### www.fidelissecurity.com www.threatgeek.com @FidSecSys +1800.652.4020 ``` Fidelis Threat Advisory #1010 "njRAT", The Saga Continues December 2, 2013 Document Status: FINAL Last Revised: 2013-12-02 Executive Summary #### In June 2013, we released a paper containing information about the njRAT malware that included its functionality, indicators of compromise, and campaign codes used on the variants we had identified. (http://www.fidelissecurity.com/threatadvisory). To this day, we continue to observe waves of blunt phishing attacks from compromised hosts in the Middle East, showing threat actors using multiple tools (including njRAT, AdwindRAT, Xtreme RAT, and H-Worm) in clustered phishing attacks against the same targets. Some of these attacks continue to target the U.S. telecommunications sector with threat actors sending phishing emails using business-oriented lures containing the aforementioned tools or links to websites that serve these tools. Additionally, we continue to directly observe significant activity from threat actors sending commands to the victim systems in the Middle East. Further, we are observing attackers using the following obfuscators to make detection of this malware specimen more difficult for security analysts: -­‐ .NetShrink (http://www.pelock.com/products/netshrink) -­‐ Confuser v1.9.0.0 (http://confuser.codeplex.com/) -­‐ .NET Reactor (http://www.eziriz.com/) This document provides details of the njRAT campaign codes used, versions, ports, and CnC nodes currently observed sending commands to victim systems. It’s also clear that threat actors are actively using the following version of njRAT: 0.3.6, 0.4.1a, 0.5.0E, 0.6.4. Threat Overview "njRAT" is a robust remote access trojan (RAT) which upon reaching and infecting an end-point, allows the attacker to have full control over the victim system. Among other things, with this access, the attacker could start scanning other systems in the victim network to perform lateral movement. ``` Users are granted permission to copy and/or distribute this document in its original electronic form and print copies for personal use. This document cannot be modified or converted to any other electronic or machine-readable form in whole or in part without prior written approval of General Dynamics Fidelis Cybersecurity Solutions, Inc. While we have done our best to ensure that the material found in this document is accurate, General Dynamics Fidelis Cybersecurity Solutions, Inc. makes no guarantee that the information contained herein is error free. Copyright © 2013 General Dynamics Fidelis Cybersecurity Solutions Rev 2013-12-02 ----- ### www.fidelissecurity.com www.threatgeek.com @FidSecSys +1800.652.4020 ``` Indicators and Mitigation Strategies #### The following table contains information about the observed CnC nodes, ports, campaign codes, and njRAT versions: ``` **CnC** **Port** **CnC GeoLocation** **Campaign Code** **Campaign Code** **Version** **(Base64 encoded)** **(Base64 decoded)** 105.129.18.216 1177 SGFja2VkIEJ5IEPDoH Hacked By 0.6.4 Morocco BpaVRvc184NEFERTA CÃ piiTos_84ADE0 yRA== 2D 105.157.2.178 1177 Morocco S3J5c3RhbF84NEFER Krystal_84ADE02D 0.5.0E TAyRA== 108.62.213.238 1177 Phoenix, AZ, United QkJNIFBJTl8xQ0NDRj BBM 0.6.4 States Y5Ng== PIN_1CCCF696 108.62.213.67 1177 Phoenix, AZ, United QkJNIFBJTl8xQ0NDRj BBM 0.6.4 States Y5Ng== PIN_1CCCF696 122.151.223.20 1177 Melbourne, Australia am5vbjlfQTY3QzdDMD jnon9_A67C7C01 0.6.4 3 E= 145.255.78.228 1177 Muscat, Oman WHhYX1h4WF8yMEJG XxX_XxX_20BF08 0.5.0E MDgzQg== 3B 149.200.131.81 1177 Jordan SGFjS2VkX0RFNkEyM HacKed_DE6A20C 0.6.4 ENB A 149.200.224.19 1177 Jordan SGFjS2VkX0RFNkEyM HacKed_DE6A20C 0.6.4 6 ENB A 159.0.83.175 100 Khobar, Saudi SGFjS2VkXzI0NjlFQTI5 HacKed_2469EA2 0.5.0E Arabia 9 178.238.189.53 1177 Amman, Jordan QkJNIFBJTl8xQ0NDRj BBM 0.6.4 Y5Ng== PIN_1CCCF696 188.121.234.17 1177 Paris, France SGFjS2VkX0I0MkY4Nj HacKed_B42F860 0.6.4 Az 3 188.121.236.87 1177 Paris, France SGFjS2VkX0I0MkY4Nj HacKed_B42F860 0.6.4 Az 3 188.121.242.49 1177 Paris, France SGFjS2VkX0I0MkY4Nj HacKed_B42F860 0.6.4 Az 3 188.50.60.154 1177 Jiddah, Saudi d2luMzJfMzRDOEM5Q win32_34C8C9BF 0.6.4 Arabia kY= 188.51.30.43 1177 Jiddah, Saudi SGFjS2VkXzRDMTBD HacKed_4C10CE3 0.6.4 Arabia RTND C 188.51.69.179 1177 Jiddah, Saudi SGFjS2VkXzc2MTQ4Qj HacKed_76148B5 0.5.0E Arabia VG F 188.53.13.164 1177 Riyadh, Saudi TXIuRk9YX0VGRTE3Q Mr.FOX_EFE17AA 0.4.1a Copyright © 2013 General Dynamics Fidelis Cybersecurity Solutions Rev 2013-12-02 |CnC|Port|CnC GeoLocation|Campaign Code (Base64 encoded)|Campaign Code (Base64 decoded)|Version| |---|---|---|---|---|---| |105.129.18.216|1177|Morocco|SGFja2VkIEJ5IEPDoH BpaVRvc184NEFERTA yRA==|Hacked By CÃ piiTos_84ADE0 2D|0.6.4| |105.157.2.178|1177|Morocco|S3J5c3RhbF84NEFER TAyRA==|Krystal_84ADE02D|0.5.0E| |108.62.213.238|1177|Phoenix, AZ, United States|QkJNIFBJTl8xQ0NDRj Y5Ng==|BBM PIN_1CCCF696|0.6.4| |108.62.213.67|1177|Phoenix, AZ, United States|QkJNIFBJTl8xQ0NDRj Y5Ng==|BBM PIN_1CCCF696|0.6.4| |122.151.223.20 3|1177|Melbourne, Australia|am5vbjlfQTY3QzdDMD E=|jnon9_A67C7C01|0.6.4| |145.255.78.228|1177|Muscat, Oman|WHhYX1h4WF8yMEJG MDgzQg==|XxX_XxX_20BF08 3B|0.5.0E| |149.200.131.81|1177|Jordan|SGFjS2VkX0RFNkEyM ENB|HacKed_DE6A20C A|0.6.4| |149.200.224.19 