ASERT Threat Intelligence Report 2016-03: The Four-Element Sword Engagement
An example of the insight obtained via examining strings in the .data section with IDA Pro reveals some of the text strings used to represent the use of keys that do not correspond to a simple letter or number (such as ) that may be used when keylogging functionality is activated.
IOCs
C2: 180.169.28.58:8080
Connections to Historical and Ongoing Threat Campaign Activity: Uyghur NGO, Tibetans
The C2 is 180.169.28[.]58 TCP/8080 and is located in Shanghai, China. This IP address has been associated with a dynamic DNS provider, and has resolved as goodnewspaper.f3322[.]org and xinxin20080628.3322[.]org in the past.
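As an added example (not part of the ASERT report), the following Python turns the defanged C2 indicators above back into matchable values and runs them over constructed firewall and DNS-resolver log lines to show how a defender would hunt for contact with the C2 IP, its TCP/8080 port, and the two historical dynamic-DNS names. The key=value log format and the sample lines are assumptions made for the example.

```python
import re

# Indicators as printed in the report (defanged); refanged below before matching.
C2_IP, C2_PORT = "180.169.28[.]58", 8080
C2_DOMAINS = {"goodnewspaper.f3322[.]org", "xinxin20080628.3322[.]org"}


def refang(value):
    """Reverse the report's defanging so the indicator matches real log data."""
    return value.replace("[.]", ".").replace("hxxp", "http")


IOC_IP = refang(C2_IP)
IOC_DOMAINS = {refang(d) for d in C2_DOMAINS}

# Constructed sample log lines (not from the report): firewall and DNS events
# in an assumed key=value format.
SAMPLE_LOGS = [
    "2016-03-01T10:00:01Z fw src=10.1.2.3 dst=180.169.28.58 dport=8080 proto=tcp action=allow",
    "2016-03-01T10:00:02Z fw src=10.1.2.3 dst=93.184.216.34 dport=443 proto=tcp action=allow",
    "2016-03-01T10:00:03Z dns client=10.1.2.3 query=goodnewspaper.f3322.org answer=180.169.28.58",
    "2016-03-01T10:00:04Z dns client=10.1.2.9 query=xinxin20080628.3322.org answer=NXDOMAIN",
    "2016-03-01T10:00:05Z fw src=10.1.2.3 dst=180.169.28.58 dport=443 proto=tcp action=allow",
]

KV = re.compile(r"(\w+)=(\S+)")


def match_iocs(lines):
    """Return (line, reasons) for every line touching the C2 indicators.

    Any traffic or DNS answer involving the C2 IP is reported; the exact
    TCP/8080 port named in the report is flagged separately, and queries for
    the historical dynamic-DNS names are flagged even when they no longer
    resolve to the C2 (the report says those resolutions are in the past).
    """
    hits = []
    for line in lines:
        kv = dict(KV.findall(line))
        reasons = []
        if kv.get("dst") == IOC_IP or kv.get("answer") == IOC_IP:
            reasons.append("c2-ip")
            if kv.get("dport") == str(C2_PORT):
                reasons.append("c2-port")
        if kv.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
            reasons.append("c2-dyndns")
        if reasons:
            hits.append((line, reasons))
    return hits
```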
10 Proprietary and Confidential Information of Arbor Networks, Inc.