrentControlSet\\services\\UDPTrcSvc Name: Type Value: 20\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\UDPTrcSvc Name: Start Value: 02\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\UDPTrcSvc Name: ImagePath Value:\r\n\"%SystemRoot%\\System32\\svchost.exe -k mdnetuse\"\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\UDPTrcSvc Name: DisplayName Value: \"Network UDP Trace Management\r\nService\"\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\UDPTrcSvc Name: ObjectName Value: \"LocalSystem\"\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\UDPTrcSvc\\Parameters Name: ServiceDll Value:\r\n\"%SystemRoot%\\System32\\svchost.exe -k mdnetuse\"\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\\mdnetuse\r\n---End Registry 
Keys---\r\nThe service is started by invoking svchost.exe.\r\nAfter writing 'UDPTrcSvc.dll' to disk, the program drops two additional files. Similar to\r\n5C3898AC7670DA30CF0B22075F3E8ED6 above, the program writes the file 'udbcgiut.dat' to the victim's profile at\r\n%AppData/Local/Temp%. A second file is written to the victim's profile in the %AppData/Local/VirtualStore/Windows%\r\ndirectory and identified as 'MSDFMAPI.INI'. 'MSDFMAPI.INI' is also written to C:\\WINDOWS. (A copy under VirtualStore is typically the result of UAC file virtualization redirecting a write to C:\\WINDOWS from a non-elevated 32-bit process, so which copy exists on a victim host may depend on the privileges the dropper ran with.) More information on the\r\ncontent of these files is below.\r\n61E3571B8D9B2E9CCFADC3DDE10FB6E1 attempts the same outbound connections as\r\n5C3898AC7670DA30CF0B22075F3E8ED6, however the file does not contain any of the public SSL certificates referenced\r\nabove.\r\ncd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f\r\nTags\r\nbackdoortrojan\r\nDetails\r\nName UDPTrcSvc.dll\r\nSize 221184 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 0893e206274cb98189d51a284c2a8c83\r\nSHA1 d1f4cf4250e7ba186c1d0c6d8876f5a644f457a4\r\nSHA256 cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f\r\nSHA512 8042356ff8dc69fa84f2de10a4c34685c3ffa798d5520382d4fbcdcb43ae17e403a208be9891cca6cf2bc297f767229a57f746ca834f6b79056\r\nssdeep 3072:WsyjTzEvLFOL8AqCiueLt1VFu9+zcSywy0mcj90nSJ5NatCmtWwNQLK:W/zEvLFOLdq9uebdSwHN9n5wtkwNwK\r\nEntropy 6.359677\r\nAntivirus\r\nAhnlab Backdoor/Win32.Akdoor\r\nAntiy Trojan/Win32.AGeneric\r\nAvira TR/NukeSped.davct\r\nBitDefender Trojan.Generic.22954895\r\nESET Win32/NukeSped.AI trojan\r\nEmsisoft Trojan.Generic.22954895 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 005329311 )\r\nMcAfee Trojan-Hoplight\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 40 of 66\n\nMicrosoft Security Essentials Trojan:Win32/Hoplight\r\nNANOAV Trojan.Win32.NukeSped.fcodob\r\nQuick Heal Trojan.Hoplight\r\nSophos Troj/Hoplight-C\r\nSymantec Trojan.Gen.MBT\r\nSystweak malware.gen-ra\r\nTrendMicro Trojan.CCD7B260\r\nTrendMicro House 
Call Trojan.CCD7B260\r\nVirusBlokAda Trojan.Tiggre\r\nZillya! Trojan.NukeSped.Win32.73\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nDescription = \"Detects polarSSL certificates\" strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2016-08-23 00:23:04-04:00\r\nImport Hash 30d3466536de2b423897a3c8992ef999\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nd37b95aa17fa132415b37ec777f439ff header 4096 0.709908\r\nbadbc93c35554aec904ab0c34f05fbe0 .text 180224 6.295472\r\n64f7a9cafdad34003aba4547bba0e25b .rdata 16384 6.372911\r\nc792eb0c57577f4f3649775cbf32b253 .data 12288 3.996008\r\n8791f715ae89ffe2c7d832c1be821edc .reloc 8192 5.154376\r\nRelationships\r\ncd5ff67ff7... Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\nDescription\r\nThis artifact is a malicious 32bit Windows dynamic library. 'UDPTrcSvc.dll' is identified as the 'Network UDP Trace\r\nManagement Service'. The following description is provided:\r\n---Begin Service Description---\r\nNetwork UDP Trace Management Service Hosts TourSvc Tracing. If this service is stopped, notifications of network trace\r\nwill no longer function and there might not be access to service functions. 
If this service is disabled, notifications of and\r\nmonitoring to network state will no longer function.\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 41 of 66\n\n---End Service Description---\r\nThe service is invoked with the command, 'C:\\Windows\\System32\\svchost.exe -k mdnetuse'.\r\nWhen the service is run, a modification to the host firewall is attempted using the legacy 'netsh firewall' context: 'cmd.exe /c netsh firewall add portopening TCP 0\r\n\"adp\"'. A cmd.exe/netsh.exe process tree spawned from an svchost-hosted service is itself a high-fidelity detection opportunity, as is the resulting firewall exception named \"adp\".\r\nUnlike many of the files listed above that embed a public certificate from naver.com, 'UDPTrcSvc.dll' embeds a public SSL\r\ncertificate from google.com. (These are publicly available server certificates, presumably reused so that the fake TLS handshake resembles a legitimate session; their presence does not indicate that the named organisations were compromised.)\r\n96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7\r\nTags\r\ntrojan\r\nDetails\r\nName MSDFMAPI.INI\r\nSize 2 bytes\r\nType data\r\nMD5 c4103f122d27677c9db144cae1394a66\r\nSHA1 1489f923c4dca729178b3e3233458550d8dddf29\r\nSHA256 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7\r\nSHA512 5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78\r\nssdeep 3::\r\nEntropy 0.000000\r\nAntivirus\r\nNetGate Trojan.Win32.Malware\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\n100 028f5531e8593ce6faf30dd5c5131abf1400fc4deb4d322f3f39578f14348be1\r\n100 132fde08d7f788dece120e98bf6c794bafb655959764798ead053b872d097638\r\n100 200608c94d52d33ff86b8f4db28451752eeae7c70062488f380f112e11b4350a\r\n100 2d07a41ae992770085117e9815300bfd0730745883e60b24aaad5e69dfc087ae\r\n100 3d1066ae1cd00d635b2131664a7d0d5483554901ed6aae9d627b697ecb02718e\r\n100 5309e677c79cffae49a65728c61b436d3cdc2a2bab4c81bf0038415f74a56880\r\n100 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479\r\nRelationships\r\n96a296d224... Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n96a296d224... Dropped_By 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\nDescription\r\n'MSDFMAPI.INI' is written to C:\\WINDOWS and to %UserProfile\\AppData\\Local\\VirtualStore\\Windows%. 
