# Lazarus Group’s Mata Framework Leveraged To Deploy TFlower Ransomware

**sygnia.co/mata-framework**

Over the past few years, North Korea has turned its offensive cyber operations into a major source of income. On February 17, 2021, the US Department of Justice (DoJ) indicted three additional North Korean (DPRK) military Reconnaissance General Bureau (RGB) personnel for participating in cyber-attacks that allegedly included destructive cyber-attacks and the theft and extortion of over USD 1.3bn. The charges filed relate to Lazarus Group’s (also known as Hidden Cobra) long-running cyber apparatus, financial theft and extortion, including multiple extortion schemes, the WannaCry malware and the cyber-attack on Sony Pictures.

A key technical component associated with Lazarus is the MATA malware framework, an advanced cross-platform malware framework reported by Kaspersky on July 22, 2020, and by Netlab on December 19, 2019.

In a recent double extortion ransomware attack investigated by Sygnia, the threat actor leveraged a new and so far undocumented variant of MATA. This MATA variant was used by the threat actor to distribute and execute the TFlower ransomware. Taken together, the Netlab and Kaspersky publications and the recent Sygnia findings indicate a connection or collaboration between the Lazarus Group and TFlower. While the nature of this collaboration is not yet clear and needs further validation, it may reflect the continued effort by North Korea to scale its cyber extortion business as a major source of currency generation, including by collaborating with additional crime entities, creating such entities, “outsourcing” capabilities, or selling offensive tools to other groups.
This report details the connection between the North Korean MATA framework and TFlower, the anatomy of the MATA backdoor, and wider threat research that revealed over 200 MATA malware framework C2 certificates used since May 2019 across over 150 IP addresses. The report also includes recommendations on detecting and defending against MATA framework attacks.

## THE KEY FINDINGS IN THIS REPORT ARE:

**1. TFlower leverages or has ties to the MATA malware framework**

The MATA backdoor was leveraged to deploy the TFlower ransomware. The threat group consistently referred to themselves as the “TFlower group”.

**2. The MATA malware framework is active and widespread**

Since at least May 2019, MATA operators have continuously utilized new servers, with over 150 IPs linked to the framework’s C2. The analysis indicates that the group has possibly deployed over 150 command and control servers over time, with the latest one identified on February 4, 2021.

**3. The threat actor is highly capable and implements systematic detection evasion techniques**

Throughout the attack, the threat actor leveraged multiple tools, including the MATA backdoor, to systematically clear forensic evidence and attempted to evade detection by identifying and tampering with security products.

## ANATOMY OF THE MATA BACKDOOR AND INFRASTRUCTURE

**The Backdoor**

The MATA backdoor consists of three file components: .EXE, .DLL and .DAT files, deployed in the “C:\Windows\System32” directory. All file names and hashes are unique per infected host, indicating automatically generated polymorphic malware. The components are as follows:

**1. Initial loader (EXE) — The malware is initially loaded by a .EXE file, which upon execution injects the .DLL loader component into an ‘svchost.exe’ process and modifies the LSA Security Package registry key to achieve persistence.**
**2. Loader (DLL) — The loader decrypts and executes the payload component stored in the .DAT file. It is loaded by ‘lsass.exe’ upon reboot to achieve persistence.**

**3. Payload (DAT) — The payload is an encrypted binary .DAT file which implements the backdoor functionality.**

Once deployed, the backdoor provides the threat actor with remote code execution capability on infected machines via C2 servers. Additional functionality includes screen capture and network traffic tunneling.

## EXECUTION FLOW

The backdoor is deployed by executing the initial loader with the .DLL and .DAT file paths as arguments, injecting the .DLL file into ‘svchost.exe’ and loading the .DAT payload.

The initial loader’s file name consists of five alphabetic characters, randomly generated on each of the machines (‘[A-Za-z]{5}\.exe’). Upon execution, the initial loader modifies the following registry value in order to achieve persistence: “HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages”. The modified value is part of the Windows ‘Security Support Provider’ (SSP) interface, which is used to extend the Windows authentication mechanism. After a .DLL stored in System32 is added to the ‘Security Packages’ value, ‘lsass.exe’ will automatically load the .DLL component on system startup or the next time the AddSecurityPackage Windows API function is called.

The file name of the .DLL consists of six alphabetic characters, the middle two being “nm”, matching the following pattern: ‘[A-Za-z]{2}nm[A-Za-z]{2}\.dll’. As with the .EXE component, the name is unique on each of the infected machines. The .DLL itself implements limited functionality; its main purpose is decrypting, loading and executing the final payload stored in the .DAT file.

The final payload stored in the .DAT file is a fully functional backdoor, establishing a command and control channel to the threat actor’s servers.
As with the other components, its name was unique on each of the infected machines and followed a specific pattern: ‘srms-[A-Za-z]{3}[0-9]{4,5}\.dat’.

**Execution Flow: From initial execution to persistence mechanism.**

## COMMAND AND CONTROL INFRASTRUCTURE

Each of the samples identified by the Sygnia Incident Response team attempted to communicate with three command and control servers over SSL on port 443. The C2 servers were found in an encrypted binary configuration blob hardcoded into the .DAT payload. Each of the servers hosted a unique certificate, self-signed by the threat actor. Although the certificates on each of the servers were unique, they all shared similar technical features:

1. Randomly generated, long Common Name.
2. Three capital letters followed by ‘Co. Ltd’ in the Organization (O) and Organization Unit (OU) fields of both issuer and subject.
3. Certificate serial number – 1000.
4. The “Validity: Not Before” timestamps of certificates tied to the same sample are in close time proximity to one another. The “Validity: Not Before” timestamp represents the start of the certificate validity period.

**Certificate Details: Example of malicious MATA C2 certificate.**

The certificate “Validity: Not Before” timestamp is especially interesting, because the samples were first deployed in the network just several hours after the “Validity: Not Before” timestamp of their corresponding certificates. This could indicate that C2 servers are dynamically deployed for a specific operation, and the certificates are issued accordingly.

To further validate the ties between the MATA framework and the suspicious certificates, we attempted to tie other confirmed command and control servers to similar certificates. Out of 20 IPs found across 8 samples in online repositories, 18 were confirmed to have historically hosted certificates with similar patterns.
**MATA Samples: Relations between MATA samples and the identified certificates.**

Using the unique certificate patterns, Sygnia identified over 200 certificates and over 130 IP addresses affiliated with the MATA framework, starting as early as 2019.

Further analysis identified that as of June 2020 the threat actor slightly modified the self-signed certificate pattern. Specifically, the following was changed:

1. The Organization (O) and Organization Unit (OU) fields of both issuer and subject were changed to five random uppercase alphabetical characters instead of three.
2. Legitimate Common Name values such as google.com, qq.com and reddit.com were used instead of the random strings previously used.

At the time of publication, the latest certificates found were issued on February 4, 2021. The large number of certificates and C2 servers deployed over such a prolonged period of time suggests a well-resourced group with robust operational capabilities, likely attacking multiple targets simultaneously.

## RELATION TO THE MATA MALWARE FRAMEWORK AND ATTRIBUTION

The backdoor and its infrastructure share significant attributes with the MATA malware framework:

- Over 95% of the functions in the .DLL loader component identified by Sygnia match functions in the MATA malware framework loader identified by Kaspersky, indicating they are closely related.
- The .DAT payload component identified by Sygnia writes its encrypted configuration to a registry key with a naming pattern of “HKLM\Software\Microsoft\[A-Za-z]{3}Net”. The orchestrator instances identified by Kaspersky save their configuration in a registry key with the same naming convention. The unencrypted configuration contains similar data to that mentioned in the Kaspersky report.
- The same SSL certificate pattern described above was also identified in SSL certificates served by 21 out of 31 MATA framework C2 IP addresses found within MATA framework malware samples reported by Netlab and Kaspersky.
- Certificates for IPs embedded in samples identified by Netlab and Kaspersky were issued within a short timeframe. This indicates the C2 servers for each of the samples were deployed together. The same behavior was observed in the samples identified by Sygnia.

Several other vendors, including Kaspersky and Netlab, linked the MATA framework to the Lazarus group, a threat actor affiliated with the North Korean government.

The MATA certificates’ “Validity: Not Before” timestamps are potentially indicative of the threat actor's work week, Monday to Saturday, as no certificates were issued on Sunday. Furthermore, no certificates were issued between 16:00 and 22:00 UTC, correlating with nighttime in the UTC+9 or UTC+8 time zones. The vast majority of certificates were issued during working hours in the above-mentioned time zones, suggesting the threat actor is most likely operating from East Asia.

**A histogram of certificates’ “Validity: Not Before” timestamps: showing the total number of certificates issued by hour of the day in the UTC+9 time zone.**

## TFLOWER TIES TO THE MATA MALWARE FRAMEWORK

The TFlower ransomware campaign was covered by several technology news websites between September and November of 2019. However, since then very little information has been made public about the ransomware group or its operations.

In a recent TFlower ransomware case investigated by Sygnia, the threat actors had already removed all instances of the ransomware executable and it could not be recovered for reverse engineering. Nevertheless, forensic analysis identified several technical indications linking the encryption to the TFlower group with high certainty.

Analysis of the encrypted machines identified that the ransomware executable was deployed and executed using the MATA backdoor. Specifically, the path to the ransomware executable was found within the MATA backdoor memory space on encrypted machines.
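The certificate checks described in the two sections above (organization and serial pattern, random versus legitimate Common Name, clustered “Validity: Not Before” timestamps, and the issue-hour profile in UTC+9), as an added Python example that is not part of Sygnia's report. It assumes the certificate fields have already been extracted; the sample certificates are constructed values, and the random-CN regex is a heuristic of mine, not a pattern from the report.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Attributes the report associates with MATA C2 certificates: O and OU are three (until
# June 2020) or five uppercase letters followed by "Co. Ltd", the serial is 1000, early
# certificates carry a random Common Name, and the certificates of one sample's three
# C2 servers are issued within minutes of each other.
ORG_RE = re.compile(r"^([A-Z]{3}|[A-Z]{5}) Co ?\. ?Ltd$")
# Heuristic of mine for the random CNs (lowercase label of 7-16 letters, common TLD).
RANDOM_CN_RE = re.compile(r"^[a-z]{7,16}\.(?:com|net|org|io|xyz)$")
MATA_SERIAL = 1000


@dataclass(frozen=True)
class CertInfo:
    """Fields already extracted from an X.509 certificate (parsing is out of scope here)."""
    ip: str
    common_name: str
    organization: str
    org_unit: str
    serial: int
    not_before: datetime  # timezone-aware UTC


def classify(cert):
    """'mata-3' or 'mata-5' (three- or five-letter organization) when O, OU and serial
    all match the pattern; None otherwise."""
    o, ou = ORG_RE.match(cert.organization), ORG_RE.match(cert.org_unit)
    if cert.serial != MATA_SERIAL or not (o and ou):
        return None
    return "mata-3" if len(o.group(1)) == 3 else "mata-5"


def cn_looks_random(cert):
    return bool(RANDOM_CN_RE.match(cert.common_name))


def cluster_by_issue_time(certs, window=timedelta(hours=1)):
    """Group certificates whose 'Not Before' timestamps lie within `window` of the
    previous one; each cluster is a candidate C2 set deployed for one sample."""
    clusters, current = [], []
    for cert in sorted(certs, key=lambda c: c.not_before):
        if current and cert.not_before - current[-1].not_before > window:
            clusters.append(current)
            current = []
        current.append(cert)
    if current:
        clusters.append(current)
    return clusters


def issue_profile(certs, utc_offset_hours=9):
    """Counters of issue hour and weekday in a local time zone (the report uses UTC+9)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hours, days = Counter(), Counter()
    for cert in certs:
        local = cert.not_before.astimezone(tz)
        hours[local.hour] += 1
        days[local.strftime("%A")] += 1
    return hours, days


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample certificates (values made up for this example, not from the report).
SAMPLE_CERTS = [
    CertInfo("192.0.2.10", "qkxwvtrlm.io", "ABC Co. Ltd", "ABC Co. Ltd", 1000, _ts("2019-05-08T14:47:45Z")),
    CertInfo("192.0.2.11", "zrmvhgtksdeo.xyz", "XYZ Co. Ltd", "XYZ Co. Ltd", 1000, _ts("2019-05-08T15:02:01Z")),
    CertInfo("192.0.2.12", "plokmjnbqv.net", "KLM Co. Ltd", "KLM Co. Ltd", 1000, _ts("2019-05-08T15:04:25Z")),
    CertInfo("198.51.100.5", "reddit.com", "QWERT Co. Ltd", "QWERT Co. Ltd", 1000, _ts("2020-07-30T01:57:33Z")),
    CertInfo("198.51.100.6", "www.example.org", "Example Org", "Web", 4711, _ts("2020-07-30T02:00:00Z")),
]


def scan(certs=SAMPLE_CERTS):
    """(common name, variant, random-looking CN) for every certificate matching the pattern."""
    return [(c.common_name, classify(c), cn_looks_random(c)) for c in certs if classify(c)]


if __name__ == "__main__":
    print(scan())
    print([[c.common_name for c in group] for group in cluster_by_issue_time(SAMPLE_CERTS)])
    print(issue_profile(SAMPLE_CERTS))
```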
This raises the possibility that the Lazarus Group, which is largely affiliated with the North Korean government, is either the group behind TFlower or has some level of collaboration with it. Alternatively, and although there are significant similarities to the TFlower ransomware, it is still possible that the threat actor was only masquerading as the TFlower group.

The ransomware encrypted files throughout the filesystem, without appending any special file extension. The “*TFlower” string was prepended to the encrypted files. The ransom note left on the affected machines was named “!_Notice_!.txt”. The ransom note itself is identical to ransom notes identified in previous TFlower attacks.

## DEFENDING AGAINST MATA FRAMEWORK ATTACKS

The research into MATA framework operations was done primarily in the service of preventing future attacks. Our understanding of the threat actors behind these malicious operations reveals a large, dynamic operation which can be difficult to contain or detect. The following are specific tactical recommendations which complement more general security measures that can protect against these types of attacks:

- Configure Protected Process Light (PPL) protection to prevent LSA plugins that are not digitally signed from being loaded into the lsass.exe process.
- Proactively hunt for MATA malware framework IOCs and TTPs within the network, based on the MITRE ATT&CK breakdown and IOCs provided below, with emphasis on the following:
  - SSL traffic containing a self-signed certificate with the attributes described in the report.
  - Outbound network communications towards the internet originating from the lsass.exe process.
- Monitor for disabling of security products and log source tampering.
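An added hunting example (not Sygnia's code) that applies the host-side indicators from this report, the loader file-name patterns, the ‘Security Packages’ and ‘[A-Za-z]{3}Net’ registry writes, and lsass.exe connecting out to the internet, to constructed Sysmon-style JSON events. The field names follow Sysmon conventions, but the log lines are made up for the example, and the list of internal address ranges is an assumption.

```python
import ipaddress
import json
import re

# File-name and registry patterns from the report's IOC section (case-insensitive on paths).
EXE_RE = re.compile(r"^C:\\Windows\\System32\\[A-Za-z]{5}\.exe$", re.I)
DLL_RE = re.compile(r"C:\\Windows\\System32\\[A-Za-z]{2}nm[A-Za-z]{2}\.dll", re.I)
DAT_RE = re.compile(r"C:\\Windows\\System32\\srms-[A-Za-z]{3}\d+\.dat", re.I)
SSP_NAME_RE = re.compile(r"^[A-Za-z]{2}nm[A-Za-z]{2}$")
SSP_KEY = r"hklm\system\currentcontrolset\control\lsa\security packages"
CONFIG_KEY_RE = re.compile(r"^HKLM\\Software\\Microsoft\\[A-Za-z]{3}Net(?:\\\(Default\))?$", re.I)

# Assumption: these ranges are "internal"; anything else counts as internet-bound.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable destination: do not alert on it
    return any(addr in net for net in INTERNAL_NETS)


def loader_execution(ev):
    """EventID 1: a five-letter System32 .exe started with the loader DLL and DAT payload as
    arguments. Requiring both arguments removes most false positives of the .exe name alone."""
    if ev.get("EventID") != 1:
        return None
    image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
    if EXE_RE.match(image) and DLL_RE.search(cmd) and DAT_RE.search(cmd):
        return f"MATA loader execution: {cmd}"
    return None


def ssp_persistence(ev):
    """EventID 13: a ..nm.. package name written to the LSA 'Security Packages' value."""
    if ev.get("EventID") != 13 or ev.get("TargetObject", "").lower() != SSP_KEY:
        return None
    packages = [p.strip() for p in ev.get("Details", "").split(",") if p.strip()]
    hits = [p for p in packages if SSP_NAME_RE.match(p)]
    return f"MATA-style SSP added to Security Packages: {hits}" if hits else None


def mata_config_write(ev):
    """EventID 13: encrypted configuration written under HKLM\\Software\\Microsoft\\[A-Za-z]{3}Net."""
    if ev.get("EventID") == 13 and CONFIG_KEY_RE.match(ev.get("TargetObject", "")):
        return f"MATA configuration key written: {ev['TargetObject']}"
    return None


def lsass_outbound(ev):
    """EventID 3: lsass.exe initiating a connection to a non-internal address."""
    if ev.get("EventID") != 3 or not ev.get("Image", "").lower().endswith("\\lsass.exe"):
        return None
    if str(ev.get("Initiated", "")).lower() != "true" or is_internal(ev.get("DestinationIp", "")):
        return None
    return f"lsass.exe outbound connection to {ev['DestinationIp']}:{ev.get('DestinationPort')}"


RULES = (loader_execution, ssp_persistence, mata_config_write, lsass_outbound)


def hunt(lines):
    """Run every rule over JSON-encoded events; return (EventID, rule name, message) per hit."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append((ev.get("EventID"), rule.__name__, msg))
    return alerts


# Constructed Sysmon-style events (made up for this example, not from the report).
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\Qwxzt.exe", "CommandLine": "C:\\Windows\\System32\\Qwxzt.exe C:\\Windows\\System32\\Abnmcd.dll C:\\Windows\\System32\\srms-xyz12345.dat"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\temp\\a.txt"}
{"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages", "Details": "kerberos, msv1_0, schannel, Abnmcd"}
{"EventID": 13, "TargetObject": "HKLM\\Software\\Microsoft\\AbcNet\\(Default)", "Details": "Binary Data"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\lsass.exe", "Initiated": "true", "DestinationIp": "203.0.113.7", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Windows\\System32\\lsass.exe", "Initiated": "true", "DestinationIp": "10.0.0.5", "DestinationPort": 445}
"""

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG.splitlines()):
        print(alert)
```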
## INDICATORS OF COMPROMISE

### REGISTRY VALUES (REGULAR EXPRESSIONS)

- Registry Key: “HKLM\\Software\\Microsoft\\[A-Za-z]{3}Net”
  Registry Value Name: (default)
  Registry Value Type: “REG_BINARY”
  Registry Value Data: encrypted binary data
- Registry Key: “HKLM\\System\\CurrentControlSet\\control\\LSA”
  Registry Value Name: “Security Packages”
  Registry Value Type: “REG_MULTI_SZ”
  Registry Value Data: “[A-Za-z]{2}nm[A-Za-z]{2}”

### FILE NAMES (REGULAR EXPRESSIONS)

- .EXE file component – “C:\\Windows\\System32\\[A-Za-z]{5}\.exe” (highly susceptible to false positives)
- .DLL file component – “C:\\Windows\\System32\\[A-Za-z]{2}nm[A-Za-z]{2}\.dll”
- .DAT file component – “C:\\Windows\\System32\\srms\-[A-Za-z]{3}\d+\.dat”

### FILES REFERENCED IN THE REPORT (MD5)

The original report lists eight MD5 hashes here.

## C2 SERVER CERTIFICATES

The original report provides a table of 158 C2 server certificates with the columns IP Address, Common Name, “Validity: Not Before” Timestamp, Organization, Org. Unit, Serial and SHA1.
## MITRE ATT&CK BREAKDOWN

1. Persistence
   - T1053.005 - Scheduled Task/Job: Scheduled Task
   - T1547.005 - Boot or Logon Autostart Execution: Security Support Provider
2. Defense Evasion
   - T1036.005 - Masquerading: Match Legitimate Name or Location
   - T1055.001 - Process Injection: Dynamic-link Library Injection
   - T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
   - T1070.003 - Indicator Removal on Host: Clear Command History
   - T1070.004 - Indicator Removal on Host: File Deletion
   - T1112 - Modify Registry
   - T1562 - Impair Defenses
3. Credential Access
   - T1552.001 - Unsecured Credentials: Credentials in Files
4. Lateral Movement
   - T1021.001 - Remote Services: Remote Desktop Protocol
   - T1021.002 - Remote Services: SMB/Windows Admin Shares
   - T1021.004 - Remote Services: SSH
5. Collection
   - T1113 - Screen Capture
6. Command and Control
   - T1008 - Fallback Channels
   - T1572 - Protocol Tunneling
   - T1573.001 - Encrypted Channel: Symmetric Cryptography
7. Impact
   - T1486 - Data Encrypted for Impact

_Contributors: Amitai Ben Shushan, Noam Lifshitz, Amnon Kushnir, Martin Korman and Boaz Wasserman._