Makop: The Toolkit of a Criminal Gang
Common Information
Type Value
UUID 8403654f-cd15-4f7a-a106-29c5875c664f
Fingerprint 3f5048f5a215a6e5
Analysis status DONE
Considered CTI value 2
Text language
Published March 12, 2023, 7:14 p.m.
Added to db March 12, 2023, 8:53 p.m.
Last updated Nov. 17, 2024, 5:58 p.m.
Headline Makop: The Toolkit of a Criminal Gang
Title Makop: The Toolkit of a Criminal Gang
Detected Hints/Tags/Attributes 62/2/16
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 167 Cybersecurity on Medium https://medium.com/feed/tag/cybersecurity 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details CVE 14
cve-2019-7481
Details CVE 10
cve-2021-20028
Details File 3
arestore.exe
Details File 6
data.exe
Details File 24
c.exe
Details File 16
3869.exe
Details File 17
everything.exe
Details File 6
ydark.exe
Details File 68
mscoree.dll
Details md5 3
7f86b67ac003eda9d2929c9317025013
Details md5 3
e245f8d129e8eadb00e165c569a14b71
Details md5 3
6A58B52B184715583CDA792B56A0A1ED
Details md5 3
b69d036d1dcfc5c0657f3a1748608148
Details md5 3
9fd28d2318f66e4fe37a9a5bc1637928
Details Yara rule 2
import "pe"

// Detects the "PuffedUp" component of the Makop ransomware toolkit.
// Scope: 32/64-bit PE files that import mscoree.dll (the CLR host, i.e. a
// .NET executable) and contain the opcode sequences below. The `hash` in
// meta is the MD5 of the reference sample listed on this page.
rule PuffedUp {
	meta:
		author = "@luc4m"
		date = "20230312"
		modified = "20230312"
		hash = "e245f8d129e8eadb00e165c569a14b71"
		description = "puffedup tool in makop ransomware toolkit"
		tlp = "CLEAR"
	strings:
		// The hex patterns look like CIL (MSIL) byte sequences: 0x72 ldstr,
		// 0x28 call, 0x0A/0x0B stloc, 0x2A ret, 0x80 stsfld, 0xDE leave.s.
		// Each `[4]` wildcard skips a 4-byte operand (metadata token or
		// branch offset) that changes between builds — NOTE(review): opcode
		// reading is inferred from the byte values, confirm against the sample.
		// $main_* : two fragments from the entry/main routine.
		$main_1 = { 00 72 [4] 28 [4] 00 72 [4] 0A 72 [4] 28 [4] 00 29 }
		$main_2 = { 0B 07 28 [4] 80 [4] 28 [4] 00 2A }
		// $sash_* : three fragments from a second routine; weaker on their
		// own, so the condition requires two of them.
		$sash_3 = { 72 [4] 0C [4] 72 [4] 0D 28 [4] 13 08 2C 06 }
		$sash_4 = { 16 FE 01 13 0C 11 0C 2C 17 11 08 }
		$sash_5 = { 1C 0D 00 20 [4] 28 [4] 00 00 DE 00 }
	condition:
		// 0x5a4d is "MZ" read little-endian: cheap PE gate evaluated first.
		// pe.imports(dll) with one argument counts imported functions from
		// that DLL (non-zero => truthy); older YARA releases only had the
		// two-argument form, so confirm engine support before deploying.
		// Logic: .NET PE AND (2 of the weaker $sash_* OR 1 of the stronger $main_*).
		uint16(0) == 0x5a4d and pe.imports("mscoree.dll") and (2 of ($sash_*) or 1 of ($main_*))
}
Details Yara rule 2
import "pe"

// Detects the "ARestore" component of the Makop ransomware toolkit.
// Scope: PE files importing mscoree.dll (.NET executables) that combine
// at least one opcode fragment with at least three of the identifier
// strings below. The `hash` in meta is the MD5 of the reference sample
// listed on this page.
rule ARestore {
	meta:
		author = "@luc4m"
		date = "20230312"
		modified = "20230312"
		hash = "7f86b67ac003eda9d2929c9317025013"
		description = "ARestore in makop ransomware toolkit"
		tlp = "CLEAR"
	strings:
		// Hex patterns appear to be CIL byte sequences (0x28 call, 0x38 br,
		// 0x20 ldc.i4, 0x9C stelem.i1, 0xFE two-byte opcode prefix, 0x2A ret);
		// `[4]` skips 4-byte operands that vary between builds.
		// NOTE(review): opcode reading inferred from byte values — confirm.
		// $junk_1 : a short loop fragment (0x2D brtrue.s back-branch 0xF9).
		$junk_1 = { 2B 09 28 [4] 14 16 9A 26 16 2D F9 14 2A }
		// $obj_* : two longer fragments dominated by unconditional branches
		// and constant loads; likely a flattened/obfuscated routine.
		$obj_1 = { 38 [4] 26 20 [4] 38 [4] FE [4] 38 [4] 20 [4] 20 [4] 59 9C 20 [4] FE [4] 28 [4] 38 }
		$obj_2 = { FE [4] 20 [4] FE [4] 9C 20 [4] 38 [4] 12 }
		// $string_* : type/method names presumably present in the assembly's
		// metadata (#Strings heap is UTF-8, so the default ascii match is
		// adequate; no `wide` modifier needed). `nocase` tolerates casing
		// changes. Names suggest Active Directory / credential handling.
		$string_1 = "ADLogic" nocase
		$string_2 = "GetUserFromGroupAsync" nocase
		$string_3 = "WriteResultAsync" nocase
		$string_4 = "ParseLoginAsync" nocase
		$string_5 = "GenerateCredentials" nocase
		$string_6 = "GetUserAsync" nocase
		$string_7 = "IsAuthenticated" nocase
	condition:
		// 0x5a4d is "MZ" little-endian: cheap PE gate evaluated first.
		// pe.imports(dll) with one argument counts imported functions from
		// that DLL (non-zero => truthy); confirm the engine version supports
		// this overload.
		// Logic: .NET PE AND (one opcode fragment of either family)
		//        AND at least three identifier strings — the string
		//        requirement keeps generic CIL byte patterns from matching alone.
		uint16(0) == 0x5a4d and pe.imports("mscoree.dll") and ((1 of ($junk_*) or 1 of ($obj_*)) and 3 of ($string_*))
}