Fancy Bear Source Code

This repo contains actual source code found during incident response (IR). The code provides a communication channel between the attacker and the infected client. It uses Google's Gmail servers to send and receive encoded messages.

Some artifacts are summarized below:

  • Comments are in English, with a lot of grammar mistakes.
  • The email subject is 'piradi nomeri', which means "personal number" in Georgian.
  • It saves files as detaluri_<timestamp>.dat. 'Detaluri' is also Georgian, for "details".
  • In the email body it uses the word "gamarjoba", meaning "hello" in Georgian.

These are the Gmail account details used; I've verified they once worked (but not anymore!).

Command and Control server

  • XAS_IP = '104.152.187.66'
  • XAS_GATE = '/updates/'

The code is completely left as found on the original server, including the log files.
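A small host/network triage script for the artifacts listed above, written here as an added example (it is not part of the repo and not the malware's own code). It assumes proxy logs yield full request URLs, that mail metadata is available as subject/body pairs, and that the `detaluri_` timestamp is a run of digits (the README does not state the format):

```python
import re
from urllib.parse import urlsplit

# Indicators quoted from the README: the XAS_IP / XAS_GATE C2 values,
# the Georgian-language mail subject and greeting, and the drop-file name.
C2_HOST = "104.152.187.66"
C2_PATH_PREFIX = "/updates/"
MAIL_SUBJECT = "piradi nomeri"
MAIL_GREETING = "gamarjoba"
# Assumption: the timestamp in detaluri_<timestamp>.dat is a plain digit run.
DROP_FILE_RE = re.compile(r"(?:^|[\\/])detaluri_\d+\.dat$", re.IGNORECASE)

def check_url(url):
    """Return 'c2_gate' for host+gate path, 'c2_host' for host only, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host == C2_HOST and parts.path.startswith(C2_PATH_PREFIX):
        return "c2_gate"
    if host == C2_HOST:
        return "c2_host"
    return None

def check_mail(subject, body):
    """Return the mail artifacts present in a message (subject and greeting)."""
    hits = []
    if subject.strip().lower() == MAIL_SUBJECT:
        hits.append("mail_subject")
    if MAIL_GREETING in body.lower():
        hits.append("mail_greeting")
    return hits

def check_path(path):
    """Return 'drop_file' if the path matches the detaluri_<timestamp>.dat name."""
    return "drop_file" if DROP_FILE_RE.search(path) else None

def scan(proxy_urls, mails, paths):
    """Collect every indicator hit as (source, indicator) tuples."""
    hits = [(u, check_url(u)) for u in proxy_urls if check_url(u)]
    hits += [(s, i) for s, b in mails for i in check_mail(s, b)]
    hits += [(p, "drop_file") for p in paths if check_path(p)]
    return hits

# Constructed sample input (not from the repo): one benign, one suspicious entry each.
SAMPLE_URLS = ["http://104.152.187.66/updates/index.php", "https://example.com/updates/"]
SAMPLE_MAILS = [("piradi nomeri", "gamarjoba ..."), ("Invoice", "Hi there")]
SAMPLE_PATHS = [r"C:\Users\u\AppData\Local\Temp\detaluri_1476700000.dat", "/tmp/report.dat"]

if __name__ == "__main__":
    for src, ind in scan(SAMPLE_URLS, SAMPLE_MAILS, SAMPLE_PATHS):
        print(f"{ind:14} {src}")
```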

ESET has the complete source code of XAgent, read their report here: http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