During\r\nanalysis, two NULL characters were written to the file. The purpose of the file has not been determined. Because the content is just two NULL bytes, the file's hashes are not specific to this malware (note the seven other files with 100% ssdeep matches above and the zero entropy); match on the file name and its two locations rather than on the hash values to avoid false positives.\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 42 of 66\n\nd77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39\r\nTags\r\ntrojan\r\nDetails\r\nName F8D26F2B8DD2AC4889597E1F2FD1F248\r\nName d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39\r\nSize 456241 bytes\r\nType data\r\nMD5 f8d26f2b8dd2ac4889597e1f2fd1f248\r\nSHA1 dd132f76a4aff9862923d6a10e54dca26f26b1b4\r\nSHA256 d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39\r\nSHA512 34f8d10ebcab6f10c5140e94cf858761e9fa2e075db971b8e49c7334e1d55237f844ed6cf8ce735e984203f58d6b5032813b55e29a59af4bfff\r\nssdeep 12288:MG31DF/ubokxmgF8JsVusikiWxdj3tIQLYe:NlI0UV0ou1kiWvm4Ye\r\nEntropy 7.999350\r\nAntivirus\r\nAhnlab BinImage/Agent\r\nAntiy Trojan/Win32.Casdet\r\nAvira TR/Agent.anrq\r\nBitDefender Trojan.Agent.DVDS\r\nCyren Trojan.GTWY-8\r\nEmsisoft Trojan.Agent.DVDS (B)\r\nIkarus Trojan.Agent\r\nMcAfee Trojan-Hoplight.b\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis artifact contains a public SSL certificate from naver.com, similar to many of the files above. The remainder of the\r\nfile has near-maximal entropy (7.9994), consistent with encrypted or compressed content; the payload appears to be encoded with a password or key. 
No context was provided with the file's submission.\r\nb9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101\r\nTags\r\ntrojan\r\nDetails\r\nName 2A791769AA73AC757F210F8546125B57\r\nSize 110592 bytes\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 43 of 66\n\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 2a791769aa73ac757f210f8546125b57\r\nSHA1 269f1cc44f6b323118612bde998d17e5bfbf555e\r\nSHA256 b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101\r\nSHA512 1e88edf97f62282323928a304762864d69e0e5a1b98c7824cf7ee8af92a5a7d17586e30165c6b6ec4b64ea64dd97d6f2b3a3ef880debc8c6ea\r\nssdeep 1536:BdQGY/Ni+mo06N1homALeoYbrAUD7Qum5T9Xlxgj5MX7jbthYWL3:DQGYFFzxAgoYbrAOQum5TsgjbHP\r\nEntropy 6.406443\r\nAntivirus\r\nAhnlab Trojan/Win32.Akdoor\r\nAntiy Trojan/Win32.Autophyte\r\nAvira TR/AD.APTLazerus.zobau\r\nBitDefender Gen:Variant.Graftor.487501\r\nCyren W32/Trojan.BCDT-8700\r\nESET a variant of Win32/NukeSped.AU trojan\r\nEmsisoft Gen:Variant.Graftor.487501 (B)\r\nHuorong Trojan/NukeSped.a\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 0052cf421 )\r\nMcAfee Trojan-HidCobra\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.E!dha\r\nNANOAV Trojan.Win32.NukeSped.fyoobu\r\nQuick Heal Trojan.Generic\r\nSophos Troj/NukeSpe-G\r\nSymantec Trojan Horse\r\nTrendMicro BKDR_HO.9D36C86C\r\nTrendMicro House Call BKDR_HO.9D36C86C\r\nVirusBlokAda BScope.Trojan.Autophyte\r\nZillya! 
Trojan.NukeSped.Win32.158\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nDescription = \"Detects polarSSL certificates\" strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 44 of 66\n\nCompile Date 2017-08-11 01:03:45-04:00\r\nImport Hash e56949fef3294200cb30be8009694a42\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n3d755df7f28ddb5a661a68637cfdf23e header 4096 0.647583\r\n8f28409d19efb02746f0cc7f186ac3e3 .text 86016 6.553916\r\n03ec21be9a3702ad9b6a107a387c2be1 .rdata 16384 5.844150\r\ncecd220a4af1182a425b07c4547fd1e6 .data 4096 2.638490\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ v6.0\r\nRelationships\r\nb9a26a5692... Connected_To 117.239.241.2\r\nb9a26a5692... Connected_To 195.158.234.60\r\nb9a26a5692... Connected_To 218.255.24.226\r\nDescription\r\nThis artifact is a malicious PE32 executable with similar characteristics of those described in\r\n23E27E5482E3F55BF828DAB885569033 above.\r\nWhen the malware runs it checks a config file to determine where it should beacon back to. 
If the config file has not been\r\nmodified the malware will beacon back to the following hard-coded IPs (where an operator-supplied config file is present, the live C2 addresses may differ from this list):\r\n--Begin IP List--\r\n117.239.241.2\r\n218.255.24.226\r\n195.158.234.60\r\n--End IP List--\r\nThe client sets the TLS ClientHello server name (SNI) to uk.yahoo.com instead of naver.com. A TLS session whose SNI names a major web property but whose destination address does not belong to that property is a practical network detection opportunity for this family.\r\n117.239.241.2\r\nRelationships\r\n117.239.241.2 Connected_From b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101\r\n218.255.24.226\r\nRelationships\r\n218.255.24.226 Connected_From b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101\r\n195.158.234.60\r\nRelationships\r\n195.158.234.60 Connected_From b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101\r\n1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 45 of 66\n\nTags\r\ntrojan\r\nDetails\r\nName 07D2B057D2385A4CDF413E8D342305DF\r\nSize 2608223 bytes\r\nType PE32+ executable (GUI) x86-64, for MS Windows\r\nMD5 07d2b057d2385a4cdf413e8d342305df\r\nSHA1 1991e7797b2e97179b7604497f7f6c39eba2229b\r\nSHA256 1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676\r\nSHA512 fa2535b08c43c0dae210c12c4a5445925723d50f8828e0d0b89ec70d08aaa2f1d222eea9fd4be40c46c9024b3ed9bfe33e16724496c1c4f90e\r\nssdeep 49152:2sn+T/ymkSsvc1vb+oNEOaPmztSWNz25hqhbR5C7kcaFZweRrjxQTgZdy:2sck5ojp+Ef25al5CyjwSJQMzy\r\nEntropy 7.981828\r\nAntivirus\r\nAhnlab Trojan/Win32.Akdoor\r\nAntiy Trojan/Win64.NukeSped\r\nAvira TR/NukeSped.cgnux\r\nBitDefender Trojan.GenericKD.41793016\r\nCyren W64/Trojan.DUQO-0431\r\nESET a variant of Win64/NukeSped.AH trojan\r\nEmsisoft Trojan.GenericKD.41793016 (B)\r\nIkarus Trojan.Win64.Nukesped\r\nK7 Trojan ( 00545d8d1 )\r\nMcAfee Trojan-HidCobra.a\r\nMicrosoft Security Essentials Trojan:Win32/Casdet!rfn\r\nNANOAV Trojan.Win64.NukeSped.gayjsq\r\nQuick Heal Trojan.Casdet\r\nSophos Troj/NukeSpe-H\r\nSymantec Trojan.Hoplight\r\nTACHYON Trojan/W64.Agent.2608223\r\nTrendMicro TSPY_KI.58F058EF\r\nTrendMicro House Call 
TSPY_KI.58F058EF\r\nVirusBlokAda Trojan.Agent\r\nZillya! Trojan.Agent.Win32.1135323\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 46 of 66\n\nPE Metadata\r\nCompile Date 2018-02-12 15:06:28-05:00\r\nImport Hash 347c977c6137a340c7cc0fcd5b224aef\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n28fc69ad12a0765af4cc06fbd261cb24 header 1024 2.672166\r\n88425c71e7e293d43db9868e4693b365 .text 89088 6.415516\r\nbb0048e4f3851ea07b365828ddf613f7 .rdata 26624 4.912250\r\n50e3efe1a6ea325c87f8e86e2fbd40b4 .data 5632 2.093641\r\nf56a65eb9562d6c6d607f867d1d0fd09 .pdata 4608 4.725531\r\n6a9a84d523e53e1d43c31b2cc069930c .rsrc 1536 4.308150\r\ndab5e290c15de9634d93d8f592a44633 .reloc 1536 2.912599\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 8.0 (DLL)\r\nDescription\r\nThis artifact is a malicious 64bit Windows dynamic library. (Note that the file-type line above identifies the sample as a PE32+ executable (GUI) rather than a DLL, while the compiler identification says DLL; confirm the file type before relying on this description.) When run, the malware drops a Themida-packed DLL; the sample's high overall entropy (7.98) is consistent with that embedded packed payload. This DLL\r\nruns and drops another DLL that acts as the remote administration tool (RAT). This RAT is very similar to version 2 in op codes and\r\nfunctionality; however, it uses real TLS instead of the LFSR encryption. 
Additionally, it encodes its data with XOR 0x47 followed by\r\nSUB 0x28 prior to TLS encryption. Because this variant uses genuine TLS, network signatures keyed on the FakeTLS/PolarSSL handshake of the other samples are unlikely to match its traffic, and the XOR/SUB encoding is applied to the plaintext only, so it is not observable on the wire.\r\n73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33\r\nTags\r\ntrojan\r\nDetails\r\nName 3EDCE4D49A2F31B8BA9BAD0B8EF54963\r\nSize 147456 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 3edce4d49a2f31b8ba9bad0b8ef54963\r\nSHA1 1209582451283c46f29a5185f451aa3c989723c9\r\nSHA256 73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33\r\nSHA512 0d3de1758b44597ccc4dad46a9b42626237da425a41b8833bf7549a3c809bd7432ce938cd8757b362e2268bead45a0b212c96cc881737cf0\r\nssdeep 3072:bQGYFFzsaXlvJdbx9NAzDZWaNoh05WKRYW7IWwh7:bSFhLlh9N8DZWaNoG5W8VIWC\r\nEntropy 6.605430\r\nAntivirus\r\nAhnlab Trojan/Win32.Akdoor\r\nAntiy Trojan/Win32.Autophyte\r\nAvira TR/AD.APTLazerus.jtxjg\r\nBitDefender Gen:Variant.Zusy.290462\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 47 of 66\n\nCyren W32/Trojan.DXJJ-0934\r\nESET a variant of Win32/NukeSped.AU trojan\r\nEmsisoft Gen:Variant.Zusy.290462 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 0052cf421 )\r\nMcAfee Trojan-HidCobra\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.E!dha\r\nNetGate Trojan.Win32.Malware\r\nQuick Heal Trojan.Generic\r\nSophos Troj/NukeSpe-I\r\nSymantec Trojan.Hoplight\r\nTrendMicro BKDR_HO.9D36C86C\r\nTrendMicro House Call BKDR_HO.9D36C86C\r\nVirusBlokAda Trojan.Autophyte\r\nZillya! 
Trojan.NukeSped.Win32.154\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nDescription = \"Detects polarSSL certificates\" strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-07-11 14:26:59-04:00\r\nImport Hash cf3e2269004b18054d77ec54601edfd1\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nf31fc1b632aa011a29b506385890b3bb header 4096 0.703326\r\n0b401c68fa1a8f024f25189b31fd8caf .text 118784 6.634510\r\n78ad5231f5184af8093a2f31ef1f9952 .rdata 16384 6.126224\r\n8c48fdefd1785500380702796882a0b6 .data 4096 3.860135\r\ne6b0be8044e573ca9fc84de173a7ca3d .reloc 4096 5.404736\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 6.0 DLL\r\nDescription\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 48 of 66\n\nThis artifact is a malicious PE32 executable with similar characteristics of those described in\r\n23E27E5482E3F55BF828DAB885569033 above.\r\nThis file is dropped by a different binary into System32 and then run as a service. When the malware runs it checks a config\r\nfile to determine where it should beacon back to. 
