{
	"id": "be10260a-e821-4f79-804a-652733e1c87e",
	"created_at": "2026-04-06T00:08:32.357451Z",
	"updated_at": "2026-04-10T03:28:26.773755Z",
	"deleted_at": null,
	"sha1_hash": "9cea4a9950d1a6e9ea441baab474ab4cbef549cf",
	"title": "MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 104381,
	"plain_text": "MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR |\r\nCISA\r\nPublished: 2020-08-31 · Archived: 2026-04-05 17:23:03 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security\r\nAgency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S.\r\nGovernment partners, CISA, FBI, and DoD identified a malware variant used by Chinese government cyber actors, which is\r\nknown as TAIDOOR. For more information on Chinese malicious cyber activity, please visit https[:]//www[.]us-cert.gov/china.\r\nFBI has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to\r\nmaintain a presence on victim networks and to further network exploitation. CISA, FBI, and DoD are distributing this MAR\r\nto enable network defense and reduce exposure to Chinese government malicious cyber activity.\r\nThis MAR includes suggested response actions and recommended mitigation techniques. 
Users or administrators should flag\r\nactivity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA)\r\nor the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.\r\nMalicious binaries identified as a x86 and x64 version of Taidoor were submitted for analysis. Taidoor is installed on a\r\ntarget’s system as a service dynamic link library (DLL) and is comprised of two files. The first file is a loader, which is\r\nstarted as a service. The loader decrypts the second file, and executes it in memory, which is the main Remote Access Trojan\r\n(RAT).\r\nFor a downloadable copy of IOCs, see MAR-10292089-1.v2.stix.\r\nSubmitted Files (4)\r\n0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686 (svchost.dll)\r\n363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90 (svchost.dll)\r\n4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4 (ml.dll)\r\n6e6d3a831c03b09d9e4a54859329fbfd428083f8f5bc5f27abbfdd9c47ec0e57 (rasautoex.dll)\r\nDomains (2)\r\ncnaweb.mrslove.com\r\ninfonew.dubya.net\r\nIPs (1)\r\n210.68.69.82\r\nFindings\r\n4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a\r\nPage 1 of 20\n\nTags\r\nbackdoorloadertrojan\r\nDetails\r\nName ml.dll\r\nSize 43520 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 6aa08fed32263c052006d977a124ed7b\r\nSHA1 9a6795333e3352b56a8fd506e463ef634b7636d2\r\nSHA256 4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4\r\nSHA512 179e9d9ccbc268cc94a7f6d31f29cf0f7a163db829a4557865f3c1f98614f94ceb7b90273d33eb49ef569cfc9013b76c7de32d7511639a7ab\r\nssdeep 768:uGRVnBnwS5kBKsl4anxKFhx3W3kGmifmUED7Bn5f6dBywFmZb:fDeSnbx3okvxVwFI\r\nEntropy 5.864467\r\nAntivirus\r\nAhnlab Trojan/Win32.Agent\r\nAvira TR/Agent.aavma\r\nBitDefender Trojan.GenericKD.34284857\r\nClamAV Win.Packer.Taidoor-9209869-0\r\nComodo 
Malware\r\nCyren W32/Trojan.DRSK-8300\r\nESET a variant of Win32/Agent.ACFH trojan\r\nEmsisoft Trojan.GenericKD.34284857 (B)\r\nIkarus Trojan.Win32.Agent\r\nK7 Trojan ( 0056be3e1 )\r\nLavasoft Trojan.GenericKD.34284857\r\nMcAfee RDN/Generic trojan.ks\r\nMicrosoft Security Essentials Trojan:Win32/Taidoor.DA!MTB\r\nNANOAV Trojan.Win32.Dllhijacker.hqfyaa\r\nQuick Heal Trojan.Taidoor.S15351536\r\nSophos Mal/Taidoor-A\r\nSymantec Trojan Horse\r\nSystweak trojan-backdoor.taidoor\r\nTrendMicro Trojan.2826E77D\r\nTrendMicro House Call Trojan.2826E77D\r\nVirusBlokAda Trojan.Dllhijacker\r\nZillya! Trojan.Agent.Win32.1363180\r\nYARA Rules\r\nNo matches found.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a\r\nPage 2 of 20\n\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-01-03 07:16:12-05:00\r\nImport Hash dbb469cb14550e6085a14b4b2d41ede9\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n62ab3bae7859f6f6dc68366d283ad53e header 1024 2.511204\r\n63550f7c47453c2809834382e228637d .text 23040 6.442964\r\na30bb3ac9b6694a8980c39c0267c9a83 .rdata 11264 4.926331\r\nad5814673b8579de78be5b6b929d2405 .data 3072 2.629944\r\n619ecca9c8d1073a0b90f5fffac42ec8 .rsrc 512 5.105029\r\n0f292021853e7ca76c4196bcbe9afdaf .reloc 4608 3.712197\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ DLL *sign by CodeRipper\r\nRelationships\r\n4a0688baf9... Used 363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90\r\nDescription\r\nThis file is a 32-bit Windows DLL file. The file “ml.dll” is a Taidoor loader. The file utilizes the export function called\r\n“MyStart” to decrypt and load “svchost.dll” (8CF683B7D181591B91E145985F32664C), which was identified as Taidoor\r\nmalware. Taidoor is a traditional RAT.\r\nThe “MyStart” function looks for the file name “svchost.dll” in its running directory. If that file is located, the DLL will read\r\n“svchost.dll” into memory. 
