{"id":15847,"date":"2019-07-19T11:45:21","date_gmt":"2019-07-19T19:45:21","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/19\/news-9592\/"},"modified":"2019-07-19T11:45:21","modified_gmt":"2019-07-19T19:45:21","slug":"news-9592","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/07\/19\/news-9592\/","title":{"rendered":"Analysis of a New HawkEye Variant"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b><i>Threat Analysis by FortiGuard Labs<\/i><\/b><\/p>\n<h2>Background<\/h2>\n<p>FortiGuard Labs recently captured a malware sample being spread by a phishing email. After a quick analysis, I discovered that it was a new variant of the HawkEye malware.<\/p>\n<p>HawkEye is known as a keylogger and application credential-stealing malware. Over the past few years, we have seen it spread by email and carried in MS Word documents, Excel files, PowerPoint files, and RTF files. In this analysis, I am going to provide an overview of what this new variant can do to a victim\u2019s system.<\/p>\n<h2>Distribution and Download<\/h2>\n<p>Here is the email content, masquerading as an airline ticket confirmation, which asks the targeted victim to click on a link.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/hawkeye-malware-analysis\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"HawkEye Phishing Email\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1.
The email content<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The email is designed to get the victim to download a 7z file from the link shown in Figure 1, which contains this new variant of HawkEye, and to run it on the victim\u2019s system.<\/p>\n<p>Unfortunately, on initial analysis the URL was not available and I received a \u201c404 Not Found\u201d message in the browser.<\/p>\n<p>Browsing to its main page, I found that it was an FTP service containing several network folders related to this campaign, most of which contained the same malware sample (Figure 2).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/hawkeye-malware-analysis\/_jcr_content\/root\/responsivegrid\/image_204344819.img.png\" alt=\"main page of HawkEye malware campaign\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. Screenshot of the main page<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>After the downloaded 7z file was decompressed, we retrieved the EXE file \u201cTICKET%2083992883992AIR8389494VERVED37783PDF.exe\u201d, which is the new variant of HawkEye.<\/p>\n<h2>Start HawkEye<\/h2>\n<p>Once HawkEye started, it spawned a suspended child process, \u201cRegAsm.exe\u201d, the Assembly Registration tool, from the Microsoft .Net framework installation directory. Meanwhile, HawkEye extracted a PE file into its memory and then moved the PE file into \u201cRegAsm.exe\u201d. The dynamically extracted PE file is the main program of HawkEye. It is called \u201cHawkEye_RegAsm\u201d in this analysis to differentiate these files.
HawkEye_RegAsm began running once the suspended \u201cRegAsm.exe\u201d was resumed.<\/p>\n<p>HawkEye_RegAsm is a .Net program packed with ConfuserEx v1.0.0 to protect itself. This makes it very difficult for analysts to read and analyze its code, which is fully obfuscated, as shown in Figure 3.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/hawkeye-malware-analysis\/_jcr_content\/root\/responsivegrid\/image_1292971459.img.png\" alt=\"Obfuscated Entry function of HawkEye_RegAsm\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. Obfuscated Entry function of HawkEye_RegAsm<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>After sleeping for 10 seconds, HawkEye_RegAsm starts its work on the victim\u2019s system. From my analysis so far, it appears to mainly perform the following functions:<\/p>\n<p style=\"margin-left: 40.0px;\">1&gt; Set up a clipboard logger<br \/> 2&gt; Set up a keyboard logger<br \/> 3&gt; Spawn another two child processes, \u201cvbc.exe\u201d, both from the .Net framework directory as well<br \/> 4&gt; Send collected data to an email address using SMTP periodically (every 10 minutes)<\/p>\n<p>HawkEye_RegAsm starts a thread to perform the above tasks, and then every 10 minutes it sends its collected information to its Yandex email address.<\/p>\n<p>HawkEye_RegAsm sets up the clipboard and keyboard loggers using Windows-native APIs (such as SetWindowsHookEx, SetClipboardViewer, etc.).
