Blevene Blevene

## QuickNotes
CyberCom

https://twitter.com/CNMF_VirusAlert/status/1146130046127681536

https://twitter.com/CNMF_VirusAlert/status/1146130046127681536


https://customermgmt.net/page/macrocosm - 37.220.6.115 (AS 20860 (Iomart Cloud Services Limited))

b09bce085a2bbc1c0498baf3f75b48f8c86db132ebfc64d72b300f47b7435e89 - Powermet ,	2017-01-14 03:35Z

## IOCs
#Source Blog Post
https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a
---

#Yara Rules
---
rule WinntiLinux_Dropper : azazel_fork
{
    meta:
        desc = "Detection of Linux variant of Winnti"

## Hashes.csv
samples	day	signers	Signer 1	Signer 2	Signer 3	Extra Stuff
a83f2d4073b7ecaf4f277db62ec44f8b10a9f16a297ebb4db9826a7a08eb06d2	2019-02-20	南昌博众彩软件有限公司; WoTrus Code Signing CA; Certum Trusted Network CA	南昌博众彩软件有限公司	 WoTrus Code Signing CA	 Certum Trusted Network CA
7639f505eb9b8ab4e585a2dd5e9f300e936ba73e5b5db4c51bcb0ba52e751581	2018-08-20	A&W Global Ltd; thawte SHA256 Code Signing CA; thawte	A&W Global Ltd	 thawte SHA256 Code Signing CA	 thawte
bf920c41e76de53a7660c12b7d14d2f1ad60539b142654893e7cc420b2bdbc2b	2018-12-19	深圳市掌星立意科技有限公司; VeriSign Class 3 Code Signing 2010 CA; VeriSign	深圳市掌星立意科技有限公司	 VeriSign Class 3 Code Signing 2010 CA	 VeriSign
d3aaad15925caae5262366e3a5bf4edec0246877c340e2ba75e5dc96f8410c4a	2018-10-05	LEMONADE EVENTS LIMITED; COMODO RSA Code Signing CA; COMODO SECURE™	LEMONADE EVENTS LIMITED	 COMODO RSA Code Signing CA	 COMODO SECURE™
54fb9e302b497f99c6e7ac891e31faaeaf62245e8c0f65ca7a81c7916225d511	2018-10-25	AmeriTechnology Group, Inc.; Go Daddy Secure Certificate Authority - G2; Go Daddy Roo

## Rietspoof
f5d739b5b15530be8acafc0f4f358ec48efbe3b1a5d7debbf94bed17b2a3b940
acf46be54c303002d74df6c975083c706b3e1cb8a92e75516579cd0fe65ce918
9097f3cbedc79d1c1b91a0c3e776c19d07cb233d79e4af6f325e8d5d537348c2
426a4cd4fc593ad0b9b8050a3e4e89299db5aa32f72647f41905e43ab74abea3
5f6b90894eb7cc979c97cef0a33ed2308ef789bd0c4475fc572daa104c5a7993
523fcda29655bec72d941311e70e7e810cc5a040d527fb5739120e36fee2e5df
25d7718dc30eccd1a9a2bc037a49b98c503f8064a55a009b1818ba448bcad27b
1cdc2057c31742b43538d29d749b6a4a1f62be12beeb3a384c77ce17826ef9b9
5c06e75410dd1dbae2fadf7ffe09e7ef2d3dab3c24760141ff3ca20f2f80c140
30a44e3a5ea574049809eb57638b0fd7f11aab150ac791d202d930b7d3e7bd09

## 3AN Limited CN
b17ff8c0d83d07fca854d669d1389e8e24718ca54ed1543fdb09e9b9b39456ef
f5d739b5b15530be8acafc0f4f358ec48efbe3b1a5d7debbf94bed17b2a3b940
f5d39e20d406c846041343fe8fbd30069fd50886d7d3d0cce07c44008925d434
b4a65070354d2a89e84b5ddae81a954a868a714a248a48b72c832c759d85558a
acf46be54c303002d74df6c975083c706b3e1cb8a92e75516579cd0fe65ce918
9097f3cbedc79d1c1b91a0c3e776c19d07cb233d79e4af6f325e8d5d537348c2
5f6b90894eb7cc979c97cef0a33ed2308ef789bd0c4475fc572daa104c5a7993
523fcda29655bec72d941311e70e7e810cc5a040d527fb5739120e36fee2e5df
25d7718dc30eccd1a9a2bc037a49b98c503f8064a55a009b1818ba448bcad27b
11f7bb37dd425150e6b095a8d1f3a347ee83e604302a4d9bb201900e74a81d73

