[ad_1]
A particular due to our Skilled Providers’ IR crew, ShadowServer, for historic context on C2 domains, and Thomas Roccia/Leandro Velasco for malware evaluation assist.
Government Abstract
Following a latest Incident Response, McAfee Enterprise‘s Superior Menace Analysis (ATR) crew labored with its Skilled Providers IR crew to assist a case that originally began as a malware incident however finally turned out to be a long-term cyber-attack.
From a cyber-intelligence perspective, one of many greatest challenges is having info on the ways, strategies, and procedures (TTPs) an adversary is utilizing after which conserving them updated. Inside ATR we usually monitor many adversaries for years and acquire and retailer information, starting from indicators of compromise (IOCs) to the TTPs.
On this report, ATR supplies a deep perception into this long-term marketing campaign the place we are going to map out our findings towards the Enterprise MITRE ATT&CK mannequin. There might be components which might be censored since we respect the confidentiality of the sufferer. We can even zoom in and have a look at how the interpretation to the MITRE Methods, historic context, and proof artifacts like PlugX and Winnti malware led to a hyperlink with one other marketing campaign, which we extremely belief to be executed by the identical adversary.
IOCs that might be shared are on the finish of this doc.
McAfee clients are protected against the malware/instruments described on this weblog. MVISION Insights clients can have the complete particulars, IOCs and TTPs shared by way of their dashboard. MVISION Endpoint, EDR and UCE platforms present signature and behavior-based prevention and detection functionality for most of the strategies used on this assault. A extra detailed weblog with particular suggestions on utilizing the McAfee portfolio and built-in associate options to defend towards this assault might be discovered right here.
Technical Evaluation
Preliminary An infection Vectors [TA0001]
Forensic investigations recognized that the actor established preliminary entry by compromising the sufferer’s internet server [T1190]. On the webserver, software program was put in to take care of the presence and storage of instruments [T1105] that will be used to collect details about the sufferer’s community [T1083] and lateral motion/execution of recordsdata [T1570] [T1569.002]. Examples of the instruments found are PSexec, Procdump, and Mimikatz.
Privilege Escalation and Persistence [TA0004, TA0003]
The adversary has been noticed utilizing a number of privilege escalation and persistence strategies in the course of the interval of investigation and presence within the community. We’ll spotlight a number of in every class.
Moreover using Mimikatz to dump credentials, the adversaries used two instruments for privilege escalations [T1068]. One of many instruments was “RottenPotato”. That is an open-source instrument that’s used to get a deal with to a privileged token, for instance, “NT AUTHORITYSYSTEM”, to have the ability to execute duties with System rights.
Instance of RottenPotato on elevating these rights:
Determine 1 RottenPotato
The second instrument found, “BadPotato”, is one other open-source instrument that can be utilized to raise consumer rights in the direction of System rights.
Determine 2 BadPotato
The BadPotato code might be discovered on GitHub the place it’s provided as a Visible Studio mission. We inspected the adversary’s compiled model utilizing DotPeek and hunted for artifacts within the code. Inspecting the File (COFF) header, we noticed the file’s compilation timestamp:
TimeDateStamp: 05/12/2020 08:23:47 – Date and time the picture was created
PlugX
One other main and attribute privilege escalation approach the adversary used on this long-term marketing campaign was the malware PlugX as a backdoor. PlugX makes use of the approach “DLL Sideloading” [T1574.002]. PlugX was noticed as normal the place a single (RAR) executable contained the three components:
Legitimate executable.
Related DLL with the hook in the direction of the payload.
Payload file with the config to speak with Command & Management Server (C2).
The adversary used both the standalone model or distributed three recordsdata on totally different property within the community to achieve distant management of these property. The samples found and analyzed have been speaking in the direction of two domains. Each domains have been registered in the course of the time of the marketing campaign.
One of many PlugX samples consisted of the next three components:
Filename
Hashes
HPCustPartic.exe
SHA256: 8857232077b4b0f0e4a2c3bb5717fd65079209784f41694f8e1b469e34754cf6
HPCustPartUI.dll
SHA256: 0ee5b19ea38bb52d8ba4c7f05fa1ddf95a4f9c2c93b05aa887c5854653248560
HPCustPartic.bin
SHA256: 008f7b98c2453507c45dacd4a7a7c1b372b5fafc9945db214c622c8d21d29775
The .exe file is a sound and signed executable and, on this case, an executable from HP (HP Buyer participation). We additionally noticed different legitimate executables getting used, starting from AV distributors to video software program. When the executable is run, the DLL subsequent to it’s loaded. The DLL is legitimate however comprises a small hook in the direction of the payload which, in our case, is the .bin file. The DLL hundreds the PlugX config and injects it right into a course of.
