CKA Forums
Canadian Forums

CKA Uber (Posts: 11481)
PostPosted: Wed Jun 13, 2018 6:51 pm

More “coincidental” Russian ties surface:

Quote:
British political operatives met with Russian ambassador days after Trump visit


Arron Banks and Andy Wigmore were prominent figures in the 2016 campaign for the United Kingdom to leave the European Union.

Banks' donation of more than 8 million pounds (nearly $11 million) to the pro-Brexit campaign is the subject of a probe by the country's Electoral Commission, amid concerns of Russian interference.

After successfully campaigning for Brexit in June, the men's attention appeared to turn to the United States.

In August 2016, Banks and Wigmore attended a Trump rally in Mississippi with Nigel Farage from the United Kingdom Independence Party (UKIP).

Farage spoke at the event, and was introduced by then-candidate Trump as "the man behind Brexit."

Social media posts show the men traveled to Las Vegas for the final presidential debate in October 2016 and Banks told CNN he also attended a Trump event in St. Louis.

After the election, Banks and Wigmore were among a small group of Britons who visited the then-President-elect at Trump Tower in New York City.

Throughout the same period, Banks and Wigmore were in regular contact with the Russian ambassador in London.

Emails reviewed by CNN show dozens of correspondences between the Russian embassy officials and the two men, including lunch and embassy event invitations...


https://www.cnn.com/2018/06/13/politics ... index.html

More Russian operatives! Team Trump is lousy with them! It’s ok though. As long as you can’t prove Trump knew anything, it’s a “nothingburger”.


CKA Moderator (Posts: 26522)

CKA Moderator, San Jose Sharks (Posts: 58099)
PostPosted: Thu Jun 14, 2018 10:17 am

DrCaleb wrote:


Trump already made clear that on-site verification and inspection will be a requirement for any treaty between the US and the DPRK.


CKA Uber (Posts: 14242)
PostPosted: Thu Jun 14, 2018 10:43 am

Maybe he said that, but the thing that was signed between him and Lil Kim said nothing of the sort.


CKA Moderator, San Jose Sharks (Posts: 58099)
PostPosted: Thu Jun 14, 2018 10:54 am

Here's a little something that may have some impact on the Nork issue. Note that DHS opted to make sure that this info can be made public. That's pretty rare. Most of these communications that I get are all marked, at a minimum, as (FOUO) For Official Use Only.

In any case and from email:

Quote:
National Cyber Awareness System:
AR18-165A: MAR-10135536-12 – North Korean Trojan: TYPEFRAME
06/14/2018 10:16 AM EDT

Original release date: June 14, 2018
Description
Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.
This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
Summary
Description
This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant is known as TYPEFRAME. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

DHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users and administrators should flag activity associated with the malware, report the activity to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This malware report contains analysis of 11 malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications (VBA) macros. These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim's firewall to allow incoming connections.
For a downloadable copy of IOCs, see:
• MAR-10135536-12.stix
Submitted Files (11)
201c7cd10a2bd50dde0948d14c3c7a0732955c908a3392aee3d08b94470c9d33 (1C53E7269FE9D84C6DF0A25BA59B82...)
20abb95114de946da7595438e9edf0bf39c85ba8512709db7d5532d37d73bd64 (EF9DB20AB0EEBF0B7C55AF4EC0B7BC...)
3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210 (java.exe)
40ef57ca2a617f5d24ac624339ba2027b6cf301c28684bf8b2075fc7a2e95116 (CA67F84D5A4AC1459934128442C53B...)
4bd7d801d7ce3fe9c2928dbc834b296e934473f5bbcc9a1fd18af5ebd43192cd (3229A6CEA658B1B3CA5CA9AD7B40D8...)
546dbd370a40c8e46f9b599a414f25000eec5ae6b3e046a035fe6e6cd5d874e1 (6AB301FC3296E1CEB140BF5D294894...)
675a35e04b19aab314bcbc4b1f2610e3dea4a80c277cc5188f1d1391a00dfdb1 (10B28DA8EEFAC62CE282154F273B3E...)
8c3e0204f52200325ed36db9b12aba1c5e46984d415514538a5bf10783cacdf8 (F5A4235EF02F34D547F71AA5434D9B...)
c9e3b83d77ce93cc1d70b22e967f049b13515c88572aa78e0a838103e5478777 (BFB41BC0C3856AA0A81A5256B7B8DA...)
d1d490866d4a4d29306f0d9300bffc1450c41bb8fd62371d29672bf9f747bf92 (BF474B8ACD55380B1169BB949D60E9...)
e69d6c2d3e9c4beebee7f3a4a3892e5fdc601beda7c3ec735f0dfba2b29418a7 (60294C426865B38FDE7C5031AFC4E4...)
Additional Files (3)
089e49de61701004a5eff6de65476ed9c7632b6020c2c0f38bb5761bca897359 (midimapper.rs)
a71017302e1745c8a3d6e425187eb23c7531551bb6f547e47198563a78e933b6 (laxhost.dll)
e088c3a0b0f466df5329d9a66ff618de3d468d8a5981715303babb1452631eef (dwnhost.dll)
IPs (7)
111.207.78.204
181.119.19.56
184.107.209.2
59.90.93.97
80.91.118.45
81.0.213.173
98.101.211.162
Findings
8c3e0204f52200325ed36db9b12aba1c5e46984d415514538a5bf10783cacdf8
Tags
remote-access-trojan, trojan
Details
Name F5A4235EF02F34D547F71AA5434D9BB4
Size 490705 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f5a4235ef02f34d547f71aa5434d9bb4
SHA1 338699d56f17ab91fa2da1cb446593c013ae1a01
SHA256 8c3e0204f52200325ed36db9b12aba1c5e46984d415514538a5bf10783cacdf8
SHA512 27c610096248492fce0f8f478c62255cd1abc4ceb4a1ae310ca311a6d38ee3b93ce75ba45089204d0eb2036393bdcb98b3e77396d5ae6b9eecacc3a019ed225e
ssdeep 12288:2okf/Epk6/lctEJxrXtl3h1ihDnjvAHR7ie5XtO/DRUKwS4Z/B5:2o6/EpH/iwNXtlhSnjg+e5A/DaZp5
Entropy 7.788643
Antivirus
Avira TR/Crypt.ZPACK.Gen
Symantec Heur.AdvML.C
Yara Rules
hidden_cobra_consolidated.yara

rule enc_PK_header {
    meta:
        author = "NCCIC trusted 3rd party"
        incident = "10135536"
        date = "2018-04-12"
        category = "hidden_cobra"
        family = "TYPEFRAME"
        hash0 = "3229a6cea658b1b3ca5ca9ad7b40d8d4"
    strings:
        $s0 = { 5f a8 80 c5 a0 87 c7 f0 9e e6 }
        $s1 = { 95 f1 6e 9c 3f c1 2c 88 a0 5a }
        $s2 = { ae 1d af 74 c0 f5 e1 02 50 10 }
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}

rule import_obfuscation_2 {
    meta:
        author = "NCCIC trusted 3rd party"
        incident = "10135536"
        date = "2018-04-12"
        category = "hidden_cobra"
        family = "TYPEFRAME"
        hash0 = "bfb41bc0c3856aa0a81a5256b7b8da51"
    strings:
        $s0 = { A6 D6 02 EB 4E B2 41 EB C3 EF 1F }
        $s1 = { B6 DF 01 FD 48 B5 }
        $s2 = { B6 D5 0E F3 4E B5 }
        $s3 = { B7 DF 0E EE }
        $s4 = { B6 DF 03 FC }
        $s5 = { A7 D3 03 FC }
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
ssdeep Matches
No matches found.
PE Metadata
Compile Date 2017-06-05 21:21:28-04:00
Import Hash edb148321293bdc8b7ba8fbe0b1c6ed9
PE Sections
MD5 Name Raw Size Entropy
dde6c6e739f41680377511c709f7209a header 4096 0.590336
db44e1900789a7fd43b05d3871c9ab03 .text 53248 6.538652
91d9797bd52d49fb73009fc3e0cdd7c5 .rdata 12288 3.476192
ef4ab26cc2c30397b12c53c759fcbef2 .data 16384 2.132158
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Relationships
8c3e0204f5... Contains a71017302e1745c8a3d6e425187eb23c7531551bb6f547e47198563a78e933b6
Description
This file is a 32-bit Windows portable executable file designed to install a Remote Access Trojan (RAT) as a service on the victim system. The malware accepts the following argument during execution: "68S3mI2AMcmOz3BgjnuYpLlZ4fZog7sd".

The RAT’s APIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:

--Begin RC4 key--
85 C0 7C 17 8B 4D F4 8B 76 20 33 C0 3B C8 77 0B
--End RC4 key--


Decrypted strings of interest are displayed below:

--Begin strings of interest--
host.dll
"Task Notification Service"
"Monitors And Notifies Task Scheduling And Interaction"
netsvcs
--End strings of interest--


When executed, the RAT checks if the module "C:\Windows\system32\laxhost.dll" is installed on the compromised system. If it is not installed, it will load an embedded RC4 encrypted archive file from the start of the offset "0x15000".

The malware decrypts the archive using the same RC4 key. The decrypted archive contains a malicious DLL module, which is decompressed and installed into "C:\Windows\system32\laxhost.dll". The first three characters of the module name are randomly generated.

The malware contains an RC4 encrypted configuration file data (192 bytes). During runtime, it installs the encrypted configuration data into the following registry key:

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll"
ValueName = "Description"
ValueData = "RC4 encrypted configuration file data"
--End registry key--


The malware installs a malicious DLL module as a serviceDLL in the "netsvcs" service group in order to execute "C:\Windows\system32\laxhost.dll" using the Windows service hosting process, "%SYSTEMROOT%\system32\svchost.exe." The service name and the display name are randomly generated.

The installed service information is displayed below:

--Begin service information--
ServiceName = "Irmon"
DisplayName = "Irmon"
DesiredAccess = SERVICE_ALL_ACCESS
ServiceType = SERVICE_WIN32_SHARE_PROCESS
StartType = SERVICE_AUTO_START
BinaryPathName = "%SYSTEMROOT%\system32\svchost.exe -k netsvcs"
--End service information--
a71017302e1745c8a3d6e425187eb23c7531551bb6f547e47198563a78e933b6
Tags
backdoor, remote-access-trojan, trojan
Details
Name laxhost.dll
Size 843776 bytes
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 aa7924157b77dd1ff749d474f3062f90
SHA1 4f02a6bf2b24c371e9f589cff8e32b4d94cf4f29
SHA256 a71017302e1745c8a3d6e425187eb23c7531551bb6f547e47198563a78e933b6
SHA512 5150d8b063297d0da04288b4e4e2ad3d54b7546d909a71557789529d73703673098c37970280cd62c45306458cfcda701c1a7cee31ee7fb2192e627e11f0a3bd
ssdeep 24576:r/pmC31xkE8sOvtQ6Wtuc0WhgpaM2yYq:bpj0E8sOvtQ6Wtuc0WhgpaM2yYq
Entropy 6.681288
Antivirus
Microsoft Security Essentials Backdoor:Win32/SilverMob.A!dha
Yara Rules
hidden_cobra_consolidated.yara rule import_obfuscation_2 (rule body identical to the one listed under 8c3e0204f5... above)
ssdeep Matches
No matches found.
PE Metadata
Compile Date 2017-06-09 13:59:30-04:00
Import Hash 180f8d53e7b967e9af9444547c05f192
Company Name Microsoft Corporation
File Description Xps Object Model in memory creation and deserialization
Internal Name xpsservices.dll
Legal Copyright Microsoft Corporation. All rights reserved.
Original Filename xpsservices.dll
Product Name Microsoft Windows Operating System
Product Version 6.1.7601.17514
PE Sections
MD5 Name Raw Size Entropy
e1b6f98aadc18cf1b2e1796eb3d8b783 header 4096 0.800174
5d97a9d06913043a085d8071f7a5ab7c .text 540672 6.661444
bab7eb304870fe36e8c98f5085b8603c .rdata 163840 6.184319
33e00b6b91f87e1e948a8bc44803837f .data 81920 4.853104
4093ef4294e5d39c92ba4d89a6c92a15 .rsrc 8192 3.983157
39ddff289842b4fafc796c9795b870c8 .reloc 45056 5.723684
Packers/Compilers/Cryptors
Microsoft Visual C++ 6.0
Microsoft Visual C++ 6.0 DLL (Debug)
Relationships
a71017302e... Connected_To 59.90.93.97
a71017302e... Contained_Within 8c3e0204f52200325ed36db9b12aba1c5e46984d415514538a5bf10783cacdf8
Description
laxhost.dll (original name: KDCOLCWP.DLL) is a 32-bit Windows dynamic-link library (DLL) file and is a RAT module that was installed as a service by the file 8c3e0204f52200325ed36db9b12aba1c5e46984d415514538a5bf10783cacdf8.

laxhost.dll’s APIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:

--Begin RC4 key--
85 C0 7C 17 8B 4D F4 8B 76 20 33 C0 3B C8 77 0B
--End RC4 key--

When executed, it loads and decrypts the encrypted configuration file data from the registry using the same RC4 key:

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll"
ValueName = "Description"
ValueData = "RC4 encrypted configuration file data"
--End registry key--

The decrypted data contains hexadecimal-encoded C2 IP address and port number:

--Begin IP and port # list --
BB 01 3B 5A 5D 61 ==> 59.90.93.97:443
--End IP and port # list --

The malware attempts to connect to its C2 server 59.90.93.97 using port 443 and waits for further instructions.

The malware is designed to accept instructions from the remote server to perform the following functions:

--Begin functions performed by the malware--
Get Disk Free Space
Search for files
Execute process in elevated mode
Terminate processes
Delete files
Execute command-using shell
Download and upload files
Read files and write files
Delete Service and uninstall malware components using a batch script
--End functions performed by the malware--
675a35e04b19aab314bcbc4b1f2610e3dea4a80c277cc5188f1d1391a00dfdb1
Tags
proxy, trojan
Details
Name 10B28DA8EEFAC62CE282154F273B3E34
Size 466267 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 10b28da8eefac62ce282154f273b3e34
SHA1 25991d00eb1b1204b0066d5aeb79ac691047d7f0
SHA256 675a35e04b19aab314bcbc4b1f2610e3dea4a80c277cc5188f1d1391a00dfdb1
SHA512 7955c46e3d5ed3454340821caecd44d6bc1b918ef7bdcd6f0f8d67676cbf0fde52a578583a0388c4d838652d3d1da4615ced6ae2c59b562f030f752cbc7bfb99
ssdeep 6144:qoXLxi/EpH/ae6jEazjsHZ3OJJMUc6ngmOsH95rjw26XwXFLP7E1tC1KRtyn5o1n:qoQ/EpH/mEaiZiJy6ngm95t6qLPJp2d
Entropy 7.761748
Antivirus
ESET a variant of Win32/Agent.YDV trojan
Microsoft Security Essentials Trojan:Win32/Autophyte.B!dha
Symantec Heur.AdvML.C
Yara Rules
hidden_cobra_consolidated.yara rule enc_PK_header (rule body identical to the one listed under 8c3e0204f5... above)
hidden_cobra_consolidated.yara rule import_obfuscation_2 (rule body identical to the one listed under 8c3e0204f5... above)
ssdeep Matches
No matches found.
PE Metadata
Compile Date 2016-07-24 19:38:33-04:00
Import Hash 225e9f7be86d6676c98a852492458049
PE Sections
MD5 Name Raw Size Entropy
58c7eb8637b7fbde7bb31985b77ca1af header 4096 0.591843
65d9f034d6153048c3e51bf5e07d6486 .text 53248 6.446416
eb9c5e8a429ac587cd35f0dcec939295 .rdata 12288 3.434883
d80b556aaa361958d9ecd816ac2a36c7 .data 16384 2.106829
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Relationships
675a35e04b... Contains e69d6c2d3e9c4beebee7f3a4a3892e5fdc601beda7c3ec735f0dfba2b29418a7
Description
This file is a 32-bit Windows executable designed to install a proxy module as a service on the victim’s system. This file accepts the following arguments during execution: "68S3mI2AMcmOz3BgjnuYpLlZ4fZog7sd."

The malware’s APIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:

--Begin RC4 key--
85 C0 7C 17 8B 4D F4 8B 76 20 33 C0 3B C8 77 0B
--End RC4 key--

Decrypted strings of interest are displayed below:

--Begin strings of interest--
"wmplayer.xml"
"printcache.tlb"
"Print Device Cache"
"Manage Print Device Cache And Printing"
printcache
--End strings of interest--

When executed, it will load an embedded RC4 encrypted archive file from the start of the offset "0x15000."

The malware decrypts the archive using the same RC4 key. The decrypted archive contains a proxy module, which is decompressed and installed from the existing file name "wmplayer.xml" to "C:\Windows\system32\printcache.tlb."

The malware installs the module as a serviceDLL in the "printcache" service group in order to execute "C:\Windows\system32\printcache.tlb" using the Windows service hosting process, "%SYSTEMROOT%\system32\svchost.exe."

--Begin service--
ServiceName = "printcache"
DisplayName = "Print Device Cache"
DesiredAccess = SERVICE_ALL_ACCESS
ServiceType = SERVICE_WIN32_SHARE_PROCESS
StartType = SERVICE_AUTO_START
BinaryPathName = "%SYSTEMROOT%\system32\svchost.exe -k printcache"
--End service--

The malware contains an RC4 encrypted configuration file data, which contains port numbers (8 bytes). During runtime, it installs the encrypted configuration data into the following registry key:

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs"
ValueName = "Description"
ValueData = "RC4 encrypted configuration file data"
--End registry key--
e69d6c2d3e9c4beebee7f3a4a3892e5fdc601beda7c3ec735f0dfba2b29418a7
Tags
proxy, trojan
Details
Name 60294C426865B38FDE7C5031AFC4E453
Size 778240 bytes
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 60294c426865b38fde7c5031afc4e453
SHA1 f8736e3f89f30f082cfd68a73763afcfb0e1c9c3
SHA256 e69d6c2d3e9c4beebee7f3a4a3892e5fdc601beda7c3ec735f0dfba2b29418a7
SHA512 fe96fa2f127a3a71a9edc89268567188f8c585ea8356feb9a2c46224dc7022b3d751848424df745b517e7a1e123c566b6feb094653281026ffd2e9ce81d5a7a1
ssdeep 12288:8iwDMd29KJgSWD8QfEbsjlqxlsiAen1XQ1pV+jPAt:8WghEbvhAeC1pIDAt
Entropy 6.714021
Antivirus
Ahnlab Trojan/Win32.Agent
BitDefender Gen:Variant.Symmi.14589
Emsisoft Gen:Variant.Symmi.14589 (B)
F-secure Gen:Variant.Symmi.14589
Microsoft Security Essentials TrojanProxy:Win32/SilverMob.A!dha
Yara Rules
hidden_cobra_consolidated.yara rule import_obfuscation_2 (rule body identical to the one listed under 8c3e0204f5... above)
ssdeep Matches
No matches found.
PE Metadata
Compile Date 2017-03-02 14:01:47-05:00
Import Hash 09e63e3d425d6b543de4003f71c2b66d
PE Sections
MD5 Name Raw Size Entropy
1eda6d8dec57fac45afb42a6f27080a0 header 4096 0.767469
4109d939d8532ac1bd9f2cfa81a33905 .text 475136 6.632858
3b24a4913977b402a4dcce1694306cfb .rdata 147456 5.923542
f597eb4917ef44a2f9a080fc59f528f3 .data 77824 4.968551
77c814f5856057e7a7f6237bbba51a76 .rsrc 32768 7.100017
438ec3064d499d63eb03035aa1f7a142 .reloc 40960 5.759460
Packers/Compilers/Cryptors
Microsoft Visual C++ 6.0
Microsoft Visual C++ 6.0 DLL (Debug)
Relationships
e69d6c2d3e... Contained_Within 675a35e04b19aab314bcbc4b1f2610e3dea4a80c277cc5188f1d1391a00dfdb1
Description
This file, printcache.tlb (original name: PDll.dll), is a proxy module installed as a service by the file 675a35e04b19aab314bcbc4b1f2610e3dea4a80c277cc5188f1d1391a00dfdb1. This file is designed to open the Windows Firewall on the victim’s machine to allow incoming connections and force the compromised system to function as a proxy server.

The malware’s APIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:

--Begin RC4 key--
85 C0 7C 17 8B 4D F4 8B 76 20 33 C0 3B C8 77 0B
--End RC4 key--

When executed, it loads and decrypts the encrypted configuration file data from the registry using the same RC4 key.

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs"
ValueName = "Description"
ValueData = "RC4 encrypted configuration file data"
--End registry key--

The decrypted data contains hexadecimal encoded port numbers:

--Begin port # list --
BB 01 ==> 1BB ==> 443
7F 00 ==> 7F ==> 127
90 1F ==> 1F90 ==> 8080
--End port # list --

The malware utilized the following command to open the Windows Firewall on the victim’s machine to allow incoming connections.

--Begin firewall modification--
"netsh.exe advfirewall firewall add rule name="PortOpenning" dir=in protocol=tcp localport=443 action"
--End firewall modification--

The malware attempts to open ports 443, 127, and 8080 and waits for a connection. The malware contains public SSL certificates in its resource named "101" and is designed to generate crafted TLS sessions (fake TLS communication mechanism).

089e49de61701004a5eff6de65476ed9c7632b6020c2c0f38bb5761bca897359
Tags
proxy, trojan
Details
Name midimapper.rs
Size 761856 bytes
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 00b0cfb59b088b247c97c8fed383c115
SHA1 0cdee734d3a17de0e81b9b2b0b36804d516c3212
SHA256 089e49de61701004a5eff6de65476ed9c7632b6020c2c0f38bb5761bca897359
SHA512 9c9f65e277816a42574ddc28724e1afde8c3bffd0e8bf2e0414204d7b07384848718ada43e59c206b6d13dca33c28c4ae3a82ec12b21207efa5cbb8abfacf7d6
ssdeep 12288:5XYoUXvfAkdRwowG358mOlVvRaXKgCJpV4DDxazfAF:+zwowHJ46jJp+DmfAF
Entropy 6.693566
Antivirus
Ahnlab Trojan/Win32.Agent
BitDefender Gen:Variant.Symmi.14589
ESET Win32/NukeSped.AQ trojan
Emsisoft Gen:Variant.Symmi.14589 (B)
F-secure Gen:Variant.Symmi.14589
Ikarus Trojan.Win32.Agentb
K7 Trojan ( 0051e0501 )
Microsoft Security Essentials TrojanProxy:Win32/SilverMob.A!dha
NANOAV Trojan.Win32.NukeSped.eylorq
Quick Heal Genvariant.Symmi
VirusBlokAda Trojan.Agentb
Zillya! Trojan.Agentb.Win32.18439
Yara Rules
hidden_cobra_consolidated.yara rule import_obfuscation_2 (rule body identical to the one listed under 8c3e0204f5... above)
ssdeep Matches
100 dfb41457088fa2003a085c325bcb63666e1e66fa36bdc8975995bfbeac39500d
PE Metadata
Compile Date 2016-07-25 03:12:34-04:00
Import Hash 100f0ee6d217c6b9e15be71a6c42a2d3
PE Sections
MD5 Name Raw Size Entropy
93649845b04705777d78e05982b93e5f header 4096 0.765196
aca858c8ea569b991797da02f8613716 .text 458752 6.614177
11b9d8a29ef67ebb2c19f753f1c7ada4 .rdata 147456 5.918054
72b7a8f5d846964649b682d6ef074cc0 .data 77824 4.964840
d73a8feca0f13f34575c84df77fbed0e .rsrc 32768 7.100191
61c29b19fe37db83e42ef9ddf46eb40f .reloc 40960 5.689934
Packers/Compilers/Cryptors
Microsoft Visual C++ 6.0
Microsoft Visual C++ 6.0 DLL (Debug)
Description
midimapper.rs (original name: MDll.dll) is a proxy module installed as a service. This file is designed to open the Windows Firewall on the victim’s machine to allow incoming connections and force the compromised system to function as a proxy server.

The malware’s APIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:

--Begin RC4 key--
85 C0 7C 17 8B 4D F4 8B 76 20 33 C0 3B C8 77 0B
--End RC4 key--

When executed, the malware loads and decrypts the encrypted configuration file data from the registry using the same RC4 key.

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs"
ValueName = "Description"
ValueData = "RC4 encrypted configuration file data"
--End registry key--

The decrypted data contains hexadecimal encoded port numbers:

--Begin port # list --
FB 20 ==> 20FB ==> 8443
--End port # list --

The malware utilized the following command to open the Windows Firewall on the victim’s machine to allow incoming connections.

--Begin firewall modification--
"netsh.exe advfirewall firewall add rule name="PortOpenning" dir=in protocol=tcp localport=8443 action=allow enable=yes"
--End firewall modification--

The malware attempts to open port 8443 and waits for a connection. The malware contains public SSL certificates in its resource named "101". It is designed to generate crafted TLS sessions (fake TLS communication mechanism).
d1d490866d4a4d29306f0d9300bffc1450c41bb8fd62371d29672bf9f747bf92
Tags
proxy, trojan
Details
Name BF474B8ACD55380B1169BB949D60E9E4
Size 466241 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 bf474b8acd55380b1169bb949d60e9e4
SHA1 c60c18fc0226a53be15637ee3ef0b73b0dabd854
SHA256 d1d490866d4a4d29306f0d9300bffc1450c41bb8fd62371d29672bf9f747bf92
SHA512 46995cf3516c160d2f4fa5957c8c67df75f2768b24562b22de46a5d4ef7ba17fecaef2ad900bc6925e0c4284802864361423653154ad0622af18d049fb0419be
ssdeep 12288:G+3/oi/EpRsV97/8Olq3p8YNk5oYEeLxCStEowZVKmZag:Gmoi/EpRsV9S3prgomLE9oVmQg
Entropy 7.760001
Antivirus
Microsoft Security Essentials Trojan:Win32/Autophyte.B!dha
Symantec Heur.AdvML.C
Yara Rules
hidden_cobra_consolidated.yara rule enc_PK_header (rule body identical to the one listed under 8c3e0204f5... above)
ssdeep Matches
No matches found.
PE Metadata
Compile Date 2017-06-08 07:12:45-04:00
Import Hash 225e9f7be86d6676c98a852492458049
PE Sections
MD5 Name Raw Size Entropy
21257d58787390491b672d426714b015 header 4096 0.592724
dff4417e6006f193afa34a31581d52dd .text 53248 6.423430
5fbeefe580cf5cb5ee032f29c78b5f7b .rdata 12288 3.435650
c5776014ec07771c8d8093a7af1868c7 .data 16384 2.126011
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Relationships
d1d490866d... Contains 40ef57ca2a617f5d24ac624339ba2027b6cf301c28684bf8b2075fc7a2e95116
Description
This 32-bit Windows executable is a RAT, designed to install a proxy module as a service on the victim’s system.

The malware's APIs and strings (registry key, file names, and service name) are RC4 encrypted using the following key:

--Begin RC4 key--
75 0E 83 C0 02 83 C1 02 84 D2 75 E4 33 C0 EB 05
--End RC4 key--

Decrypted strings of interest are displayed below:

--Begin strings of interest--
"wmplayer.xml"
"printcache.tlb"
"printcache"
"Print Device Cache"
"Manage Print Device Cache And Printing"
--End strings of interest--

When executed, the malware will load an embedded RC4 encrypted archive file from the start of the offset "0x15000".

The malware decrypts the archive using the same RC4 key. The decrypted archive contains a proxy module, which is decompressed and installed from the existing file name "wmplayer.xml" to "C:\Windows\system32\printcache.tlb".

The malware installs the module as a serviceDLL in the "printcache" service group in order to execute "C:\Windows\system32\printcache.tlb" by the Windows service hosting process, "%SYSTEMROOT%\system32\svchost.exe".
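The report above hands you everything needed to read the configuration these modules stash in the registry: the RC4 key, the subkey and value name, and the decoded bytes (BB 01 3B 5A 5D 61 for 59.90.93.97:443 in the RAT, BB 01 / 7F 00 / 90 1F for ports 443, 127 and 8080 and FB 20 for 8443 in the proxy modules). The following is an added worked example written for this thread, not tooling from the MAR or from NCCIC. RC4 is reimplemented because the report names the cipher but includes no code. Three things are assumptions: that the "Description" value holds the raw RC4 ciphertext, that the RAT blob is a run of 6-byte records (2-byte little-endian port, then four IPv4 octets) zero-padded to the 192 bytes the report mentions, and that the proxy blob is a zero-terminated list of 2-byte little-endian ports. The sample blobs are constructed by re-encrypting the report's decoded bytes with the published key.

```python
"""
Decoder for the RC4-protected TYPEFRAME configuration data described in
MAR-10135536-12. Added example, not DHS/NCCIC code. Record layouts below
are assumptions inferred from the decoded bytes the report shows.
"""
from __future__ import annotations

import struct

# RC4 key published in the report for the laxhost.dll / printcache.tlb / midimapper.rs samples.
RC4_KEY = bytes.fromhex("85 C0 7C 17 8B 4D F4 8B 76 20 33 C0 3B C8 77 0B")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Symmetric, so one function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_rat_config(blob: bytes, key: bytes = RC4_KEY) -> list[str]:
    """laxhost.dll layout (assumed): repeated <port LE16><ipv4 x4>, zero padded.
    'BB 01 3B 5A 5D 61' decodes to '59.90.93.97:443' as in the report."""
    plain = rc4(key, blob)
    peers = []
    for off in range(0, len(plain) - 5, 6):
        port, ip = struct.unpack_from("<H4s", plain, off)
        if port == 0 and ip == b"\x00\x00\x00\x00":
            break  # reached the zero padding
        peers.append("{}.{}.{}.{}:{}".format(*ip, port))
    return peers


def decode_proxy_config(blob: bytes, key: bytes = RC4_KEY) -> list[int]:
    """printcache.tlb / midimapper.rs layout (assumed): LE16 ports until a zero word.
    'BB 01 7F 00 90 1F' decodes to [443, 127, 8080]; 'FB 20' to [8443]."""
    plain = rc4(key, blob)
    ports = []
    for off in range(0, len(plain) - 1, 2):
        (port,) = struct.unpack_from("<H", plain, off)
        if port == 0:
            break
        ports.append(port)
    return ports


# Constructed sample blobs: the report's decoded bytes re-encrypted with the published key.
SAMPLE_RAT_BLOB = rc4(RC4_KEY, bytes.fromhex("BB 01 3B 5A 5D 61").ljust(192, b"\x00"))
SAMPLE_PROXY_BLOB = rc4(RC4_KEY, bytes.fromhex("BB 01 7F 00 90 1F 00 00"))
SAMPLE_PROXY_BLOB_2 = rc4(RC4_KEY, bytes.fromhex("FB 20 00 00"))

if __name__ == "__main__":
    print(decode_rat_config(SAMPLE_RAT_BLOB))        # ['59.90.93.97:443']
    print(decode_proxy_config(SAMPLE_PROXY_BLOB))    # [443, 127, 8080]
    print(decode_proxy_config(SAMPLE_PROXY_BLOB_2))  # [8443]
```

Feed it the binary "Description" value exported from the subkeys the report lists (reg.exe export, or a hive pulled from an image). A wrong key does not raise; it yields garbage, so round-trip a known plaintext through rc4() before trusting any decoded address, and note that the d1d4908... installer uses a different key (75 0E 83 C0 ...), so the key is a per-build setting rather than a family constant.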





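The persistence the report describes is also what you hunt for from endpoint telemetry: a service hosted by svchost.exe in an ad hoc group ("printcache"), a ServiceDll whose name is not even a .dll (printcache.tlb, midimapper.rs), the "Description" value dropped under the two subkeys, and a netsh rule with the hard-coded name "PortOpenning". The following is an added example for this thread, not NCCIC code. It runs those checks over constructed, simplified event records (Sysmon-style process creation, service install and registry set, flattened to dicts) so it runs offline; in practice the input is exported Event ID 1, 7045 and 13 records. BASELINE_GROUPS is an assumed allowlist; on a real host derive it from the Svchost key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

```python
r"""
Host-artifact hunt for the TYPEFRAME persistence described in MAR-10135536-12.
Added example, not DHS/NCCIC code. SAMPLE_RECORDS are constructed, and
BASELINE_GROUPS is an assumed allowlist you would replace with the groups
registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
"""
import ntpath
import re

# Indicators taken from the report.
FIREWALL_RULE_NAME = "PortOpenning"
SUSPECT_SERVICE_DLLS = {"laxhost.dll", "printcache.tlb", "midimapper.rs"}
SUSPECT_REG_SUBKEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs",
)
# Assumed allowlist of svchost groups; the proxy module's "printcache" is not one.
BASELINE_GROUPS = {"netsvcs", "LocalService", "NetworkService", "LocalSystemNetworkRestricted"}

_FW_RE = re.compile(r'advfirewall\s+firewall\s+add\s+rule\s+name="([^"]+)".*?localport=(\d+)', re.I)
_SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.I)


def check_process(rec):
    """netsh inbound rule creation using the rule name hard-coded in both proxy modules."""
    m = _FW_RE.search(rec.get("cmdline", ""))
    if m and m.group(1) == FIREWALL_RULE_NAME:
        return f"firewall: rule {m.group(1)!r} opens inbound tcp/{m.group(2)}"
    return None


def check_service(rec):
    """svchost-hosted service whose ServiceDll is an IOC, is not a .dll, or uses an unknown group."""
    m = _SVCHOST_RE.search(rec.get("image_path", ""))
    if not m:
        return None
    group = m.group(1)
    dll = ntpath.basename(rec.get("service_dll", "")).lower()
    reasons = []
    if dll in SUSPECT_SERVICE_DLLS:
        reasons.append(f"ServiceDll {dll} is a known TYPEFRAME name")
    elif not dll.endswith(".dll"):
        reasons.append(f"ServiceDll {dll} is not a .dll (svchost loads it anyway)")
    if group not in BASELINE_GROUPS:
        reasons.append(f"svchost group {group!r} not in baseline")
    if reasons:
        return f"service {rec.get('name')!r}: " + "; ".join(reasons)
    return None


def check_registry(rec):
    """Config drop: a 'Description' value written under one of the report's subkeys."""
    key = rec.get("key", "")
    if rec.get("value") == "Description" and any(key.lower().endswith(s.lower()) for s in SUSPECT_REG_SUBKEYS):
        return f"registry: encrypted config written to {key}"
    return None


CHECKS = {"process_create": check_process, "service_install": check_service, "registry_set": check_registry}


def scan(records):
    """Apply the matching check to each record; return the list of findings in input order."""
    findings = []
    for rec in records:
        check = CHECKS.get(rec.get("event"))
        hit = check(rec) if check else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample records: three mirror the MAR's artifacts, two are benign controls.
SAMPLE_RECORDS = [
    {"event": "process_create", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh.exe advfirewall firewall add rule name="PortOpenning" dir=in protocol=tcp localport=8443 action=allow enable=yes'},
    {"event": "service_install", "name": "printcache",
     "image_path": r"%SYSTEMROOT%\system32\svchost.exe -k printcache",
     "service_dll": r"C:\Windows\system32\printcache.tlb"},
    {"event": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs", "value": "Description"},
    {"event": "service_install", "name": "wuauserv",
     "image_path": r"%SYSTEMROOT%\system32\svchost.exe -k netsvcs",
     "service_dll": r"C:\Windows\system32\wuaueng.dll"},
    {"event": "process_create", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh.exe advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 action=allow'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

The RAT installer is the harder case: laxhost.dll has a legitimate-looking extension, lands in the real netsvcs group, and the report says its service name and the first three characters of the module name are randomized, so the registry check and the ServiceDll name list carry that detection while the group and extension heuristics catch the proxy modules.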
CKA Uber, Vancouver Canucks (Posts: 20720)
PostPosted: Thu Jun 14, 2018 11:25 am

North Korea will have a hissy fit in a month or two, saying that the US didn't hold up its end of the bargain, and tank the whole thing, is my prediction. And the US may well not hold up its end--the term "war games" is pretty vague so they might try to find some wiggle room there. I guess we'll find out come August.


CKA Moderator, San Jose Sharks (Posts: 58099)
PostPosted: Thu Jun 14, 2018 11:38 am

BREAKING NEWS: Just released is The Office of the Inspector General's Audit of the Russia Investigation.

https://www.justice.gov/file/1071991/download

I'm still reading it so no comment at this point.


CKA Uber (Posts: 14242)
PostPosted: Thu Jun 14, 2018 11:44 am

If you’re going to read all of it, clear your schedule for the rest of the day.


CKA Uber, Montreal Canadiens (Posts: 32379)
PostPosted: Thu Jun 14, 2018 11:54 am

BartSimpson wrote:
BREAKING NEWS: Just released is The Office of the Inspector General's Audit of the Russia Investigation.

https://www.justice.gov/file/1071991/download

I'm still reading it so no comment at this point.





The Associated Press (@AP):

The Latest: The Justice Department issues a stinging rebuke to the FBI for its handling of the Hillary Clinton email investigation.


And it won't get anything worse than that.

Alphabet swamp will not be stopped.



WASHINGTON (AP) — The Latest on a report by the Justice Department’s internal watchdog on the FBI’s handling of the Hillary Clinton email investigation. (all times local):

2:40 p.m.

An FBI investigator who worked on probes into Hillary Clinton’s emails and into Russian interference in the 2016 election told an FBI lawyer “we’ll stop” Donald Trump from becoming president.

The inflammatory texts between Peter Strzok and FBI lawyer Lisa Page are highlighted in the report by the Justice Department’s inspector general, which is critical of former FBI director James Comey’s handling of the investigations.

According to the report, Page texted Strzok in August 2016: “(Trump’s) not ever going to become president, right? Right?!”

Strzok responded: “No. No he won’t. We’ll stop it.”

Although the report says the watchdog “did not find documentary or testimonial evidence” that political bias directly affected parts of the probe, it says Page and Strzok’s conduct “cast a cloud over the entire FBI investigation.”


Forum Addict
Posts: 958
PostPosted: Thu Jun 14, 2018 12:17 pm


Another day for Dumbfuck Donnie:

Trump accused in lawsuit of misusing charitable foundation
https://apnews.com/50aaffc1cfbb448f9838 ... foundation


CKA Uber
Montreal Canadiens
Posts: 32379
PostPosted: Thu Jun 14, 2018 12:28 pm


Although we found no evidence that Lynch and former
President Clinton discussed the Midyear investigation or
engaged in other inappropriate discussion during their
tarmac meeting, we also found that Lynch’s failure to
recognize the appearance problem created by former
President Clinton’s visit and to take action to cut the
visit short was an error in judgment.

PAGE 6

WE FOUND NO EVIDENCE


The meeting was the evidence ffs.

'error in judgement' :roll:
Quote:


As we discuss below and in Chapter Six of our report, the meeting between Lynch and former President Clinton on June 27, 2016 also played a role in Comey’s decision to deliver a unilateral statement.
Comey’s initial draft statement, which he shared with FBI senior leadership on May 2, criticized Clinton’s handling of classified information as “grossly negligent,” but concluded that “no reasonable prosecutor” would bring a case based on the facts developed in the Midyear investigation.
Comey’s draft statement underwent various language changes, including the following:
On the morning of July 5, 2016, Comey contacted Lynch and Yates about his plans to make a public statement
in fact, the Department first learned about Comey’s press conference from a media inquiry, rather than from the FBI
While Lynch asked Comey what the subject matter of the statement was going to be (Comey told her in response it would be about the Midyear investigation),
We found that Lynch, having decided not to recuse herself, retained authority over both the final prosecution decision and the Department’s management of the Midyear investigation
On July 6, the Midyear prosecutors briefed Lynch, Yates, Comey, other members of Department and FBI leadership, and FBI Midyear team members about the basis for the declination recommendation. Lynch subsequently issued a short public statement that she met with the career prosecutors and agents who conducted the investigation and “received and accepted their unanimous recommendation” that the investigation be closed without charges


CKA Moderator
San Jose Sharks
Posts: 58099
PostPosted: Thu Jun 14, 2018 1:27 pm


From page XII of the IG report is the not-so surprising revelation that FBI agents were taking bribes from reporters in return for leaked information.


Attachment: fbixii.PNG (page xii)
CKA Uber
Posts: 11481
PostPosted: Thu Jun 14, 2018 1:39 pm


Photo of Trump saluting North Korean general.

Oops, that one’s going to follow you, you completely stupid dumbfuck. What a disgrace and laughingstock.


CKA Uber
Posts: 11481
PostPosted: Thu Jun 14, 2018 2:03 pm


BartSimpson wrote:
From page XII of the IG report is the not-so surprising revelation that FBI agents were taking bribes from reporters in return for leaked information.


It doesn’t say taking bribes. It says “tickets to sporting events, golfing outings, drinks and meals, and admittance to nonpublic social events”. It also doesn’t say any of that was provided in exchange or payment for info. I doubt an FBI agent can be “bribed” with a free beer.

A “bribe” has to be something of value and provided in direct exchange for something.


CKA Uber
Montreal Canadiens
Posts: 32379
PostPosted: Thu Jun 14, 2018 2:11 pm


BeaverFever wrote:
BartSimpson wrote:
From page XII of the IG report is the not-so surprising revelation that FBI agents were taking bribes from reporters in return for leaked information.


It doesn’t say taking bribes. It says “tickets to sporting events, golfing outings, drinks and meals, and admittance to nonpublic social events”. It also doesn’t say any of that was provided in exchange or payment for info. I doubt an FBI agent can be “bribed” with a free beer.

A “bribe” has to be something of value and provided in direct exchange for something.



:lol: :lol: :lol: :lol:


ROTFL ROTFL ROTFL ROTFL



Truly, you are an idiot.

