{
	"id": "84c8bfc3-bba9-40eb-bd86-f7834bd19870",
	"created_at": "2026-04-06T00:09:07.915526Z",
	"updated_at": "2026-04-10T13:12:54.672962Z",
	"deleted_at": null,
	"sha1_hash": "ece7e007e71df2343d9fe0546daa543a4a75cf8d",
	"title": "Possible ShadowHammer Targeting (Low Confidence) – One Night in Norfolk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1039312,
	"plain_text": "Possible ShadowHammer Targeting (Low Confidence) – One Night\r\nin Norfolk\r\nPublished: 2019-04-03 · Archived: 2026-04-05 18:11:25 UTC\r\nUpdate: The conclusions drawn below are likely incorrect (or, at the least, presented incorrectly). The post will\r\nremain up to preserve the data collected and in case additional OSINT information becomes available.\r\n——–\r\nLast week, this blog examined the first stage of an infection chain deployed through a supply chain attack. The\r\nmalware involved in this phase of the infection chain performed an MD5 hash of infected devices’ MAC\r\naddresses and compared them to MD5s in a hardcoded database. If a match was found, the malware called out to a\r\nhardcoded C2. Since then, multiple researchers have cracked these hashes and generated the underlying plaintext\r\nMACs.\r\nThe objectives of this supply chain attack remain unknown; however, this blog has identified one (low-confidence) possibility by comparing the plaintext MAC addresses with the Wigle database, a publicly available\r\nnetwork data repository: The MAC addresses involved may be associated with industrial processes, logistics, and\r\ntechnology.\r\nThe supporting data for this assessment is below, and this blog emphasizes that these are\r\nlow-confidence\r\nfindings based on a limited dataset; should more specific targeting and victimology become available, this post\r\nwill be revised (with the original content remaining intact for retrospective analysis).\r\nTechnical Findings\r\nThis assessment is derived from the following process:\r\n– A comparison was run for the first five (out of six) octets of the identified MAC addresses. A manufacturer will\r\noften ship devices with sequential MAC addresses to companies ordering in bulk; thus, a MAC address “near” a\r\nspecified value may belong to the same entity as the device with that value.\r\n– One MAC targeted by this adversary has an exact match in the Wigle database. This is unusual, given that the\r\ntargeted devices should, theoretically, be Windows machines. This address (00:11:6B:67:3A:C4) was located near\r\nan industrial center in Hong Kong, and three other addresses with the same “:C*” range were also identified in\r\nindustrial areas in Hong Kong, suggesting a consistent deployment pattern for this hardware.\r\n– A second MAC address “near” a targeted value was found near a logistics company and a shipping company in\r\nthe Philippines. A third was found “near” a technical institute in the United States.\r\nhttps://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/\r\nPage 1 of 9\n\n– While both the HK and Philippines MACs require a second MAC address to form a “target pair,” they both\r\nshare a commonality in that they require an AzureWave MAC as the pairing address.\r\n– Of these findings, the Hong Kong MAC address pattern is the most compelling, given the distribution of MAC\r\naddresses in a very close manufacturing proximity across multiple different industrial sites. The Philippines and\r\nU.S. data are sequentially weaker.