We executed the samples in a take a look at setup and dumped the reminiscence of the machine to conduct reminiscence evaluation with volatility. After the essential forensically sound steps, we ran the malfind plugin to detect attainable injected code in a course of. From the redacted output of the plugin, we noticed the next values for the method with attainable injected code:
Course of: svchost.exe Pid: 860 Deal with: 0xb50000
Course of: explorer.exe Pid: 2752 Deal with: 0x56a000
Course of: svchost.exe Pid: 1176 Deal with: 0x80000
Course of: svchost.exe Pid: 1176 Deal with: 0x190000
Course of: rundll32.exe Pid: 3784 Deal with: 0xd0000
Course of: rundll32.exe Pid: 3784 Deal with: 0x220000
One remark is the point out of the SVCHOST course of with a ProcessID worth of 1176 that’s talked about twice however with totally different addresses. That is just like the RUNDLL32.exe that’s talked about twice with PID 3785 and totally different addresses. One solution to determine what malware could have been used is to dump these processes with the related PID utilizing the procdump module, add them to a web based evaluation service and look forward to the outcomes. Since it is a very delicate case, we took a special method. Utilizing the very best of each worlds (volatility and Yara) we used a ruleset that consists of malware patterns noticed in reminiscence over time. Operating this ruleset over the information within the reminiscence dump revealed the next (redacted for the sake of readability) output:
Determine 3 Output Yarascan reminiscence dump
The output of the Yara rule scan (and there was far more output) confirmed the presence of PlugX module code in PID 1176 of the SVCHOST service. Additionally, the rule was triggered on PID 3784, which belonged to RUNDLL32.exe.
Investigating the dumps after dynamic evaluation, we noticed two domains used for C2 site visitors:
sery.brushupdata.com
dnssery.brushupdata.com
Specifically, we noticed the next hardcoded worth that is likely to be one other payload being downloaded:
sery.brushupdata.com/CE1BC21B4340FEC2B8663B69
The PlugX households we noticed used DNS [T1071.001] [T1071.004] because the transport channel for C2 site visitors, specifically TXT queries. Investigating the site visitors from our samples, we noticed the check-in-signature (“20 2A 2F 2A 0D”) that’s typical for PlugX community site visitors:
00000000: 47 45 54 20 2F 42 34 42 42 44 43 43 30 32 39 45
00000010: 31 31 39 37 31 39 46 30 36 35 36 32 32 20 48 54
00000020: 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20
00000030: 2A 2F 2A 0D 0A 43 6F 6F 6B 69 65 3A 20 44 36 43
00000040: 57 50 2B 56 5A 47 6D 59 6B 6D 64 6D 64 64 58 55
00000050: 71 58 4D 31 71 31 6A 41 3D 0D 0A 55 73 65 72 2D
Throughout our evaluation of the totally different PlugX samples found, the domains as talked about above stayed the identical, although the payload values have been totally different. For instance:
hxxp://sery.brushupdata.com/B4BBDCC029E119719F065622
hxxp://sery.brushupdata.com/07FDB1B97D22EE6AF2482B1B
hxxp://sery.brushupdata.com/273CDC0B9C6218BC1187556D
Different PlugX samples we noticed injected themselves into Home windows Media Participant and began a reference to the next two domains:
heart.asmlbigip.com
sec.asmlbigip.com
Good day Winnti
One other mechanism noticed was to begin a program as a service [T1543.003] on the Working System with the acquired System rights by utilizing the *Potato instruments. The file the adversary was utilizing gave the impression to be a backdoor that was utilizing the DLL file format (2458562ca2f6fabddae8385cb817c172).
The DLL is used to create a malicious service and its identify is “service.dll”. The identify of the created service, “SysmainUpdate”, is usurping the identify of the professional service “SysMain” which is said to the professional DLL sysmain.dll and in addition to the Superfetch service. The dll is run utilizing the command “rundll32.exe SuperFrtch.dll, #1”. The export perform has the identify “WwanSvcMain”.
