README.adoc

File metadata and controls

263 lines (229 loc) · 7.34 KB

Q2 2020 report — Indicators of Compromise

These plain text indicators of compromise are an annex to ESET’s quarterly Threat Report for Q2 2020.

The full Threat Report is available on WeLiveSecurity in PDF format at the following URL:

Mustang Panda

ESET detection names

Win32/Korplug.PZ

SHA-1 hashes

3319A0AF253D487FF8F137DD0F7F0CB3DC94F729
DB4A2F4BA2AADA8BF12E5D840A0D5921012DBD07

Digital certificate

Serial number: 4bb0b5a8d5b5b0d58e9c5733
Thumbprint: 794e2af8affb7d78ff654d2dd780e39fd682e152
CN = Wuhan Aixinsen Technology Co., Ltd.
O = Wuhan Aixinsen Technology Co., Ltd.
L = Wuhan
S = Hubei
C = CN
Valid from: Wednesday, 8 January 2020 11:07:22
Valid to: Friday, 8 January 2021 11:07:22

C&C servers

42.99.117[.]95
news.169mt[.]com

Operation In(ter)ception Update

ESET detection names

Win32/Interception
Win64/Interception
VBA/TrojanDownloader.Agent.SKO

SHA-1 hashes

617C42943DCD973235E2227D3AE88F330A2944D0
D69BA2099A9483FC2691D500FCFFF2E1FC382C2D
9757D92DCB5FC253783E8A1D2702BF0F1196D4AB

Files and folders

Aerojet RocketDyne Job and Salary Information- Human Resource Manger_PC_Version.7z
лист НДІХП.doc
Northrop Grumman.doc
javacpld.exe
C:\Intel\GfxCPL.exe
C:\Intel\hidasvc.exe
C:\OneDrive\OneDriveSync.exe

Network indicators

https://www.advantims[.]com/Sync.xsl
https://www.c-section[.]com/ng.docx
https://www.c-section[.]com/GfxCPL.xsl
https://www.apl-tec[.]com/ExportImport/Export/All.pdf
https://www.apl-tec[.]com/WebAPL/img/contact.jpg
https://qfclindia[.]com/img/panel.png
https://qfclindia[.]com/login/about-us.docx

Winnti Group

ESET detection names

LNK/TrojanDropper.Agent.BK
MSIL/ShellcodeRunner.A
MSIL/ShellcodeRunner.B
MSIL/ShellcodeRunner.C
MSIL/ShellcodeRunner.D
Win32/Korplug.PW
Win64/Motnug.K
Win64/Motnug.R
Win64/Motnug.S
Win64/Agent.ZZ

SHA-1 hashes

0F1F2431ECCCB980F7D93B9AF52139D0D508510F
281C1B196CD992906D8583E64011DC28D9C52E3C
1B1A867A950C0CD4AACA930E4978F8C47287EC63
724B2E24872BE445ED2F914B252F8CCF580E9C71
EB2FB8F0E14CB68B45B4DB7ACC05AD22A151D19D
ED0D4BAA22DFADF41484955A823AAA095470E6D7
A6FC4834B9DBA46ACE3055C7214D65AE39BBF920
4A5E5ED953EE8BC0FF438192E6235F205304BBCE
DBA010496A7BE2E5DE1F923FFDFC19BF345B650B
9E0F7A78CDBC83B9086DF1B4AEF6E06DF2B98A27
6224F4E73D49AD40D67E41AB22086239B153B6C8
42811D5A48200361E72ADD7D50D7511EE22B3BB1
9D1940ED48190277C9D98DDBD7E4EA63ADE5CEAE
9AC922E2A445E039EE3DDD6DE102A20824476326
AE9E6EC5489492210ECAD274475710F1456631EF
5C142A6A8B555C52E4C6A9AE2DE52DFAA4AB7644
Winnti Group packed PeddleCheap
8B8D2EB8DE66890F4C0950CCB3FFF95B0F42B9E1
B48BEB5E49976294287B1D6910D7445DB83E5CF2

Files and folders

International English Language Testing System certificate.pdf.lnk
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
oci.dll
C:\Windows\System32\spool\prtprocs\x64\winprint.dll
svchast.exe
work.exe
OfficeUpdate.exe
C:\PerfLogs\svchost.exe
C:\PerfLogs\kiir.dll
C:\perflogs\aspnet_cas.exe
C:\PerfLogs\mscoreei.tlb
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.tlb
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\NetFx40_IIS_schema.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbs.exe
C:\PerfLogs\NetFx40_IIS_schema.config
C:\PerfLogs\Resolution.exe
C:\perflogs\vbs.exe
C:\Windows\system32\dhcp.exe
uDWM.tmp
66DF3DFG.tmp
mscoreei.tlb
hd.exe
Ulsassx64.exe

Network indicators

8.9.11[.]130
45.76.6[.]149
45.76.31[.]159
107.191.60[.]153
124.156.138[.]199
149.28.75[.]141
149.28.78[.]89
103.79.76[.]205
107.174.45[.]134
high.micorsoff[.]com
ns.mircosoftbox[.]com
6q4qp9trwi.dnslookup[.]services
http://sixindent.epizy[.]com/inter.php
http://goodhk.azurewebsites[.]net/inter.php
https://docs.google[.]com/document/d/1tRuDARmS6VLJIQ4R9rGqL1gFWOnkyLw5FE-9gwsrwm8
https://docs.google[.]com/document/d/1LLU09rtIknFkLu2PeUJNlMh0vWAm7nGGjM9K9Bxnbi

SSL certificate

Serial number: d04591134c09d426
Thumbprint: b8cff709950cfa86665363d9553532db9922265c
CN = 10.200.206.100
O = Internet Widgits Pty Ltd
ST = Some-State
C = US
Valid from: 2017-11-23 02:08:55
Valid to: 2027-11-21 02:08:55

Code signing certificates

Serial number: 112195a147c06211d2c4b82b627e3d07bf09
Thumbprint: 91e256ac753efe79927db468a5fa60cb8a835ba5
CN = ZEALOT DIGITAL INTERNATIONAL CORPORATION
O = ZEALOT DIGITAL INTERNATIONAL CORPORATION
L = Kaohsiung City
S = Taiwan
C = TW
Valid from: Thursday, August 20, 2015 9:43:53 AM
Valid to: Monday, September 19, 2016 9:43:53 AM

Serial number: 7e748cdde5b67111bfe43346900e043d
Thumbprint: 4d7af6c12794acebdb9254da7839bd0e6ae9133c
CN = 21ViaNet Broadband Limited
OU = CloudEx Department
OU = Digital ID Class 3 - Microsoft Software Validation v2
O = 21ViaNet Broadband Limited
L = Beijing
S = Beijing
C = CN
Valid from: Friday, January 15, 2010 2:00:00 AM
Valid to: Tuesday, January 15, 2013 1:59:59 AM

Hardware cryptocurrency wallets targeted by scammers

ESET detection names

JS/ExtenBro.CryptoSteal.*
Android/FakeApp.LI
Android/FakeApp.LM

Chrome addons

egpclopembbljpmifeohhpchacfmienk
epbafoeegabblfebgialknoklomcdcog
fbcnandddcicamlihombjhlijadopgbk
gcnehcoagbchkmplookbmpbkacmejpkd
gdeonaknmgmojbmdllhfkplfkagebkib
gdlhhmjmdjmlfpnnbgfcebkienknfkei
hafkepickjhnomjepannhjcgdmhdhjdc
hgknndaldoddbpkbfgkdlbellagpimio
hjciidhdblhkjpopafjbbdfjaknfopfl
hmlkfjjokellkejakdcndcdknhmmconk
jhmmdcocjepheielbkgehfgeainjiokj
lidnfimcehcmkfmloggkocgglkegkgjh
lfdkkfclehfafopgfcdmoailhahalphd
lplaikpmjcnpgaleiplfnmdpcffdpdjg

Android applications

com.ledger20.ledgerapps
com.ledger.lives.mobileapps
com.keepkey20.ledgerapps

Firefox addons

https://addons.cdn.mozilla.net/user-media/addons/2644453/ledger_nano-2.2.1-fx.xpi?filehash=sha256%3Ac296c7c11162a947775ea79ac74f183c9077a16efd9f245d1ced33b999029b0b
https://addons.cdn.mozilla.net/user-media/addons/2637065/trust_wallet-1.9-fx.xpi?filehash=sha256%3A56cab47d0f34ea3841689edf1d41c0ada9ceac2cc6f95b8d3ee57f486017c15f
https://addons.cdn.mozilla.net/user-media/addons/2648902/atomic_wallet-2.4.3-an+fx.xpi?filehash=sha256%3A31ec1e501fc3810b1df94d9f97b982fdbc1d8bbfe05d302d9b6a3a76c0517e67
https://addons.cdn.mozilla.net/user-media/addons/2644883/atomic_wallet-2.15.4-fx.xpi?filehash=sha256%3Ab67b229812d0c51b57e305d6f3e3c2578de4becb3eebccdc3ce11353fb6e4b89
https://addons.cdn.mozilla.net/user-media/addons/2650892/tezbox_tezos_wallet-20.0.1-fx.xpi?filehash=sha256%3A701cfc301e23a59156624f593839e03a5ad73a98fe75788dc020e295583b7686
https://addons.cdn.mozilla.net/user-media/addons/2645150/atomic_wallet-1.0.2-fx.xpi?filehash=sha256%3A7394786dfc4c3ab9c47d79ddf0e93465f50333e4781e7512d677e8aa954f4d83
https://addons.cdn.mozilla.net/user-media/addons/2651929/leafwallet_easy_to_use_eos_wallet-1.2.8-fx.xpi?filehash=sha256%3A682a56a9b218197f0ebbbef424a9e1d00e74b2518bf430ff62380cfa28eb5a5b
https://addons.cdn.mozilla.net/user-media/addons/2636409/nano_ledger_wallet-2.4.44-an+fx.xpi?filehash=sha256%3A921e62261a0fd69e850eaba45e4a71fefb65e2d5e84b41a59435f8e01fb95ad9
https://addons.cdn.mozilla.net/user-media/addons/2645428/ledger_nano-1.2.1-an+fx.xpi?filehash=sha256%3Aff078f920bf3d0b3880c0cfb77a4acbf7d91e0048b8df414b6976b2fd7ca06ba
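Operationalizing this annex

The network indicators above are defanged (every dot written as "[.]") and the lists mix hashes, IPs, domains, URLs and Chrome extension IDs, so before they can be hunted they have to be refanged, classified by type, and matched with anchoring so that a near-miss value such as 142.99.117.95 does not fire on the 42.99.117[.]95 entry. The Python below is an added example for this page, not ESET's code or tooling: it takes a few indicators copied from the sections above, refangs and classifies them, compiles one anchored pattern per indicator, and runs them over log lines. The log lines and the field names in them are constructed for the demonstration and are not real telemetry.

```python
"""Refang, classify and match the indicators in this annex against log lines.

Added example for this page; it is not ESET's code. The indicator values are
copied from the sections above, the log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# A handful of indicators from the sections above. Network indicators in the
# annex are "defanged": each dot is written as "[.]" so the value cannot be
# clicked or resolved by accident.
ANNEX_IOCS = [
    "3319A0AF253D487FF8F137DD0F7F0CB3DC94F729",  # Mustang Panda, SHA-1
    "42.99.117[.]95",                             # Mustang Panda, C&C IP
    "news.169mt[.]com",                           # Mustang Panda, C&C domain
    "https://www.c-section[.]com/GfxCPL.xsl",     # In(ter)ception, URL
    "high.micorsoff[.]com",                       # Winnti Group, domain
    "egpclopembbljpmifeohhpchacfmienk",           # Chrome extension ID
]

SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Chrome extension IDs are 32 letters in a..p (each hex digit mapped to a letter).
CHROME_ID_RE = re.compile(r"^[a-p]{32}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def refang(ioc):
    """Undo the annex's defanging so the value can be compared with real logs."""
    return ioc.strip().replace("[.]", ".")


def classify(ioc):
    """Return the indicator type: sha1, url, ipv4, chrome_extension, domain or other."""
    v = refang(ioc)
    if SHA1_RE.match(v):
        return "sha1"
    if "://" in v:
        return "url"
    if IPV4_RE.match(v):
        return "ipv4"
    if CHROME_ID_RE.match(v):
        return "chrome_extension"
    if DOMAIN_RE.match(v):
        return "domain"
    return "other"


def build_matchers(iocs):
    """Compile one anchored regex per indicator.

    Anchoring matters: a bare substring test would let 42.99.117.95 fire on
    142.99.117.95. Domains match as the exact host or any subdomain of it;
    URLs match either verbatim or by their host.
    """
    matchers = []
    for raw in iocs:
        kind, val = classify(raw), refang(raw)
        if kind == "sha1":
            pat = re.compile(re.escape(val), re.I)
        elif kind == "ipv4":
            pat = re.compile(r"(?<![\d.])" + re.escape(val) + r"(?![\d.])")
        elif kind == "domain":
            pat = re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(val) + r"(?![\w-])", re.I)
        elif kind == "url":
            host = urlsplit(val).hostname
            pat = re.compile(re.escape(val) + r"|(?<![\w.-])" + re.escape(host) + r"(?![\w-])", re.I)
        elif kind == "chrome_extension":
            pat = re.compile(r"(?<![a-z])" + val + r"(?![a-z])")
        else:
            continue  # file paths and certificate fields need host-side checks, not log grep
        matchers.append((kind, val, pat))
    return matchers


def scan(log_lines, matchers):
    """Return (line_number, kind, indicator) for each indicator that hits a line."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for kind, val, pat in matchers:
            if pat.search(line):
                hits.append((n, kind, val))
    return hits


# Constructed log lines for the demonstration; none are real telemetry.
SAMPLE_LOGS = [
    "2020-05-12T09:14:02Z dns client=10.0.0.23 query=news.169mt.com type=A",
    "2020-05-12T09:15:44Z proxy src=10.0.0.23 url=https://www.c-section.com/GfxCPL.xsl status=200",
    "2020-05-12T09:16:10Z fw src=10.0.0.23 dst=142.99.117.95 dport=443",  # near miss, must not match
    "2020-05-12T09:16:11Z fw src=10.0.0.23 dst=42.99.117.95:443 action=allow",
    "2020-05-12T09:17:30Z edr host=ws23 sha1=3319a0af253d487ff8f137dd0f7f0cb3dc94f729 path=C:\\Temp\\a.exe",
    "2020-05-12T09:18:00Z chrome host=ws23 ext=egpclopembbljpmifeohhpchacfmienk version=1.0",
    "2020-05-12T09:19:00Z dns client=10.0.0.41 query=update.high.micorsoff.com type=A",
]

if __name__ == "__main__":
    for n, kind, val in scan(SAMPLE_LOGS, build_matchers(ANNEX_IOCS)):
        print(f"line {n}: {kind} {val}")
```

The file paths, certificate serial numbers and thumbprints listed in this annex are deliberately left out of the matchers: they are better checked on the endpoint (file system enumeration, Authenticode signer inspection) than by text matching in logs, and a thumbprint is only meaningful against the actual signing certificate of a binary. Domains match as the host or any subdomain of it, which is what DNS and proxy logs usually need; tighten the lookahead if your logs carry hosts with further labels appended.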