6|1177|Jordan|SGFjS2VkX0RFNkEyM ENB|HacKed_DE6A20C A|0.6.4| |159.0.83.175|100|Khobar, Saudi Arabia|SGFjS2VkXzI0NjlFQTI5|HacKed_2469EA2 9|0.5.0E| |178.238.189.53|1177|Amman, Jordan|QkJNIFBJTl8xQ0NDRj Y5Ng==|BBM PIN_1CCCF696|0.6.4| |188.121.234.17|1177|Paris, France|SGFjS2VkX0I0MkY4Nj Az|HacKed_B42F860 3|0.6.4| |188.121.236.87|1177|Paris, France|SGFjS2VkX0I0MkY4Nj Az|HacKed_B42F860 3|0.6.4| |188.121.242.49|1177|Paris, France|SGFjS2VkX0I0MkY4Nj Az|HacKed_B42F860 3|0.6.4| |188.50.60.154|1177|Jiddah, Saudi Arabia|d2luMzJfMzRDOEM5Q kY=|win32_34C8C9BF|0.6.4| |188.51.30.43|1177|Jiddah, Saudi Arabia|SGFjS2VkXzRDMTBD RTND|HacKed_4C10CE3 C|0.6.4| |188.51.69.179|1177|Jiddah, Saudi Arabia|SGFjS2VkXzc2MTQ4Qj VG|HacKed_76148B5 F|0.5.0E| |188.53.13.164|1177|Riyadh, Saudi|TXIuRk9YX0VGRTE3Q|Mr.FOX_EFE17AA|0.4.1a| ----- ### www.fidelissecurity.com www.threatgeek.com @FidSecSys +1800.652.4020 Arabia UE= 188.55.10.93 1177 Jiddah, Saudi SGFjS2VkX0YyNjE4MT HacKed_F261818F 0.5.0E Arabia hG 188.66.233.10 192 Muscat, Oman SC1Xb3JtXzU4MzMzM H- 0.5.0E TFD Worm_5833311C 197.1.104.120 1177 YnkgYW5nbGUxMF8y by 0.6.4 Tunisia NDMzM0Q2Qg== angle10_24333D6 B 197.200.4.207 1177 Algeria SGFjS2VkXzVFNjM3Q HacKed_5E637A3 0.6.4 TM0 4 197.205.71.16 1177 Algeria SGFjS2VkXzVFNjM3Q HacKed_5E637A3 0.6.4 TM0 4 197.205.81.38 1177 Algeria SGFjS2VkXzVFNjM3Q HacKed_5E637A3 0.6.4 TM0 4 197.39.177.138 1177 4paRIE5lVyBVc2VS4pa NeW UseR 0.4.1a Egypt RIF83RTFFQUFCNw= _7E1EAAB7 = 197.39.229.96 1177 4paRIE5lVyBVc2VS4pa NeW UseR 0.4.1a Egypt RIF9GRTQwOEVFRQ= _FE408EEE = 37.106.93.153 1177 Riyadh, Saudi 2KfZhNi52YrYryDYudm 0.4.1a Arabia A2YDZitiv2YrZhiDZhdi5 2KfZg9mFX0Y4REJDO ﺍاﻟﻌﻳﯾﺩد ﻋــﻳﯾﺩدﻳﯾﻥن UMz ﻣﻌﺎﻛﻡم_F8DBC9C3 37.16.55.155 1177 Saudi Arabia 2LHZiNin2KrYsV9DNk ﺭرﻭوﺍاﺗﺭر_C6E85284 0.5.0E U4NTI4NA== 37.200.239.243 1177 Oman VFRUVF81MEMwNDY TTTT_50C04604 0.5.0E wNA== 37.238.194.107 1177 Iraq 2YLZhtin2LUg2KjYutiv2 (0xD982D986D8A7 0.6.4 KfYr18yNDMzM0Q2Qg D8B520D8A8D8B == AD8AFD8A7D8AF) _24333D6B Potential HEX-2String: ﻗﻨﺎﺹص ﺑﻐﺪﺍاﺩد Potential translation to English: "Baghdad Sniper" 37.238.233.102 1177 Iraq SGFjS2VkX0I4MTkzOT HacKed_B8193912 0.5.0E Ey 41.103.74.108 1177 Ouled Yaïch, Algeria dmljdGltXzI0MzMzRDZ victim_24333D6B 0.6.4 C Copyright © 2013 General Dynamics Fidelis Cybersecurity Solutions Rev 2013-12-02 |Col1|Col2|Arabia|UE=|Col5|Col6| |---|---|---|---|---|---| |188.55.10.93|1177|Jiddah, Saudi Arabia|SGFjS2VkX0YyNjE4MT hG|HacKed_F261818F|0.5.0E| |188.66.233.10|192|Muscat, Oman|SC1Xb3JtXzU4MzMzM TFD|H- Worm_5833311C|0.5.0E| |197.1.104.120|1177|Tunisia|YnkgYW5nbGUxMF8y NDMzM0Q2Qg==|by angle10_24333D6 B|0.6.4| |197.200.4.207|1177|Algeria|SGFjS2VkXzVFNjM3Q