admin/APT_REPORT
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

REPORT

Browse Source
This commit is contained in:
blackorbird
2019-04-08 16:00:01 +08:00
parent 92057ee0ef
commit 0e8648849d
14 changed files with 101384 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
APT28/history-report-pdf/20180713_CSE_APT28_X-Agent_Op-Roman Holiday-Report_v6_1.pdf Normal file
View File

Binary file not shown.

BIN
APT28/history-report-pdf/APT28-Center-of-Storm-2017.pdf Normal file
View File

Binary file not shown.

101329
APT28/history-report-pdf/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf Normal file
View File

File diff suppressed because one or more lines are too long

BIN
APT28/history-report-pdf/Bitdefender_In-depth_analysis_of_APT28__The_Political_Cyber-Espionage.pdf Normal file
View File

Binary file not shown.

BIN
APT28/history-report-pdf/New Xagent Mac Malware Linked with the APT28 _ Bitdefender Labs.pdf Normal file
View File

Binary file not shown.

BIN
APT28/history-report-pdf/Sednit APT Group Meets Hacking Team.pdf Normal file
View File

Binary file not shown.

BIN
APT28/history-report-pdf/Threat_Group_APT28_Slips_Office_Malware.pdf Normal file
View File

Binary file not shown.

BIN
APT28/history-report-pdf/apt28-targets-hospitality-sector.html.pdf Normal file
View File

Binary file not shown.

BIN
APT28/history-report-pdf/apt28.pdf Normal file
View File

Binary file not shown.

BIN
APT28/history-report-pdf/eset-sednit-part-2.pdf Normal file
View File

Binary file not shown.

BIN
APT28/history-report-pdf/eset-sednit-part1.pdf Normal file
View File

Binary file not shown.

BIN
APT28/history-report-pdf/eset-sednit-part3.pdf Normal file
View File

Binary file not shown.

BIN
APT28/history-report-pdf/sednit-update-analysis-zebrocy_.pdf Normal file
View File

Binary file not shown.

55
APT28/yara/APT28.yar Normal file
View File

@@ -0,0 +1,55 @@
import "pe"
rule Dropper_APT28XAGENTJuly2018 {
meta:
description = "Yara Rule for dropper of APT28 XAGENT July2018"
tlp = "white"
category = "informational"
strings:
$a = {8B 45 FC 8B 10 FF}
$b = {33 2E 34 2D 31 39}
condition:
(pe.number_of_sections == 9
and pe.sections[3].name == ".bss"
and all of them)
or (pe.number_of_sections == 3
and pe.sections[0].name == "UPX0"
and pe.sections[1].name == "UPX1"
and pe.number_of_resources == 70
and pe.resources[61].type == pe.RESOURCE_TYPE_RCDATA
and pe.resources[60].t
ype == pe.RESOURCE_TYPE_RCDATA
and pe.resources[59].type == pe.RESOURCE_TYPE_RCDATA)
}
rule FirstPayload_upnphost_APT28XAGENTJuly2018 {
meta:
description = "Yara Rule for APT28 XAGENT July2018 First Payload"
tlp = "white"
category = "informational"
strings:
$a = {56 AB 37 92 E8}
$b = {41 75 74 6F 49 74}
condition:
pe.number_of_resources == 26
and pe.resources[19].type == pe.RESOURCE_TYPE_RCDATA
and pe.version_info["FileDescription"] contains
"Compatibility"
and all of them
}
rule SecondPayload_sdbn_APT28XAGENTJuly2018 {
meta:
description = "Yara Rule for AP
T28 XAGENT July2018 Second Payload sdbn.dll"
category = "informational"
strings:
$a = {0F BE C9 66 89}
$b = {8B EC 83 EC 10}
condition:
pe.number_of_sections == 6
and pe.number_of_resources == 1
and pe.resources[0].type == pe.RESOURCE_TYPE_VERSION
and pe.version_info["ProductName"] contains "Microsoft"
and all of them
}