{
	"id": "8e6a50b7-7262-4999-bbaa-3591ba3807ec",
	"created_at": "2026-04-06T01:29:21.573204Z",
	"updated_at": "2026-04-10T13:11:50.581368Z",
	"deleted_at": null,
	"sha1_hash": "2b4e8c200897e9c96f4d563a486931351a9905b3",
	"title": "GitHub - br-data/2019-winnti-analyse: Scripts and rulesets for analysing the Winnti malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58905,
	"plain_text": "GitHub - br-data/2019-winnti-analyse: Scripts and rulesets for\r\nanalysing the Winnti malware\r\nBy hakantan\r\nArchived: 2026-04-06 00:32:23 UTC\r\nWinnti analysis\r\nFor a number of years now, a group of professional hackers has been busy spying on businesses all over the world:\r\nWinnti. It is believed to be a digital mercenary group controlled by China. For the first time, in a joint\r\ninvestigation, German public broadcasters BR and NDR are shedding light on how the hackers operate and how\r\nwidespread they are.\r\nRead the full article on hackers for hire, conducting industrial espionage, here:\r\nBR24: Attacking the Heart of the German Industry.\r\nBackground\r\nThe search for affected company networks is mostly built around so-called campaign identifiers. In some\r\ninstances, Winnti operators wrote the names of their targets directly into the malware, obfuscated with a rolling\r\nXOR cipher. In a first step, we tried to verify the information we were provided with, using a (not very good)\r\nPython script. We then used YARA rules to hunt for Winnti samples. The YARA rules we used are included in this\r\nrepo; hopefully they prove useful to other researchers.\r\nAnother way of finding networks with Winnti infections is this Nmap script by the Thyssenkrupp CERT.\r\nAnalysis\r\nAn excellent script for extracting the configuration details from a Winnti sample was written by Moritz Contag.\r\nHe thankfully allowed us to share it. Here is how to use it:\r\nRequirements\r\nThe script requires lief in version 0.9 to be installed and thus is currently tied to Python 2.7. The dependency\r\ncan be installed by running pip on the command line:\r\npip2 install -r requirements.txt\r\nUsage\r\nhttps://github.com/br-data/2019-winnti-analyse/\r\nPage 1 of 3\r\nTo extract the configuration of multiple Winnti samples, simply pass the directory to the script. The script will also\r\nrecurse into subdirectories and blindly try to parse each file it encounters.\r\nThe script does not try to identify Winnti samples and might produce incoherent output if the sample looks too\r\ndifferent. Currently, it tries to parse configuration information stored in the executable's overlay as well as inline\r\nconfigurations indicated by a special marker. Further, it also tries to repair broken or \"encrypted\" files before\r\nprocessing them.\r\nIt is recommended to name the samples after their hash (e.g. SHA-256) for better identification.\r\nTo scan a directory called samples, simply invoke the script as follows:\r\n$ python2 parse.py ./samples\r\n----------------------------------------------------------------------------------------------------\r\n./9c3415507b38694d65262e28f73c3fade5038e455b83d41060f024403c26c9ee: Parsed configuration (overlay).\r\n- Size: 0x50E\r\n- Type: exe\r\n- Configuration:\r\n+0x000: \"\"\r\n+0x304: \"1\"\r\n+0x324: \"shinetsu\"\r\n+0x356: 4B A0 D6 05\r\n+0x3C2: \"HpInsightEx.dll\"\r\n+0x3E2: \"kb25489.dat\"\r\n+0x402: \"HPSupportService\"\r\n+0x442: \"HP Insight Extension Support\"\r\n+0x50A: A9 A1 A5 A6\r\n----------------------------------------------------------------------------------------------------\r\n./585fa6bbc8bc9dbd8821a0855432c911cf828e834ec86e27546b46652afbfa5e: Parsed configuration (overlay).\r\n- Size: 0x048\r\n- Type: dll exe\r\n- Exports: #3\r\n GetFilterVersion\r\n HttpFilterProc\r\n TerminateFilter\r\n- Configuration:\r\n+0x000: \"DEHENSV533-IIS\"\r\n+0x020: \"de.henkelgroup.net\"\r\n+0x044: 99 DE DF E0\r\nAcknowledgments\r\nMoritz Contag for writing the great script and allowing us to share it\r\nSilas Cutler who helped us a great deal to corroborate our findings\r\nContact\r\nBR Data is a data-driven investigative unit at the German public broadcaster Bayerischer Rundfunk. We are a\r\nteam of journalists, developers and data scientists. We specialize in data- and document-driven research and\r\ninteractive storytelling.\r\nPlease send us your questions and feedback:\r\nTwitter: @br_data\r\nE-Mail: data@br.de\r\nSource: https://github.com/br-data/2019-winnti-analyse/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/br-data/2019-winnti-analyse/"
	],
	"report_names": [
		"2019-winnti-analyse"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775438961,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b4e8c200897e9c96f4d563a486931351a9905b3.pdf",
		"text": "https://archive.orkl.eu/2b4e8c200897e9c96f4d563a486931351a9905b3.txt",
		"img": "https://archive.orkl.eu/2b4e8c200897e9c96f4d563a486931351a9905b3.jpg"
	}
}