[CB21] Operation Software Concepts: A Beautiful Envelope for Wrapping Weapon by Rintaro Koike, Shogo Hayashi and Ryuichi Tanabe
Report
Share
•0 likes•114 views
![© NTT All Rights Reserved
SSV Downloader
DLL Side-Loading
• ssvagent.exe
• Legitimate & signed exe file
› Symantec Endpoint Protection (RtvStart.exe)
MSVCR110.dll
• SSV Downloader
• Download encoded SSV RAT
› https[:]//www.flushcdn[.]com/download/image9588.jpg
2021
SSV RAT
Legit EXE
SSV Downloader
www.flushcdn[.]com](https://image.slidesharecdn.com/rintarokoikeoperationsoftwareconceptsenglish-220117021629/75/cb21-operation-software-concepts-a-beautiful-envelope-for-wrapping-weapon-by-rintaro-koike-shogo-hayashi-and-ryuichi-tanabe-10-2048.jpg?cb=1668475695)
![© NTT All Rights Reserved
SSV Downloader
MSVCR110.dll
• SSV Downloader
• Decode “image9588.jpg”
› 5bytes XOR
» [0x0e, 0x06, 0x33, 0x11, 0x12]
» This actor prefers to use 5bytes XOR
2021](https://image.slidesharecdn.com/rintarokoikeoperationsoftwareconceptsenglish-220117021629/75/cb21-operation-software-concepts-a-beautiful-envelope-for-wrapping-weapon-by-rintaro-koike-shogo-hayashi-and-ryuichi-tanabe-11-2048.jpg?cb=1668475695)
![© NTT All Rights Reserved
SSV RAT
Basic RAT
• File operation
• Download, upload, create, delete, move, copy, search
› Download & execute WerNis RAT
• Process operation
• Create, kill self
• Traffic
• RC4 encoded (Key: 0x1fa8cc16)
2021
SSV RAT
DATA
Legit EXE Decoder
WerNis RAT (Encoded)
api.flushcdn[.]com
api.hostupoeui[.]com](https://image.slidesharecdn.com/rintarokoikeoperationsoftwareconceptsenglish-220117021629/75/cb21-operation-software-concepts-a-beautiful-envelope-for-wrapping-weapon-by-rintaro-koike-shogo-hayashi-and-ryuichi-tanabe-12-2048.jpg?cb=1668475695)
![© NTT All Rights Reserved
WerNis RAT
2nd RAT
• Mutex
• WerNisSvc3
• File operation
• Download, upload, delete, move, copy, search
› Download & execute Mimikatz
2021
DATA
Legit EXE Decoder
WerNis RAT (Encoded)
info.hostupoeui[.]com
DATA
Decoder
Mimikatz (Encoded)](https://image.slidesharecdn.com/rintarokoikeoperationsoftwareconceptsenglish-220117021629/75/cb21-operation-software-concepts-a-beautiful-envelope-for-wrapping-weapon-by-rintaro-koike-shogo-hayashi-and-ryuichi-tanabe-13-2048.jpg?cb=1668475695)
![© NTT All Rights Reserved
Tools
Mimikatz
• mm.exe
• Decode crack.dll
› 5bytes XOR
» [0x09, 0x12, 0x0e, 0x47, 0x51]
• crack.dll
• Encoded Mimikatz
• Attacker exploited Zerologon
2021](https://image.slidesharecdn.com/rintarokoikeoperationsoftwareconceptsenglish-220117021629/75/cb21-operation-software-concepts-a-beautiful-envelope-for-wrapping-weapon-by-rintaro-koike-shogo-hayashi-and-ryuichi-tanabe-15-2048.jpg?cb=1668475695)
![© NTT All Rights Reserved
Past SSV family cases
In January 2021, SSV Dropper executed SSV Downloader. This can be related to
an attack case against Mongolia in December 2020.