After the file is read into memory, the DLL uses a RC4 encryption algorithm to decrypt the\r\ncontents of the file. The RC4 key used for decryption is, “ar1z7d6556sAyAXtUQc2”.\r\nAfter the loader has finished decrypting “svchost.dll”, the loader now has a decrypted version of Taidoor, which is a DLL.\r\nThe loader then uses the API calls GetProcessHeap, GetProcAddress, and LoadLibrary to load the following DLLs,\r\nKERNEL32.dll, ADVAPI32.dll, and WS2_32.dll, which Taidoor will utilize.\r\nNext, the loader looks for the export “Start” in the Taidoor DLL and executes that function.\r\n363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90\r\nTags\r\nremote-access-trojantrojan\r\nDetails\r\nName svchost.dll\r\nSize 158208 bytes\r\nType data\r\nMD5 8cf683b7d181591b91e145985f32664c\r\nSHA1 f0a20aaf4d2598be043469b69075c00236b7a89a\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a\r\nPage 3 of 20\n\nSHA256 363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90\r\nSHA512 b75401d591caee812c5c1a669ce03c47f78f1c40a2fa31cf58a0318ffbfc032b82cb1b6d2a599ce1b3547be5a404f55212156640b095f895a\r\nssdeep 3072:fRxYk0d5+6/kdGyfitoxNsUZE2XZ+4Duz6fCKmjjwF5PaT:JqkoiGiZxE4qRKqgIT\r\nEntropy 7.998691\r\nAntivirus\r\nAhnlab Data/BIN.EncPe\r\nAntiy Trojan/Win32.Taidoor\r\nAvira TR/Taidoor.BD\r\nBitDefender Trojan.Agent.EUMT\r\nClamAV Win.Packed.Taidoor-9209834-1\r\nCyren W32/Taidoor.A.enc!Camelot\r\nEmsisoft Trojan.Agent.EUMT (B)\r\nIkarus Trojan.Win32.Taidoor\r\nLavasoft Trojan.Agent.EUMT\r\nMcAfee Trojan-Taidoor\r\nMicrosoft Security Essentials Trojan:Win32/Taidoor.DC!MTB\r\nSophos Troj/Taidoor-A\r\nSymantec Trojan Horse\r\nTrendMicro Backdoo.7F53B305\r\nTrendMicro House Call Backdoo.7F53B305\r\nZillya! 
Trojan.Taidoor.Win32.6\r\nYARA Rules\r\nrule CISA_10292089_01 : rat loader TAIDOOR\r\n{\r\n   meta:\r\n       Author = \"CISA Code \u0026 Media Analysis\"\r\n       Incident = \"10292089\"\r\n       Date = \"2020-06-18\"\r\n       Last_Modified = \"20200616_1530\"\r\n       Actor = \"n/a\"\r\n       Category = \"Trojan Loader Rat\"\r\n       Family = \"TAIDOOR\"\r\n       Description = \"Detects Taidoor Rat Loader samples\"\r\n       MD5_1 = \"8cf683b7d181591b91e145985f32664c\"\r\n       SHA256_1 = \"363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90\"\r\n       MD5_2 = \"6627918d989bd7d15ef0724362b67edd\"\r\n       SHA256_2 = \"0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686\"\r\n   strings:\r\n       $s0 = { 8A 46 01 88 86 00 01 00 00 8A 46 03 88 86 01 01 00 00 8A 46 05 88 86 02 01 00 00 8A 46 07 88 86 03 01 00 00 }\r\n       $s1 = { 88 04 30 40 3D 00 01 00 00 7C F5 }\r\n       $s2 = { 0F BE 04 31 0F BE 4C 31 01 2B C3 2B CB C1 E0 04 0B C1 }\r\n       $s3 = { 8A 43 01 48 8B 6C 24 60 88 83 00 01 00 00 8A 43 03 }\r\n       $s4 = { 88 83 01 01 00 00 8A 43 05 88 83 02 01 00 00 8A 43 07 88 83 03 01 00 00 }\r\n       $s5 = { 41 0F BE 14 7C 83 C2 80 41 0F BE 44 7C 01 83 C0 80 C1 E2 04 0B D0 }\r\n       $s6 = { 5A 05 B2 CB E7 45 9D C2 1D 60 F0 4C 04 01 43 85 3B F9 8B 7E }\r\n   condition:\r\n       ($s0 and $s1 and $s2) or ($s3 and $s4 and $s5) or ($s6)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n363ea096a3... Used_By 4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4\r\n363ea096a3... Connected_To cnaweb.mrslove.com\r\n363ea096a3... Connected_To 210.68.69.82\r\nDescription\r\nThis encrypted file has been identified as the Taidoor RAT loaded by “ml.dll”\r\n(6AA08FED32263C052006D977A124ED7B). After the loader has finished decrypting this file, the loader has a decrypted\r\nversion of Taidoor, which is a DLL. 
The loader then uses the API calls GetProcessHeap, GetProcAddress, and LoadLibrary\r\nto load the following DLLs, KERNEL32.dll, ADVAPI32.dll, and WS2_32.dll, which this file will utilize.\r\nNext, the loader “ml.dll” (6AA08FED32263C052006D977A124ED7B) looks for the export “Start” in the Taidoor DLL and\r\nexecutes that function. Taidoor’s “Start” function kicks off by decrypting a multitude of import strings that it will use to\r\ndynamically import functions from the DLLs that have been loaded. A complex stream cipher is used to decrypt the\r\nencrypted strings utilized by this malware. The 85 strings include APIs and strings used by other structures, such as a\r\nstructure capable of allowing the malware to load external plugin payloads. The malware utilizes the following 7-byte key to\r\ngenerate a 256-byte initial stream cipher value: “19 34 F4 D2 E9 B3 0F”.\r\nNext, the algorithm pads the 256-byte initial cipher value out to 260 bytes utilizing 4 bytes already contained within the 256-byte\r\nblock (Figure 2). The algorithm works through the encrypted string blocks 2 bytes at a time. It compresses each pair of\r\nbytes into 1 byte before the decryption step by subtracting 0x80 from both the first and the second byte. The result of\r\nthe subtraction on the first byte is then shifted left by four. Both values are then combined with a bitwise OR,\r\nresulting in a single byte that is decrypted by the cipher.\r\nUsing a simple Exclusive OR (XOR) operation, the 260-byte block is shuffled and modified to produce the byte that is used\r\nto decrypt the newly compressed byte. The byte being decrypted is then placed back into the 260-byte cipher block buffer.\r\nThis effectively produces a recurrent block shifting effect where the 260-byte cipher block value changes as a result of the\r\nsequence of bytes it receives. 