If the config file has not been modified the malware will beacon back to\r\nthe following hard-coded IPs:\r\n--Begin IP List--\r\n192.168.1.2\r\n--End IP List--\r\nNote that 192.168.1.2 is a private (RFC 1918) address that is not routable on the Internet; it is most likely a placeholder or test value, so it should not be used as a network indicator, and the real C2 address for a deployed copy of this sample would be supplied through the config file.\r\nThe client sets the TLS ClientHello server name (SNI) to uk.yahoo.com instead of naver.com; a TLS session whose SNI names a major web property but whose destination address does not belong to that property is a practical network detection opportunity.\r\n084b21bc32ee19af98f85aee8204a148032ce7eabef668481b919195dd62b319\r\nTags\r\ntrojan\r\nDetails\r\nName 170A55F7C0448F1741E60B01DCEC9CFB\r\nSize 197632 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 170a55f7c0448f1741e60b01dcec9cfb\r\nSHA1 b6b84783816cca123adbc18e78d3b847f04f1d32\r\nSHA256 084b21bc32ee19af98f85aee8204a148032ce7eabef668481b919195dd62b319\r\nSHA512 a014cf5772ed993951dc62026e3acef174c424e47fd56583a1563c692ac3ed2ae5e1d51d34974ed04db11824dc9c76290297244e28e5d848c\r\nssdeep 6144:XT1NVhDJSUaZcdHItR3SG88+Tlm5T7BRWj:xx9tuVSe+Tlm5Tt\r\nEntropy 6.262340\r\nAntivirus\r\nAhnlab Trojan/Win32.Akdoor\r\nAntiy Trojan/Win32.Casdet\r\nAvira TR/AD.APTLazerus.dsenk\r\nBitDefender Trojan.GenericKD.32643407\r\nCyren W64/Trojan3.AOLF\r\nESET a variant of Win32/NukeSped.AU trojan\r\nEmsisoft Trojan.GenericKD.32643407 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 005233111 )\r\nMcAfee Trojan-HidCobra\r\nMicrosoft Security Essentials Trojan:Win32/Casdet!rfn\r\nNANOAV Trojan.Win64.NukeSped.fzpbxb\r\nQuick Heal Trojan.Multi\r\nSophos Troj/NukeSpe-G\r\nSymantec Trojan.Hoplight\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 49 of 66\n\nTrendMicro TROJ64_.655BEC93\r\nTrendMicro House Call TROJ64_.655BEC93\r\nVirusBlokAda Trojan.Agent\r\nZillya! 
Trojan.Agent.Win32.1134660\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nDescription = \"Detects polarSSL certificates\" strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-05-03 22:40:47-04:00\r\nImport Hash 0675d7e21ce264449360c0b797c279e7\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n48a2d611f70a4718084857fa2f732b21 header 1024 2.780205\r\naaf67ea89d12bea95c148274c71ebac5 .text 44544 6.440744\r\n91171a72af025ca7098ba6c94ecbb2a0 .rdata 25600 3.935800\r\nfc2a61b6f1b29162f93fad1660c4b8af .data 120320 6.379891\r\n114b795f9c567e0a81a04cec6ae1a0b4 .pdata 2560 4.287495\r\n17c80d03f2f5729407ec55eca7e1f5b2 .rsrc 2048 2.948558\r\nc9243c94e36bc012d7d5eb0a3f588dfb .reloc 1536 5.079827\r\nDescription\r\nThis artifact is a malicious 64bit Windows dynamic library. The DLL can be run using the DoStart export. 
This export calls\r\nwrite file to load the actual implant into a file \"C:\\windows\\msncone.exe\" and then calls Win Exec to execute the implant.\r\nc66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8\r\nTags\r\ntrojan\r\nDetails\r\nName E4ED26D5E2A84CC5E48D285E4EA898C0\r\nSize 157696 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 e4ed26d5e2a84cc5e48d285e4ea898c0\r\nSHA1 c3d28d8e49a24a0c7082053d22597be9b58302b1\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 50 of 66\n\nSHA256 c66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8\r\nSHA512 0c0b8fa4e83036b9dbe88b193e93b412c47eee8c6f4b04f04082288d7dce0f0d687e7581e624145bd357e5ad70584b9ab4d9f5a950afe8389\r\nssdeep 3072:MzviXzovLFOLUAqWilvLc1V2n9+zEty7+LEfq0Mg3ewPWTc:Mzv+zovLFOLFqhlvlQz7ZqueweT\r\nEntropy 6.446363\r\nAntivirus\r\nAhnlab Trojan/Win32.Crypt\r\nAntiy Trojan/Win32.Casdet\r\nAvira TR/AD.APTLazerus.tmifd\r\nBitDefender Trojan.GenericKD.32416111\r\nCyren W32/Trojan.GVKT-3327\r\nESET a variant of Win32/NukeSped.AU trojan\r\nEmsisoft Trojan.GenericKD.32416111 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 0052cf421 )\r\nMcAfee Trojan-HidCobra\r\nMicrosoft Security Essentials Trojan:Win32/Nukesped.PA!MTB\r\nNANOAV Trojan.Win32.NukeSped.fzlqhl\r\nNetGate Trojan.Win32.Malware\r\nQuick Heal Trojan.Generic\r\nSophos Troj/NukeSpe-E\r\nSymantec Trojan.Hoplight\r\nTrendMicro TROJ_FR.D1E707E2\r\nTrendMicro House Call TROJ_FR.D1E707E2\r\nVir.IT eXplorer Trojan.Win32.Genus.BRN\r\nVirusBlokAda Trojan.Casdet\r\nZillya! 
