1- # fancybear
2- Fancy Bear Source Code
1+ # Fancy Bear Source Code
2+ This repo contains actual source code found during IR.
3+ The code provides a communication channel for the attacker and infected client. It uses Google's gmail servers to send and receive encoded messages.
4+
5+ Some artifacts are summorized below:
6+ - Comments are in english, with a lot of grammar mistakes
7+ - Subject of an email is: 'piradi nomeri'. This is Georgian language
8+ - It saves files with dataluri_timetsamp.dat. 'Dataluri' is also Georgian for "details".
9+ - In the email body it uses the word: "gamarjoba". Meaning 'Hello' in Russian and Georgian.
10+
11+ These are the Gmail account details used, I've verified they once worked (but not anymore!):
12+ POP3_MAIL_IP = 'pop.gmail.com'
13+ POP3_PORT = 995
14+ POP3_ADDR = 'jassnovember30@gmail.com '
15+ POP3_PASS = '30Jass11'
16+
17+ SMTP_MAIL_IP = 'smtp.gmail.com'
18+ SMTP_PORT = 587
19+ SMTP_TO_ADDR = 'userdf783@mailtransition.com '
20+ SMTP_FROM_ADDR = 'ginabetz75@gmail.com '
21+ SMTP_PASS = '75Gina75'
22+
23+ Command and Control server:
24+ XAS_IP = '104.152.187.66'
25+ XAS_GATE = '/updates/'
26+
27+ The code is completely left as found on the original server, including the log files.
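Review bot: line `9+` claims "gamarjoba" means 'Hello' in Russian and Georgian, but the word is Georgian only (Russian uses a different greeting), so as written the line overstates the language evidence; suggest `- In the email body it uses the word: "gamarjoba", Georgian for 'Hello'.` The credentials at lines `12+` through `21+` are published in clear text while line `11+` only states the accounts 'once worked (but not anymore!)'; for a repo presented as IR evidence, add the date the accounts were last checked, label the mail addresses, the IP at `24+` and the path at `25+` explicitly as indicators of compromise so defenders can feed them into detection, and consider redacting the passwords. The trailing space inside the quotes at `14+`, `19+` and `20+` looks like a copy artifact and would break a literal comparison if these values are reused as-is. Minor typos: 'summorized' (`5+`), 'english' (`6+`), 'timetsamp' (`8+`).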