This is an effective method of thwarting heuristic or brute force attacks.\r\nTaidoor also uses the AES algorithm to decrypt a \"1616 byte\" configuration file. This configuration file contains the\r\ncommand and control (C2) servers and possibly another encryption key used later. The AES key used, in hex, is “2B 7E 15\r\n16 28 AE D2 A6 AB F7 15 88 09 CF 4F 3C”, IV: “00”.\r\n--Begin C2--\r\ncnaweb.mrslove.com\r\n210.68.69.82\r\n--End C2--\r\nAfter completing this decryption function, Taidoor iterates through the System Event Log, looking specifically for event IDs\r\n6005 (event service started) and 6006 (event service stopped). After completing its decryption functions, Taidoor tries to\r\nconnect to its C2 server. Once Taidoor and the C2 server finish the TCP handshake, Taidoor waits for at least one byte of\r\ndata to be sent from the C2 server. This byte or bytes are not checked by Taidoor; anything can be sent.\r\nAfter Taidoor has confirmed it has received at least one byte of data from the server, Taidoor sends a custom formatted\r\npacket over port 443. Note: this packet does not follow the TLS protocol and is easily identifiable. The initial packet sent from\r\nTaidoor to the C2 server in this case always starts with “F::” followed by the encryption key that Taidoor and the C2 server\r\nwill use to encrypt all following communications.\r\nAfter sending the encryption key to the C2 server, Taidoor expects the server to respond with “200 OK\\r\\n\\r\\n”. 
Note: this\r\nresponse is sent over port 443 but is not encrypted; it is sent in clear text.\r\nAfter Taidoor has successfully connected to its C2, it creates a Windows INI configuration file and copies cmd.exe into the\r\nsystem temp folder.\r\n--Begin Windows INI file created--\r\nC:\\ProgramData\\Microsoft\\~svc_.TMp\r\n--End Windows INI file created--\r\n--Begin contents of INI file--\r\n[Micros]\r\nsource=c:\\temp\\cmd.exe\r\n--End contents of INI file--\r\nNote: Taidoor does not have a function built in that enables it to persist past a system reboot. It appears from the memory\r\ndump of the infected system that it was installed as a service DLL by some other means.\r\nThe malware author never removed the symbol file for the “ml.dll” build. This artifact provides additional information about\r\nwhat the malware author intended this binary to do, “DllHijackPlushInject”.\r\n--Begin symbol file artifact--\r\nc:\\Users\\user\\Desktop\\DllHijackPlushInject\\version\\Release\\MemoryLoad.pdb\r\n--End symbol file artifact--\r\nThe following IDA script can be used to decrypt all the encrypted strings and demonstrate how a sequence of bytes is\r\nencrypted utilizing the initial 260-byte cipher block generated from the key value “19 34 F4 D2 E9 B3 0F”:\r\n--Begin IDA script--\r\nimport os\r\nimport sys\r\nimport idaapi\r\nimport idc\r\nfrom idc import * # legacy IDAPython names used below (GetMnem, GetOpnd, SetColor, MakeComm, CIC_ITEM)\r\nfrom idautils import XrefsTo\r\ncwd = os.getcwd()\r\ncwd = '/Users/terminator/PycharmProjects/rc4_test//'\r\ncipherblock = []\r\npb_fname = cwd + \"//\" + 'pristine_block.bin'\r\nes_fname = cwd + \"//\" + 'encrypted_strings.bin'\r\nsecure_strings_func = 0x10003cb7\r\nencrypted_strings_block = 0x1001c434\r\nenc_string_size = 2875\r\nglobal_decrypted_stringz = []\r\nread_bitez = '' # stays empty if the pristine cipher block file cannot be read\r\ntry:\r\n    fh = open(pb_fname, 'rb')\r\n    read_bitez = fh.read()\r\n    fh.close()\r\nexcept Exception as e:\r\n    print(\"Couldnt read filename. Reading from code (Attempt)\")\r\nfor idx in read_bitez: # convert them to ords to do the math!\r\n    idx = ord(idx)\r\n    cipherblock.append(idx)\r\nprint(\"Cipher Block len: \" + str(len(cipherblock)))\r\ndef decrypt(encrypted_string, cipherblock): # **CALL THIS FUNC to decrypt stuff!\r\n    string_len = len(encrypted_string)\r\n    string_len = string_len // 2 # two encoded bytes per decrypted byte\r\n    throttle = 0\r\n    da_string = \"\"\r\n    while True:\r\n        cipherblock, decoded_byte = decrypt_it(cipherblock, encrypted_string, throttle)\r\n        try:\r\n            charr = chr(decoded_byte)\r\n            if throttle:\r\n                da_string += charr\r\n        except Exception as e:\r\n            pass\r\n        throttle += 1 # INCREMENT before doing the compare\r\n        if throttle == string_len:\r\n            global_decrypted_stringz.append(da_string)\r\n            return da_string\r\ndef decrypt_it(cipherblock, encoded_data, throttle):\r\n    ebx = 128 # *0x80\r\n    ecx = throttle\r\n    ecx = ecx + ecx\r\n    eax = encoded_data[ecx]\r\n    ecx = encoded_data[ecx + 1]\r\n    eax = eax - ebx\r\n    ecx = ecx - ebx\r\n    eax = eax \u003c\u003c 4\r\n    eax = eax | ecx\r\n    cipherblock, decoded_byte = outter_shuffle_func(cipherblock, eax)\r\n    return cipherblock, decoded_byte\r\ndef outter_shuffle_func(cipherblock, encoded_bite):\r\n    # before inner func\r\n    cipherblock = inner_shuffle_func(cipherblock)\r\n    # after inner func\r\n    eax = cipherblock[258]\r\n    ecx = cipherblock[eax]\r\n    eax = cipherblock[260]\r\n    eax = cipherblock[eax]\r\n    edx = cipherblock[257]\r\n    edi = cipherblock[256]\r\n    edx = cipherblock[edx]\r\n    edi = cipherblock[edi]\r\n    ecx = eax + ecx\r\n    eax = cipherblock[259]\r\n    eax = cipherblock[eax]\r\n    ecx = eax + ecx\r\n    eax = 255\r\n    ecx = ecx \u0026 eax\r\n    ecx = cipherblock[ecx]\r\n    cl = cipherblock[ecx]\r\n    edx = edx + edi\r\n    edx = edx \u0026 eax\r\n    cl = cipherblock[edx] ^ cl # **actual manipulation here\r\n    al = encoded_bite\r\n    cl = cl ^ al\r\n    cipherblock[260] = al\r\n    cipherblock[259] = cl\r\n    al = cl\r\n    decoded_byte = al\r\n    return cipherblock, decoded_byte\r\ndef wrap_around_strip(da_byte): # keep only the low byte, like an 8-bit register\r\n    da_byte_str = str(hex(da_byte))\r\n    da_byte_str = da_byte_str.split(\"x\")\r\n    da_byte_str = da_byte_str[1]\r\n    str_length = len(da_byte_str)\r\n    if str_length \u003e 2:\r\n        got_em = \"0x\"\r\n        got_em += da_byte_str[str_length - 2]\r\n        got_em += da_byte_str[str_length - 1]\r\n        got_em = int(got_em, 16)\r\n        return got_em\r\n    return da_byte\r\ndef add_bites(a, b):\r\n    for_return = a + b\r\n    for_return = wrap_around_strip(for_return)\r\n    return for_return\r\ndef inner_shuffle_func(cipherblock_orig): # *SHUFFLE The cipher block here!\r\n    cipherblock = []\r\n    for idx in cipherblock_orig: # lets make a copy!\r\n        cipherblock.append(idx)\r\n    al = cipherblock[256]\r\n    esi = cipherblock[260]\r\n    dl = cipherblock[esi]\r\n    al = al \u0026 0xffffff\r\n    edi = al\r\n    bl = cipherblock[edi]\r\n    da_byte = cipherblock[257]\r\n    da_byte = add_bites(da_byte, bl)\r\n    cipherblock[257] = da_byte\r\n    al = add_bites(al, 1) # al is an 8-bit register, so the increment wraps at 0xff\r\n    cipherblock[256] = al\r\n    eax = cipherblock[257]\r\n    al = cipherblock[eax]\r\n    cipherblock[esi] = al\r\n    esi = cipherblock[259]\r\n    bl = cipherblock[esi]\r\n    edi = cipherblock[257]\r\n    cipherblock[edi] = bl\r\n    esi = cipherblock[256]\r\n    eax = cipherblock[259]\r\n    bl = cipherblock[esi]\r\n    cipherblock[eax] = bl\r\n    eax = cipherblock[256]\r\n    cipherblock[eax] = dl\r\n    eax = dl\r\n    al = cipherblock[eax]\r\n    temp_byte = cipherblock[258]\r\n    temp_byte = add_bites(temp_byte, al)\r\n    cipherblock[258] = temp_byte\r\n    return cipherblock\r\ndef decode_from_addr(target_addr, label_loc, pointer_addr, label_them):\r\n    init_bitez = []\r\n    ord_bitez = []\r\n    while True: # read the NUL-terminated encrypted string from the IDB\r\n        temp_bite = idaapi.get_byte(target_addr)\r\n        if not temp_bite:\r\n            break\r\n        init_bitez.append(temp_bite)\r\n        target_addr += 1\r\n    for idx in init_bitez:\r\n        ord_bitez.append(idx)\r\n    cipher_block_copy = []\r\n    for idx in cipherblock: # every string starts from the pristine block\r\n        cipher_block_copy.append(idx)\r\n    dec_string = decrypt(ord_bitez, cipher_block_copy)\r\n    if label_them:\r\n        SetColor(label_loc, CIC_ITEM, 0xc7c7ff)\r\n        MakeComm(label_loc, dec_string)\r\n        SetColor(pointer_addr, CIC_ITEM, 0xc7c7ff)\r\n        MakeComm(pointer_addr, dec_string)\r\n    print(dec_string)\r\ndef find_initial_loc(target_addr):\r\n    addr = target_addr\r\n    give_up = 5\r\n    attempts = 0\r\n    while True: # walk back from the call to find the pushed string pointer\r\n        addr = idc.PrevHead(addr)\r\n        if GetMnem(addr) == \"push\" and \"off_\" in GetOpnd(addr, 0):\r\n            string_addr = GetOperandValue(addr, 0)\r\n            print(\"Found String Loc: \" + str(hex(string_addr)))\r\n            pointer_addr = idaapi.get_dword(string_addr)\r\n            print(hex(pointer_addr))\r\n            decode_from_addr(pointer_addr, addr, string_addr, 1)\r\n            return string_addr\r\n        attempts += 1\r\n        if attempts == give_up:\r\n            return 0\r\nenc_stringz_data = []\r\ntry:\r\n    fh = open(es_fname)\r\n    da_data = fh.read()\r\n    fh.close()\r\n    for idx in da_data:\r\n        x = ord(idx)\r\n        enc_stringz_data.append(x)\r\nexcept Exception as e:\r\n    print(\"Couldnt read encrypted strings file. Reading from Malware!\")\r\n    addr_throttle = encrypted_strings_block\r\n    while len(enc_stringz_data) \u003c enc_string_size:\r\n        x = idaapi.get_byte(addr_throttle)\r\n        enc_stringz_data.append(x)\r\n        addr_throttle += 1 # advance to the next byte of the encrypted block\r\nencrypted_stringz = [] # *list of lists\r\ntemp_string = []\r\nfor idx in enc_stringz_data: # split the block on NUL bytes\r\n    if idx:\r\n        temp_string.append(idx)\r\n    if not idx:\r\n        if len(temp_string):\r\n            encrypted_stringz.append(temp_string)\r\n            temp_string = []\r\ndecrypted_stringz = []\r\ndebug_it = False\r\nif debug_it:\r\n    for enc_string in encrypted_stringz:\r\n        cipher_block_copy = []\r\n        for idx in cipherblock:\r\n            cipher_block_copy.append(idx)\r\n        dec_string = decrypt(enc_string, cipher_block_copy)\r\n        decrypted_stringz.append(dec_string)\r\n    print(\"----------------------\")\r\n    for idx in decrypted_stringz:\r\n        print(idx)\r\n    print(\"Complete\")\r\naddresses_to = []\r\nfor addr in XrefsTo(secure_strings_func):\r\n    print(\"---------\")\r\n    print(hex(addr.frm))\r\n    find_initial_loc(addr.frm)\r\n    print(\"---------\")\r\n    print(\"\\n\")\r\n    addresses_to.append(addr.frm)\r\nprint(\"IDA IDB Labeled. Decrypted Strings Below:\")\r\nprint(\"-----------------------------\")\r\nfor idx in global_decrypted_stringz:\r\n    print(idx)\r\n--End IDA script--\r\nStrings decrypted by the IDA script are displayed below:\r\n--Begin decrypted strings--\r\nkernel32.dll\r\nInitializeCriticalSection\r\nGetLocalTime\r\nLeaveCriticalSection\r\nGetModuleFileNameA\r\nSleep\r\nExpandEnvironmentStringsA\r\nGetSystemTime\r\nSystemTimeToFileTime\r\nGetTickCount\r\nCreatePipe\r\nDuplicateHandle\r\nGetCurrentProcess\r\nDisconnectNamedPipe\r\nTerminateProcess\r\nPeekNamedPipe\r\nReadFile\r\nCreateFileA\r\nSetFileTime\r\nOpenProcess\r\nGetFileTime\r\nWaitForSingleObject\r\nWriteFile\r\nDeleteFileA\r\nGetCurrentProcessId\r\nGetAdaptersInfo\r\nadvapi32.dll\r\nRegOpenKeyExA\r\nRegQueryValueExA\r\nRegCloseKey\r\nOpenEventLogA\r\nReadEventLogA\r\nCloseEventLog\r\nRegDeleteValueA\r\nRegCreateKeyExA\r\nRegNotifyChangeKeyValue\r\nCan't open update file.\r\nFile too small.\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\r\nRValue\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\r\nRValue\r\n%temp%\\~lpz.zp\r\nCan't find plug file\r\nCan't find plug file\r\nCan't load more plug\r\nLoad Dll Plug Failed\r\n%s\\uaq*.dll\r\n\\services.exe\r\nCreate File Failed\r\nCreate File Failed\r\nrundll32.exe\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\r\nRValue\r\nRValue\r\n%SystemRoot%\\system32\\cmd.exe\r\nsource\r\nMicros\r\nCmdPage\r\nInfoPage\r\ncmd.exe\r\nsource\r\nMicros\r\navp.exe\r\nshell process Terminated\r\nReadShellThread closed\r\nCreate result file failed\r\nCreate result file failed\r\nCreateProcess Error: %d\r\nCreateProcess Error: 
%d\r\nCreateProcess succ\r\nOpen file Failed\r\nFile Size is 0\r\nOpen file Failed\r\nCreate File Failed\r\nCreate File Failed\r\nno shell\r\n\\services.exe\r\n200\r\nF::\r\n200 OK\r\n--End decrypted strings--\r\nScreenshots\r\nFigure 1 - Screenshot of the following strings that are used as imports.\r\nFigure 2 - Screenshot of the complex stream cipher padding the initial cipher value.\r\nFigure 3 - Screenshot of the complex stream cipher compressing 2 bytes into 1 byte.\r\ncnaweb.mrslove.com\r\nTags\r\ncommand-and-control\r\nPorts\r\n443 TCP\r\nWhois\r\nQueried whois.publicdomainregistry.com with \"mrslove.com\"...\r\nDomain Name: MRSLOVE.COM\r\nRegistry Domain ID: 70192241_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.publicdomainregistry.com\r\nRegistrar URL: www.publicdomainregistry.com\r\nUpdated Date: 2020-02-26T08:01:27Z\r\nCreation Date: 2001-05-02T02:10:12Z\r\nRegistrar Registration Expiration Date: 2021-05-02T02:10:12Z\r\nRegistrar: PDR Ltd. d/b/a PublicDomainRegistry.com\r\nRegistrar IANA ID: 303\r\nDomain Status: OK https://icann.org/epp#OK\r\nRegistry Registrant ID: Not Available From Registry\r\nRegistrant Name: changeip operations\r\nRegistrant Organization: changeip.com\r\nRegistrant Street: 1200 brickell ave\r\nRegistrant City: miami\r\nRegistrant State/Province: florida\r\nRegistrant Postal Code: 33131\r\nRegistrant Country: US\r\nRegistrant Phone: +1.800791337\r\nRegistrant Phone Ext:\r\nRegistrant Fax:\r\nRegistrant Fax Ext:\r\nRegistrant Email: noc@changeip.com\r\nRegistry Admin ID: Not Available From Registry\r\nAdmin Name: changeip operations\r\nAdmin Organization: changeip.com\r\nAdmin Street: 1200 brickell ave\r\nAdmin City: miami\r\nAdmin State/Province: florida\r\nAdmin Postal Code: 33131\r\nAdmin Country: US\r\nAdmin Phone: +1.800791337\r\nAdmin Phone Ext:\r\nAdmin Fax:\r\nAdmin Fax Ext:\r\nAdmin Email: noc@changeip.com\r\nRegistry Tech ID: Not Available From 
Registry\r\nTech Name: changeip operations\r\nTech Organization: changeip.com\r\nTech Street: 1200 brickell ave\r\nTech City: miami\r\nTech State/Province: florida\r\nTech Postal Code: 33131\r\nTech Country: US\r\nTech Phone: +1.800791337\r\nTech Phone Ext:\r\nTech Fax:\r\nTech Fax Ext:\r\nTech Email: noc@changeip.com\r\nName Server: ns1.changeip.com\r\nName Server: ns2.changeip.com\r\nName Server: ns3.changeip.com\r\nName Server: ns4.changeip.com\r\nName Server: ns5.changeip.com\r\nDNSSEC: Unsigned\r\nRegistrar Abuse Contact Email: abuse-contact@publicdomainregistry.com\r\nRegistrar Abuse Contact Phone: +1.2013775952\r\nURL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/\r\nRelationships\r\ncnaweb.mrslove.com Connected_From 363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90\r\nDescription\r\nsvchost.dll (8cf683b7d181591b91e145985f32664c) attempts to connect to the following domain.\r\n210.68.69.82\r\nTags\r\ncommand-and-control\r\nPorts\r\n443 TCP\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a\r\nPage 12 of 20\n\nWhois\r\nQueried whois.apnic.net with \"210.68.69.82\"...\r\n% Information related to '210.68.0.0 - 210.68.255.255'\r\n% Abuse contact for '210.68.0.0 - 210.68.255.255' is 'hostmaster@twnic.net.tw'\r\ninetnum:        210.68.0.0 - 210.68.255.255\r\nnetname:        SEEDNET\r\ndescr:         Digital United Inc.\r\ndescr:         9F, No. 
125, Song Jiang Road\r\ndescr:         Taipei, Taiwan\r\ncountry:        TW\r\nadmin-c:        JC256-AP\r\ntech-c:         JC256-AP\r\nmnt-by:         MAINT-TW-TWNIC\r\nmnt-irt:        IRT-TWNIC-AP\r\nstatus:         ALLOCATED PORTABLE\r\nlast-modified: 2018-12-12T06:04:02Z\r\nsource:         APNIC\r\nirt:            IRT-TWNIC-AP\r\naddress:        Taipei, Taiwan, 100\r\ne-mail:         hostmaster@twnic.net.tw\r\nabuse-mailbox: hostmaster@twnic.net.tw\r\nadmin-c:        TWA2-AP\r\ntech-c:         TWA2-AP\r\nauth:         # Filtered\r\nremarks:        Please note that TWNIC is not an ISP and is not empowered\r\nremarks:        to investigate complaints of network abuse.\r\nmnt-by:         MAINT-TW-TWNIC\r\nlast-modified: 2015-10-08T07:58:24Z\r\nsource:         APNIC\r\nperson:         Jonas Chou\r\nnic-hdl:        JC256-AP\r\ne-mail:         Jonaschou@fareastone.com.tw\r\naddress:        2F, No.218, Rueiguang Road\r\naddress:        Taipei, 114, R.O.C\r\nphone:         +886-2-7700-8888\r\nfax-no:         +886-2-7700-8888\r\ncountry:        TW\r\nmnt-by:         MAINT-TW-TWNIC\r\nlast-modified: 2012-12-18T10:10:01Z\r\nsource:         APNIC\r\n% Information related to '210.68.69.80 - 210.68.69.87'\r\ninetnum:        210.68.69.80 - 210.68.69.87\r\nnetname:        42888423-TW\r\ndescr:         Taipei Taiwan\r\ncountry:        TW\r\nadmin-c:        NN3251-TW\r\ntech-c:         NN3251-TW\r\nmnt-by:         MAINT-TW-TWNIC\r\nremarks:        This information has been partially mirrored by APNIC from\r\nremarks:        TWNIC. 
To obtain more specific information, please use the\r\nremarks:        TWNIC whois server at whois.twnic.net.\r\nchanged:        DavidLin1@fareastone.com.tw 20180330\r\nstatus:         ASSIGNED NON-PORTABLE\r\nsource:         TWNIC\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a\r\nPage 13 of 20\n\nperson:         NULL\r\naddress:        N/A Taiwan\r\ncountry:        TW\r\ne-mail:         joy25488@gmail.com\r\nnic-hdl:        NN3251-TW\r\nchanged:        hostmaster@twnic.net.tw 20180331\r\nsource:         TWNIC\r\n% This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-US4)\r\nRelationships\r\n210.68.69.82 Connected_From 363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90\r\nDescription\r\nsvchost.dll (8cf683b7d181591b91e145985f32664c) attempts to connect to the following IP address.\r\n6e6d3a831c03b09d9e4a54859329fbfd428083f8f5bc5f27abbfdd9c47ec0e57\r\nTags\r\nloadertrojan\r\nDetails\r\nName rasautoex.dll\r\nSize 50176 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 4ec8e16d426a4aaa57c454c58f447c1e\r\nSHA1 5c89629e5873072a9ca3956b67cf7b5080312c80\r\nSHA256 6e6d3a831c03b09d9e4a54859329fbfd428083f8f5bc5f27abbfdd9c47ec0e57\r\nSHA512 284e0dff33f4ffb6d55f2fdb1de81d5644fb2671aa358dfb72b34a50632f708b7b071202202efec0b48bc0f622c6947f8ccf0818ebaff7277ed\r\nssdeep 768:DN5oCkAI3effi5djegTXLzAl78S3ge0eYUi3EaQkDdXptOKeosAmMotwEX1:DN5oCk1eyTXn+qXUi3pptJMwE\r\nEntropy 5.681253\r\nAntivirus\r\nAhnlab Trojan/Win64.Loader\r\nAvira TR/Agent.ojanf\r\nBitDefender Trojan.GenericKD.34284956\r\nClamAV Win.Packer.Taidoor-9209869-0\r\nComodo Malware\r\nCyren W64/Kryptik.AVM\r\nESET a variant of Win64/Agent.ACK trojan\r\nEmsisoft Trojan.GenericKD.34284956 (B)\r\nIkarus Trojan.Win64.Agent\r\nK7 Trojan ( 0056be3d1 )\r\nLavasoft Trojan.GenericKD.34284956\r\nMcAfee RDN/Generic trojan.ks\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a\r\nPage 14 of 20\n\nMicrosoft Security Essentials 
Trojan:Win32/Taidoor.DA!MTB\r\nNANOAV Trojan.Win64.Mlw.hqmqtg\r\nQuick Heal Trojan.Taidoor.S15351536\r\nSophos Mal/Taidoor-A\r\nSymantec Trojan Horse\r\nTACHYON Trojan/W64.Dllhijacker.50176\r\nTrendMicro Trojan.161033AF\r\nTrendMicro House Call Trojan.161033AF\r\nVirusBlokAda Trojan.Win64.Dllhijacker\r\nZillya! Trojan.Agent.Win64.5841\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-01-04 02:11:55-05:00\r\nImport Hash 956b48719c7be61f48572c8fa464e00c\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\na9b389fc8171131551c6570d2395de57 header 1024 2.619293\r\n8dabe7bfc2ee6b9819f554b2694c98eb .text 26624 6.217867\r\n8e63e6b885c3d270ccfb7607b9662601 .rdata 14848 4.618383\r\nd44f2a519c2649244a8c87581872b483 .data 4096 2.280898\r\n0aa4114597794059e1d4a2c246c7d7a5 .pdata 2048 4.331432\r\n7197f896bddfd6e434b1d5703bf0c5a2 .rsrc 512 5.097979\r\n54bb45b94c64d3717b1be8194fb4a6a7 .reloc 1024 3.689756\r\nDescription\r\nThis file is a 64-bit Windows DLL file. 
The file \"rasautoex.dll\" is a Taidoor loader and will decrypt and execute the 64-bit\r\nversion of Taidoor “svchost.dll\" (6627918d989bd7d15ef0724362b67edd) in memory.\r\n0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686\r\nTags\r\nremote-access-trojantrojan\r\nDetails\r\nName svchost.dll\r\nSize 183808 bytes\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a\r\nPage 15 of 20\n\nType data\r\nMD5 6627918d989bd7d15ef0724362b67edd\r\nSHA1 21e29034538bb4e3bc922149ef4312b90b6b4ea3\r\nSHA256 0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686\r\nSHA512 83ee751b15d8fd8477b8ecf8d33a4faf30b75aceb90c0e58ebf9dbbfc1d354f7e772f126b8462fd5897a4015a6f5e324d34900ff7319e8cc79\r\nssdeep 3072:7PR4kaQOrd41zdruwiAyr/Ta1XxKH3zVrWvcfWslmOLdXFKY8SIMjUPpF5:3aQLgwiAyr/TiXxMsvcrxbnjUPP5\r\nEntropy 7.999011\r\nAntivirus\r\nAhnlab Data/BIN.EncPe\r\nAntiy Trojan/Win32.Taidoor\r\nAvira TR/Taidoor.AO\r\nBitDefender Trojan.Agent.EUMT\r\nClamAV Win.Malware.Agent-9376986-0\r\nCyren W32/Taidoor.A.enc!Camelot\r\nEmsisoft Trojan.Agent.EUMT (B)\r\nIkarus Trojan.Win32.Taidoor\r\nLavasoft Trojan.Agent.EUMT\r\nMcAfee Trojan-Taidoor\r\nMicrosoft Security Essentials Trojan:Win32/Taidoor.DB!MTB\r\nSophos Troj/Taidoor-A\r\nSymantec Trojan Horse\r\nTrendMicro Backdoo.4FA5823A\r\nTrendMicro House Call Backdoo.4FA5823A\r\nYARA Rules\r\nrule CISA_10292089_01 : rat loader TAIDOOR\r\n{\r\n   meta:\r\n       Author = \"CISA Code \u0026 Media Analysis\"\r\n       Incident = \"10292089\"\r\n       Date = \"2020-06-18\"    \r\n       Last_Modified = \"20200616_1530\"\r\n       Actor = \"n/a\"\r\n       Category = \"Trojan Loader Rat\"\r\n       Family = \"TAIDOOR\"\r\n       Description = \"Detects Taidoor Rat Loader samples\"\r\n       MD5_1 = \"8cf683b7d181591b91e145985f32664c\"\r\n       SHA256_1 = \"363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90\"\r\n       MD5_2 = \"6627918d989bd7d15ef0724362b67edd\"\r\n       SHA256_2 = 
\"0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686\"\r\n   strings:\r\n       $s0 = { 8A 46 01 88 86 00 01 00 00 8A 46 03 88 86 01 01 00 00 8A 46 05 88 86 02 01 00 00 8A 46 07 88 86 03 01 00 00 }\r\n       $s1 = { 88 04 30 40 3D 00 01 00 00 7C F5 }\r\n       $s2 = { 0F BE 04 31 0F BE 4C 31 01 2B C3 2B CB C1 E0 04 0B C1 }\r\n       $s3 = { 8A 43 01 48 8B 6C 24 60 88 83 00 01 00 00 8A 43 03 }\r\n       $s4 = { 88 83 01 01 00 00 8A 43 05 88 83 02 01 00 00 8A 43 07 88 83 03 01 00 00 }\r\n       $s5 = { 41 0F BE 14 7C 83 C2 80 41 0F BE 44 7C 01 83 C0 80 C1 E2 04 0B D0 }\r\n       $s6 = { 5A 05 B2 CB E7 45 9D C2 1D 60 F0 4C 04 01 43 85 3B F9 8B 7E }\r\n   condition:\r\n       ($s0 and $s1 and $s2) or ($s3 and $s4 and $s5) or ($s6)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n0d0ccfe7cd... Connected_To infonew.dubya.net\r\nDescription\r\nThis encrypted file has been identified as the Taidoor RAT loaded by \"rasautoex.dll\"\r\n(4ec8e16d426a4aaa57c454c58f447c1e). This file contains the same functionality and encryption keys as the 32-bit version\r\n\"svchost.dll\" (8CF683B7D181591B91E145985F32664C).\r\nThis file calls out to a different C2. This C2 was also observed in memory of the infected system provided for analysis.\r\n--Begin C2--\r\ninfonew.dubya.net\r\n--End C2--\r\nThe malware author never removed the symbol file for \"rasautoex.dll\" as with the 32-bit version. 
