Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/rickey-g/fancybear
Fancy Bear Source Code
https://github.com/rickey-g/fancybear
Last synced: 3 months ago
JSON representation
Fancy Bear Source Code
- Host: GitHub
- URL: https://github.com/rickey-g/fancybear
- Owner: rickey-g
- Created: 2017-01-04T19:17:10.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2017-01-09T00:27:09.000Z (over 7 years ago)
- Last Synced: 2024-01-16T22:13:40.316Z (5 months ago)
- Language: Python
- Size: 199 KB
- Stars: 261
- Watchers: 30
- Forks: 199
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
Lists
- my-awesome-stars - rickey-g/fancybear - Fancy Bear Source Code (Python)
README
# Fancy Bear Source Code
This repo contains actual source code found during IR.
The code provides a communication channel for the attacker and infected client. It uses Google's gmail servers to send and receive encoded messages.
### Some artifacts are summorized below
- Comments are in english, with a lot of grammar mistakes
- Subject of an email is: '**piradi nomeri**'. This means Personal Number in Georgian
- It saves files with **detaluri_**timetsamp.dat. 'Detaluri' is also Georgian for "details".
- In the email body it uses the word: "**gamarjoba**". Meaning 'Hello' in Georgian.
### These are the Gmail account details used, I've verified they once worked (but not anymore!)
- POP3_MAIL_IP = 'pop.gmail.com'
- POP3_PORT = 995
- POP3_ADDR = '[email protected]'
- POP3_PASS = '30Jass11'
- SMTP_MAIL_IP = 'smtp.gmail.com'
- SMTP_PORT = 587
- SMTP_TO_ADDR = '[email protected]'
- SMTP_FROM_ADDR = '[email protected]'
- SMTP_PASS = '75Gina75'
### Command and Control server
- XAS_IP = '104.152.187.66'
- XAS_GATE = '/updates/'
**The code is completely left as found on the original server, including the log files.**
**ESET** has the complete source code of XAgent, read their report here:
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf