{
  "Event": {
    "analysis": "2",
    "date": "2020-05-08",
    "extends_uuid": "",
    "info": "[Threat Intel] Naikon\u2019s Aria",
    "protected": false,
    "publish_timestamp": "1780039899",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1772901992",
    "uuid": "7da78936-e9c1-4136-acef-e0fadbecce8b",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#1ebce4",
        "local": false,
        "name": "misp-galaxy:producer=\"Kaspersky\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Naikon\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740482111",
        "to_ids": false,
        "type": "link",
        "uuid": "2933fb03-2529-4fde-b988-a276f91761fb",
        "value": "https://securelist.com/naikons-aria/96899/"
      },
      {
        "category": "Payload delivery",
        "comment": "AR aria-body DLL; no sample in VT\r\nLast check: 08/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746696915",
        "to_ids": true,
        "type": "md5",
        "uuid": "cb3a53c6-13e0-40eb-bfbe-0ecce48029dc",
        "value": "c766e55c48a4b2e7f83bfb8b6004fc51",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "AR aria-body DLL; no sample in VT\r\nLast check: 08/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746696938",
        "to_ids": true,
        "type": "md5",
        "uuid": "2dedb768-68f5-4425-9d39-3a1c1b9a4db1",
        "value": "2ce4d68a120d76e703298f27073e1682",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Loaders and related Naikon malware",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746696939",
        "to_ids": true,
        "type": "md5",
        "uuid": "2c80956e-68b0-4277-891f-8ee50a344bcc",
        "value": "0ed1fa2720cdab23d969e60035f05d92",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Loaders and related Naikon malware; no sample in VT\r\nLast check: 08/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746696983",
        "to_ids": true,
        "type": "md5",
        "uuid": "0ffbf27c-3ff9-41f2-8b74-f4c7f3642413",
        "value": "3516960dd711b668783ada34286507b9",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1740482202",
        "uuid": "08f41798-a235-48d5-bde9-b4313061d953",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1740482202",
            "to_ids": false,
            "type": "comment",
            "uuid": "52a93583-c954-4d29-ab7c-5e83d7663ab1",
            "value": "Rule to detect Naikon aria samples"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1740482202",
            "to_ids": true,
            "type": "yara",
            "uuid": "7f2e96da-99e6-407d-becb-c7aafb536790",
            "value": "rule apt_ZZ_Naikon_ARstrings : Naikon \r\n{\r\n    meta:\r\n        copyright = \"Kaspersky\"\r\n        description = \"Rule to detect Naikon aria samples\"\r\n        hash = \"2B4D3AD32C23BD492EA945EB8E59B758\"\r\n        date = \"2020-05-07\"\r\n        version = \"1.0\"\r\n \r\n    strings:\r\n        $a1 = \"Terminate Process [PID=%d] succeeds!\" fullword wide\r\n        $a2 = \"TerminateProcess [PID=%d] Failed:%d\" fullword wide\r\n        $a3 = \"Close tcp connection returns: %d!\" fullword wide\r\n        $a4 = \"Delete Directory [%s] returns:%d\" fullword wide\r\n        $a5 = \"Delete Directory [%s] succeeds!\" fullword wide\r\n        $a6 = \"Create Directory [%s] succeeds!\" fullword wide\r\n        $a7 = \"SHFileOperation [%s] returns:%d\" fullword wide\r\n        $a8 = \"SHFileOperation [%s] succeeds!\" fullword wide\r\n        $a9 = \"Close tcp connection succeeds!\" fullword wide\r\n        $a10 = \"OpenProcess [PID=%d] Failed:%d\" fullword wide\r\n        $a11 = \"ShellExecute [%s] returns:%d\" fullword wide\r\n        $a12 = \"ShellExecute [%s] succeeds!\" fullword wide\r\n        $a13 = \"FindFirstFile [%s] Error:%d\" fullword wide\r\n        $a14 = \"Delete File [%s] succeeds!\" fullword wide\r\n        $a15 = \"CreateFile [%s] Error:%d\" fullword wide\r\n        $a16 = \"DebugAzManager\" fullword ascii\r\n        $a17 = \"Create Directroy [%s] Failed:%d\" fullword wide\r\n \r\n        $m1 = \"TCPx86.dll\" fullword wide ascii\r\n        $m2 = \"aria-body\" nocase wide ascii\r\n \r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        filesize < 450000 and\r\n        (2 of ($a*) and 1 of ($m*))\r\n}"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1740482202",