Trojan.NukeSped.Win32.153\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nDescription = \"Detects polarSSL certificates\" strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-10-23 16:44:37-04:00\r\nImport Hash 861401f76d1251e0d08a8ade1a5ed38c\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 51 of 66\n\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n0aa18a6525a2203ee52f6df5f9622dcb header 1024 2.637312\r\n33e3584e4c52c24e16fc108224a3f6a3 .text 132608 6.153434\r\n8a43450710359fae49269f1217924cf5 .rdata 16896 6.299497\r\nb0c95d35585e130bea58057c11e9d53b .data 3584 5.455587\r\n3a4fdc31bb49b29d6f19b94641d14ee8 .rsrc 512 5.112624\r\nf74e21bd34aa3a05131ae77f0b48c2b2 .reloc 3072 5.875833\r\nPackers/Compilers/Cryptors\r\nDescription\r\nThis artifact is a malicious PE32 executable that is an add-on tool for other Hoplight implants.\r\nWhen malware is run it opens a log file C:\\WINDOWS\\Temp\\ndb.dat that is used for the remainder of the program to log all\r\nactivity.\r\nThe malware runs with an IP as an argument. It sends out a beacon to this IP and connects to it using the same\r\nFakeTLS/PolarSSL protocol as the other samples. After a successful connection to a C2, it uses a named pipe called\r\n\\\\\\\\.\\\\pipe\\\\AnonymousPipe to connect to a running implant and sends tasking to the running implant. 
The implant returns the\r\nresults of these taskings over the named pipe and the malware sends the results back to the C2.\r\nfe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5\r\nTags\r\ntrojan\r\nDetails\r\nName F315BE41D9765D69AD60F0B4D29E4300\r\nSize 147456 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 f315be41d9765d69ad60f0b4d29e4300\r\nSHA1 f60c2bd78436a14e35a7e85feccb319d3cc040eb\r\nSHA256 fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5\r\nSHA512 bc8f821b4989076e441fbe5668cee0a388adcc375fac4a553f4c27423cd61c4500739820033b32f4197820ddf34decf1a043c6d34619aa18e1\r\nssdeep 3072:pQWbIWSG5bzxbT33FiDZWTNArLioB4Gwhes:pR3SGtJ33YDZWTNMLiGah\r\nEntropy 6.477832\r\nAntivirus\r\nAhnlab Trojan/Win32.Agent\r\nAntiy Trojan/Win32.Autophyte\r\nAvira TR/AD.APTLazerus.ifaaj\r\nBitDefender Gen:Variant.Graftor.487501\r\nCyren W32/Trojan.CTPG-1488\r\nESET a variant of Win32/NukeSped.AU trojan\r\nEmsisoft Gen:Variant.Graftor.487501 (B)\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 52 of 66\n\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 0052cf421 )\r\nMcAfee Trojan-HidCobra\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.E!dha\r\nNetGate Trojan.Win32.Malware\r\nQuick Heal Trojan.Generic\r\nSophos Troj/NukeSpe-D\r\nSymantec Trojan Horse\r\nTrendMicro BKDR_HO.9D36C86C\r\nTrendMicro House Call BKDR_HO.9D36C86C\r\nVirusBlokAda BScope.Trojan.Autophyte\r\nZillya! 
Trojan.NukeSped.Win32.161\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nDescription = \"Detects polarSSL certificates\" strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-08-21 12:39:06-04:00\r\nImport Hash 00c4520b07e61d244e7e7b942ebae39f\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n7991745d0f6ed295154f066bb53ccbc2 header 4096 0.767780\r\ncd39ffb10726106d9b85172804784b97 .text 114688 6.620841\r\n3ab93f20dc7859f5510efbf121790dd7 .rdata 16384 5.991690\r\n9fdf9be0cd049c58cb3718927458e69c .data 4096 3.880827\r\n330d3d9d2c3c1a342547cea468095f2a .rsrc 4096 1.138029\r\ncefd737bf48bc8375f92c8f7d9755e3a .reloc 4096 5.221555\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 6.0 DLL\r\nf8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03\r\nTags\r\ntrojan\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 53 of 66\n\nDetails\r\nName D2DA675A8ADFEF9D0C146154084FFF62\r\nSize 139264 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 d2da675a8adfef9d0c146154084fff62\r\nSHA1 c55d080ea24e542397bbbfa00edc6402ec1c902c\r\nSHA256 f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03\r\nSHA512 06f531e49154d59f684475da95693df1fccd50b505e6d3ca028c9d84fcfc79ef287704dd0b24b022bfac6ba9ee581d19f440773dd00cfcfecf0\r\nssdeep 3072:1QGYFFzYCGUXBk/hbpjYr9Lde0NPV1Y88PxbE:1SFhYaXBkjYJLde0Nd1Hqb\r\nEntropy 6.605300\r\nAntivirus\r\nAhnlab Trojan/Win32.Akdoor\r\nAntiy Trojan/Win32.Autophyte\r\nAvira TR/AD.APTLazerus.denpe\r\nBitDefender Gen:Variant.Graftor.487501\r\nCyren W32/Trojan.ATKI-5308\r\nESET a variant of 
Win32/NukeSped.AU trojan\r\nEmsisoft Gen:Variant.Graftor.487501 (B)\r\nHuorong Trojan/NukeSped.a\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 0052cf421 )\r\nMcAfee Trojan-FPIA!D2DA675A8ADF\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.E!dha\r\nNANOAV Trojan.Win32.NukeSped.fyopnf\r\nNetGate Trojan.Win32.Malware\r\nQuick Heal Trojan.Generic\r\nSophos Troj/NukeSpe-F\r\nSymantec Trojan Horse\r\nTrendMicro BKDR_HO.9D36C86C\r\nTrendMicro House Call BKDR_HO.9D36C86C\r\nVirusBlokAda BScope.Trojan.Autophyte\r\nZillya! Trojan.NukeSped.Win32.146\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nDescription = \"Detects polarSSL certificates\" strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 54 of 66\n\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-07-14 18:40:25-04:00\r\nImport Hash 86e90e40d8e53d1e5b06a22353734ed4\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nbf34ee8fcf71c0aa14531ae02d74f359 header 4096 0.647238\r\n66e2b83909b4d47d3e3d20ad44df1acc .text 114688 6.660284\r\nd20ad0b8b42883ae6eb4c89cfbbd893b .rdata 16384 6.057701\r\n5e1b09084dfc15dda52bdac606eaed3d .data 4096 3.824972\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ v6.0\r\nDescription\r\nThis artifact is a malicious PE32 executable with similar characteristics of those described in\r\n23E27E5482E3F55BF828DAB885569033 above.\r\nWhen the malware runs it checks a config file to determine where it should beacon back to. 