2021
SSV Dropper
(news.exe)
Legit EXE
SSV Downloader
With Macro
PS1
?
drmtake[.]tk
in December 2020](https://image.slidesharecdn.com/rintarokoikeoperationsoftwareconceptsenglish-220117021629/75/cb21-operation-software-concepts-a-beautiful-envelope-for-wrapping-weapon-by-rintaro-koike-shogo-hayashi-and-ryuichi-tanabe-19-2048.jpg?cb=1668475695)
[CB21] Operation Software Concepts: A Beautiful Envelope for Wrapping Weapon by Rintaro Koike, Shogo Hayashi and Ryuichi Tanabe
•0 likes•114 views
Report
Share
Download to read offline
In April 2021, we observed new targeted attack campaign and we named it "Operation Software Concepts". Operation Software Concepts aimed at Russia, Mongolia and South Korea as attacking targets by using unknown malwares. Some malwares associate to past Royal Road RTF Weaponizer related attacks and ShimRAT by Mofang. In this presentation, we will show the whole case of Operation Software Concepts, the detailed analysis result about the malwares which were used in the operation, and relations of several past attack cases. Afterwards, we will explain the connection to some attack groups.
![[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...](https://cdn.slidesharecdn.com/ss_thumbnails/tomonagakinosasakithelazarusgroupsattackoperationstargetingjapanenglish-220117021055-thumbnail.jpg?width=384&fit=bounds)
More Related Content
What's hot
![[JaSST nano] テストケースを作ってもらうときに気を付けていたことをお話するの](https://cdn.slidesharecdn.com/ss_thumbnails/jasstnano-210615122424-thumbnail.jpg?width=384&fit=bounds)
What's hot(20)
![[JaSST nano] テストケースを作ってもらうときに気を付けていたことをお話するの](https://cdn.slidesharecdn.com/ss_thumbnails/jasstnano-210615122424-thumbnail.jpg?width=768&fit=bounds)
Similar to [CB21] Operation Software Concepts: A Beautiful Envelope for Wrapping Weapon by Rintaro Koike, Shogo Hayashi and Ryuichi Tanabe
Similar to [CB21] Operation Software Concepts: A Beautiful Envelope for Wrapping Weapon by Rintaro Koike, Shogo Hayashi and Ryuichi Tanabe(20)
![Paul Dix [InfluxData] | InfluxDays Keynote: Future of InfluxDB | InfluxDays N...](https://cdn.slidesharecdn.com/ss_thumbnails/2021-10-26whytimeseries-influxdaysna-211026005527-thumbnail.jpg?width=768&fit=bounds)
More from CODE BLUE
![[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t2s052022-10-28-dfirandthreathuntingwithwindowseventlogszachmathisversion3-230103072306-eb57bdc0-thumbnail.jpg?width=384&fit=bounds)
![[cb22] Tales of 5G hacking by Karsten Nohl](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s09221127-230103071757-420d7b85-thumbnail.jpg?width=384&fit=bounds)
![[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...](https://cdn.slidesharecdn.com/ss_thumbnails/anjieyangyourprintercodebluefortranslator-230103071138-8fcd3032-thumbnail.jpg?width=384&fit=bounds)
![[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07hiroyukiitabashien-230103064031-868ff2ae-thumbnail.jpg?width=384&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07hiroyukiitabashijp-230103063336-b5b21552-thumbnail.jpg?width=384&fit=bounds)
![[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07lorenzopupiloen-230103062123-07ea5347-thumbnail.jpg?width=384&fit=bounds)
More from CODE BLUE(20)
![[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t2s052022-10-28-dfirandthreathuntingwithwindowseventlogszachmathisversion3-230103072306-eb57bdc0-thumbnail.jpg?width=768&fit=bounds)
![[cb22] Tales of 5G hacking by Karsten Nohl](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s09221127-230103071757-420d7b85-thumbnail.jpg?width=768&fit=bounds)