The mannequin makes use of the persistence approach using svchost.exe with service.dll to put in a rogue service. It seems that the dll employs a number of mechanisms to fingerprint the focused system and keep away from evaluation within the sandbox, making evaluation harder. The DLL embeds a number of obfuscated strings decoded when working. As soon as the fingerprinting has been carried out, the malware will set up the malicious service utilizing the API RegisterServiceHandlerA then SetServiceStatus, and at last CreateEventA. An outline of the approach might be discovered right here.
The malware additionally decrypts and injects the payload in reminiscence. The next screenshot reveals the decryption routine.
Determine 4 Decryption routine
After we analyzed this distinctive routine, we found similarities and the point out of it in a publication that may be learn right here. The malware described within the article is attributed to the Winnti malware household. The working methodology and the code used within the DLL described within the article are similar to our evaluation and observations.
The method dump additionally revealed additional indicators. Firstly, it revealed artifacts associated to the DLL analyzed, “C:ProgramDataMicrosoftWindowsSuperfRtchSuperfRtch.dat”. We imagine that this dat file is likely to be the loaded payload.
Secondly, whereas investigating the method dump, we noticed actions from the backdoor which might be a part of the information exfiltration makes an attempt which we are going to describe in additional element on this evaluation report.
A redacted snippet of the code would seem like this:
Creating archive ***.rar
Including [data from location]
0%
OK
One other indicator of discovering Winnti malware was the next execution path we found within the command line dump of the reminiscence:
cmd /c klcsngtgui.exe 1560413F7E <abbreviation-victim>.dat
What we noticed right here was using a sound executable, the AES 256 decryption key of the payload (.dat file). On this case, the payload file was named utilizing an abbreviation of the sufferer firm’s identify. Sadly, the adversary had eliminated the payload file from the system. File carving didn’t work for the reason that disk/unallocated house was overwritten. Nonetheless, reconstructing traces from reminiscence revealed that we have been coping with the Winnti 4.0 malware. The malware was injected right into a SVCHOST course of the place a driver location pointed to the config file. We noticed within the course of dump the exfiltration of information on the system, resembling OS, Processor (structure), Area, Username, and so on.
One other clue that helped us was using DNS tunneling by Winnti which we found traces of in reminiscence. The hardcoded 208.67.222.222 resolves to a professional OpenDNS DNS server. The IP is pushed into the record generated by the malware at runtime. Initially of the malware, it populates the record with the system’s DNS, and the OpenDNS server is barely used as a backup to make sure that the C2 area is resolved.
One other indicator within the course of dump was the setup of the C2 connection together with the Person-Agent that has been noticed being utilized by Winnti 4.0 malware:
Mozilla/5.0 (Home windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Different Persistence Actions
WMI exercise [T1546.003] was additionally noticed to execute instructions on the programs.
From a persistence viewpoint, scheduled duties [T1053.005] and using legitimate accounts [T1078] acquired via using Mimikatz, or creating LSASS dumps, have been noticed being employed in the course of the size of the marketing campaign.
Lateral Motion
From a lateral motion perspective, the adversary used the obtained credentials to hop from asset to asset. In a single specific case, we noticed a well-recognized filename: “PsExec.exe”. This SysInternals instrument is usually noticed being utilized in lateral motion by adversaries, nonetheless, it will also be utilized by the sysadmins of the community. In our case, the PsExec executable had a file measurement of 9.6 MB the place the unique PsExec (relying on 32- or 64-bit model) had a most file measurement of 1.3 MB. An preliminary static inspection of the file resulted in a blob of code that was current within the executable which had a really excessive entropy rating (7.99). When working the file from the command line, the next output was noticed:
Determine 5 PsExec output
The error notification and the ‘Impacket’ key phrase tipped us off and, after digging round, we discovered extra. The faux PsExec is an open-source Python script that may be a PsExec various with shell/backdoor functionality. It makes use of a script from this location: hxxps://github.com/SecureAuthCorp/impacket/blob/grasp/examples/psexec.pyi. The file is massive because it incorporates a low-level protocol interplay from Impacket. The Python library mixed with the script code is compiled with py2exe. The file was compiled in the course of the time of the newest assault actions and signed with an expired certificates.
Knowledge Exfiltration
From what we noticed, the adversary had a long-term intention to remain current within the sufferer’s community. With excessive confidence, we imagine that the adversary was curious about stealing proprietary intelligence that might be used for navy or mental property/manufacturing functions.
The adversary used a number of strategies to exfiltrate the information. In some instances, batch (.bat) scripts have been created to collect info from sure community shares/folders and use the ‘rar’ instrument to compress them to a sure measurement [T1020] [T1030]. Instance of content material in a batch script:
C:Windowswebrar.exe a -[redacted] -r -v50000 [Target-directory]
On different events, guide variants of the above command have been found after utilizing the customized backdoor as described earlier.
When the information was gathered on a neighborhood system utilizing the backdoor, the recordsdata have been exfiltrated over the backdoor and the rar recordsdata have been deleted [T1070.004]. The place exterior going through property have been used, like an internet server, the information was saved in a location within the Web Data Providers (IIS) internet server and exfiltrated over HTTP utilizing GET requests in the direction of the precise file paths [T1041] [T1567] [T1071].
An instance of the [redacted] internet site visitors within the IIS logfiles:
Date /Time
Request
TCP Src port
Supply IP
Person-Agent
Redacted
GET /****/[redacted].rar
80
180.50.*.*
MINIXL
redacted
GET /****/[redacted].rar
80
209.58.*.*
MINIXL
The supply IP addresses found belonged to 2 totally different ISP/VPN suppliers based mostly in Hong-Kong.
The Person-Agent worth is an fascinating one, “MINIXL”. After we researched that worth, we found a weblog from Dell SecureWorks from 2015 that mentions the identical Person-Agent, but in addition plenty of the artifacts talked about from the weblog overlapped with the observations and TTPs of Operation Harvest https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/.
What we may retrieve from open-source databases is that using this specific Person-Agent may be very restricted and appears to originate from the APAC area.
Who did it?
That appears to be the one-million-dollar query to be requested. Inside McAfee, attribution will not be our most important focus, defending our clients is our precedence. What we do care about is that if we find out about these strategies throughout an investigation, can we map them out and assist our IR crew on the bottom, or a buyer’s IR crew, with the information that may assist decide which part of the assault the proof is pointing to and based mostly on historic information and intelligence, help in blocking the subsequent part and uncover extra proof?
We began by mapping out all MITRE ATT&CK Enterprise strategies and sub-techniques, added the instruments used, and did a comparability towards historic approach information from the business. We ended up with 4 teams that shared strategies and sub-techniques. The Winnti group was added by us since we found the distinctive encryption perform within the customized backdoor and indicators of using the Winnti malware.
Determine 6 ATT&CK approach comparability
The diagram reflecting our consequence insinuated that APT27 and APT41 are the most certainly candidates that overlap with the (sub-)strategies we noticed.
Since all these teams are in a sure time zone, we extracted all timestamps from the forensic investigation close to:
Registration of area
Compile timestamps of malware (contemplating deception)
Timestamps of command-line exercise
Timestamps of information exfiltration
Timestamps of malware interplay resembling creation, deletion, and so on.
After we transformed all these timestamps from UTC to the aforementioned teams’ time zones, we ended up with the beneath scheme on exercise:
Determine 7 Adversary’s time of operation
On this marketing campaign, we noticed how the adversary largely appears to work from Monday to Thursday and usually throughout workplace hours, albeit with the occasional exception.
Correlating ATT&CK (sub-)strategies, timestamps, and instruments like PlugX and Mimikatz should not the one proof indicators that may assist to determine a attainable adversary. Command-line syntax, particular code similarity, actor functionality over time versus different teams, and distinctive identifiers are on the high of the ‘pyramid of ache’ in menace intelligence. The underside a part of the pyramid is about hashes, URLs, and domains, areas which might be very risky and simple to alter by an adversary.
Determine 8 Pyramid of Ache
Past investigating these artifacts, we additionally took attainable geopolitical pursuits and potential deception into consideration when constructing our speculation. After we mapped out all of those, we believed that one of many two beforehand talked about teams have been chargeable for the marketing campaign we investigated.
Our focus was not about attribution although, however extra round the place the movement of the assault is, matches towards earlier assault flows from teams, and what strategies/instruments they’re utilizing to dam subsequent steps, or the place to find them. The extra particulars we will collect on the high of ‘the pyramid of ache’, the higher we will decide the seemingly adversary and its TTP’s.
That’s all People!
Nicely, probably not. Whereas correlating the noticed (sub-)strategies, the malware households and code, we found one other focused assault towards an identical goal in the identical nation with the main motivation of gathering intelligence. Within the following diagram we performed a high-level comparability of the instruments being utilized by the adversary:
Determine 9 Instruments comparability
Though a number of the instruments are distinctive to every marketing campaign, if considered over time with once they have been used, it is sensible. It demonstrates the event of the actor and use of newer instruments to conduct lateral motion and to acquire the required stage of consumer rights on programs.
