
ASERT Threat Intelligence Report 2016-03: The Four-Element Sword Engagement

An example of the insight obtained by examining strings in the .data section with IDA Pro: the section contains the text strings used to represent keys that do not correspond to a simple letter or number (function, modifier and navigation keys), which are recorded when the keylogging functionality is activated.

IOCs

C2: 180.169.28.58:8080

MD5 (spearphish): 7d4f8341b58602a17184bc5c07311e8b

MD5 (RTF): c674ae90f686d831cffc223a55782a93

MD5 (IEChecker.exe): 46c7d064a34c4e02bb2df56e0f8470c0

SHA-256 (spearphish): bacc4edb5e775d2c957022ad8360946c19f9f75ef2709c1db2d6708d53ec2cd1

SHA-256 (RTF): af2cc5bb8d97bf019280c80e2891103a8a1d5e5f8c6305b6f6c4dd83ec245a7d

SHA-256 (IEChecker.exe): 7a200c4df99887991c638fe625d07a4a3fc2bdc887112437752b3df5c8da79b6

Connections to Historical and Ongoing Threat Campaign Activity: Uyghur NGO, Tibetans

The C2 is 180.169.28[.]58 TCP/8080 and is located in Shanghai, China. This IP address has been associated with a dynamic DNS provider, and has resolved as goodnewspaper.f3322[.]org and xinxin20080628.3322[.]org in the past.
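The indicators above are only useful once they are matched against telemetry. The following is an added example, not code from the report or from Arbor Networks: it loads the IOCs in their defanged form, normalises them, and sweeps a constructed firewall/DNS log for the C2 socket, the C2 host on any other port, and the historical dynamic DNS names, plus a helper that checks a file's MD5 and SHA-256 against the hash list. The log format (`dst=IP:PORT` and `query=NAME` fields) and the sample lines are assumptions made for this example.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Indicators as listed in the report, kept defanged and normalised below.
IOC_C2 = {"180.169.28[.]58:8080"}
IOC_DOMAINS = {"goodnewspaper.f3322[.]org", "xinxin20080628.3322[.]org"}
IOC_MD5 = {
    "7d4f8341b58602a17184bc5c07311e8b",  # spearphish
    "c674ae90f686d831cffc223a55782a93",  # RTF
    "46c7d064a34c4e02bb2df56e0f8470c0",  # IEChecker.exe
}
IOC_SHA256 = {
    "bacc4edb5e775d2c957022ad8360946c19f9f75ef2709c1db2d6708d53ec2cd1",
    "af2cc5bb8d97bf019280c80e2891103a8a1d5e5f8c6305b6f6c4dd83ec245a7d",
    "7a200c4df99887991c638fe625d07a4a3fc2bdc887112437752b3df5c8da79b6",
}


def refang(indicator: str) -> str:
    """Turn '180.169.28[.]58' into '180.169.28.58'; lower-case hostnames."""
    return indicator.replace("[.]", ".").strip().lower()


C2_SOCKETS = {refang(x) for x in IOC_C2}
C2_HOSTS = {s.rsplit(":", 1)[0] for s in C2_SOCKETS}
DOMAINS = {refang(x) for x in IOC_DOMAINS}


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "c2_socket", "c2_ip" or "dns"
    indicator: str
    line: str


# Constructed sample log for this example (assumed format, not report data):
# firewall lines carry "dst=IP:PORT", DNS lines carry "query=NAME".
SAMPLE_LOG = """\
2016-03-10T09:12:01Z fw src=10.1.4.22:51234 dst=180.169.28.58:8080 proto=tcp action=allow
2016-03-10T09:12:02Z fw src=10.1.4.22:51235 dst=93.184.216.34:443 proto=tcp action=allow
2016-03-10T09:15:40Z dns client=10.1.4.22 query=GoodNewsPaper.f3322.org type=A
2016-03-10T09:15:41Z dns client=10.1.4.23 query=update.example.com type=A
2016-03-10T09:20:07Z fw src=10.1.4.30:49001 dst=180.169.28.58:443 proto=tcp action=deny
"""

DST_RE = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")
QUERY_RE = re.compile(r"\bquery=(?P<name>[A-Za-z0-9.-]+)")


def scan_log(text: str) -> list[Hit]:
    """Return every line that touches a report IOC, most specific match first."""
    hits: list[Hit] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = DST_RE.search(line)
        if m:
            sock = f"{m['ip']}:{m['port']}"
            if sock in C2_SOCKETS:
                hits.append(Hit(n, "c2_socket", sock, line))
            elif m["ip"] in C2_HOSTS:
                # Same C2 host on another port: still worth an analyst's look.
                hits.append(Hit(n, "c2_ip", m["ip"], line))
            continue
        q = QUERY_RE.search(line)
        if q:
            name = q["name"].lower().rstrip(".")
            if name in DOMAINS:
                hits.append(Hit(n, "dns", name, line))
    return hits


def hash_matches(data: bytes) -> dict[str, bool]:
    """Check a file's MD5 and SHA-256 digests against the report's hash IOCs."""
    md5 = hashlib.md5(data).hexdigest()
    sha = hashlib.sha256(data).hexdigest()
    return {"md5": md5 in IOC_MD5, "sha256": sha in IOC_SHA256}


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} {h.indicator}")
    print(hash_matches(b"not the real sample"))
```

Matching the bare IP separately from the IP:port pair matters here: the report ties the C2 to TCP/8080, but the same host has carried dynamic DNS names over time, so traffic to it on another port is a lower-confidence hit that should still be surfaced rather than dropped.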

10 Proprietary and Confidential Information of Arbor Networks, Inc.