\r\nOn the other hand, the data in general may be a result of statistical bias due to factors (such as stronger industrial\r\nWiFi networks being more likely to be collected during drive-by scanning). In addition, multiple “matching”\r\nranges identified with this methodology do not appear to conform to this hypothesis- perhaps because they are\r\npersonal/home networks and randomly appear in the dataset.\r\nImages for data supporting this hypothesis are below, and all results identified from the “Five Octet” methodology\r\nare included at the end of this post. As this blog does not use image plugins, right click and open any image in a\r\nnew tab to enlarge it.\r\nExact HK Industrial match and one “near match” in a second industrial area\r\nTwo “near matches” in industrial areas of Hong Kong\r\nhttps://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/\r\nPage 2 of 9\n\nPhilippines “close match” near shipping and logistics companies\r\nPotential “matching range” near Arkansas Tech University\r\nRaw Data from Wigle API\r\n“{‘success’: True, ‘totalResults’: 28, ‘search_after’: 118257320, ‘first’: 1, ‘last’: 28, ‘resultCount’: 28, ‘results’:\r\n[{‘trilat’: 22.50274086, ‘trilong’: 114.12863922, ‘ssid’: ‘CKSY’, ‘qos’: 0, ‘transid’: ‘20170809-00000’,\r\n‘firsttime’: ‘2017-08-08T09:00:00.000Z’, ‘lasttime’: ‘2017-08-09T19:00:00.000Z’, ‘lastupdt’: ‘2017-08-\r\n09T19:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:A6′, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘2’,\r\nhttps://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/\r\nPage 3 of 9\n\n‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 11, ‘encryption’: ‘wpa2’,\r\n‘country’: ‘CN’, ‘region’: ‘HK’, ‘housenumber’: ’32’, ‘road’: ‘????????? Lung Sum Avenue’, ‘city’: ”,\r\n‘postalcode’: ‘DD91 3876’}, {‘trilat’: 22.31105614, ‘trilong’: 114.22225952, ‘ssid’: ‘TC’, ‘qos’: 3, ‘transid’:\r\n‘20170319-00000’, ‘firsttime’: ‘2017-03-19T18:00:00.000Z’, ‘lasttime’: ‘2018-02-08T06:00:00.000Z’, ‘lastupdt’:\r\n‘2018-02-08T06:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:CA’, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None,\r\n‘wep’: ‘2’, ‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 2, ‘encryption’:\r\n‘wpa2’, ‘country’: ‘CN’, ‘region’: ‘HK’, ‘housenumber’: ”, ‘road’: ‘????????? Tsun Yip Street’, ‘city’: ”,\r\n‘postalcode’: ‘350’}, {‘trilat’: 0, ‘trilong’: 0, ‘ssid’: None, ‘qos’: 0, ‘transid’: ‘20170801-00000’, ‘firsttime’:\r\n‘2017-07-30T17:00:00.000Z’, ‘lasttime’: ‘2001-01-01T00:00:00.000Z’, ‘lastupdt’: ‘2017-08-01T19:00:00.000Z’,\r\n‘netid’: ’00:11:6B:67:3A:EE’, ‘name’: None, ‘type’: ‘data’, ‘comment’: None, ‘wep’: ‘?’, ‘bcninterval’: 0,\r\n‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 0, ‘encryption’: ‘unknown’, ‘country’: None,\r\n‘region’: None, ‘housenumber’: None, ‘road’: None, ‘city’: None, ‘postalcode’: None}, {‘trilat’: 22.3789463,\r\n‘trilong’: 114.18728638, ‘ssid’: ‘LevelOne’, ‘qos’: 0, ‘transid’: ‘20160529-00000’, ‘firsttime’: ‘2016-05-\r\n27T20:00:00.000Z’, ‘lasttime’: ‘2016-05-29T04:00:00.000Z’, ‘lastupdt’: ‘2016-05-29T04:00:00.000Z’, ‘netid’:\r\n’00:11:6B:67:3A:F8′, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘Y’, ‘bcninterval’: 0, ‘freenet’: ‘?’,\r\n‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 11, ‘encryption’: ‘wep’, ‘country’: ‘CN’, ‘region’: ‘HK’,\r\n‘housenumber’: ”, ‘road’: ‘???????????? Sha Tin Centre Street’, ‘city’: ”, ‘postalcode’: ”}, {‘trilat’: 22.28162575,\r\n‘trilong’: 114.15449524, ‘ssid’: ‘Style Asia’, ‘qos’: 3, ‘transid’: ‘20150601-00000’, ‘firsttime’: ‘2015-05-\r\n29T11:00:00.000Z’, ‘lasttime’: ‘2016-03-30T09:00:00.000Z’, ‘lastupdt’: ‘2016-03-30T09:00:00.000Z’, ‘netid’:\r\n’00:11:6B:67:3A:FE’, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘2’, ‘bcninterval’: 0, ‘freenet’: ‘?’,\r\n‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 1, ‘encryption’: ‘wpa2’, ‘country’: ‘CN’, ‘region’: ‘HK’,\r\n‘housenumber’: ”, ‘road’: ‘???????????? Hollywood Road’, ‘city’: ‘??????’, ‘postalcode’: ‘2F’}, {‘trilat’:\r\n22.28442383, ‘trilong’: 114.15369415, ‘ssid’: ‘LevelOne’, ‘qos’: 6, ‘transid’: ‘20160910-00000’, ‘firsttime’:\r\n‘2016-09-10T22:00:00.000Z’, ‘lasttime’: ‘2017-05-30T07:00:00.000Z’, ‘lastupdt’: ‘2017-05-30T07:00:00.000Z’,\r\n‘netid’: ’00:11:6B:67:3A:36′, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘?’, ‘bcninterval’: 0,\r\n‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 2, ‘encryption’: ‘unknown’, ‘country’: ‘CN’,\r\n‘region’: ‘HK’, ‘housenumber’: ‘6’, ‘road’: ”, ‘city’: ‘??????’, ‘postalcode’: ‘1F’}, {‘trilat’: 22.29932022,\r\n‘trilong’: 114.17218781, ‘ssid’: ‘SSHAO’, ‘qos’: 0, ‘transid’: ‘20160506-00000’, ‘firsttime’: ‘2016-05-\r\n06T22:00:00.000Z’, ‘lasttime’: ‘2016-05-06T08:00:00.000Z’, ‘lastupdt’: ‘2016-05-06T08:00:00.000Z’, ‘netid’:\r\n’00:11:6B:67:3A:96′, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘2’, ‘bcninterval’: 0, ‘freenet’: ‘?’,\r\n‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 1, ‘encryption’: ‘wpa2’, ‘country’: ‘CN’, ‘region’: ‘HK’,\r\n‘housenumber’: ”, ‘road’: ‘????????? Nathan Road’, ‘city’: ”, ‘postalcode’: ”}, {‘trilat’: 22.33806419, ‘trilong’:\r\n114.20014191, ‘ssid’: ‘PROADVLTD’, ‘qos’: 3, ‘transid’: ‘20170420-00000’, ‘firsttime’: ‘2017-04-\r\n20T23:00:00.000Z’, ‘lasttime’: ‘2017-05-18T21:00:00.000Z’, ‘lastupdt’: ‘2017-05-18T21:00:00.000Z’, ‘netid’:\r\n’00:11:6B:67:3A:9A’, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘2’, ‘bcninterval’: 0, ‘freenet’: ‘?’,\r\n‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 1, ‘encryption’: ‘wpa2’, ‘country’: ‘CN’, ‘region’: ‘HK’,\r\n‘housenumber’: ‘210-212’, ‘road’: ‘????????? Choi Hung Road’, ‘city’: ”, ‘postalcode’: ‘350’}, {‘trilat’:\r\n22.29611397, ‘trilong’: 114.16808319, ‘ssid’: ‘LevelOne’, ‘qos’: 1, ‘transid’: ‘20160403-00000’, ‘firsttime’:\r\n‘2016-04-03T17:00:00.000Z’, ‘lasttime’: ‘2016-05-07T08:00:00.000Z’, ‘lastupdt’: ‘2016-05-07T08:00:00.000Z’,\r\n‘netid’: ’00:11:6B:67:3A:0E’, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘Y’, ‘bcninterval’: 0,\r\n‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 1, ‘encryption’: ‘wep’, ‘country’: ‘CN’,\r\n‘region’: ‘HK’, ‘housenumber’: ”, ‘road’: ‘???????????? Gateway Boulevard’, ‘city’: ”, ‘postalcode’: ”}, {‘trilat’:\r\nhttps://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/\r\nPage 4 of 9\n\n22.31484985, ‘trilong’: 114.1884613, ‘ssid’: ‘13765786’, ‘qos’: 5, ‘transid’: ‘20160831-00000’, ‘firsttime’:\r\n‘2016-08-31T17:00:00.000Z’, ‘lasttime’: ‘2017-07-21T03:00:00.000Z’, ‘lastupdt’: ‘2017-07-21T03:00:00.000Z’,\r\n‘netid’: ’00:11:6B:67:3A:12′, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘2’, ‘bcninterval’: 0,\r\n‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 6, ‘encryption’: ‘wpa2’, ‘country’: ‘CN’,\r\n‘region’: ‘HK’, ‘housenumber’: ’33’, ‘road’: ‘???????????? To Kwa Wan Road’, ‘city’: ”, ‘postalcode’: ‘350’},\r\n{‘trilat’: 22.29891968, ‘trilong’: 114.17376709, ‘ssid’: ‘Avion Sports’, ‘qos’: 0, ‘transid’: ‘20160512-00000’,\r\n‘firsttime’: ‘2016-05-10T10:00:00.000Z’, ‘lasttime’: ‘2016-05-12T20:00:00.000Z’, ‘lastupdt’: ‘2016-05-\r\n12T20:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:8A’, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘2’,\r\n‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 1, ‘encryption’: ‘wpa2’,\r\n‘country’: ‘CN’, ‘region’: ‘HK’, ‘housenumber’: ’39’, ‘road’: ‘???????????? Carnarvon Road’, ‘city’: ”,\r\n‘postalcode’: ”}, {‘trilat’: 22.32107162, ‘trilong’: 114.19041443, ‘ssid’: ‘sanwo’, ‘qos’: 0, ‘transid’: ‘20160316-\r\n00000’, ‘firsttime’: ‘2016-03-16T22:00:00.000Z’, ‘lasttime’: ‘2016-03-16T09:00:00.000Z’, ‘lastupdt’: ‘2016-03-\r\n16T09:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:C4′, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘2’,\r\n‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 6, ‘encryption’: ‘wpa2’,\r\n‘country’: ‘CN’, ‘region’: ‘HK’, ‘housenumber’: ”, ‘road’: ‘??????????????? East Kowloon Corridor’, ‘city’: ”,\r\n‘postalcode’: ‘350’}, {‘trilat’: 22.36852264, ‘trilong’: 114.11871338, ‘ssid’: ‘14465805AA ‘, ‘qos’: 0, ‘transid’:\r\n‘20150306-00000’, ‘firsttime’: ‘2015-03-06T10:00:00.000Z’, ‘lasttime’: ‘2015-03-06T07:00:00.000Z’, ‘lastupdt’:\r\n‘2015-03-06T05:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:CC’, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None,\r\n‘wep’: ‘2’, ‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 1, ‘encryption’:\r\n‘wpa2’, ‘country’: ‘CN’, ‘region’: ‘HK’, ‘housenumber’: ”, ‘road’: ‘????????? Sha Tsui Road’, ‘city’: ”,\r\n‘postalcode’: ”}, {‘trilat’: 22.2802639, ‘trilong’: 114.18432617, ‘ssid’: ‘Dr. Ann Pei’, ‘qos’: 4, ‘transid’:\r\n‘20170924-00000’, ‘firsttime’: ‘2017-09-18T13:00:00.000Z’, ‘lasttime’: ‘2018-12-31T10:00:00.000Z’, ‘lastupdt’:\r\n‘2018-12-31T10:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:FA’, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None,\r\n‘wep’: ‘2’, ‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 1, ‘encryption’:\r\n‘wpa2’, ‘country’: ‘CN’, ‘region’: ”, ‘housenumber’: ‘555’, ‘road’: ‘???????????? Hennessy Road’, ‘city’: ”,\r\n‘postalcode’: ‘HYSAN PLACE 12F’}, {‘trilat’: 22.3334713, ‘trilong’: 114.14431, ‘ssid’: ‘SNMF’, ‘qos’: 6,\r\n‘transid’: ‘20151223-00000’, ‘firsttime’: ‘2015-12-23T20:00:00.000Z’, ‘lasttime’: ‘2017-02-20T07:00:00.000Z’,\r\n‘lastupdt’: ‘2017-02-20T07:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:4E’, ‘name’: None, ‘type’: ‘infra’, ‘comment’:\r\nNone, ‘wep’: ‘2’, ‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 11,\r\n‘encryption’: ‘wpa2’, ‘country’: ‘CN’, ‘region’: ‘HK’, ‘housenumber’: ”, ‘road’: ‘????????? Lai Po Road’, ‘city’:\r\n”, ‘postalcode’: ”}, {‘trilat’: 22.30311394, ‘trilong’: 114.17094421, ‘ssid’: ‘TUL9A’, ‘qos’: 4, ‘transid’:\r\n‘20160305-00000’, ‘firsttime’: ‘2016-03-05T23:00:00.000Z’, ‘lasttime’: ‘2016-10-27T10:00:00.000Z’, ‘lastupdt’:\r\n‘2016-10-27T10:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:0A’, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None,\r\n‘wep’: ‘2’, ‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 1, ‘encryption’:\r\n‘wpa2’, ‘country’: ‘CN’, ‘region’: ‘HK’, ‘housenumber’: ”, ‘road’: ‘???????????? Austin Road’, ‘city’: ”,\r\n‘postalcode’: ”}, {‘trilat’: 22.31733513, ‘trilong’: 114.16204071, ‘ssid’: ‘TIMBERLAND’, ‘qos’: 6, ‘transid’:\r\n‘20150317-00000’, ‘firsttime’: ‘2015-03-17T19:00:00.000Z’, ‘lasttime’: ‘2017-04-07T11:00:00.000Z’, ‘lastupdt’:\r\n‘2017-04-07T11:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:4C’, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None,\r\n‘wep’: ‘2’, ‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 1, ‘encryption’:\r\n‘wpa2’, ‘country’: ‘CN’, ‘region’: ‘HK’, ‘housenumber’: ”, ‘road’: ‘????????? Cherry Street’, ‘city’: ”,\r\n‘postalcode’: ”}, {‘trilat’: 22.31178284, ‘trilong’: 114.17047882, ‘ssid’: ‘LevelSix’, ‘qos’: 1, ‘transid’: ‘20151103-\r\n00000’, ‘firsttime’: ‘2015-11-03T20:00:00.000Z’, ‘lasttime’: ‘2015-11-05T06:00:00.000Z’, ‘lastupdt’: ‘2015-11-\r\nhttps://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/\r\nPage 5 of 9\n\n05T06:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:7A’, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘2’,\r\n‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 1, ‘encryption’: ‘wpa2’,\r\n‘country’: ‘CN’, ‘region’: ‘HK’, ‘housenumber’: ‘503’, ‘road’: ‘????????? Nathan Road’, ‘city’: ”, ‘postalcode’:\r\n‘KIL 3348’}, {‘trilat’: 22.33692169, ‘trilong’: 114.14710236, ‘ssid’: ‘LevelOne’, ‘qos’: 0, ‘transid’: ‘20150329-\r\n00000’, ‘firsttime’: ‘2015-03-29T17:00:00.000Z’, ‘lasttime’: ‘2015-03-29T07:00:00.000Z’, ‘lastupdt’: ‘2015-03-\r\n29T05:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:C6′, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘Y’,\r\n‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 11, ‘encryption’: ‘wep’,\r\n‘country’: ‘CN’, ‘region’: ‘HK’, ‘housenumber’: ”, ‘road’: ‘???????????? Tung Chau West Street’, ‘city’: ”,\r\n‘postalcode’: ”}, {‘trilat’: 22.28608894, ‘trilong’: 114.15213776, ‘ssid’: ‘mywardrobe’, ‘qos’: 7, ‘transid’:\r\n‘20150321-00000’, ‘firsttime’: ‘2015-03-21T15:00:00.000Z’, ‘lasttime’: ‘2018-12-29T00:00:00.000Z’, ‘lastupdt’:\r\n‘2018-12-29T00:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:F6′, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None,\r\n‘wep’: ‘2’, ‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 6, ‘encryption’:\r\n‘wpa2’, ‘country’: ‘CN’, ‘region’: ”, ‘housenumber’: ”, ‘road’: ‘????????? Wing Lok Street’, ‘city’: ‘?????? Hong\r\nKong’, ‘postalcode’: ‘1F’}, {‘trilat’: 22.31841469, ‘trilong’: 114.17137909, ‘ssid’: None, ‘qos’: 0, ‘transid’:\r\n‘20181121-00000’, ‘firsttime’: ‘2018-11-21T20:00:00.000Z’, ‘lasttime’: ‘2018-11-22T00:00:00.000Z’, ‘lastupdt’:\r\n‘2018-11-22T00:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:92′, ‘name’: None, ‘type’: ‘????’, ‘comment’: None,\r\n‘wep’: ‘?’, ‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 0, ‘encryption’:\r\n‘unknown’, ‘country’: ‘CN’, ‘region’: ”, ‘housenumber’: ”, ‘road’: ‘????????? Fa Yuen Street’, ‘city’: ”,\r\n‘postalcode’: ‘KIL 3348’}, {‘trilat’: 22.49234962, ‘trilong’: 114.13929749, ‘ssid’: ‘LevelOne’, ‘qos’: 0, ‘transid’:\r\n‘20181220-00000’, ‘firsttime’: ‘2018-12-21T11:00:00.000Z’, ‘lasttime’: ‘2019-01-10T03:00:00.000Z’, ‘lastupdt’:\r\n‘2019-01-10T03:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:1C’, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None,\r\n‘wep’: ‘Y’, ‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 11,\r\n‘encryption’: ‘wep’, ‘country’: ‘CN’, ‘region’: ”, ‘housenumber’: ”, ‘road’: ‘????????? San Wan Road’, ‘city’: ”,\r\n‘postalcode’: ”}, {‘trilat’: 22.27951431, ‘trilong’: 114.18489075, ‘ssid’: ‘15567007AA’, ‘qos’: 6, ‘transid’:\r\n‘20170713-00000’, ‘firsttime’: ‘2017-07-13T21:00:00.000Z’, ‘lasttime’: ‘2019-01-13T17:00:00.000Z’, ‘lastupdt’:\r\n‘2019-01-13T17:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:58′, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None,\r\n‘wep’: ‘2’, ‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 1, ‘encryption’:\r\n‘wpa2’, ‘country’: ‘CN’, ‘region’: ”, ‘housenumber’: ’29-31′, ‘road’: “”????????? Jardine’s Bazaar””, ‘city’: ”,\r\n‘postalcode’: ‘HYSAN PLACE 12F’}, {‘trilat’: 22.28288269, ‘trilong’: 114.15284729, ‘ssid’: ‘White Beard Fish\r\n\u0026 Chips’, ‘qos’: 0, ‘transid’: ‘20181229-00000’, ‘firsttime’: ‘2018-12-29T13:00:00.000Z’, ‘lasttime’: ‘2018-12-\r\n29T00:00:00.000Z’, ‘lastupdt’: ‘2018-12-29T00:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:3E’, ‘name’: None,\r\n‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘2’, ‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’:\r\nFalse, ‘channel’: 1, ‘encryption’: ‘wpa2’, ‘country’: ‘CN’, ‘region’: ”, ‘housenumber’: ’62’, ‘road’: ‘????????????\r\nHollywood Road’, ‘city’: ‘?????? Hong Kong’, ‘postalcode’: ‘1F’}, {‘trilat’: 22.30578995, ‘trilong’:\r\n114.17168427, ‘ssid’: ‘LevelOne’, ‘qos’: 0, ‘transid’: ‘20181229-00000’, ‘firsttime’: ‘2018-12-\r\n29T11:00:00.000Z’, ‘lasttime’: ‘2018-12-29T00:00:00.000Z’, ‘lastupdt’: ‘2018-12-29T00:00:00.000Z’, ‘netid’:\r\n’00:11:6B:67:3A:D2′, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘Y’, ‘bcninterval’: 0, ‘freenet’: ‘?’,\r\n‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 8, ‘encryption’: ‘wep’, ‘country’: ‘CN’, ‘region’: ”,\r\n‘housenumber’: ”, ‘road’: ‘????????? Nathan Road’, ‘city’: ”, ‘postalcode’: ”}, {‘trilat’: 22.29627609, ‘trilong’:\r\n114.17272949, ‘ssid’: ‘VANS’, ‘qos’: 0, ‘transid’: ‘20181204-00000’, ‘firsttime’: ‘2001-01-01T08:00:00.000Z’,\r\n‘lasttime’: ‘2018-12-28T23:00:00.000Z’, ‘lastupdt’: ‘2018-12-28T23:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:6E’,\r\n‘name’: None, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘2’, ‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’:\r\nhttps://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/\r\nPage 6 of 9\n\n‘?’, ‘userfound’: False, ‘channel’: 1, ‘encryption’: ‘wpa2’, ‘country’: ‘CN’, ‘region’: ”, ‘housenumber’: ’36-44′,\r\n‘road’: ‘????????? Nathan Road’, ‘city’: ”, ‘postalcode’: ”}, {‘trilat’: 22.28248596, ‘trilong’: 114.15182495,\r\n‘ssid’: ‘ATRIA 2.0’, ‘qos’: 4, ‘transid’: ‘20170206-00000’, ‘firsttime’: ‘2017-02-06T19:00:00.000Z’, ‘lasttime’:\r\n‘2019-02-17T03:00:00.000Z’, ‘lastupdt’: ‘2019-02-17T03:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:DC’, ‘name’:\r\nNone, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘2’, ‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’,\r\n‘userfound’: False, ‘channel’: 1, ‘encryption’: ‘wpa2’, ‘country’: ‘CN’, ‘region’: ”, ‘housenumber’: ”, ‘road’: ”,\r\n‘city’: ‘?????? Hong Kong’, ‘postalcode’: ‘1F’}, {‘trilat’: 22.50578308, ‘trilong’: 114.12594604, ‘ssid’: ‘Po Lam’,\r\n‘qos’: 2, ‘transid’: ‘20170522-00000’, ‘firsttime’: ‘2017-05-22T19:00:00.000Z’, ‘lasttime’: ‘2019-03-\r\n30T02:00:00.000Z’, ‘lastupdt’: ‘2019-03-30T02:00:00.000Z’, ‘netid’: ’00:11:6B:67:3A:2A’, ‘name’: None,\r\n‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘2’, ‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’:\r\nFalse, ‘channel’: 1, ‘encryption’: ‘wpa2’, ‘country’: ‘CN’, ‘region’: ”, ‘housenumber’: ”, ‘road’: ‘????????? Po\r\nWan Road’, ‘city’: ”, ‘postalcode’: ‘DD91 3669’}]}”\r\n“{‘success’: True, ‘totalResults’: 1, ‘search_after’: 68120635, ‘first’: 1, ‘last’: 1, ‘resultCount’: 1, ‘results’:\r\n[{‘trilat’: 9.74241638, ‘trilong’: 118.73323059, ‘ssid’: ‘jam’, ‘qos’: 0, ‘transid’: ‘20170105-00000’, ‘firsttime’:\r\n‘2001-01-01T08:00:00.000Z’, ‘lasttime’: ‘2017-07-08T04:00:00.000Z’, ‘lastupdt’: ‘2017-07-08T04:00:00.000Z’,\r\n‘netid’: ’30:5A:3A:BA:05:D5′, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘2’, ‘bcninterval’: 