TM0|HacKed_5E637A3 4|0.6.4| |197.205.71.16|1177|Algeria|SGFjS2VkXzVFNjM3Q TM0|HacKed_5E637A3 4|0.6.4| |197.205.81.38|1177|Algeria|SGFjS2VkXzVFNjM3Q TM0|HacKed_5E637A3 4|0.6.4| |197.39.177.138|1177|Egypt|4paRIE5lVyBVc2VS4pa RIF83RTFFQUFCNw= =|NeW UseR _7E1EAAB7|0.4.1a| |197.39.229.96|1177|Egypt|4paRIE5lVyBVc2VS4pa RIF9GRTQwOEVFRQ= =|NeW UseR _FE408EEE|0.4.1a| |37.106.93.153|1177|Riyadh, Saudi Arabia|2KfZhNi52YrYryDYudm A2YDZitiv2YrZhiDZhdi5 2KfZg9mFX0Y4REJDO UMz|نﻥﯾﻳدﺩﯾﻳــﻋ دﺩﯾﻳﻌﻟاﺍ مﻡﻛﺎﻌﻣ_F8DBC9C3|0.4.1a| |37.16.55.155|1177|Saudi Arabia|2LHZiNin2KrYsV9DNk U4NTI4NA==|رﺭﺗاﺍوﻭر_ﺭ C6E85284|0.5.0E| |37.200.239.243|1177|Oman|VFRUVF81MEMwNDY wNA==|TTTT_50C04604|0.5.0E| |37.238.194.107|1177|Iraq|2YLZhtin2LUg2KjYutiv2 KfYr18yNDMzM0Q2Qg ==|(0xD982D986D8A7 D8B520D8A8D8B AD8AFD8A7D8AF) _24333D6B Potential HEX-2- String: دﺩاﺍﺪﻐﺑ صﺹﺎﻨﻗ Potential translation to English: "Baghdad Sniper"|0.6.4| |37.238.233.102|1177|Iraq|SGFjS2VkX0I4MTkzOT Ey|HacKed_B8193912|0.5.0E| |41.103.74.108|1177|Ouled Yaïch, Algeria|dmljdGltXzI0MzMzRDZ C|victim_24333D6B|0.6.4| ----- ### www.fidelissecurity.com www.threatgeek.com @FidSecSys +1800.652.4020 41.104.68.83 1177 Algeria dmljdGltXzI0MzMzRDZ victim_24333D6B 0.6.4 C 41.107.233.206 1177 Algeria MjAxM18xRUYwNzBE 2013_1EF070D4 0.4.1a NA== 41.230.233.96 1177 Safaqis, Tunisia SGFjS2VkXzRBQjAwN HacKed_4AB004D 0.5.0E EQ4 8 41.237.75.126 1177 Cairo, Egypt 2YfZh9mH2YcgXzI0Mz (0xD987D987D987 0.6.4 MzRDZC D98720)_24333D6 B Potential HEX-2String: ﻫﮬﮪھﻬﮭﻬﮭﻪﮫ Potential translation to English: "Haha" 41.251.165.158 1177 Casablanca, REE3aWFfNjBEMDUw DA7ia_60D050C3 0.5.0E Morocco QzM= 41.252.201.131 1177 4pyrLS3il48g4pyYSM6s `✫--●` `✘HάckeƦ✘` - - 0.6.4 Libya Y2tlxqbinJgg4pePLS3in `✫_445EBC27` KtfNDQ1RUJDMjc= 41.252.227.78 1177 4pyrLS3il48g4pyYSM6s `✫--●` `✘HάckeƦ✘` - - 0.6.4 Benghazi, Libya Y2tlxqbinJgg4pePLS3in `✫_445EBC27` KtfNDQ1RUJDMjc= 41.35.161.186 1177 WFhYWFhYWFhYWFh XXXXXXXXXXXXX 0.5.0E Cairo, Egypt YWFhYWFhYWFhYX0 XXXXXXXX_E656 U2NTYxNkEz 16A3 41.35.182.232 1177 WFhYWFhYWFhYWFh XXXXXXXXXXXXX 0.5.0E Alexandria, Egypt YWFhYWFhYWFhYX0 XXXXXXXX_BC2F JDMkY0NjY5 4669 41.35.193.145 1177 WFhYWFhYWFhYWFh XXXXXXXXXXXXX 0.5.0E Mansoura, Egypt YWFhYWFhYWFhYXz XXXXXXXX_5EED VFRUQyREY5 2DF9 46.20.37.177 1177 Germany RGVhZGx5IEhhY2tlcl9 Deadly 0.6.4 CMEM3MkY5MA== Hacker_B0C72F90 5.0.236.136 1177 Syrian Arab SGFjS2VkX0E2OTlER HacKed_A699DE5 0.5.0E Republic TU4 8 5.0.42.144 1177 Syrian Arab aGhoaGhoaGhoaWtra2 hhhhhhhhhikkkkkk, 0.6.4 Republic traywsX0ZDQUZDNDB,_FCAFC40E F 5.21.235.105 1177 Oman amVuc2lpaV8xQzAyQ jensiii_1C02ACA5 0.5.0E UNBNQ== 5.245.30.151 1177 Saudi Arabia 2LPZgNmA2YDZgNmA ـــــــﻼﻡم 0.5.0E 2YDZgNmE2KfZhSBA @@_C6F05B1E Copyright © 2013 General Dynamics Fidelis Cybersecurity Solutions Rev 2013-12-02 |41.104.68.83|1177|Algeria|dmljdGltXzI0MzMzRDZ C|victim_24333D6B|0.6.4| |---|---|---|---|---|---| |41.107.233.206|1177|Algeria|MjAxM18xRUYwNzBE NA==|2013_1EF070D4|0.4.1a| |41.230.233.96|1177|Safaqis, Tunisia|SGFjS2VkXzRBQjAwN EQ4|HacKed_4AB004D 8|0.5.0E| |41.237.75.126|1177|Cairo, Egypt|2YfZh9mH2YcgXzI0Mz MzRDZC|(0xD987D987D987 D98720)_24333D6 B Potential HEX-2- String: ﮫﻪﮭﻬﮭﻬھ ﻫﮬﮪ Potential translation to English: "Haha"|0.6.4| |41.251.165.158|1177|Casablanca, Morocco|REE3aWFfNjBEMDUw QzM=|DA7ia_60D050C3|0.5.0E| |41.252.201.131|1177|Libya|4pyrLS3il48g4pyYSM6s Y2tlxqbinJgg4pePLS3in KtfNDQ1RUJDMjc=|✫--● ✘HάckeƦ✘ ●-- ✫_445EBC27|0.6.4| |41.252.227.78|1177|Benghazi, Libya|4pyrLS3il48g4pyYSM6s Y2tlxqbinJgg4pePLS3in KtfNDQ1RUJDMjc=|✫--● ✘HάckeƦ✘ ●-- ✫_445EBC27|0.6.4| |41.35.161.186|1177|Cairo, Egypt|WFhYWFhYWFhYWFh YWFhYWFhYWFhYX0 U2NTYxNkEz|XXXXXXXXXXXXX XXXXXXXX_E656 16A3|0.5.0E| |41.35.182.232|1177|Alexandria, Egypt|WFhYWFhYWFhYWFh YWFhYWFhYWFhYX0 JDMkY0NjY5|XXXXXXXXXXXXX XXXXXXXX_BC2F 4669|0.5.0E| |41.35.193.145|1177|Mansoura, Egypt|WFhYWFhYWFhYWFh YWFhYWFhYWFhYXz VFRUQyREY5|XXXXXXXXXXXXX XXXXXXXX_5EED 2DF9|0.5.0E| |46.20.37.177|1177|Germany|RGVhZGx5IEhhY2tlcl9 CMEM3MkY5MA==|Deadly Hacker_B0C72F90|0.6.4| |5.0.236.136|1177|Syrian Arab Republic|SGFjS2VkX0E2OTlER TU4|HacKed_A699DE5 8|0.5.0E| |5.0.42.144|1177|Syrian Arab Republic|aGhoaGhoaGhoaWtra2 traywsX0ZDQUZDNDB F|hhhhhhhhhikkkkkk, ,_FCAFC40E|0.6.4| |5.21.235.105|1177|Oman|amVuc2lpaV8xQzAyQ UNBNQ==|jensiii_1C02ACA5|0.5.0E| |5.245.30.151|1177|Saudi Arabia|2LPZgNmA2YDZgNmA 2YDZgNmE2KfZhSBA|مﻡﻼـــــــ @@_C6F05B1E|0.5.0E| ----- ### www.fidelissecurity.com www.threatgeek.com @FidSecSys +1800.652.4020 QF9DNkYwNUIxRQ== 77.30.214.106 87 Riyadh, Saudi bW9oYW1tYWRfQUUy mohammad_AE20 0.5.0E Arabia MDAwMkU= 002E 78.155.90.73 1177 Syrian Arab Vi5JLlBfNDY1NTFCNT V.I.P_46551B58 0.5.0E Republic g= 79.124.66.146 1177 Bulgaria SGFjXzZFREVEODc5 Hac_6EDED879 0.6.4 79.124.66.148 1177 Bulgaria SGFjXzZFREVEODc5 Hac_6EDED879 0.6.4 79.124.66.177 1177 Bulgaria SGFjXzZFREVEODc5 Hac_6EDED879 0.6.4 79.124.66.197 1177 Bulgaria SGFjXzZFREVEODc5 Hac_6EDED879 0.6.4 79.124.66.200 1177 Bulgaria SGFjXzZFREVEODc5 Hac_6EDED879 0.6.4 79.124.66.205 1177 Bulgaria SGFjXzZFREVEODc5 Hac_6EDED879 0.6.4 90.148.71.207 1177 Mecca, Saudi NjRfNkMyRUJEMkY= 64_6C2EBD2F 0.5.0E Arabia 90.153.166.68 1177 Syrian Arab SGFjS2VkX0FFNTE5N HacKed_AE5195E 0.3.6 Republic UVB A 90.153.204.11 1177 Syrian Arab SGFjS2VkX0FFNTE5N HacKed_AE5195E 0.3.6 Republic UVB A 90.153.205.21 