Hidden Cobra is an APT hacking group that mostly targets media organizations and the aerospace, financial and critical infrastructure sectors across the globe. Hidden Cobra uses a Remote Access Trojan (RAT) called Joanap and a Server Message Block (SMB) worm called Brambul.
Indicator of Compromise
1. Check for file integrity. Possible indicators of compromise are hash values listed below:
Log Source Requirements