0,\r\n‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 1, ‘encryption’: ‘wpa2’, ‘country’: ‘PH’,\r\n‘region’: ‘Palawan’, ‘housenumber’: ”, ‘road’: ‘Malvar Street’, ‘city’: ‘Puerto Princesa’, ‘postalcode’: ‘5300’}]}”\r\n“{‘success’: True, ‘totalResults’: 1, ‘search_after’: 76384412, ‘first’: 1, ‘last’: 1, ‘resultCount’: 1, ‘results’:\r\n[{‘trilat’: 45.51959229, ‘trilong’: -73.59568024, ‘ssid’: None, ‘qos’: 0, ‘transid’: ‘20180216-00000’, ‘firsttime’:\r\n‘2018-02-15T05:00:00.000Z’, ‘lasttime’: ‘2018-02-16T03:00:00.000Z’, ‘lastupdt’: ‘2018-02-16T03:00:00.000Z’,\r\n‘netid’: ’54:27:1E:B9:1C:F7′, ‘name’: None, ‘type’: ‘????’, ‘comment’: None, ‘wep’: ‘?’, ‘bcninterval’: 0,\r\n‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 0, ‘encryption’: ‘unknown’, ‘country’: ‘CA’,\r\n‘region’: ‘Qu??bec’, ‘housenumber’: ‘5059’, ‘road’: ‘Avenue du Parc’, ‘city’: ‘Montr??al’, ‘postalcode’: ‘H2V\r\n4E9’}]}”\r\n“{‘success’: True, ‘totalResults’: 1, ‘search_after’: 19869683, ‘first’: 1, ‘last’: 1, ‘resultCount’: 1, ‘results’:\r\n[{‘trilat’: 37.74716187, ‘trilong’: -122.45939636, ‘ssid’: None, ‘qos’: 0, ‘transid’: ‘20140914-00000’, ‘firsttime’:\r\n‘2014-09-13T20:00:00.000Z’, ‘lasttime’: ‘2014-09-15T00:00:00.000Z’, ‘lastupdt’: ‘2014-09-14T22:00:00.000Z’,\r\n‘netid’: ’68:5D:43:AD:C6:27′, ‘name’: None, ‘type’: ‘????’, ‘comment’: None, ‘wep’: ‘?’, ‘bcninterval’: 0,\r\n‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 0, ‘encryption’: ‘unknown’, ‘country’: ‘US’,\r\n‘region’: ‘CA’, ‘housenumber’: ‘408’, ‘road’: ‘Dewey Boulevard’, ‘city’: ‘SF’, ‘postalcode’: ‘94116’}]}”\r\n“{‘success’: True, ‘totalResults’: 1, ‘search_after’: 80485480, ‘first’: 1, ‘last’: 1, ‘resultCount’: 1, ‘results’:\r\n[{‘trilat’: 35.29733276, ‘trilong’: -93.13150787, ‘ssid’: ‘ANGEL’, ‘qos’: 0, ‘transid’: ‘20140901-00000’,\r\n‘firsttime’: ‘2014-09-01T21:00:00.000Z’, ‘lasttime’: ‘2014-09-02T09:00:00.000Z’, ‘lastupdt’: ‘2014-09-\r\n02T07:00:00.000Z’, ‘netid’: ’80:56:F2:79:9E:44′, ‘name’: None, ‘type’: ‘infra’, ‘comment’: None, ‘wep’: ‘2’,\r\n‘bcninterval’: 0, ‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 1, ‘encryption’: ‘wpa2’,\r\n‘country’: ‘US’, ‘region’: ‘AR’, ‘housenumber’: ”, ‘road’: ‘North Arkansas Avenue’, ‘city’: ‘Russellville’,\r\n‘postalcode’: ‘72802’}]}”\r\nhttps://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/\r\nPage 7 of 9\n\n“{‘success’: True, ‘totalResults’: 1, ‘search_after’: 83769987, ‘first’: 1, ‘last’: 1, ‘resultCount’: 1, ‘results’:\r\n[{‘trilat’: 43.11547089, ‘trilong’: -80.73469543, ‘ssid’: None, ‘qos’: 2, ‘transid’: ‘20161013-00000’, ‘firsttime’:\r\n‘2016-10-12T00:00:00.000Z’, ‘lasttime’: ‘2016-11-19T14:00:00.000Z’, ‘lastupdt’: ‘2016-11-19T14:00:00.000Z’,\r\n‘netid’: ‘A4:02:B9:69:24:A9’, ‘name’: None, ‘type’: ‘????’, ‘comment’: None, ‘wep’: ‘?’, ‘bcninterval’: 0,\r\n‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 0, ‘encryption’: ‘unknown’, ‘country’: ‘CA’,\r\n‘region’: ‘Ontario’, ‘housenumber’: ”, ‘road’: ‘Juliana Drive’, ‘city’: ‘Woodstock’, ‘postalcode’: ‘N4S7V9’}]}”\r\n“{‘success’: True, ‘totalResults’: 1, ‘search_after’: 42713788, ‘first’: 1, ‘last’: 1, ‘resultCount’: 1, ‘results’:\r\n[{‘trilat’: 43.2630806, ‘trilong’: -77.61564636, ‘ssid’: None, ‘qos’: 0, ‘transid’: ‘20141025-00000’, ‘firsttime’:\r\n‘2014-10-25T04:00:00.000Z’, ‘lasttime’: ‘2014-10-25T20:00:00.000Z’, ‘lastupdt’: ‘2014-10-25T19:00:00.000Z’,\r\n‘netid’: ‘C4:85:08:8D:22:8C’, ‘name’: None, ‘type’: ‘????’, ‘comment’: None, ‘wep’: ‘?’, ‘bcninterval’: 0,\r\n‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 0, ‘encryption’: ‘unknown’, ‘country’: ‘US’,\r\n‘region’: ‘NY’, ‘housenumber’: ”, ‘road’: ‘Beach Avenue’, ‘city’: ”, ‘postalcode’: ‘14612’}]}”\r\n“{‘success’: True, ‘totalResults’: 1, ‘search_after’: 82784865, ‘first’: 1, ‘last’: 1, ‘resultCount’: 1, ‘results’:\r\n[{‘trilat’: 37.78665161, ‘trilong’: -122.44406128, ‘ssid’: None, ‘qos’: 0, ‘transid’: ‘20150621-00000’, ‘firsttime’:\r\n‘2015-06-06T10:00:00.000Z’, ‘lasttime’: ‘2015-06-21T16:00:00.000Z’, ‘lastupdt’: ‘2015-06-21T16:00:00.000Z’,\r\n‘netid’: ‘C4:85:08:9F:DB:93’, ‘name’: None, ‘type’: ‘????’, ‘comment’: None, ‘wep’: ‘?’, ‘bcninterval’: 0,\r\n‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 0, ‘encryption’: ‘unknown’, ‘country’: ‘US’,\r\n‘region’: ‘CA’, ‘housenumber’: ”, ‘road’: ‘Pine Street’, ‘city’: ‘SF’, ‘postalcode’: ‘94115’}]}”\r\n“{‘success’: True, ‘totalResults’: 1, ‘search_after’: 102513635, ‘first’: 1, ‘last’: 1, ‘resultCount’: 1, ‘results’:\r\n[{‘trilat’: 42.99957657, ‘trilong’: -71.43035889, ‘ssid’: None, ‘qos’: 0, ‘transid’: ‘20181014-00000’, ‘firsttime’:\r\n‘2018-08-28T19:00:00.000Z’, ‘lasttime’: ‘2018-10-14T08:00:00.000Z’, ‘lastupdt’: ‘2018-10-14T08:00:00.000Z’,\r\n‘netid’: ‘D8:50:E6:99:8D:4F’, ‘name’: None, ‘type’: ‘????’, ‘comment’: None, ‘wep’: ‘?’, ‘bcninterval’: 0,\r\n‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 0, ‘encryption’: ‘unknown’, ‘country’: ‘US’,\r\n‘region’: ‘NH’, ‘housenumber’: ”, ‘road’: ‘I 93’, ‘city’: ‘Manchester’, ‘postalcode’: ‘03104’}]}”\r\n“{‘success’: True, ‘totalResults’: 1, ‘search_after’: 109625063, ‘first’: 1, ‘last’: 1, ‘resultCount’: 1, ‘results’:\r\n[{‘trilat’: 25.04739952, ‘trilong’: 121.51049805, ‘ssid’: None, ‘qos’: 0, ‘transid’: ‘20190301-00000’, ‘firsttime’:\r\n‘2019-03-01T06:00:00.000Z’, ‘lasttime’: ‘2019-03-01T20:00:00.000Z’, ‘lastupdt’: ‘2019-03-01T20:00:00.000Z’,\r\n‘netid’: ‘F0:03:8C:37:00:8D’, ‘name’: None, ‘type’: ‘????’, ‘comment’: None, ‘wep’: ‘?’, ‘bcninterval’: 0,\r\n‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 0, ‘encryption’: ‘unknown’, ‘country’:\r\n‘TW’, ‘region’: ‘?????????’, ‘housenumber’: ‘3’, ‘road’: ‘???????????????’, ‘city’: ”, ‘postalcode’: ‘10043’}]}”\r\n“{‘success’: True, ‘totalResults’: 1, ‘search_after’: 18904691, ‘first’: 1, ‘last’: 1, ‘resultCount’: 1, ‘results’:\r\n[{‘trilat’: 50.21075058, ‘trilong’: 15.82189369, ‘ssid’: None, ‘qos’: 0, ‘transid’: ‘20130202-00000’, ‘firsttime’:\r\n‘2001-01-01T07:00:00.000Z’, ‘lasttime’: ‘2013-02-02T15:00:00.000Z’, ‘lastupdt’: ‘2013-02-02T13:00:00.000Z’,\r\n‘netid’: ‘F0:03:8C:CD:8D:25’, ‘name’: None, ‘type’: ‘data’, ‘comment’: None, ‘wep’: ‘?’, ‘bcninterval’: 0,\r\n‘freenet’: ‘?’, ‘dhcp’: ‘?’, ‘paynet’: ‘?’, ‘userfound’: False, ‘channel’: 0, ‘encryption’: ‘unknown’, ‘country’: ‘CZ’,\r\n‘region’: ‘Severov??chod’, ‘housenumber’: ”, ‘road’: ‘Go????rova t????da’, ‘city’: ‘Hradec Kr??lov??’,\r\n‘postalcode’: ‘50002’}]}”\r\nhttps://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/\r\nPage 8 of 9\n\nSource: https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/\r\nhttps://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/"
	],
	"report_names": [
		"possible-shadowhammer-targeting-low-confidence"
	],
	"threat_actors": [],
	"ts_created_at": 1775434147,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ece7e007e71df2343d9fe0546daa543a4a75cf8d.pdf",
		"text": "https://archive.orkl.eu/ece7e007e71df2343d9fe0546daa543a4a75cf8d.txt",
		"img": "https://archive.orkl.eu/ece7e007e71df2343d9fe0546daa543a4a75cf8d.jpg"
	}
}