August 2017
Intermediate to advanced
284 pages
7h 56m
English
Here are some example products based on the GLASS WIZARD threat.
As described in Chapter 9, short-form products are one- or two-page tactical products meant for quick release and consumption.
This is a short-form IOC report detailing indicators of the Hydraq malware used by the GLASS WIZARD actor.
Hydraq is one of the pieces of malware used by GLASS WIZARD on important targets. The following indicators may be useful for identifying malicious activity.
| Indicator | Context | Notes |
|---|---|---|
| Rasmon.dll | Filename | |
| Securmon.dll | Filename | |
| A0029670.dll | Filename | |
| AppMgmt.dll | Filename | |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random chars] | Malware registry key | No space between "RaS" and the random characters |
| %System%\acelpvc.dll | Secondary file | Not a definitive indicator |
| %System%\VedioDriver.dll | Secondary file | Not a definitive indicator |
| RaS[4 random chars] | Service name | Wildcard match; may produce false positives |
| yahooo.8866.org | C2 domain | |
| sl1.homelinux.org | C2 domain | |
| 360.homeunix.com | C2 domain | |
| li107-40.members.linode.com | C2 domain | |
| ftp2.homeunix.com | C2 domain | |
| update.ourhobby.com | C2 domain | |
| blog1.servebeer.com | C2 domain | |
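The table above marks two files as "not a definitive indicator" and warns that the RaS[4 random chars] service name will produce false positives. The following script, an added example that is not part of the book's GLASS WIZARD products, shows one way a detection engineer would act on those notes: match the indicators against host logs, then rate each host by the strength of what matched rather than raising an alert on every hit. The "key=value" log format, the host names, the sample log lines and the assumption that the four random characters are alphanumeric are all constructed for the example; the triage rule at the end is the example's own, not one the report prescribes.

```python
import re
from collections import defaultdict

# Indicators transcribed from the short-form IOC table (lower-cased for matching).
DEFINITIVE_FILES = {"rasmon.dll", "securmon.dll", "a0029670.dll", "appmgmt.dll"}
SECONDARY_FILES = {"acelpvc.dll", "vediodriver.dll"}      # table: not definitive on their own
C2_DOMAINS = {
    "yahooo.8866.org", "sl1.homelinux.org", "360.homeunix.com",
    "li107-40.members.linode.com", "ftp2.homeunix.com",
    "update.ourhobby.com", "blog1.servebeer.com",
}
# Service name: "RaS" immediately followed by four random characters.
# Assumption: the random characters are alphanumeric. Windows service names are
# case-insensitive, so the match is too; that is exactly why it can false-positive.
SERVICE_RE = re.compile(r"^RaS[A-Za-z0-9]{4}$", re.IGNORECASE)

# Constructed sample log lines in a hypothetical "key=value" format (not real telemetry).
SAMPLE_LOGS = [
    "host=ws01 type=dns query=update.ourhobby.com",
    "host=ws01 type=file path=C:\\Windows\\System32\\Rasmon.dll",
    "host=ws02 type=service name=RaSk3q9",
    "host=ws02 type=file path=C:\\Windows\\System32\\VedioDriver.dll",
    "host=ws03 type=service name=RasAuto",            # a legitimate Windows service
    "host=ws03 type=dns query=www.example.com",
    "host=ws04 type=file path=C:\\Windows\\System32\\acelpvc.dll",
]


def parse_line(line):
    """Split a 'k=v k=v ...' line into a dict (values contain no spaces)."""
    return dict(field.split("=", 1) for field in line.split())


def match_event(event):
    """Return (indicator_type, weight) for an event that hits an indicator, else None.
    weight 2 = definitive indicator, weight 1 = needs corroboration."""
    kind = event.get("type")
    if kind == "dns" and event.get("query", "").lower() in C2_DOMAINS:
        return ("c2_domain", 2)
    if kind == "file":
        # Accept either path separator, then compare only the file name.
        name = event.get("path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in DEFINITIVE_FILES:
            return ("filename", 2)
        if name in SECONDARY_FILES:
            return ("secondary_file", 1)
    if kind == "service" and SERVICE_RE.match(event.get("name", "")):
        return ("service_name", 1)
    return None


def triage(lines):
    """Group hits per host and rate each host:
    'strong'       - at least one definitive indicator matched
    'corroborated' - two or more weak indicators of different types on the same host
    'weak'         - a single weak indicator; treat as a likely false positive."""
    hits = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        hit = match_event(event)
        if hit:
            hits[event["host"]].append(hit)
    verdicts = {}
    for host, host_hits in hits.items():
        if any(weight == 2 for _, weight in host_hits):
            verdicts[host] = "strong"
        elif len({kind for kind, _ in host_hits}) >= 2:
            verdicts[host] = "corroborated"
        else:
            verdicts[host] = "weak"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{host}: {verdict}")
```

Note what happens on ws03: the real Windows service RasAuto satisfies the RaS + four characters pattern, so the service-name indicator fires, but with nothing else on the host it stays "weak". On ws02 the same pattern plus a secondary file on one host is enough to escalate; on ws01 a C2 domain lookup is definitive by itself. That is the practical meaning of the "not a definitive indicator" and "may produce false positives" notes in the table.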