General, we noticed the identical modus operandi. As soon as an preliminary foothold was established, the adversary would deploy PlugX initially to create a number of backdoors within the sufferer’s community in case they have been found early on. After that, utilizing Mimikatz and dumping lsass, they have been seeking to get legitimate accounts. As soon as legitimate accounts have been acquired, a number of instruments together with a few of their very own instruments have been used to achieve details about the sufferer’s community. From there, a number of shares/servers have been accessed, and data gathered. That info was exfiltrated as rar recordsdata and positioned on an internet-facing server to cover within the ‘regular’ site visitors. We characterize that within the following graphic:
Determine 10 Assault movement
Within the 2019/2020 case we additionally noticed using a malware pattern that we’d classify as a part of the Winnti malware household. We found a few recordsdata that have been executed by the next command:
Begin Ins64.exe E370AA8DA0 Jumper64.dat
The Winnti loader ‘Ins64.exe’ makes use of the worth ‘E370AA8DA0’ to decrypt the payload from the .dat file utilizing the AES-256-CTR decryption algorithm and begins to execute.
After executing this command and analyzing the reminiscence, we noticed a course of injection in one of many svchost processes whereby one specific file was loaded from the next path:
C:programdatamicrosoftwindowscachesieupdate.dll
Determine 11 Reminiscence seize
The malware began to open up each UDP and TCP ports to attach with a C2 server.
UDP Port 20502
TCP Port 20501
Determine 12 Community connections to C2
Capturing the site visitors from the malware we noticed the next for example:
Determine 13 Winnti HTTP site visitors to C2
The packet information was personalized and despatched via a POST request with a number of headers in the direction of the C2. Within the above screenshot the numbers after “POST /” have been randomly generated.
The Person-Agent is an efficient community indicator to determine the Winnti malware since it’s utilized in a number of variants:
Mozilla/5.0 (Home windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Certainly, the identical Person Agent worth was found within the Winnti pattern in Operation Harvest and appears to be typical for this malware household.
The cookie worth consists of 4 Dword hex values that comprise details about the personalized packet measurement utilizing a XOR worth.
We discovered extra concerning the packet construction of Winnti from this hyperlink.
Making use of what we discovered concerning the handshake, we noticed the next in our site visitors pattern:
Dword worth 0 = 52 54 00 36
Dword worth 1 = 3e ff 06 b2
Dword worth 2 = 99 6d 78 fe
Dword worth 3 = 08 00 45 00
Dword worth 4 = 00 34 00 47
Preliminary handshake order:
Primarily based on our cross-correlation with samples and different OSINT assets, we imagine with a excessive confidence that this was a Winnti 4.0 pattern that connects with a confirmed Winnti C2 server.
The recognized C2 server was 185.161.211.97 TCP/80.
Timeline of Occasions
When analyzing the timestamps from this investigation, like we did for operation Harvest, we got here to the beneath overview:
Determine 14 Beijing working hours case 2019/2020
Once more, we noticed that the adversary was working Monday to Friday throughout workplace hours within the Beijing time-zone.
Conclusion
Operation Harvest has been a long-term operation whereby an adversary maintained entry for a number of years to exfiltrate information. The exfiltrated information would have both been a part of an mental property theft for financial functions and/or would have supplied insights that will be useful in case of navy interventions. The adversaries made use of strategies fairly often noticed in this sort of assault but in addition used distinctive new backdoors or variants of present malware households. Combining all forensic artifacts and cross-correlation with historic and geopolitical information, we’ve excessive confidence that this operation was executed by an skilled APT actor.
After mapping out all information, TTP’s and so on., we found a really robust overlap with a marketing campaign noticed in 2019/2020. Lots of the (in-depth) technical indicators and strategies match. Additionally placing it into perspective, and over time, it demonstrates the adversary is adapting expertise and evolving the instruments and strategies getting used.