## Hoplight IOCs (Extras)
Sourced from VT search, YARA rule provided by US-CERT, modified for VTGrep
content:fjiejffndxklfsdkfjsaadiepwn AND (content:google.co OR content:naver.co)

Ref: https://www.bleepingcomputer.com/news/security/dhs-and-fbi-issue-advisory-on-north-korean-hoplight-malware/
a1eb5a0f15cbe7cdd5eb84839f7490aecf38979467f549a9f9b0591e75d7fab6
b0284e9c4cba2bfd019436d4cbe8f1238fd3f6ed4cb79576057be8c4b74d95e0
741c0e5234c85c488f165d5248707436210f15a5c9a43003fec741da1ad05f98
797a23e0900113b23d468d0050cd0c05f15d3afb34eec4d0e27a6f06398dd849
5712e44c3083e394310042afaef6eb40fbe0c56e551433a6370b1f4b9ef0c0e9
889b744a81ccf1209d724798aa1ef1aa2212ba82007c942a6a8746b7b0c3d616

## lockergoga.csv
first_submitted (epoch),first_submitted,sha256,file_magic,size,num_detections,RESULTS,signers,full_sig,country
1546950000,2019-01-08 12:20:00,c7a69dcfb6a3fe433a52a71d85a7e90df25b1db1bc843a541eb08ea2fd1052a4,PE32+ executable for MS Windows (DLL) (console) Mono/.Net assembly,2097664,27,"Win64/Filecoder.LockerGoga.A,W64/Filecoder_LockerGoga.A!tr.ransom,Trojan-Ransom.LockerGoga",,,NL
1547710000,2019-01-17 7:26:40,5b0b972713cd8611b04e4673676cdff70345ac7301b2c23173cdfeaff564225c,PE32 executable for MS Windows (GUI) Intel 80386 32-bit,1284112,40,"Trojan[Ransom]/Win32.LockerGoga.a,Ransom.LockerGoga.S5239812,a variant of Win32/Filecoder.LockerGoga.A","""MIKL LIMITED; COMODO RSA Code Signing CA; COMODO SECURE™""","[{""status"":""Trust for this certificate or one of the certificates in the certificate chain has been revoked."",""valid usage"":""Code Signing"",""name"":""MIKL LIMITED"",""algorithm"":""sha256RSA"",""valid from"":""12:00 AM 06/25/2018"",""valid to"":""11:59 PM 06/25/2019"",""serial number"":""3D 25 80 E8 9

## SHA256 Hashes
5ae51f890d8c99d4332dfed5e823bafc51f746dbe78de5663c724c97b29ab90f
c44653c5317b897ab9192fbaba95f6844221b3598a785733d98f76f67b19edb9
9690b0623ef3a29ed5ac20318afa2bed1d4da4da26350fd2265c5baa7173f9ac
fea7356239b18ee60184f844d563f2c35b6f5e5461baadd62e1c8a46e643c22d
e423f68c36c629b1160069303a87a926182ae6e1d60cd4d88cfb42198870a1ef
f5ed20002cccd20a5096fea1ce46febb6eaa677048c4b3a82ba5ae16319de4c1
c68b49f15b750abff169e855507dc0c5afc0dfa03a8f3136cbe7fd983258565a
1944deb7d7030d9984c7695607ccb842c239ac0438da4390167f8cb8b43d25c6
56e69d7ff0fa3212bb613654c862d1fe6087c6f6a4d107dc42b480082194bd12
9864893e31021debe9df71f6995e562ca46b3a32412ea6d0661f402110d99855