If the config file has not been\r\nmodified the malware will beacon back to the following hard coded IPs:\r\n--Begin IP List--\r\n10.10.30.130\r\n--End IP List--\r\nClient uses uk.yahoo.com for client hello server name instead of naver.com.\r\n32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11\r\nTags\r\ntrojan\r\nDetails\r\nName 38FC56965DCCD18F39F8A945F6EBC439\r\nSize 122880 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 38fc56965dccd18f39f8a945f6ebc439\r\nSHA1 50736517491396015afdf1239017b9abd16a3ce9\r\nSHA256 32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11\r\nSHA512 70a1568df0e97e8ab020f108e52ec861a0cdae936ac3340f1657565a8ac8a253179b4c451a79cb7c362fe60ff70be2694705110c67369c645e\r\nssdeep 1536:kSQWbe9BzK0xGtGVyDBWikDsD3bG0aII2Tm5TPb+5MI7jcg9YL23O:fQWbIWSG61UD3bGUI2Tm5TP2Njcmn+\r\nEntropy 6.236928\r\nAntivirus\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 55 of 66\n\nAhnlab Trojan/Win32.Crypt\r\nAntiy Trojan/Win32.AGeneric\r\nAvira TR/AD.APTLazerus.sogzc\r\nBitDefender Gen:Variant.Graftor.487501\r\nCyren W32/Trojan.ACES-2943\r\nESET a variant of Win32/NukeSped.AU trojan\r\nEmsisoft Gen:Variant.Graftor.487501 (B)\r\nHuorong Trojan/NukeSped.a\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 0052cf421 )\r\nMcAfee Trojan-FPIA!38FC56965DCC\r\nMicrosoft Security Essentials Trojan:Win32/Nukesped.PA!MTB\r\nNANOAV Trojan.Win32.HiddenCobra.fyqdsh\r\nNetGate Trojan.Win32.Malware\r\nQuick Heal Trojan.Generic\r\nSophos Troj/NukeSpe-F\r\nSymantec Trojan Horse\r\nTrendMicro BKDR_HO.9D36C86C\r\nTrendMicro House Call BKDR_HO.9D36C86C\r\nVirusBlokAda BScope.Trojan.Autophyte\r\nZillya! 
Trojan.NukeSped.Win32.149\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nDescription = \"Detects polarSSL certificates\" strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-12-12 12:58:45-05:00\r\nImport Hash 2054fd7bbbbcb62441ba2a21c156d403\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n39af78f4af9f093c2eb4765202eab41a header 4096 0.704943\r\n48f0a09061c556cbde93f864f2adb2e3 .text 94208 6.479768\r\n65fe1d182b2f7322719d142a81a901a8 .rdata 16384 5.812175\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 56 of 66\n\nMD5 Name Raw Size Entropy\r\n43cd1b0954c2785708b9e8da200242e9 .data 4096 2.465375\r\ncab878079ca8c3f53ed3e0d0414e3a3a .rsrc 4096 1.194369\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ v6.0\r\nDescription\r\nThis artifact is a malicious PE32 executable with similar characteristics of those described in\r\n23E27E5482E3F55BF828DAB885569033 above.\r\nWhen the malware runs it checks a config file to determine where it should beacon back to. If the config file has not been\r\nmodified the malware will beacon back to the following hard coded IPs:\r\n--Begin IP List--\r\n218.255.24.226\r\n--End IP List--\r\nClient uses www.bing.com. 
Microsoft.com, and facebook.com for client hello server name instead of naver.com.\r\n8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520\r\nTags\r\nbackdoortrojan\r\nDetails\r\nName 5C0C1B4C3B1CFD455AC05ACE994AED4B\r\nSize 348160 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 5c0c1b4c3b1cfd455ac05ace994aed4b\r\nSHA1 69cda1f1adeeed455b519f9cf188e7787b5efa07\r\nSHA256 8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520\r\nSHA512 084d2223934848594e23dbedab5064f98cd3d07d0783d4a7de66800a2a823daf73b0b044aea0ff9516538e6c478c8d18018c006c713e7e63b\r\nssdeep 6144:aR3SGkuDrOZm5Te5EXzO7h2ZMB6zJJ+KFvmjyFdzDs0dRb83hYnOQSzS7:aVSWrOZm5TeOjVMoJFFv+mdzDs+kYnOS\r\nEntropy 7.540376\r\nAntivirus\r\nAhnlab Backdoor/Win32.Akdoor\r\nAntiy Trojan/Win32.Autophyte\r\nAvira TR/AD.APTLazerus.itcpp\r\nBitDefender Gen:Variant.Graftor.487501\r\nCyren W32/Trojan.HLGX-3930\r\nESET a variant of Win32/NukeSped.AU trojan\r\nEmsisoft Gen:Variant.Graftor.487501 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 0052cf421 )\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 57 of 66\n\nMcAfee Trojan-HidCobra\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.E!dha\r\nNetGate Trojan.Win32.Malware\r\nQuick Heal Trojan.Generic\r\nSophos Troj/NukeSpe-I\r\nSymantec Trojan.Hoplight\r\nTrendMicro BKDR_HO.9D36C86C\r\nTrendMicro House Call BKDR_HO.9D36C86C\r\nVirusBlokAda Trojan.Autophyte\r\nZillya! 
Trojan.NukeSped.Win32.163\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nDescription = \"Detects polarSSL certificates\" strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-08-12 05:20:38-04:00\r\nImport Hash 3ca68e2a005e05e2c4831de87ae091c0\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n787ed8122e53d5ea17e3ece6d9fb7342 header 4096 0.782305\r\n83b06d297acb20b05505da2d09905abd .text 102400 6.523509\r\nb2e739b37837f1c2b941660711daf98f .rdata 16384 5.951907\r\ncd8aa1387168caeb4604401aedb143eb .data 4096 2.718596\r\n8840ce03428c311935a20ac968c10ce7 .rsrc 217088 7.888219\r\n2f0ede5fcdada29ec11ad8cd25c53f77 .reloc 4096 4.923777\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 6.0 DLL\r\nDescription\r\nThis artifact is a malicious PE32 executable with similar characteristics of those described in\r\n23E27E5482E3F55BF828DAB885569033 above.\r\nThis file is dropped by a different binary into System32 and then run as a service. When the malware runs it checks a config\r\nfile to determine where it should beacon back to. 
