Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
Fancy Bear Source Code
https://github.com/rickey-g/fancybear
- Host: GitHub
- URL: https://github.com/rickey-g/fancybear
- Owner: rickey-g
- Created: 2017-01-04T19:17:10.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2017-01-09T00:27:09.000Z (about 8 years ago)
- Last Synced: 2024-08-02T14:12:15.239Z (7 months ago)
- Language: Python
- Size: 199 KB
- Stars: 262
- Watchers: 30
- Forks: 187
- Open Issues: 2
Metadata Files:
- Readme: README.md
README
# Fancy Bear Source Code
This repo contains actual source code found during IR.
The code provides a communication channel between the attacker and the infected client. It uses Google's Gmail servers to send and receive encoded messages.

### Some artifacts are summarized below
- Comments are in English, with a lot of grammar mistakes
- The subject of the emails is: '**piradi nomeri**'. This means "Personal Number" in Georgian
- It saves files as **detaluri_**timestamp.dat. 'Detaluri' is also Georgian for "details".
- In the email body it uses the word "**gamarjoba**", meaning 'Hello' in Georgian.

### These are the Gmail account details used, I've verified they once worked (but not anymore!)
- POP3_MAIL_IP = 'pop.gmail.com'
- POP3_PORT = 995
- POP3_ADDR = '[email protected]'
- POP3_PASS = '30Jass11'
- SMTP_MAIL_IP = 'smtp.gmail.com'
- SMTP_PORT = 587
- SMTP_TO_ADDR = '[email protected]'
- SMTP_FROM_ADDR = '[email protected]'
- SMTP_PASS = '75Gina75'
### Command and Control server
- XAS_IP = '104.152.187.66'
- XAS_GATE = '/updates/'

**The code is completely left as found on the original server, including the log files.**
**ESET** has the complete source code of XAgent, read their report here:
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf