{
  "Event": {
    "analysis": "1",
    "date": "2022-04-25",
    "extends_uuid": "",
    "info": "[Threat Intel] INDUSTROYER.V2: Old Malware Learns New Tricks",
    "protected": false,
    "publish_timestamp": "1772407504",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772407500",
    "uuid": "0f2e8d5c-1583-4451-99a4-f4f78414c1b5",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Mandiant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"INDUSTROYER2\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772338605",
        "to_ids": false,
        "type": "link",
        "uuid": "241bb8ff-a295-4f9b-9581-2632c275b8e3",
        "value": "https://cloud.google.com/blog/topics/threat-intelligence/industroyer-v2-old-malware-new-tricks/"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772338709",
        "uuid": "fdd229e7-9bf0-47ec-a6d6-7c5e07e5571e",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772338709",
            "to_ids": false,
            "type": "text",
            "uuid": "0f9dc5f7-8b11-4cfa-860b-97c7c1e67496",
            "value": "MTI_Hunting_INDUSTROYERv2_Bytes"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772338709",
            "to_ids": false,
            "type": "comment",
            "uuid": "ed77c5f0-ee13-49ac-b23e-c4a8739063bb",
            "value": "Searching for executables containing bytecode associated with the INDUSTROYER.V2 malware family"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772338709",
            "to_ids": true,
            "type": "yara",
            "uuid": "267450ea-a7f4-4ca3-a8c5-5374b66a11bd",
            "value": "rule MTI_Hunting_INDUSTROYERv2_Bytes {\r\n    meta:\r\n        author = \"Mandiant\"\r\n        date = \"04-09-2022\"\r\n        description = \"Searching for executables containing bytecode associated with the INDUSTROYER.V2 malware family.\"\r\n    strings:\r\n        $bytes = {8B [2] 89 [2] 8B 0D [4] 89 [2] 8B 15 [4] 89 [2] A1 [4] 89 [2] 8B 0D [4] 89 [2] 8A 15 [4] 88 [2] 8D [2] 5? 8B [2] E8}\r\n    condition:\r\n        filesize < 3MB and\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n        $bytes\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772338741",
        "uuid": "37a0167c-72ab-49d9-9e8d-dd8ea80c787a",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772338741",
            "to_ids": false,
            "type": "text",
            "uuid": "11110502-b04b-4faf-ac81-39830cf08dc7",
            "value": "MTI_Hunting_INDUSTROYERv2_Strings"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772338741",
            "to_ids": false,
            "type": "comment",
            "uuid": "671ac7e6-def2-4502-b3cb-0c0b813de8aa",
            "value": "Searching for executables containing strings associated with the INDUSTROYER.V2 malware family"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772338741",
            "to_ids": true,
            "type": "yara",
            "uuid": "9b4c0126-ebf1-4d3a-baca-1141c7e85db9",
            "value": "rule MTI_Hunting_INDUSTROYERv2_Strings {\r\n    meta:\r\n        author = \"Mandiant\"\r\n        date = \"04-09-2022\"\r\n        description = \"Searching for executables containing strings associated with the INDUSTROYER.V2 malware family.\" \r\n    strings:\r\n        $a1 = \"M%X - %02d:%02d:%02d\" nocase ascii wide\r\n        $a2 = \"%02hu:%02hu:%02hu:%04hu\" nocase ascii wide\r\n        $a3 = \"%s M%X \" nocase ascii wide\r\n        $a4 = \"%s: %d: %d\" nocase ascii wide\r\n        $a5 = \"%s M%X %d (%s)\" nocase ascii wide\r\n        $a6 = \"%s M%X SGCNT %d\" nocase ascii wide\r\n        $a7 = \"%s ST%X %d\" nocase ascii wide\r\n        $a8 = \"Current operation : %s\" nocase ascii wide\r\n        $a9 = \"Sent=x%X | Received=x%X\" nocase ascii wide\r\n        $a10 = \"ASDU:%u | OA:%u | IOA:%u | \" nocase ascii wide\r\n        $a11 = \"Cause: %s (x%X) | Telegram type: %s (x%X\" nocase ascii wide\r\n        $b1 = \"Length:%u bytes | \" nocase ascii wide\r\n        $b2 = \"Unknown APDU format !!!\" nocase ascii wide\r\n        $b3 = \"MSTR ->> SLV\" nocase ascii wide\r\n        $b4 = \"MSTR <<- SLV\" nocase ascii wide\r\n    condition:\r\n        filesize < 3MB and\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n        (1 of ($a*) and 1 of ($b*))\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772352218",
        "uuid": "12e59770-5259-4fe6-b14a-2a9e3c98b573",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772352218",
            "to_ids": true,
            "type": "md5",
            "uuid": "17936556-def3-49d2-9e50-ead6268a5297",
            "value": "7c05da2e4612fca213430b6c93e76b06",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772352091",
            "to_ids": true,
            "type": "sha1",
            "uuid": "96598364-f3fb-4cf4-b907-9b2144083e09",
            "value": "fdeb96bc3d4ab32ef826e7e53f4fe1c72e580379",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772352091",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7867f87c-4ff4-458a-8d8b-55415414d672",
            "value": "d69665f56ddef7ad4e71971f06432e59f1510a7194386e5f0e8926aea7b88e00",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772351484",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "23212913-ff42-4381-940d-accba8a4db6f",
            "value": "768:9kQ2SkG1EqihRWlG4ya6kcqCHfv3uWvzPMinhgaXj7:9jo9kc3einhgaXv"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772351484",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9c398be7-1de4-4fa8-af65-44dffbf49fc7",
            "value": "37888"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772351484",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1150eec2-7ac0-4b17-a1ef-4d99162cc08b",
            "value": "034046551d155az279z25z1039ze7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772351484",
            "to_ids": true,
            "type": "filename",
            "uuid": "e9e58a4b-23d1-4cfd-9be6-6eece6228fe1",
            "value": "d69665f56ddef7ad4e71971f06432e59f1510a7194386e5f0e8926aea7b88e00.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast scan: 26/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772351484",
            "to_ids": false,
            "type": "text",
            "uuid": "0b1c2bda-f8bd-427b-965b-dcca812fbd56",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Znyonm!rfn\nVT Total Detection: 45/72\nFirst Submission: 2022-04-14T12:36:41.000000+00:00\nLast Submission: 2025-12-15T13:19:45.000000+00:00"
          }
        ]
      }
    ]
  }
}