If the config file has not been modified the malware will beacon back to\r\nthe following hard coded IPs:\r\n--Begin IP List--\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 58 of 66\n\n81.94.192.147\r\n112.175.92.57\r\n181.39.135.126\r\n197.211.212.59\r\n--End IP List--\r\n0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571\r\nTags\r\ntrojan\r\nDetails\r\nName 34E56056E5741F33D823859E77235ED9\r\nSize 151552 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 34e56056e5741f33d823859e77235ed9\r\nSHA1 fcc2dcbac7d3cbcf749f6aab2f37cc4b62d0bb64\r\nSHA256 0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571\r\nSHA512 93ac57f0b9bf48e39870b88f918f9b6e33404c1667d5f98d0965736e9e001b18152530f1c3a843b91929d308f63739faf3de62077bbfb15503\r\nssdeep 3072:nQWbIWSGw0CkXbhM1Vsm5TJYwMrzPoXL8GnQj3y3:nR3SGQYM16m5TJDwPo7bUC3\r\nEntropy 6.652398\r\nAntivirus\r\nAhnlab Trojan/Win32.Agent\r\nAntiy Trojan/Win32.Autophyte\r\nAvira HEUR/AGEN.1023221\r\nBitDefender Gen:Variant.Graftor.487501\r\nCyren W32/Trojan.PGQL-0621\r\nESET a variant of Win32/NukeSped.AU trojan\r\nEmsisoft Gen:Variant.Graftor.487501 (B)\r\nHuorong Trojan/NukeSped.a\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 0052cf421 )\r\nMcAfee Trojan-FPIA!34E56056E574\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.E!dha\r\nNANOAV Trojan.Win32.NukeSped.fyqduv\r\nQuick Heal Trojan.Generic\r\nSophos Troj/NukeSpe-F\r\nSymantec Trojan Horse\r\nTrendMicro TROJ_FR.D0256DD5\r\nTrendMicro House Call TROJ_FR.D0256DD5\r\nVirusBlokAda BScope.Trojan.Autophyte\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 59 of 66\n\nZillya! 
Trojan.NukeSped.Win32.166\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nDescription = \"Detects polarSSL certificates\" strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-08-12 03:44:57-04:00\r\nImport Hash e93a06b89e75751a9ac2c094ca7da8b0\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\na45f9a7c2174752a1472fb634ba9d8c7 header 4096 0.715236\r\n2b9f5ce0725453a209a416ab7a13f3df .text 98304 6.576807\r\n03605ec3eefe3b70e118cea4b8655229 .rdata 16384 5.866137\r\n5ac0ab0641ec076e15dd1468e11c57cd .data 4096 2.680020\r\n58ede934084bbe73fa7f9e0d32c4fafb .rsrc 28672 7.045289\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ v6.0\r\nRelationships\r\n0608e41134... Connected_To 14.140.116.172\r\nDescription\r\nThis artifact is a malicious PE32 executable with similar characteristics of those described in\r\n23E27E5482E3F55BF828DAB885569033 above.\r\nWhen the malware runs it checks a config file to determine where it should beacon back to. 
If the config file has not been\r\nmodified the malware will beacon back to the following hard coded IPs:\r\n---Begin IP List---\r\n14.140.116.172\r\n---End IP List---\r\nClient uses uk.yahoo.com for client hello server name instead of naver.com.\r\n14.140.116.172\r\nRelationships\r\n14.140.116.172 Connected_From 0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571\r\nDescription\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 60 of 66\n\nThe file 34E56056E5741F33D823859E77235ED9 beacons to this hard coded IP.\r\nb05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9\r\nTags\r\ntrojan\r\nDetails\r\nName 2FF1688FE866EC2871169197F9D46936\r\nSize 229500 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 2ff1688fe866ec2871169197f9d46936\r\nSHA1 6dc37ff32ea70cbd0078f1881a351a0a4748d10e\r\nSHA256 b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9\r\nSHA512 91c3a6e84ca728ecc26d63b91a09f3081288c9b9592430035b9ea50ba7cf2d4b4ddba4711933d17013d3d06fcb8d70789a37ddfa5c741445e\r\nssdeep 6144:GANjUaXCXwz+vLFOLEq3VNwO9zyPqYNkHms:bNjxXgA9uPqR\r\nEntropy 6.385793\r\nAntivirus\r\nAhnlab Trojan/Win32.Agent\r\nAntiy Trojan/Win32.NukeSped\r\nAvira TR/AD.APTLazerus.oytdw\r\nBitDefender Trojan.GenericKD.32416090\r\nCyren W32/Trojan.GCCR-6631\r\nESET a variant of Win32/NukeSped.AI trojan\r\nEmsisoft Trojan.GenericKD.32416090 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 005329311 )\r\nMcAfee Trojan-HidCobra\r\nMicrosoft Security Essentials Trojan:Win32/Nukesped.PA!MTB\r\nNetGate Trojan.Win32.Malware\r\nQuick Heal Trojan.Generic\r\nSophos Troj/Inject-DZV\r\nSymantec Trojan.Gen.MBT\r\nTrendMicro BKDR_HO.9D36C86C\r\nTrendMicro House Call BKDR_HO.9D36C86C\r\nZillya! 
Trojan.NukeSped.Win32.160\r\nYara Rules\r\nhidden_cobra_consolidated.yara rule hoplight { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\"\r\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\"\r\nDescription = \"Detects polarSSL certificates\" strings: $polarSSL =\r\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 61 of 66\n\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\r\n0x4550) and ($polarSSL and all of ($p*)) }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-06-13 11:12:43-04:00\r\nImport Hash 8948765c0ef7c91beff2e97907c801d0\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\neb0f947605842ea84fea9d8d8382f056 header 4096 0.684814\r\nf9aa8191af45813b80031064403835f1 .text 192512 6.400854\r\nbbcbbf5f54deaee51d41d404973c30e4 .rdata 16384 6.228868\r\n8ea12cda731d50b93944d8534c11402c .data 12288 3.927662\r\n06d5d2729a367d565819e6867d8caea7 .rsrc 4096 3.317978\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ v6.0\r\nDescription\r\nThis artifact is a malicious PE32 executable with similar characteristics of those described in\r\n23E27E5482E3F55BF828DAB885569033 above.\r\nWhen the malware runs it checks a config file to determine where it should beacon back to. 