1177 Syrian Arab SGFjS2VkXzU0OTQ2O HacKed_5494692A 0.3.6 Republic TJB 91.140.142.16 1177 Kuwait, Kuwait SGFjS2VkXzg4NzQ4O HacKed_88748983 0.6.4 Tgz 94.203.114.61 1177 Dubai, United Arab TWF2ZVJpY2tfRUNEO MaveRick_ECD94 0.6.4 Emirates TRBNUI= A5B 94.249.67.47 1177 Amman, Jordan SGFjS2VkX0RFNkEyM HacKed_DE6A20C 0.6.4 ENB A 94.249.69.118 1177 Amman, Jordan SGFjS2VkXzI0MzMzR HacKed_24333D6 0.6.4 DZC B _* The Base64 encoded data can be observed in the network traffic_ ``` The Fidelis Take #### It’s clear from this paper that there continues to be considerable global activity involving threat actors using njRAT and associated tools. We’re publishing these indicators so that others in the security research community can monitor for this activity and potentially correlate against other campaigns and tools that are being investigated. ``` Copyright © 2013 General Dynamics Fidelis Cybersecurity Solutions Rev 2013-12-02 |Col1|Col2|Col3|QF9DNkYwNUIxRQ==|Col5|Col6| |---|---|---|---|---|---| |77.30.214.106|87|Riyadh, Saudi Arabia|bW9oYW1tYWRfQUUy MDAwMkU=|mohammad_AE20 002E|0.5.0E| |78.155.90.73|1177|Syrian Arab Republic|Vi5JLlBfNDY1NTFCNT g=|V.I.P_46551B58|0.5.0E| |79.124.66.146|1177|Bulgaria|SGFjXzZFREVEODc5|Hac_6EDED879|0.6.4| |79.124.66.148|1177|Bulgaria|SGFjXzZFREVEODc5|Hac_6EDED879|0.6.4| |79.124.66.177|1177|Bulgaria|SGFjXzZFREVEODc5|Hac_6EDED879|0.6.4| |79.124.66.197|1177|Bulgaria|SGFjXzZFREVEODc5|Hac_6EDED879|0.6.4| |79.124.66.200|1177|Bulgaria|SGFjXzZFREVEODc5|Hac_6EDED879|0.6.4| |79.124.66.205|1177|Bulgaria|SGFjXzZFREVEODc5|Hac_6EDED879|0.6.4| |90.148.71.207|1177|Mecca, Saudi Arabia|NjRfNkMyRUJEMkY=|64_6C2EBD2F|0.5.0E| |90.153.166.68|1177|Syrian Arab Republic|SGFjS2VkX0FFNTE5N UVB|HacKed_AE5195E A|0.3.6| |90.153.204.11|1177|Syrian Arab Republic|SGFjS2VkX0FFNTE5N UVB|HacKed_AE5195E A|0.3.6| |90.153.205.21|1177|Syrian Arab Republic|SGFjS2VkXzU0OTQ2O TJB|HacKed_5494692A|0.3.6| |91.140.142.16|1177|Kuwait, Kuwait|SGFjS2VkXzg4NzQ4O Tgz|HacKed_88748983|0.6.4| |94.203.114.61|1177|Dubai, United Arab Emirates|TWF2ZVJpY2tfRUNEO TRBNUI=|MaveRick_ECD94 A5B|0.6.4| |94.249.67.47|1177|Amman, Jordan|SGFjS2VkX0RFNkEyM ENB|HacKed_DE6A20C A|0.6.4| |94.249.69.118|1177|Amman, Jordan|SGFjS2VkXzI0MzMzR DZC|HacKed_24333D6 B|0.6.4| ----- ### www.fidelissecurity.com www.threatgeek.com @FidSecSys +1800.652.4020 #### Fidelis XPS™ detects all of the activity documented in this paper. The Fidelis Threat Research Team will continue to actively monitor the ever-evolving threat landscape for the latest threats to our customers’ security. Copyright © 2013 General Dynamics Fidelis Cybersecurity Solutions Rev 2013-12-02 -----