![[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...](https://cdn.slidesharecdn.com/ss_thumbnails/anjieyangyourprintercodebluefortranslator-230103071138-8fcd3032-thumbnail.jpg?width=768&fit=bounds)
![[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07hiroyukiitabashien-230103064031-868ff2ae-thumbnail.jpg?width=768&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07hiroyukiitabashijp-230103063336-b5b21552-thumbnail.jpg?width=768&fit=bounds)
![[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07lorenzopupiloen-230103062123-07ea5347-thumbnail.jpg?width=768&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07lorenzopupilojp-230103061253-df49295c-thumbnail.jpg?width=768&fit=bounds)
![[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07allanfriedmanen-230103060535-324b96bf-thumbnail.jpg?width=768&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07allanfriedmanjp-230103060017-24438771-thumbnail.jpg?width=768&fit=bounds)
![[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07ikuotakahashien-230103055145-37529240-thumbnail.jpg?width=768&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07ikuotakahashijp-230103054428-3dbd8ee7-thumbnail.jpg?width=768&fit=bounds)
![[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t2s05u25yuumatakienkentarovar5-230102092618-bbf74898-thumbnail.jpg?width=768&fit=bounds)
![[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka](https://cdn.slidesharecdn.com/ss_thumbnails/d1t2s04vladislavhrckaunderthehoodofwslinksvirtualmachinejapanesemachinetranslation-230102091457-ae9568be-thumbnail.jpg?width=768&fit=bounds)
![[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t2s04vladislavhrckaunderthehoodofwslinksvirtualmachine-230102091156-e3c59f0e-thumbnail.jpg?width=768&fit=bounds)
![[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s04zih-cingliaoyu-tungchnagclouddragonscredentialfactoryispoweringupitsespionageactivitiesagains-230102085356-8e46661b-thumbnail.jpg?width=768&fit=bounds)
![[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...](https://cdn.slidesharecdn.com/ss_thumbnails/codeblue2022chechangsilviayeh-230102084414-c1570bd5-thumbnail.jpg?width=768&fit=bounds)
![[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t1s09yutawhoisthemalgopherenglishesix1-230102083158-ba91a7f7-thumbnail.jpg?width=768&fit=bounds)
![[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也](https://cdn.slidesharecdn.com/ss_thumbnails/d1t1s09yutawhoisthemalgopherjapanese1-230102082553-e0b239bb-thumbnail.jpg?width=768&fit=bounds)
![[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t1s08takahiroharuyamac2scan-230101090416-eee10a0a-thumbnail.jpg?width=768&fit=bounds)
![[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t1s07tomonagamasubuchifightagainstmalwaredevelopmentlifecycle2022-10-1806-230101090047-9ab922cd-thumbnail.jpg?width=768&fit=bounds)
Recently uploaded
Recently uploaded(20)
[CB21] Operation Software Concepts: A Beautiful Envelope for Wrapping Weapon by Rintaro Koike, Shogo Hayashi and Ryuichi Tanabe
- 1. Operation Software Concepts Beautiful Envelope for Wrapping Weapon NTT Security (Japan) KK Rintaro Koike, Shogo Hayashi, Ryuichi Tanabe
- 2. © NTT All Rights Reserved About us • Rintaro Koike (小池 倫太郎) • Security analyst at NTT Security Japan (threat research, malware analysis) • Founder of nao_sec • Shogo Hayashi (林 匠悟) • Security analyst at NTT Security Japan (responding to EDR detections, creating custom signatures) • Co-founder of SOCYETI • Ryuichi Tanabe (田邉 龍一) • Security analyst at NTT Security Japan (responding to EDR detections, malware analysis) • Speaker of VB2021 localhost, TheSAS2021