If the config file has not been\r\nmodified the malware will beacon back to the following hard coded IPs:\r\n---Begin IP List---\r\n210.137.6.37\r\n119.18.230.253\r\n221.138.17.152\r\n---End IP List---\r\nClient uses naver.com for client hello server name.\r\n119.18.230.253\r\nDescription\r\nThe file 2FF1688FE866EC2871169197F9D46936 beacons to this hard coded IP.\r\n210.137.6.37\r\nDescription\r\nThe file 2FF1688FE866EC2871169197F9D46936 beacons to this hard coded IP.\r\n221.138.17.152\r\nDescription\r\nThe file 2FF1688FE866EC2871169197F9D46936 beacons to this hard coded IP.\r\nRelationship Summary\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 62 of 66\n\n2151c1977b... Connected_To 81.94.192.147\r\n2151c1977b... Connected_To 112.175.92.57\r\n2151c1977b... Related_To 181.39.135.126\r\n2151c1977b... Related_To 197.211.212.59\r\n2151c1977b... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\n2151c1977b... Dropped 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7\r\n197.211.212.59 Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n197.211.212.59 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n197.211.212.59 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n181.39.135.126 Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n181.39.135.126 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n181.39.135.126 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n112.175.92.57 Connected_From 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n112.175.92.57 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n112.175.92.57 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n112.175.92.57 Connected_From 
83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a\r\n81.94.192.147 Connected_From 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n81.94.192.147 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n81.94.192.147 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n70902623c9... Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n70902623c9... Related_To ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n70902623c9... Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\n70902623c9... Related_To 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n70902623c9... Related_To 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d\r\nddea408e17... Connected_To 81.94.192.147\r\nddea408e17... Connected_To 112.175.92.57\r\nddea408e17... Connected_To 181.39.135.126\r\nddea408e17... Connected_To 197.211.212.59\r\nddea408e17... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\nddea408e17... Connected_To 81.94.192.10\r\n81.94.192.10 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d\r\n12480585e0... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\n12480585e0... Dropped 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n49757cf856... Dropped_By 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d\r\n49757cf856... Connected_To 21.252.107.198\r\n49757cf856... Connected_To 70.224.36.194\r\n49757cf856... Connected_To 113.114.117.122\r\n49757cf856... Connected_To 47.206.4.145\r\n49757cf856... Connected_To 84.49.242.125\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 63 of 66\n\n49757cf856... Connected_To 26.165.218.44\r\n49757cf856... Connected_To 137.139.135.151\r\n49757cf856... Connected_To 97.90.44.200\r\n49757cf856... 
Connected_To 128.200.115.228\r\n49757cf856... Connected_To 186.169.2.237\r\n21.252.107.198 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n21.252.107.198 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n70.224.36.194 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n70.224.36.194 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n113.114.117.122 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n113.114.117.122 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n47.206.4.145 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n47.206.4.145 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n84.49.242.125 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n84.49.242.125 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n26.165.218.44 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n26.165.218.44 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n137.139.135.151 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n137.139.135.151 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n97.90.44.200 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n97.90.44.200 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n128.200.115.228 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n128.200.115.228 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n186.169.2.237 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761\r\n186.169.2.237 Connected_From 
49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359\r\n4a74a9fd40... Connected_To 21.252.107.198\r\n4a74a9fd40... Connected_To 70.224.36.194\r\n4a74a9fd40... Connected_To 113.114.117.122\r\n4a74a9fd40... Connected_To 47.206.4.145\r\n4a74a9fd40... Connected_To 84.49.242.125\r\n4a74a9fd40... Connected_To 26.165.218.44\r\n4a74a9fd40... Connected_To 137.139.135.151\r\n4a74a9fd40... Connected_To 97.90.44.200\r\n4a74a9fd40... Connected_To 128.200.115.228\r\n4a74a9fd40... Connected_To 186.169.2.237\r\n83228075a6... Connected_To 112.175.92.57\r\n70034b33f5... Dropped cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f\r\n70034b33f5... Dropped 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\n70034b33f5... Dropped 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 64 of 66\n\n70034b33f5... Connected_To 81.94.192.147\r\n70034b33f5... Connected_To 112.175.92.57\r\n70034b33f5... Connected_To 181.39.135.126\r\n70034b33f5... Connected_To 197.211.212.59\r\n70034b33f5... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289\r\ncd5ff67ff7... Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n96a296d224... Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3\r\n96a296d224... Dropped_By 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525\r\nb9a26a5692... Connected_To 117.239.241.2\r\nb9a26a5692... Connected_To 195.158.234.60\r\nb9a26a5692... Connected_To 218.255.24.226\r\n117.239.241.2 Connected_From b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101\r\n218.255.24.226 Connected_From b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101\r\n195.158.234.60 Connected_From b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101\r\n0608e41134... 
Connected_To 14.140.116.172\r\n14.140.116.172 Connected_From 0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops 
and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 65 of 66\n\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-888-282-0870 or contact@mail.cisa.dhs.gov .\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. 
Reporting forms can be found on CISA's homepage at www.us-cert.gov.\r\nSource: https://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-304a\r\nPage 66 of 66\n\nhidden_cobra_consolidated.yara Description = \"Detects polarSSL certificates\" strings: $polarSSL =\n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\n55 84 26 fe } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) ==\n0x4550) and ($polarSSL and all of ($p*)) }  \nPage 54 of 66  \n\nDate = \"2019-08-14\" Category = \"Hidden_Cobra\" Family = \"HOPLIGHT\" Description = \"Detects polarSSL certificates\" strings: $polarSSL = \n\"fjiejffndxklfsdkfjsaadiepwn\" $p1 = { ef cd ab 90 } $p2 = { 78 56 b4 c2 } $p3 = {\nPage 61 of 66",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.us-cert.gov/ncas/analysis-reports/ar19-304a"
	],
	"report_names": [
		"ar19-304a"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434285,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3018f2c572324583cf1c7d439c85671ee9ab51a0.pdf",
		"text": "https://archive.orkl.eu/3018f2c572324583cf1c7d439c85671ee9ab51a0.txt",
		"img": "https://archive.orkl.eu/3018f2c572324583cf1c7d439c85671ee9ab51a0.jpg"
	}
}