{ "Event": { "analysis": "1", "date": "2022-04-27", "extends_uuid": "", "info": "[Threat Intel] Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload", "protected": false, "publish_timestamp": "1772407487", "published": true, "threat_level_id": "2", "timestamp": "1772407484", "uuid": "c3518b95-ae77-4186-ae3b-190c9d98c57b", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"INDUSTROYER2\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Industroyer\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-software=\"Industroyer\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#110041", "local": false, "name": "rectifyq:sub-category=\"malware-analysis\"", "relationship_type": "" }, { "colour": "#190061", "local": false, "name": "rectifyq:topic=\"ics-ot\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#f63636", "local": false, "name": "ICS-specific", "relationship_type": "" }, { "colour": "#3500ca", "local": false, "name": "rectifyq:detection-rules=\"yara-from-src\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Industrial\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772345572", "to_ids": false, "type": "link", "uuid": "a4d90e4a-6123-4bab-bde3-4788741b05d3", "value": "https://www.nozominetworks.com/blog/industroyer2-nozomi-networks-labs-analyzes-the-iec-104-payload", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772345820", "to_ids": false, "type": "link", "uuid": "0c41e20b-5596-425e-8004-6e3af2f42b7a", "value": "https://cdn.prod.website-files.com/645a4534705010e2cb244f50/64912ca9ce1ed295b0c57135_Nozomi-Networks-WP-Industroyer2.pdf" } ], "Object": [ { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "7", "timestamp": "1772345861", "uuid": "2533eedf-9480-43da-973c-0ab43e394e69", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1772345861", "to_ids": false, "type": "text", "uuid": "fd42f1fe-a536-484c-a2a5-cfc23b7d08b7", "value": "industroyer2_nn" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "comment", "timestamp": "1772345861", "to_ids": false, "type": "comment", "uuid": "51ae347b-b7d5-44d4-97cc-ab27afb13033", "value": "Industroyer2 malware targeting power grid components" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1772345861", "to_ids": true, "type": "yara", "uuid": "6717ae61-b5e4-4910-aa67-1e6f32b833d2", "value": "rule industroyer2_nn {\r\nmeta:\r\nauthor = \"Nozomi Networks Labs\"\r\nname = \"Industroyer2\"\r\ndescription = \"Industroyer2 malware targeting power grid components.\"\r\nactor = \"Sandworm\"\r\nhash = \"D69665F56DDEF7AD4E71971F06432E59F1510A7194386E5F0E8926AEA7B88E00\"\r\nstrings:\r\n$s1 = \"%02d:%lS\" wide ascii\r\n$s2 = \"PService_PPD.exe\" wide ascii\r\n$s3 = \"D:\\\\OIK\\\\DevCounter\" wide ascii\r\n$s4 = \"MSTR ->> SLV\" fullword wide ascii\r\n$s5 = \"MSTR <<- SLV\" fullword wide ascii\r\n$s6 = \"Current operation : %s\"\r\n$s7 = \"Switch value: %s\"\r\n$s8 = \"Unknown APDU format !!!\"\r\n$s9 = \"Length:%u bytes |\"\r\n$s10 = \"Sent=x%X | Received=x%X\"\r\n$s11 = \"ASDU:%u | OA:%u | IOA:%u |\"\r\n$s12 = \"Cause: %s (x%X) | Telegram type: %s (x%X)\"\r\ncondition:\r\n5 of them\r\n}" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1772352263", "uuid": "ff88bfa8-0450-44be-9c06-f946d5a4e06e", "Attribute": [ { "category": "Payload