- 3. © NTT All Rights Reserved Motivation & Goal Operation Software Concepts • Introducing campaign overview • Targets, characteristics, purpose • Showing detailed analysis results • SSV Dropper, SSV Downloader, SSV RAT and WerNis RAT • Considering relationships and attribution
- 4. © NTT All Rights Reserved 4 © NTT All Rights Reserved 2021 1. Attack Overview 2. Malware Analysis 3. Attribution 4. Wrap-Up Agenda
- 5. © NTT All Rights Reserved Attack Flow 2021 SCR SSV Dropper DLL EXE Legitimate-A SSV Downloader Malware Server SSV RAT Create & Execute Download Load EXE C&C Server-A EXE Legitimate-B Data WerNis RAT EXE Legitimate-C C&C Server-B EXE Loader Data Mimikatz DLL Decoder Load Execute Download Inject Download Load Domain Controller Zerologon
- 6. © NTT All Rights Reserved Evasion Techniques Techniques used in Operation Software Concepts • Valid signature • SSV Dropper • DLL Side-Loading • Symantec Endpoint Protection (RtvStart.exe) • Microsoft Edge Update (MicrosoftEdgeUpdate.exe) • Process Injection • WerNis RAT (dllhost.exe) • Loader & Encoded Data • SSV Downloader, WerNis RAT, Mimikatz 2021
- 7. © NTT All Rights Reserved Attack Operation Timeline (2021-04-22) 2021 Time (JST) Object Description 16:32 SSV RAT Executed and accessed to C&C server 16:44 – 16:55 SSV RAT Investigated environment of host 17:09 SSV RAT Downloaded WerNis RAT from C&C server 17:15 WerNis RAT Executed and accessed to C&C server 17:17 – 17:43 WerNis RAT Investigated environment of Active Directory 17:52 Mimikatz Exploited DC by Zerologon 17:47 – 17:56 WerNis RAT Captured Desktop many times 18:08 - Attacker stopped operation
- 8. © NTT All Rights Reserved Malware Analysis 8 © NTT All Rights Reserved 2021
- 9. © NTT All Rights Reserved SSV Dropper With a valid signature • SOFTWARE CONCEPTS LIMITED 1. Drop exe + dll files • C:¥ProgramData¥Apacha › ssvagent.exe › MSVCR110.dll 2. Execute ssvagent.exe 2021 SSV Dropper (Signed) Legit EXE SSV Downloader
- 10. © NTT All Rights Reserved SSV Downloader DLL Side-Loading • ssvagent.exe • Legitimate & signed exe file › Symantec Endpoint Protection (RtvStart.exe) MSVCR110.dll • SSV Downloader • Download encoded SSV RAT › https[:]//www.flushcdn[.]com/download/image9588.jpg 2021 SSV RAT Legit EXE SSV Downloader www.flushcdn[.]com
- 11. © NTT All Rights Reserved SSV Downloader MSVCR110.dll • SSV Downloader • Decode “image9588.jpg” › 5bytes XOR » [0x0e, 0x06, 0x33, 0x11, 0x12] » This actor prefers to use 5bytes XOR 2021
- 12. © NTT All Rights Reserved SSV RAT Basic RAT • File operation • Download, upload, create, delete, move, copy, search › Download & execute WerNis RAT • Process operation • Create, kill self • Traffic • RC4 encoded (Key: 0x1fa8cc16) 2021 SSV RAT DATA Legit EXE Decoder WerNis RAT (Encoded) api.flushcdn[.]com api.hostupoeui[.]com
- 13. © NTT All Rights Reserved WerNis RAT 2nd RAT • Mutex • WerNisSvc3 • File operation • Download, upload, delete, move, copy, search › Download & execute Mimikatz 2021 DATA Legit EXE Decoder WerNis RAT (Encoded) info.hostupoeui[.]com DATA Decoder Mimikatz (Encoded)
- 14. © NTT All Rights Reserved WerNis RAT 2nd RAT • Process operation • Create, remote shell • Information theft • System/disk information, desktop screen, keylogging › Encoded (XOR 0x7f) & write to “SetEvent.dll” • Traffic • HTTPS communication 2021
- 15. © NTT All Rights Reserved Tools Mimikatz • mm.exe • Decode crack.dll › 5bytes XOR » [0x09, 0x12, 0x0e, 0x47, 0x51] • crack.dll • Encoded Mimikatz • Attacker exploited Zerologon 2021
- 16. © NTT All Rights Reserved Attribution 16 © NTT All Rights Reserved 2021