On a separate be aware, we noticed using the Winnti malware. We intentionally point out the time period ‘malware’ as a substitute of group. The Winnti malware is thought for use by a number of actors. Inside each nation-state cyber-offensive exercise, there might be a division/unit chargeable for the creation of the instruments/malware, and so on. We strongly imagine that’s precisely what we observe right here as effectively. PlugX, Winnti and another customized instruments all level to a bunch that had entry to the identical instruments. Whether or not we put identify ‘X’ or ‘Y’ on the adversary, we strongly imagine that we’re coping with a Chinese language actor whose long-term goals are persistence of their victims’ networks and the acquisition of the intelligence wanted to make political/strategic or manufacturing choices.
MITRE ATT&CK Methods
Method ID
Method Title
Context Marketing campaign
T1190
Exploit Public-facing utility
Adversary exploited a web-facing server with utility
T1105
Ingress Device switch
Instruments have been transferred to a compromised web-facing server
T1083
File & Listing Discovery
Adversary browsed a number of places to seek for the information they have been after.
T1570
Lateral Device Switch
Adversary transferred instruments/backdoors to take care of persistence
T1569.002
System Providers: Service Execution
Adversary put in customized backdoor as a service
T1068
The exploitation of Privilege Escalation
Adversary used Rotten/Dangerous Potato to raise consumer rights by abusing API calls within the Working System.
T1574.002
Hijack Execution Move: DLL Facet-Loading
Adversary used PlugX malware that’s well-known for DLL-Facet-Loading utilizing a sound executable, a DLL with the hook in the direction of a payload file.
T1543.003
Create or Modify System Course of: Home windows Service
Adversary launched backdoor and a few instruments as a Home windows Service together with including of registry keys
T1546.003
Occasion-Triggered Execution: WMI Occasion Subscription
WMI was used for working instructions on distant programs
T1053.005
Scheduled process
Adversary ran scheduled duties for persistence of sure malware samples
T1078
Legitimate accounts
Utilizing Mimikatz and dumping of lsass, the adversary gained credentials within the community
T1020
Automated exfiltration
The PlugX malware exfiltrated information in the direction of a C2 and acquired instructions to collect extra details about the sufferer’s compromised host.
T1030
Knowledge switch measurement limits
Adversary restricted the dimensions of rar recordsdata for exfiltration
T1070.004
Indicator elimination on host
The place at first of the marketing campaign the adversary was sloppy, over the last months of exercise they grew to become extra cautious and began to take away proof
T1041
Exfiltration over C2 channel
Adversary used a number of C2 domains to work together with compromised hosts.
T1567
Exfiltration over Net Service
Gathered info was saved as ‘rar’ recordsdata on the internet-facing server, whereafter they have been downloaded by a selected ip vary.
T1071.004
Software layer protocol: DNS
Utilizing DNS tunneling for the C2 site visitors of the PlugX malware
Indicators of Compromise (IOCs)
Observe: the indications shared are for use in a historic and timeline-based context, starting from 2016 to March 2021.
Operation Harvest:
PlugX C2:
sery(.)brushupdata(.)com
Dnssery(.)brushupdata(.)com
Heart(.)asmlbigip(.)com
Instruments:
Mimikatz
PsExec
RottenPotato
BadPotato
Operation 2019/2020
PlugX malware:
f50de0fae860a5fd780d953a8af07450661458646293bfd0fed81a1ff9eb4498
26e448fe1105b5dadae9b7607e3cca366c6ba8eccf5b6efe67b87c312651db01
e9033a5db456af922a82e1d44afc3e8e4a5732efde3e9461c1d8f7629aa55caf
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe
Winnti:
800238bc27ca94279c7562f1f70241ef3a37937c15d051894472e97852ebe9f4
c3c8f6befa32edd09de3018a7be7f0b7144702cb7c626f9d8d8d9a77e201d104
df951bf75770b0f597f0296a644d96fbe9a3a8c556f4d2a2479a7bad39e7ad5f
Winnti C2: 185.161.211.97
Instruments:
PSW64 6e983477f72c8575f8f3ff5731b74e20877b3971fa2d47683aff11cfd71b48c6
NTDSDumpEx 6db8336794a351888636cb26ebefb52aeaa4b7f90dbb3e6440c2a28e4f13ef96
NBTSCAN c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e
NetSess ddeeedc8ab9ab3b90c2e36340d4674fda3b458c0afd7514735b2857f26b14c6d
Smbexec e781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee
Wmiexec 14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8
Mimikatz
RAR command-line
TCPdump
x3Cimg peak=”1″ width=”1″ type=”show:none” src=”https://www.fb.com/tr?id=766537420057144&ev=PageView&noscript=1″ />x3C/noscript>’);
[ad_2]