            "to_ids": false,
            "type": "text",
            "uuid": "494224cf-7475-4ce6-b004-92422bbf3e19",
            "value": "apt_ZZ_Naikon_ARstrings : Naikon"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1740482240",
        "uuid": "7625c83a-b6d1-49ed-bb21-869d821240d4",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1740482240",
            "to_ids": false,
            "type": "comment",
            "uuid": "63cb417c-5336-4d95-9a5e-8935b829df57",
            "value": "Naikon typo"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1740482240",
            "to_ids": true,
            "type": "yara",
            "uuid": "902ae879-0324-447f-b8fb-00ceee7ba73b",
            "value": "rule apt_ZZ_Naikon_codebase : Naikon \r\n{\r\n    meta:\r\n        report = \"Naikon New AR Backdoor Deployment to Southeast Asia\"\r\n        description = \"Naikon typo\"\r\n        author = \"Kaspersky\"\r\n        copyright = \"Kaspersky\"\r\n        version = \"1.0\"\r\n        date = \"2018-06-28\"\r\n        last_modified = \"2018-06-28\"\r\n \r\n    strings:\r\n        $a1 = \"Create Directroy [%s] Failed:%d\" wide\r\n \r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        filesize < 450000 and\r\n        $a1\r\n}"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1740482240",
            "to_ids": false,
            "type": "text",
            "uuid": "71d36111-9878-469b-9506-a12d105d4a24",
            "value": "apt_ZZ_Naikon_codebase : Naikon"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815398",
        "uuid": "12f68f32-ee95-43b2-a9b9-e97887a68e6e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Loaders and related Naikon malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815398",
            "to_ids": true,
            "type": "md5",
            "uuid": "f28be271-1588-4996-bb11-43bfd814745d",
            "value": "0ed1fa2720cdab23d969e60035f05d92",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loaders and related Naikon malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746696939",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ab0ee6c7-95eb-4aad-9913-f52ca3200c90",
            "value": "d7d4eefa9d045bd8ef835785c7280b1a0c4554ca",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loaders and related Naikon malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746696939",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1a712c8f-d5ad-4436-8af4-78bf5244c47b",
            "value": "4ed71d24bb9aa710af722faad53ff95d10aa7b831cda616ee18e67e3802f2706",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746696939",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "db620c7d-3042-477a-a185-652806557361",
            "value": "3072:yEthIvedewq8OJIPdF66u5jCsRfXwu/GGkWd8DcyQ:/th+6fi57Bwu/NkWCwyQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746696939",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c8e69eb0-22b9-41ff-9093-40f69d27fd1c",
            "value": "121344"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746696939",
            "to_ids": true,
            "type": "vhash",
            "uuid": "956d294d-7db7-4ebf-8f32-786140e85403",
            "value": "015086050d060d0f75155az46!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746696939",
            "to_ids": true,
            "type": "filename",
            "uuid": "9ec8739f-281b-4a76-914c-c5f94538cf35",
            "value": "0ed1fa2720cdab23d969e60035f05d92.virus"
          },
          {
            "category": "Other",
            "comment": "Checked: 08/05/2025\nLast scan: 15/05/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746696939",
            "to_ids": false,
            "type": "text",
            "uuid": "73ec6d3d-cf32-42de-814c-00b0151bc691",
            "value": "Loaders and related Naikon malware\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:52/73\nFirst Submission:2024-05-09T16:25:44.000000+00:00\nLast Submission:2024-05-09T16:25:44.000000+00:00"
          }
        ]
      }
    ]
  }
}