- 17. © NTT All Rights Reserved Activity Timeline 2021 Mar-2019 May-2020 Dec-2020 Jan-2021 Mar-2021 May-2021 Jul-2021 RU WerNis RAT + Lockdown Loader + ShadowPad SSV Dropper -> SSV Downloader MN Royal Road RTF -> SSV Dropper -> SSV Downloader SSV Dropper (looks like Able Soft) -> CobaltStrike Beacon Malicious document files -> PowerShell SSV Dropper -> SSV Downloader etc Tonto exploited Exchange Server and executed ShadowPad SSV Dropper -> SSV Downloader Lockdown Loader -> ShimRAT
- 18. © NTT All Rights Reserved 2021 Past SSV family cases In March 2019, SSV Dropper and SSV Downloader were observed in an attack using Royal Road RTF against Mongolia In May 2020, SSV Dropper “AbleRepair.exe” executed CobaltStrike Beacon SSV Dropper Legit EXE SSV Downloader Royal Road RTF DATA Legit EXE Decoder CobaltStrike Beacon SSV Dropper (AbleRepair.exe)
- 19. © NTT All Rights Reserved Past SSV family cases In January 2021, SSV Dropper executed SSV Downloader. This can be related to an attack case against Mongolia in December 2020. 2021 SSV Dropper (news.exe) Legit EXE SSV Downloader With Macro PS1 ? drmtake[.]tk in December 2020
- 20. © NTT All Rights Reserved Past case using WerNis RAT In March 2021, a Russian defense company submitted some files at the same time to VirusTotal • WerNis RAT Loader (with huge padding) • Lockdown Loader (with huge padding) • ShadowPad 2021
- 21. © NTT All Rights Reserved 2021 Lockdown Loader Characteristics • A loader for executing encoded malware • In May 2021, a Lockdown Loader executing ShimRAT was observed • Mainly observed in Russia • Contains huge padding data sometimes Dropper DATA Legit EXE Lockdown Loader Shim RAT
- 22. © NTT All Rights Reserved 2021 Overlap with others APT31 (BRONZE VINEWOOD) • HanaLoader/RAT and SSV family are similar • DLL Side-Loading • File path and name • Registry key • Self Deleting method • Target organization • Using Mimikatz Using TopDNS as name server • Operation Software Concepts • Russian incident (in March 2021) • Recent Mofang activities
- 23. © NTT All Rights Reserved 2021 Overlap with others Vicious Panda • Same target • 2020/03 › Royal Road RTF • 2021/08 › SSV Dropper https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/
- 24. © NTT All Rights Reserved 2021 APT31 Tonto Mofang Secureworks Report Recent Mofang Activity Royal Road Related Attack Microsoft Exchange Related Attack Operation Software Concepts Russian Incident SSV RAT SSV Downloader SSV Dropper WerNis RAT Lockdown Loader ShadowPad ShimRAT TopDNS NameServer
- 25. © NTT All Rights Reserved Wrap-Up 25 © NTT All Rights Reserved 2021
- 26. © NTT All Rights Reserved Wrap-Up Operation Software Concepts • Targeting Russian and Mongolian government or defense sector • Multiple stages • SSV Dropper drops and executes SSV Downloader • SSV Downloader downloads SSV RAT to operate remotely • WerNis RAT and Mimikatz can be additionally downloaded and executed • SSV family has been in use since March 2019 at least • Overlapping with various attack groups such as Tonto, APT31 and Mofang • One of these groups may have attacked or the tools maybe shared between these groups 2021
- 27. © NTT All Rights Reserved Any Questions? 27 2021
- 28. © NTT All Rights Reserved Appendix: IOC • SSV Dropper • 2b495829b8b3319f98e22f35d7bd48c4dea1b9bafe80749d628da99fede6d694 • c3bf8fb3dbbce74d3448d7608ea6dd0567f6bcc437693abd1dcab0ab7fb48155 • 5d0872d07c6837dbc3bfa85fd8f79da3d83d7bb7504a6de7305833090b214f2c • 78cc364e761701455bdc4bce100c2836566e662b87b5c28251c178eba2e9ce7e • be5431c999094078e617ce27d27a064b44616421bde334e0bc6fe625ce961ced • 002dc9f6823ad8d3de23bcb5e41bcefd895df573ed3d89e0821243aa9b7bb4a8 • 679955ff2a97ea11a181ae60c775eff78fadd767bc641ca0d1cff86a26df8ac8 • 8276c2c3a9680de856f5d6dc920a63445b430496ad16c0f3f45ccaf0e995b296 • 874b946b674715c580e7b379e9597e48c85c04cca3a2790d943f56600b575d2f 2021