However, this artifact\r\nprovides some additional information about what the malware author intended this binary to do: \"MemLoad(pass symantec)\".\r\n--Begin symbol file artifact--\r\nC:\\Users\\user\\Desktop\\MemLoad(pass symantec)\\version\\x64\\Release\\MemoryLoad.pdb\r\n--End symbol file artifact--\r\ninfonew.dubya.net\r\nTags\r\ncommand-and-control\r\nWhois\r\nQueried whois.publicdomainregistry.com with \"dubya.net\"...\r\nDomain Name: DUBYA.NET\r\nRegistry Domain ID: 1861808123_DOMAIN_NET-VRSN\r\nRegistrar WHOIS Server: whois.publicdomainregistry.com\r\nRegistrar URL: www.publicdomainregistry.com\r\nUpdated Date: 2020-04-02T07:01:52Z\r\nCreation Date: 2014-06-06T17:44:43Z\r\nRegistrar Registration Expiration Date: 2021-06-06T17:44:43Z\r\nRegistrar: PDR Ltd. d/b/a PublicDomainRegistry.com\r\nRegistrar IANA ID: 303\r\nDomain Status: OK https://icann.org/epp#OK\r\nRegistry Registrant ID: Not Available From Registry\r\nRegistrant Name: changeip operations\r\nRegistrant Organization: changeip.com\r\nRegistrant Street: 1200 brickell ave\r\nRegistrant City: miami\r\nRegistrant State/Province: florida\r\nRegistrant Postal Code: 33131\r\nRegistrant Country: US\r\nRegistrant Phone: +1.800791337\r\nRegistrant Phone Ext:\r\nRegistrant Fax:\r\nRegistrant Fax Ext:\r\nRegistrant Email: noc@changeip.com\r\nRegistry Admin ID: Not Available From Registry\r\nAdmin Name: changeip operations\r\nAdmin Organization: changeip.com\r\nAdmin Street: 1200 brickell ave\r\nAdmin City: miami\r\nAdmin State/Province: florida\r\nAdmin Postal Code: 33131\r\nAdmin Country: US\r\nAdmin Phone: +1.800791337\r\nAdmin Phone Ext:\r\nAdmin Fax:\r\nAdmin Fax Ext:\r\nAdmin Email: noc@changeip.com\r\nRegistry Tech ID: Not Available From Registry\r\nTech Name: changeip operations\r\nTech Organization: changeip.com\r\nTech Street: 1200 brickell ave\r\nTech City: miami\r\nTech State/Province: florida\r\nTech Postal Code: 33131\r\nTech 
Country: US\r\nTech Phone: +1.800791337\r\nTech Phone Ext:\r\nTech Fax:\r\nTech Fax Ext:\r\nTech Email: noc@changeip.com\r\nName Server: ns1.changeip.com\r\nName Server: ns2.changeip.com\r\nName Server: ns3.changeip.com\r\nName Server: ns4.changeip.com\r\nName Server: ns5.changeip.com\r\nDNSSEC: Unsigned\r\nRegistrar Abuse Contact Email: abuse-contact@publicdomainregistry.com\r\nRegistrar Abuse Contact Phone: +1.2013775952\r\nURL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/\r\nRelationships\r\ninfonew.dubya.net Connected_From 0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686\r\nDescription\r\nsvchost.dll (6627918d989bd7d15ef0724362b67edd) attempts to connect to the following domain.\r\nRelationship Summary\r\n4a0688baf9... Used 363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90\r\n363ea096a3... Used_By 4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4\r\n363ea096a3... Connected_To cnaweb.mrslove.com\r\n363ea096a3... Connected_To 210.68.69.82\r\ncnaweb.mrslove.com Connected_From 363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90\r\n210.68.69.82 Connected_From 363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90\r\n0d0ccfe7cd... 
Connected_To infonew.dubya.net\r\ninfonew.dubya.net Connected_From 0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686\r\nMitigation\r\nalert tcp 210.68.69.82 any \u003c\u003e $HOME_NET any (msg:\"Malicious traffic\"; sid:#########; rev:1; classtype:tcp-event;)\r\nalert tcp 156.238.3.162 any \u003c\u003e $HOME_NET any (msg:\"Malicious traffic\"; sid:#########; rev:1; classtype:tcp-event;)\r\nalert udp any any 53 \u003c\u003e $HOME_NET any (msg:\"Attempt to connect to malicious domain\"; content:\"|03|www|07|infonew|05|dubya|03|net|00|\"; sid:#########; rev:1;)\r\nalert udp any any 53 \u003c\u003e $HOME_NET any (msg:\"Attempt to connect to malicious domain\"; content:\"|03|www|06|cnaweb|07|mrslove|03|com|00|\"; sid:#########; rev:1;)\r\nNote: At the time of analysis, one of the domains resolved to the IP address 156.238.3.162.\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? 
This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-844-Say-CISA or CISA Central.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nRevisions\r\nAugust 3, 2020: Initial Version\r\nAugust 3, 2020: Corrected Snort rules\r\nAugust 31, 2020: Updated\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a"
	],
	"report_names": [
		"ar20-216a"
	],
	"threat_actors": [
		{
			"id": "71b19e59-b5f7-4bc6-816d-194be0f02af0",
			"created_at": "2022-10-25T16:07:24.301036Z",
			"updated_at": "2026-04-10T02:00:04.928222Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Budminer",
				"Earth Aughisky",
				"G0015"
			],
			"source_name": "ETDA:Taidoor",
			"tools": [
				"Dripion",
				"Masson",
				"Taidoor",
				"simbot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50bd4a6c-7542-4bdd-8b37-ab468fc428ef",
			"created_at": "2023-01-06T13:46:38.998658Z",
			"updated_at": "2026-04-10T02:00:03.176186Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"G0015",
				"Earth Aughisky"
			],
			"source_name": "MISPGALAXY:Taidoor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "478e9b27-39b9-49e4-a3c5-81569a767275",
			"created_at": "2022-10-25T15:50:23.417339Z",
			"updated_at": "2026-04-10T02:00:05.41593Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Taidoor"
			],
			"source_name": "MITRE:Taidoor",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434112,
	"ts_updated_at": 1775791706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9cea4a9950d1a6e9ea441baab474ab4cbef549cf.pdf",
		"text": "https://archive.orkl.eu/9cea4a9950d1a6e9ea441baab474ab4cbef549cf.txt",
		"img": "https://archive.orkl.eu/9cea4a9950d1a6e9ea441baab474ab4cbef549cf.jpg"
	}
}