China Chopper still active 9 years later
Common Information
UUID: 22d53d9c-8ab8-42ad-b5cd-0b972aacc52f
Fingerprint: b4a19d128521d1a9
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Aug. 27, 2019, 11:01 a.m.
Added to db: Sept. 26, 2022, 9:30 a.m.
Last updated: Nov. 17, 2024, 6:55 p.m.
Headline Vulnerability Information
Title: China Chopper still active 9 years later
Detected Hints/Tags/Attributes: 115/3/103
Attributes
Type             #Events  Value
CVE              19       cve-2018-8440
CVE              2        cve-2015-0062
CVE              37       cve-2015-1701
CVE              17       cve-2016-0099
Github username  5        mattifestation
Github username  1        klionsec
Github username  3        clymb3r