## Formbook hashes
a34fcd5496fab5dce127701c2edbeca41a2fdd9407ae1ecb2aaabbe7dcd51e5d
c0bd8ea4a5eb03c1c011694dc281e99f26fb4e6eb9dd1c5f51c174df5aad8b9a
d0ec1dccf63cc373b5799fd5a36be786aa1ad15b96b4688960a928a7d47cddc5
f5d3771c764945a091df5d49d8526acf4bc0b6deb8529c8e9263b1478f92a385
4c9ccbd475b0e44bb280052407f6724c33bfc8a837eabb9cc7821aa8b2bf30e3
d054a1207332dddc61fdec378763bc6db93c7337e76ab6847fc99b0f2193c7db
3776594e0978a844b5f0153ab9a348630f5cb85c1b2e9dc3006e7b639882554b
ad525b5f0e55e0275a092a3fc890066f5ebc1d03c4aae64af9ae326697fecec8
6dc3aa44055834b68b8d111f8fb1d46d8384c629eea18df6622b9ae0870f2d21
58b7e97f8dd79ad3d9ceb412e2e409130f493b6cca1ba1dd40000cb143542b48

## Emotet Indicators
0062692aa2341873911a34738d654dc2ef985620a3dc3b5b7a0733d531fe2038
01da5a902c26bf9aaf5b73f1b12d9ace6721f49e011c1746da4a856e2ee20315
079bcf1087e9dd2e1d63d15a784ee36aab95bf09c0f57c1ccdf69ef2348ea77b
0a07cfc820b9ff728dabb39d8295ce0efbb5390f86d1cd525879b64b56231aac
0a3f0bb71442c58ff7d83f42d4c17eaa6467048f9c551ae535ab7fdde93650c8
0bd37ceff94394828645a0cb4d43e363b1e12c516164d42187c2c1641bfa268d
0c2299de95c6449104d90410646ab19ab540d42ec19a74e28642dfac4be9782b
12eeb4d6ed06fdaa609b2bedb2c8433c5c1426cf8fec63aa0d9b62d53857656a
12f9a8c99798490cf35deaf4a33c1396fa295baa43703c09899a8c30c3e5a9d4
136ad986a085a7ac59c2bdea852972f44849d1f92264e88b3a59ba31df143771
	CyberCom

	https://twitter.com/CNMF_VirusAlert/status/1146130046127681536

	https://twitter.com/CNMF_VirusAlert/status/1146130046127681536


	https://customermgmt.net/page/macrocosm - 37.220.6.115 (AS 20860 (Iomart Cloud Services Limited))

	b09bce085a2bbc1c0498baf3f75b48f8c86db132ebfc64d72b300f47b7435e89 - Powermet , 2017-01-14 03:35Z
	#Source Blog Post
	https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a
	---

	#Yara Rules
	---
	rule WinntiLinux_Dropper : azazel_fork
	{
	meta:
	desc = "Detection of Linux variant of Winnti"
	samples day signers Signer 1 Signer 2 Signer 3 Extra Stuff
	a83f2d4073b7ecaf4f277db62ec44f8b10a9f16a297ebb4db9826a7a08eb06d2 2019-02-20 南昌博众彩软件有限公司; WoTrus Code Signing CA; Certum Trusted Network CA 南昌博众彩软件有限公司 WoTrus Code Signing CA Certum Trusted Network CA
	7639f505eb9b8ab4e585a2dd5e9f300e936ba73e5b5db4c51bcb0ba52e751581 2018-08-20 A&W Global Ltd; thawte SHA256 Code Signing CA; thawte A&W Global Ltd thawte SHA256 Code Signing CA thawte
	bf920c41e76de53a7660c12b7d14d2f1ad60539b142654893e7cc420b2bdbc2b 2018-12-19 深圳市掌星立意科技有限公司; VeriSign Class 3 Code Signing 2010 CA; VeriSign 深圳市掌星立意科技有限公司 VeriSign Class 3 Code Signing 2010 CA VeriSign
	d3aaad15925caae5262366e3a5bf4edec0246877c340e2ba75e5dc96f8410c4a 2018-10-05 LEMONADE EVENTS LIMITED; COMODO RSA Code Signing CA; COMODO SECURE™ LEMONADE EVENTS LIMITED COMODO RSA Code Signing CA COMODO SECURE™
	54fb9e302b497f99c6e7ac891e31faaeaf62245e8c0f65ca7a81c7916225d511 2018-10-25 AmeriTechnology Group, Inc.; Go Daddy Secure Certificate Authority - G2; Go Daddy Roo
	f5d739b5b15530be8acafc0f4f358ec48efbe3b1a5d7debbf94bed17b2a3b940
	acf46be54c303002d74df6c975083c706b3e1cb8a92e75516579cd0fe65ce918
	9097f3cbedc79d1c1b91a0c3e776c19d07cb233d79e4af6f325e8d5d537348c2
	426a4cd4fc593ad0b9b8050a3e4e89299db5aa32f72647f41905e43ab74abea3
	5f6b90894eb7cc979c97cef0a33ed2308ef789bd0c4475fc572daa104c5a7993
	523fcda29655bec72d941311e70e7e810cc5a040d527fb5739120e36fee2e5df
	25d7718dc30eccd1a9a2bc037a49b98c503f8064a55a009b1818ba448bcad27b
	1cdc2057c31742b43538d29d749b6a4a1f62be12beeb3a384c77ce17826ef9b9
	5c06e75410dd1dbae2fadf7ffe09e7ef2d3dab3c24760141ff3ca20f2f80c140
	30a44e3a5ea574049809eb57638b0fd7f11aab150ac791d202d930b7d3e7bd09
	b17ff8c0d83d07fca854d669d1389e8e24718ca54ed1543fdb09e9b9b39456ef
	f5d739b5b15530be8acafc0f4f358ec48efbe3b1a5d7debbf94bed17b2a3b940
	f5d39e20d406c846041343fe8fbd30069fd50886d7d3d0cce07c44008925d434
	b4a65070354d2a89e84b5ddae81a954a868a714a248a48b72c832c759d85558a
	acf46be54c303002d74df6c975083c706b3e1cb8a92e75516579cd0fe65ce918
	9097f3cbedc79d1c1b91a0c3e776c19d07cb233d79e4af6f325e8d5d537348c2
	5f6b90894eb7cc979c97cef0a33ed2308ef789bd0c4475fc572daa104c5a7993
	523fcda29655bec72d941311e70e7e810cc5a040d527fb5739120e36fee2e5df
	25d7718dc30eccd1a9a2bc037a49b98c503f8064a55a009b1818ba448bcad27b
	11f7bb37dd425150e6b095a8d1f3a347ee83e604302a4d9bb201900e74a81d73
	Sourced from VT search, YARA rule provided by US-CERT, modified for VTGrep
	content:fjiejffndxklfsdkfjsaadiepwn AND (content:google.co OR content:naver.co)

	Ref: https://www.bleepingcomputer.com/news/security/dhs-and-fbi-issue-advisory-on-north-korean-hoplight-malware/
	a1eb5a0f15cbe7cdd5eb84839f7490aecf38979467f549a9f9b0591e75d7fab6
	b0284e9c4cba2bfd019436d4cbe8f1238fd3f6ed4cb79576057be8c4b74d95e0
	741c0e5234c85c488f165d5248707436210f15a5c9a43003fec741da1ad05f98
	797a23e0900113b23d468d0050cd0c05f15d3afb34eec4d0e27a6f06398dd849
	5712e44c3083e394310042afaef6eb40fbe0c56e551433a6370b1f4b9ef0c0e9
	889b744a81ccf1209d724798aa1ef1aa2212ba82007c942a6a8746b7b0c3d616
	first_submitted (epoch),first_submitted,sha256,file_magic,size,num_detections,RESULTS,signers,full_sig,country
	1546950000,2019-01-08 12:20:00,c7a69dcfb6a3fe433a52a71d85a7e90df25b1db1bc843a541eb08ea2fd1052a4,PE32+ executable for MS Windows (DLL) (console) Mono/.Net assembly,2097664,27,"Win64/Filecoder.LockerGoga.A,W64/Filecoder_LockerGoga.A!tr.ransom,Trojan-Ransom.LockerGoga",,,NL
	1547710000,2019-01-17 7:26:40,5b0b972713cd8611b04e4673676cdff70345ac7301b2c23173cdfeaff564225c,PE32 executable for MS Windows (GUI) Intel 80386 32-bit,1284112,40,"Trojan[Ransom]/Win32.LockerGoga.a,Ransom.LockerGoga.S5239812,a variant of Win32/Filecoder.LockerGoga.A","""MIKL LIMITED; COMODO RSA Code Signing CA; COMODO SECURE™""","[{""status"":""Trust for this certificate or one of the certificates in the certificate chain has been revoked."",""valid usage"":""Code Signing"",""name"":""MIKL LIMITED"",""algorithm"":""sha256RSA"",""valid from"":""12:00 AM 06/25/2018"",""valid to"":""11:59 PM 06/25/2019"",""serial number"":""3D 25 80 E8 9
	5ae51f890d8c99d4332dfed5e823bafc51f746dbe78de5663c724c97b29ab90f
	c44653c5317b897ab9192fbaba95f6844221b3598a785733d98f76f67b19edb9
	9690b0623ef3a29ed5ac20318afa2bed1d4da4da26350fd2265c5baa7173f9ac
	fea7356239b18ee60184f844d563f2c35b6f5e5461baadd62e1c8a46e643c22d
	e423f68c36c629b1160069303a87a926182ae6e1d60cd4d88cfb42198870a1ef
	f5ed20002cccd20a5096fea1ce46febb6eaa677048c4b3a82ba5ae16319de4c1
	c68b49f15b750abff169e855507dc0c5afc0dfa03a8f3136cbe7fd983258565a
	1944deb7d7030d9984c7695607ccb842c239ac0438da4390167f8cb8b43d25c6
	56e69d7ff0fa3212bb613654c862d1fe6087c6f6a4d107dc42b480082194bd12
	9864893e31021debe9df71f6995e562ca46b3a32412ea6d0661f402110d99855
	a34fcd5496fab5dce127701c2edbeca41a2fdd9407ae1ecb2aaabbe7dcd51e5d
	c0bd8ea4a5eb03c1c011694dc281e99f26fb4e6eb9dd1c5f51c174df5aad8b9a
	d0ec1dccf63cc373b5799fd5a36be786aa1ad15b96b4688960a928a7d47cddc5
	f5d3771c764945a091df5d49d8526acf4bc0b6deb8529c8e9263b1478f92a385
	4c9ccbd475b0e44bb280052407f6724c33bfc8a837eabb9cc7821aa8b2bf30e3
	d054a1207332dddc61fdec378763bc6db93c7337e76ab6847fc99b0f2193c7db
	3776594e0978a844b5f0153ab9a348630f5cb85c1b2e9dc3006e7b639882554b
	ad525b5f0e55e0275a092a3fc890066f5ebc1d03c4aae64af9ae326697fecec8
	6dc3aa44055834b68b8d111f8fb1d46d8384c629eea18df6622b9ae0870f2d21
	58b7e97f8dd79ad3d9ceb412e2e409130f493b6cca1ba1dd40000cb143542b48
	0062692aa2341873911a34738d654dc2ef985620a3dc3b5b7a0733d531fe2038
	01da5a902c26bf9aaf5b73f1b12d9ace6721f49e011c1746da4a856e2ee20315
	079bcf1087e9dd2e1d63d15a784ee36aab95bf09c0f57c1ccdf69ef2348ea77b
	0a07cfc820b9ff728dabb39d8295ce0efbb5390f86d1cd525879b64b56231aac
	0a3f0bb71442c58ff7d83f42d4c17eaa6467048f9c551ae535ab7fdde93650c8
	0bd37ceff94394828645a0cb4d43e363b1e12c516164d42187c2c1641bfa268d
	0c2299de95c6449104d90410646ab19ab540d42ec19a74e28642dfac4be9782b
	12eeb4d6ed06fdaa609b2bedb2c8433c5c1426cf8fec63aa0d9b62d53857656a
	12f9a8c99798490cf35deaf4a33c1396fa295baa43703c09899a8c30c3e5a9d4
	136ad986a085a7ac59c2bdea852972f44849d1f92264e88b3a59ba31df143771