Its local functions can record the victim\u2019s activity when the victim types on the keyboard or copies data into the system clipboard.<\/p>\n<p>Figure 4 shows an example of the information that HawkEye_RegAsm collected from its keyboard and clipboard logger, along with the title of the software in use when each event occurred.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/hawkeye-malware-analysis\/_jcr_content\/root\/responsivegrid\/image_243687817.img.png\" alt=\"clipboard and keyboard data HawkEye malware\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. Example of collected Clipboard and Keyboard data<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Collecting Credentials from Saved Credential Storage<\/h2>\n<p>HawkEye_RegAsm performs a task similar to the one performed on RegAsm.exe. It spawns two suspended child processes, \u201cvbc.exe\u201d, which are from the same directory as RegAsm.exe. HawkEye dynamically extracts two PE files into its memory, which are then copied into the two newly created child processes of \u201cvbc.exe\u201d. It also modifies each child process\u2019s ThreadContext data (by calling the SetThreadContext API) so that the entry point points to the transferred PE file. When \u201cvbc.exe\u201d resumes running, the transferred PE file is executed. This is a trick that malware often uses to camouflage itself behind a normal process.<\/p>\n<p>The two \u201cvbc.exe\u201d processes collect credentials from the victim\u2019s system. One is used to collect the credentials of browsers. The other one focuses on email clients and IM clients to steal credentials and profiles.
Both PE files injected into \u201cvbc.exe\u201d have the same code framework. They first call a function to collect credentials and save them in memory, and then read the collected data, format it, and save it to the tmp file named in the command line parameter.<\/p>\n<p>Figure 5 shows HawkEye calling the CreateProcess API to start one of the two \u201cvbc.exe\u201d processes, with the parameter shown below in the \u201cLocals\u201d sub-tab. You can see the full path of \u201cvbc.exe\u201d. \u201c\/stext\u00a0&quot;&quot;C:Users*********AppDataLocalTemptmpBE3D.tmp&quot;&quot;&quot; is the parameter passed to it. The tmp file name is random and differs between the two \u201cvbc.exe\u201d processes; the file temporarily stores the collected credentials.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/hawkeye-malware-analysis\/_jcr_content\/root\/responsivegrid\/image_1192118013.img.png\" alt=\"break when calling CreateProcess HawkEye malware\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5.
Break when calling CreateProcess to start a \u201cvbc.exe\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The two PE files are not packer-protected and are not .Net programs.<\/p>\n<p>The first \u201cvbc.exe\u201d collects credentials from the victim\u2019s browsers and the system credential manager for IE.<\/p>\n<p>In my analysis, this variant of HawkEye focuses on the following browsers:<\/p>\n<p style=\"margin-left: 40.0px;\"><b>Microsoft Internet Explorer, Google Chrome, Apple Safari, Opera, Mozilla Sunbird, Mozilla Firefox, Mozilla Portable Thunderbird, Mozilla SeaMonkey, YandexBrowser, Vivaldi browser, and more.<\/b><\/p>\n<p>Figure 6 shows some strings, defined in the ASM code, for the browsers that the HawkEye malware wants to collect credentials from.<\/p>\n<p>The collected credentials are then saved into the tmp file named in the command line parameter. HawkEye_RegAsm keeps checking this tmp file until the credentials have been collected. HawkEye_RegAsm then reads the entire contents of this tmp file into its memory and then deletes it immediately.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/hawkeye-malware-analysis\/_jcr_content\/root\/responsivegrid\/image_1479759491.img.png\" alt=\"browser information defined in HawkEye malware\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6.
Browsers\u2019 information defined in the first PE file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The second PE file in \u201cvbc.exe\u201d collects profile and credential information from the email and IM client software installed on a victim\u2019s machine.<\/p>\n<p>The clients it targets are:<\/p>\n<p style=\"margin-left: 40.0px;\"><b>Qualcomm Eudora, Mozilla Thunderbird, MS Office Outlook, IncrediMail, Groupmail, MSNMessenger, Yahoo!Pager\/Yahoo!Messenger and Windows Mail.<\/b><\/p>\n<p>Below is an example list of what HawkEye stole from the Chrome browser on my test machine. As you can see, it includes the login URL, browser name, user name, password, created time, and the full path of the file where the collected information came from.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/hawkeye-malware-analysis\/_jcr_content\/root\/responsivegrid\/image_76774162.img.png\" alt=\"example list HawkEye malware steals\"\/>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/hawkeye-malware-analysis\/_jcr_content\/root\/responsivegrid\/image_1845677817.img.png\" alt=\"saved server address from HawkEye
malware\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. \u201cvbc.exe\u201d saves collected server address information to tmp file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The second PE file in \u201cvbc.exe\u201d not only collects the client\u2019s login username and password, but also profile information, such as the recipient Server address, recipient Server Port, protocol Type (POP3), SMTP Server, SMTP Port, etc. Figure 7 shows a screenshot of OllyDbg when \u201cvbc.exe\u201d was about to write the collected recipient Server addresses into its tmp file. It writes one line at a time. The same tmp file is finally read by HawkEye_RegAsm and then deleted.<\/p>\n<p>On my test machine, I only installed MS Outlook with one account. My test account and server profile were collected and put in the structure shown below, which would normally be sent to the attacker\u2019s email box.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/hawkeye-malware-analysis\/_jcr_content\/root\/responsivegrid\/image_1384395689.img.png\" alt=\"information sent to cyber attacker via HawkEye malware\"\/>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Sending Collected Data to the Attacker via SMTP<\/h2>\n<p>Ok. Now let\u2019s go back to the main process of HawkEye_RegAsm, which controls all tasks of HawkEye and sends the victim\u2019s credentials. In its main program, it calls Thread.Sleep(600000), pausing for 10 minutes at a time while credentials are collected.
That is, it reports the collected data to the attacker once every 10 minutes.<\/p>\n<p>It first sends an HTTP request, <i><a href=\"http:\/\/bot.whatismyipaddress.com\">http:\/\/bot.whatismyipaddress.com<\/a><\/i>, to ask for my machine\u2019s public IP. This is a way to ensure that the victim\u2019s machine is able to access the internet. If the request does not return a public IP, it stops sending collected data to the email box. In addition, the IP appears in the email subject so it can identify victims.<\/p>\n<p>The attacker\u2019s email box is on Yandex.mail, and its account name and password are used when sending collected data through the Yandex SMTP server. That\u2019s why I was able to get the attacker\u2019s email credentials while tracking the main program. Figure 8 shows a screenshot taken while I was debugging it.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/hawkeye-malware-analysis\/_jcr_content\/root\/responsivegrid\/image_427750407.img.png\" alt=\"sending emails to attackers email via HawkEye malware\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. Sending collected data to the attacker\u2019s email box<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Every ten minutes it sends packets such as the one shown in Figure 9 to report what it has collected from the victim\u2019s machine: keylogger and clipboard data, browser credentials, and IM and email client credentials and profiles.
\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/hawkeye-malware-analysis\/_jcr_content\/root\/responsivegrid\/image_374828311.img.png\" alt=\"sending information to Yandex email over SMTP \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. Sending collected data to the attacker\u2019s Yandex email address over SMTP<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/hawkeye-malware-analysis\/_jcr_content\/root\/responsivegrid\/image_193993900.img.png\" alt=\"attacker&#39;s harvest of personal information\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10. Glancing at an attacker\u2019s harvest<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Visiting the attacker\u2019s account, we can see what the attacker has harvested, as shown in figure 10.<\/p>\n<h2>Solutions<\/h2>\n<p>The original URL in the email has been rated as \u201c<b>Malicious Websites<\/b>\u201c by the FortiGuard Web Filtering service. 
The decompressed exe file is detected as \u201c<b>AutoIt\/Injector.EAH!tr<\/b>\u201d by the FortiGuard Antivirus service.<\/p>\n<h2>Sample SHA256<\/h2>\n<p>[TICKET%2083992883992AIR8389494VERVED37783PDF.exe]<br \/> 3E7AD2A554F89B2A5E52E5C4843111342182DA4409A038CF800570B65A13F875<\/p>\n<p>[Ticketmasterconfirmation3883948383948394.7z]<br \/> BBB46F812126FAEB543B02D143EF450887A043185AF98210D8F827924B31CF7A<\/p>\n<p>[TKT8839483993993fligh booking ticket confirmationupdate.7z]<br \/> F2B921726D728037F9BA0C63FB6C31F77983C3A6E3938B46C411E80C218A2E84<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qxx1b0gslklfu2kjckea-holder\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/bvahQO2GhEc\/hawkeye-malware-analysis.html\" target=\"bwo\"
>http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/hawkeye-malware-analysis\/_jcr_content\/root\/responsivegrid\/image.img.png\"\/><br \/>FortiGuard Labs recently identified a new variant of HawkEye malware being spread by a phishing email. Read more about the analysis here.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/bvahQO2GhEc&#8221; height=&#8221;1&#8243; width=&#8221;1&#8243; alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-15847","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15847","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15847"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15847\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15847"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15847"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.n
et\/index.php\/wp-json\/wp\/v2\/tags?post=15847"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}