delivery", "comment": "Industroyer2", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1772352263", "to_ids": true, "type": "md5", "uuid": "0c2badac-3ff5-47c2-94d3-4e116a8d97d3", "value": "7c05da2e4612fca213430b6c93e76b06", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Industroyer2", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1772352094", "to_ids": true, "type": "sha1", "uuid": "405de034-96d8-4e8d-8616-b34aaff47e3e", "value": "fdeb96bc3d4ab32ef826e7e53f4fe1c72e580379", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Industroyer2", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1772352094", "to_ids": true, "type": "sha256", "uuid": "d017f363-a50a-4864-bcde-decbe679c66a", "value": "d69665f56ddef7ad4e71971f06432e59f1510a7194386e5f0e8926aea7b88e00", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1772351529", "to_ids": true, "type": "ssdeep", "uuid": "a9e69503-2e9b-4867-93f9-50b7a5b3ec04", "value": "768:9kQ2SkG1EqihRWlG4ya6kcqCHfv3uWvzPMinhgaXj7:9jo9kc3einhgaXv" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1772351529", "to_ids": false, "type": "size-in-bytes", "uuid": "ef7df31e-4759-4314-8443-6ea40553a1c7", "value": "37888" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1772351529", "to_ids": true, "type": "vhash", "uuid": "14fd9981-52a0-40bc-ac84-a43c4a6d7240", "value": "034046551d155az279z25z1039ze7z" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1772351529", "to_ids": true, "type": "filename", "uuid": "90474538-6746-4c67-90d9-1925e4bac0ed", "value": "d69665f56ddef7ad4e71971f06432e59f1510a7194386e5f0e8926aea7b88e00.exe" }, { "category": "Other", "comment": "Checked: 01/03/2026\nLast-scan\t: 26/02/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1772351529", "to_ids": false, "type": "text", "uuid": "9c8c4898-2280-4456-966f-cbc6eeb2ec25", "value": "Industroyer2\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Znyonm!rfn\nVT Total Detection:45/72\nFirst Submission:2022-04-14T12:36:41.000000+00:00\nLast Submission:2025-12-15T13:19:45.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1772352286", "uuid": "c60c3713-c646-4479-bff7-a5743f8437ba", "Attribute": [ { "category": "Payload delivery", "comment": "Industroyer", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1772352286", "to_ids": true, "type": "md5", "uuid": "e9db006f-f9ec-432d-bc49-aa8326990605", "value": "a193184e61e34e2bc36289deaafdec37", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Industroyer", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1772352096", "to_ids": true, "type": "sha1", "uuid": "4b6fe264-5685-4ba5-852d-6eada0c1dc48", "value": "94488f214b165512d2fc0438a581f5c9e3bd4d4c", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Industroyer", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1772352096", "to_ids": true, "type": "sha256", "uuid": "65af987f-12a5-4a6a-9ba2-1725c91087b5", "value": "7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1772351551", "to_ids": true, "type": "ssdeep", "uuid": "d82d272e-58aa-475d-aa23-8b565f010ff4", "value": "3072:McaprOfoaXmgD31r4VWBvRZoiTprUZNZ9VQ6s6W9:McuOJ2gD31QW51pgE6st9" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1772351551", "to_ids": false, "type": "size-in-bytes", "uuid": "5b2e802b-a7c1-4c0b-bfa2-994145854b3d", "value": "136704" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1772351551", "to_ids": true, "type": "vhash", "uuid": "215e67c2-0d00-4dcf-aa83-22d5011c3534", "value": "115066655d1515556az4dvza6z1" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1772351551", "to_ids": true, "type": "filename", "uuid": "1b4abcf6-e745-42fc-ac50-542ba7a9dadc", "value": "fxrhgtw.exe" }, { "category": "Other", "comment": "Checked: 01/03/2026\nLast-scan\t: 24/02/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1772351551", "to_ids": false, "type": "text", "uuid": "2dffcf5a-4ead-4dc1-8b86-19f4d3eaf033", "value": "Industroyer\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/CrashOverride.A\nVT Total Detection:57/72\nFirst Submission:2016-12-19T10:06:04.000000+00:00\nLast Submission:2026-02-28T06:57:02.000000+00:00" } ] } ] } }