- 29. © NTT All Rights Reserved Appendix: IOC • SSV Dropper • 33f136069d7c3a030b2e0738a5ee80d442dee1a202f6937121fa4e92a775fead • 80de328bd22e08855af9d05532b89087d2605f6c469925f48e1cc774e7375304 • eb1005ae12b883a69e81d0f1c0dd162b5e48ada337c163ffbca5d62473913a73 • 9ad30d25e74c272a7965f52a5c06f7343df9a493d21d16b339cc0dc65be8cc2a 2021
- 30. © NTT All Rights Reserved Appendix: IOC • SSV Downloader • cff71b69e36cd552ab2eb9bc605269bb6859ddaff2151d1361b0306b922f8a0f • c15a475f8324fdfcd959ffc40bcbee655cbdc5ab9cbda0caf59d63700989766f • 93eb4a701aac14be362389665a36f7f0747f118e3fc2095bb93c0ceff72ae605 • 00cf3b462059908085fef43e65417e0cca1ac0314cad8af7d89fb34c01f75a03 • 4d9c89a590deb5f3cda6001ea46f8fe2a6ada74e75a8ad14f5c1d14c2980dc47 • 71bd4e5847776d6731510220c3fdf16ad7a55088bd43681cdb408cb9fde59b3d • 7a16da50a63f7a181d07b45ae552c87ee9ffeb78c512405bd9bf6243f920d56c • 48ca9a8188c6d640f20c93a9a106cedc0f78251e4f6c5ad4eacc0266862c9499 • 9b0557eda035fc5817c2a6ab33859bb824389638afc41f9ba49221b312638b64 2021
- 31. © NTT All Rights Reserved Appendix: IOC • SSV Downloader • e724b1ffb3b7aea4c9397a8db348fac3576633faced1c80c739bb439f8b3f8fa • 354bd3dc0f36663e12ec38e302dcfc7a3e57ee13dced3c8a2ff0257532106d3d • b65c14519f2de3115051b0b0ad7ec1cd207ac66228c95006abc9a6b660c2c278 • 0b3d5dd39b60eb43298f4ab89f2c339acf4dc8609d2f7ad6fa1649fd36f5da88 • 34524a538828a976a131c1a9f38294fd50faf0bf671b299e5978b063d3532604 • 61f2a08b3d113fcb57693fb4d392e8327e688e2f126c4286b3d00d72b5098e09 • 900b77a3fb472a8c7a7853e16c736a7eee5607a13bff3c904700815039d0ac90 2021
- 32. © NTT All Rights Reserved Appendix: IOC • SSV RAT • 3e3a7233b46f59ae480f970a9a405756a576447e10676f59c61381ba2789a7cf • 2affdebbaa4f0cfa64e5c42e70d78665ef9ccb2c731c5fe07582ccdfdc05b0cc • 727302e57ca2cc3d514786adf940ce1f6665905664856a89ff6be5eb90b1121c • 7b68299383c3f896e13a5990febba55c7ae6f615e07705125aa15771cd401f5d • b993aab918421ad79964d5d719a4988778ab5a09fc4c699a041fd07fc678dcb5 • 070eeb088a46942f50832a3207ab44b843f293f9685344e04744fe4586f9631e 2021
- 33. © NTT All Rights Reserved Appendix: IOC • WerNis RAT • 72c4c4d80f5878fe80c7cd2552020ea1c7e2c1d1b5ce7fa6b8a172b050d70aac • a2c65fd4baa610e4d6c764d5ac2cbbce8b4226ca34ce34a8544a5dd09e056a48 • 54d299f45472f0b5aebf7d5461723a23687f521c0878b4a364a25f92372abab1 • Mimikatz • 596070358c9cff3358f265cbc4d518c37edb748126dc1b9cdff31943c9608e54 • 2b391473abb5608f666fde872e8c2f126e126034143f39a159c9e13daa056d2c 2021
- 34. © NTT All Rights Reserved Appendix: IOC • Lockdown Loader • 5bc1ea08648b5683b506fe2934999b881516f286b421b92cb45ec8ad8aeb7481 • aaf8bb3d65022444cea3b4810a519b3fb2cecd6fa1c2aae8ef4a55a5f6a007ae • 3b3357f44d2ab14090dd77c1d49be70bfe1f8183cd9f30bfbb1cd845587af4d2 • d4ed5d54f422e7702667e0d7723249e5966b52450adf95e7998358c18d3ca2b2 • 9b0c3478bb2a8f08fca66faaf4a005bf6002266a87e9e6a53690ac4207d2c496 • 905e4e31a499b4982470ed69c756464f3ad5df4e6242fb299ed54d572ffe18f5 • 58cc619c251087e56f761a5c277218785b76138eae357b0f12f955ddf59f5fff • 25750e8196ba73188a91eba8fb2c767bda7450361acc869fbfc86829ed2888e5 2021
- 35. © NTT All Rights Reserved Appendix: IOC • ShimRAT • 4ce6e6da83eb521e8735c178b711449c37d2224414a4f05b394e6f80e936a5b4 • 1098eb0ca4e34ca63ba40dd537d00e858c36e14044a6a592c306877401478ffe • D158cf4fa1a954d1fd5609f67a764fbab188dc03916400caaa15b4c3500ea291 • ShadowPad • 83025b94d64e778d9ab800152b239ddc5b19074779d164af89da564367f8aee0 • Malicious document file • b83b1a3fbec8bf0a54bf03ebd89c82d1da00b3012d135974b0183545a3878621 • a92d4b23c85c59c60227a26a9aac6a38520b2d5b52424db2962257c14198501a • a3e81e5bbf5beeb9568f0c801b2407e33cf9bcc0c12842d6bd6bc62280add81d 2021