ShadowPad Malware Analysis
Common Information
Type                            Value
UUID                            202f29d9-b370-4acb-8031-fe6dcf3fe0d5
Fingerprint                     1bf1e05baeaf1439
Analysis status                 DONE
Considered CTI value            2
Text language
Published                       Feb. 15, 2022, midnight
Added to db                     Aug. 13, 2023, 9:04 a.m.
Last updated                    Nov. 17, 2024, 6:55 p.m.
Headline                        ShadowPad Malware Analysis
Title                           ShadowPad Malware Analysis
Detected Hints/Tags/Attributes  107/3/110
Attributes
Type                          #Events  CTI Value
Domain                              4  billing.epac.to
Domain                              2  vsmrcil.casacam.net
Domain                              4  exat.dnset.com
Domain                              2  dprouds.casacam.net
Domain                              4  secupdate.kozow.com
Domain                              1  goest.mrbonus.com
Domain                              1  phiinoc.dnsdyn.net
Domain                              1  stratorpriv.lubni23.com
Domain                              1  rolesnews.com
Domain                              2  www.cloudvn.info
Domain                              3  ti0wddsnv.wikimedia.vip
Domain                              2  yjij4bpade.nslookup.club
Domain                              4  6czumi0fbg.symantecupd.com
Domain                              7  live.musicweb.xyz
Domain                              7  obo.videocenter.org
Domain                              1  teamview.microsoft.msglocalmicro.com
Domain                              2  ts.ekaldhfl.club
Domain                              1  armypubs.army.mil
Domain                              4  assets.sentinelone.com
Domain                            546  www.recordedfuture.com
Domain                             11  jamestown.org
Domain                             19  www.pwc.co.uk
Domain                             47  go.recordedfuture.com
Domain                            111  www.justice.gov
Domain                              1  www.noticeofpleadings.net
Domain                              8  ndupress.ndu.edu
File                               48  applaunch.exe
File                               68  mscoree.dll
File                                3  hpqhvind.exe
File                                4  hpqhvsei.dll
File                               14  consent.exe
File                               39  secur32.dll
File                                3  tosbtkbd.exe
File                                7  tosbtkbd.dll
File                                6  bdreinit.exe
File                               25  log.dll
File                                9  oleview.exe
File                                7  iviewers.dll
File                               10  tsvipsrv.dll
File                                7  log.exe
File                              165  reg.exe
File                             2125  cmd.exe
File                             1122  svchost.exe
File                              172  dllhost.exe
File                                4  billing.ep
File                                1  cloudvn.inf
File                                1  microsoft.msg
File                                2  study_of_the_shadowpad_apt_backdoor_and_its_relation_to_plugx_en.pdf
File                                4  cds19-executive-s08-achievement-unlocked.pdf
File                               24  army.mil
File                                1  3-000-web-1.pdf
File                                4  chasing-shadows.html
File                                1  cta-2021-0616.pdf
File                                3  pla_third_department_sigint_cyber_stokes_lin_hsiao.pdf
File                                9  complaint.pdf
File                                8  ndupress.nd
File                                1  chinaperspectives-10.pdf
md5                                 1  9d686ceed21877821ab6170a348cc073
md5                                 1  27d889c351ac2f48d31b91d06061ec8d
md5                                 1  17e812958704f4ced297731ce47de020
md5                                 1  fac0b4fe5372d76607c36ccb51e6b7bb
md5                                 1  17268032c7562fa9473bb85018cb1c2c
md5                                 1  41ff21ea773b73812d91f91b68280ed3
md5                                 1  1480d2856e4d57d0c8394ade835493db
md5                                 1  40e7f1a18735819d6cf5f5cff0fb72f4
md5                                 1  59961f8c3d8d6cfb7a378f58ff5c5f30
md5                                 1  dfd3b637fc35e850138b33758934f3f7
md5                                 1  0ddd78208c16e9f8174868bdf92eac9b
md5                                 1  f977be4ebb0d06c9a19b37d8bbb37178
md5                                 1  b40dec21d0c3061bef422bb946366cba
md5                                 1  3520e591065d3174999cc254e6f3dbf5
md5                                 1  bda94af893973fe675c35e5699d90521
md5                                 1  c3292a51c1b92d7dd08518095bb851f8
md5                                 1  b1a9afc937a6e7e0d09e5ccd8b2198f5
md5                                 2  3e372906248b215ea0ee853cb4e29dd8
md5                                 1  ffbadead054d1eac270f1a24d02e8a1f
md5                                 1  06539163f71f8bd496db75ccb41db820
md5                                 1  373eacf3ffd1b5722f9d3c1595092b4c
md5                                 1  ea6be331b5fa349a2fa464b062043b0e
md5                                 1  5fe99a8f8cbfe46832478aa9c9634ed6
md5                                 1  299980c914250bac7522de849f6df24f
md5                                 1  6538263d35b9bb438a9648e904ed7394
md5                                 1  246d233f4fcda6f4c1ec1177dbad31b4
sha1                                1  f5b7ea5e705655a1bc08030b601443088a5af4dd
IPv4                                2  172.197.18.30
IPv4                                2  172.200.21.190
IPv4                                2  103.255.179.186
IPv4                                2  154.202.198.246
IPv4                                1  47.56.228.89
IPv4                                2  207.148.98.61
IPv4                                1  5.188.33.106
IPv4                                1  139.180.141.16
Threat Actor Identifier - APT     522  APT41
Url                                 1  https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities
Url                                 2  https://st.drweb.com/static/new-www/news/2020/october/study_of_the_shadowpad_apt_backdoor_and_its_relation_to_plugx_en.pdf
Url                                 3  https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
Url                                 1  https://armypubs.army.mil/epubs/dr_pubs/dr_a/arn33195-atp_7-100.3-000-web-1.pdf
Url                                 1  https://assets.sentinelone.com/c/shadowpad?x=p42eqa
Url                                 1  https://www.recordedfuture.com/redfoxtrot-china-pla-targets-bordering-asian-countries
Url                                 1  https://www.kaspersky.com/about/press-releases/2017_shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world
Url                                 1  https://jamestown.org/program/the-peoples-liberation-army-strategic-support-force-update-2019
Url                                 3  https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html
Url                                 1  https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf
Url                                 1  https://project2049.net/wp-content/uploads/2018/05/pla_third_department_sigint_cyber_stokes_lin_hsiao.pdf
Url                                 2  https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer
Url                                 1  https://www.justice.gov/opa/press-release/file/1317216/download
Url                                 1  https://www.noticeofpleadings.net/barium/files/complaint_and_summons/complaint.pdf
Url                                 1  https://ndupress.ndu.edu/portals/68/documents/stratperspective/china/chinaperspectives-10.pdf
Url                                 1  https://www.vice.com/en/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers
Windows Registry Key                7  HKLM\SOFTWARE\Classes\CLSID
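As the CTI tool exports it, the attribute list is a flat sequence of "Details <Type> <#Events>" lines each followed by the value, and it is not clean enough to load into a blocklist as-is: the File column mixes ubiquitous Windows binaries (cmd.exe, svchost.exe, reg.exe, dllhost.exe, with event counts in the hundreds or thousands) with entries such as billing.ep, cloudvn.inf, microsoft.msg, army.mil and ndupress.nd that are fragments of domains listed in the same table rather than filenames. The script below is an added example, not code from this page or from the tool that produced the listing. It parses the flat export into typed records, validates hash, IPv4 and domain syntax, flags the generic binaries and the domain fragments, and looks a few constructed telemetry events up against the indicators that survive. The sample rows are copied from the table above (with one md5 and one IPv4 row deliberately malformed and labelled as such); the GENERIC_BINARIES set, the event kinds and every function name are this example's own assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field

ROW_RE = re.compile(r"^Details (?P<type>.+?) (?P<count>\d+)$")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
GENERIC_BINARIES = {"cmd.exe", "svchost.exe", "reg.exe", "dllhost.exe"}  # assumption: no signal alone
EVENT_TYPE = {"dns": "domain", "conn": "ipv4", "image": "file"}  # assumed telemetry kinds

# Constructed sample in the page's layout; the second md5 and second IPv4 are deliberately malformed.
SAMPLE = r"""
Details Domain 4
billing.epac.to
Details File 68
mscoree.dll
Details File 2125
cmd.exe
Details File 4
billing.ep
Details md5 1
9d686ceed21877821ab6170a348cc073
Details md5 1
not-a-hash
Details sha1 1
f5b7ea5e705655a1bc08030b601443088a5af4dd
Details IPv4 2
172.197.18.30
Details IPv4 1
999.1.1.1
Details Threat Actor Identifier - APT 522
APT41
"""

@dataclass
class Indicator:
    type: str
    events: int
    value: str
    notes: list = field(default_factory=list)  # reasons the value is not usable as-is

def parse_listing(text):
    """Pair each 'Details <Type> <#Events>' line with the value line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    found, i = [], 0
    while i < len(lines):
        m = ROW_RE.match(lines[i])
        if m and i + 1 < len(lines) and not ROW_RE.match(lines[i + 1]):
            found.append(Indicator(m["type"], int(m["count"]), lines[i + 1]))
            i += 2
        else:
            i += 1  # header row or stray text
    return found

def validate(indicators):
    """Annotate rows that are malformed, generic, or truncated copies of a listed domain."""
    domains = [x.value.lower() for x in indicators if x.type.lower() == "domain"]
    for ind in indicators:
        t, v = ind.type.lower(), ind.value
        if t in HEX_LEN:
            if re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LEN[t], v):
                ind.value = v.lower()  # normalise case so lookups match
            else:
                ind.notes.append("malformed " + t)
        elif t == "ipv4":
            try:
                ipaddress.IPv4Address(v)
            except ValueError:
                ind.notes.append("malformed IPv4")
        elif t == "domain" and not DOMAIN_RE.match(v):
            ind.notes.append("malformed domain")
        elif t == "file":
            if v.lower() in GENERIC_BINARIES:
                ind.notes.append("generic system binary")
            if any(v.lower() in d for d in domains):
                ind.notes.append("fragment of a listed domain")
    return indicators

def match_events(indicators, events):
    """Look (kind, value) telemetry up against the indicators that carry no notes."""
    table = {}
    for ind in (x for x in indicators if not x.notes):
        table.setdefault(ind.type.lower(), set()).add(ind.value.lower())
    by_len = {n: name for name, n in HEX_LEN.items()}
    hits = []
    for kind, value in events:
        t = by_len.get(len(value)) if kind == "hash" else EVENT_TYPE.get(kind)
        if t and value.lower() in table.get(t, ()):
            hits.append((kind, value))
    return hits

SAMPLE_EVENTS = [  # constructed telemetry, not from any real host
    ("dns", "billing.epac.to"), ("dns", "www.example.com"), ("conn", "172.197.18.30"),
    ("conn", "999.1.1.1"), ("image", "cmd.exe"), ("image", "mscoree.dll"),
    ("hash", "9D686CEED21877821AB6170A348CC073")]

if __name__ == "__main__":
    inds = validate(parse_listing(SAMPLE))
    for ind in inds:
        print(f"{ind.type:<30}{ind.events:>6}  {ind.value}  {'; '.join(ind.notes)}")
    print("hits:", match_events(inds, SAMPLE_EVENTS))
```

Feeding the full export through parse_listing yields all 110 rows; the substring test is deliberately loose, so it catches truncated extractions like billing.ep but would also flag a genuine filename that happens to occur inside a listed domain. Treat "fragment of a listed domain" as a prompt to check the source report, not as an automatic discard, and note that the generic-binary list only suppresses names that carry no signal on their own; the lower-count executable and DLL names in the table are the ones worth matching.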