Operation Winnti

A long-running APT41 supply-chain and gaming-industry espionage campaign. Includes OpSMN and PlugX malware deployment.

Start date: 1 January 2011
End date:
Techniques: 28

Indicators of compromise: 210
(93 SHA256, 59 domain, 22 SHA1, 22 MD5, 13 IP, 1 URL)

Attributed actors

Techniques (28)

collection (1)
T1560.001 Archive via Utility
command-and-control (4)
T1573.001 Symmetric Cryptography
T1090.001 Internal Proxy
T1105 Ingress Tool Transfer
T1071.001 Web Protocols
credential-access (1)
T1003.001 LSASS Memory
defense-impairment (2)
T1574.002 DLL Side-Loading
T1070.001 Clear Windows Event Logs
discovery (3)
T1057 Process Discovery
T1082 System Information Discovery
T1083 File and Directory Discovery
execution (3)
T1059.003 Windows Command Shell
T1059.001 PowerShell
T1053.005 Scheduled Task
exfiltration (1)
T1041 Exfiltration Over C2 Channel
initial-access (4)
T1078 Valid Accounts
T1566.001 Spearphishing Attachment
T1190 Exploit Public-Facing Application
T1195.002 Compromise Software Supply Chain
lateral-movement (3)
T1021.001 Remote Desktop Protocol
T1021.002 SMB/Windows Admin Shares
T1550.002 Pass the Hash
persistence (5)
T1078 Valid Accounts
T1547.001 Registry Run Keys / Startup Folder
T1574.002 DLL Side-Loading
T1543.003 Windows Service
T1053.005 Scheduled Task
privilege-escalation (6)
T1078 Valid Accounts
T1547.001 Registry Run Keys / Startup Folder
T1574.002 DLL Side-Loading
T1055 Process Injection
T1543.003 Windows Service
T1053.005 Scheduled Task
stealth (5)
T1078 Valid Accounts
T1140 Deobfuscate/Decode Files or Information
T1070.004 File Deletion
T1055 Process Injection
T1027 Obfuscated Files or Information

Indicators of compromise (210)

SHA1 (22)
7d9b2a9b65a55ecd9c2867f1ea21821d52459d4b (confirmed)
ca9e770eac54b3b7046e6efdee6e1ebe88a8905f (confirmed)
79daceed3c07eaeac39c69b5c40e03cedcaaaced (confirmed)
08afbd47ce5f4e296d375b3a2d069993e09c090f (confirmed)
f0460290bd8668e94a4c5ad86aa1c487466e8e9d (confirmed)
1a20d3333e220f6fe2980dff119705c0ddc59604 (confirmed)
27976ef26939f0c58a5e2edb222c80761a41e2cf (confirmed)
cef549547a567db2020af80b1d8e0163f9aa4d65 (confirmed)
72f3c2155c625784c41cf50bfde4d8dc63424c8e (confirmed)
4857e755573822aeef32730a5302cd89c88031db (confirmed)
5486fd254451d90f2f6acdbfa3330444f98dde68 (confirmed)
1eddc0e76f1dd787091cfdcf98a058dd4319fd34 (confirmed)
51891247e3caa4e4f8f71b2eaf8ba47602dc0be1 (confirmed)
e30014454ec9678426afb3e8e972dc3d063f1358 (confirmed)
ee83355a6fd69caaedaaa5ef5e44683c0cddf553 (confirmed)
894923f6346506300db5477a8f0057745239cc3b (confirmed)
49e0fb0f7bd276afea3f13bcac9dd945c148f6bd (confirmed)
972da237b66a1239555bd06588039f8b8c03fbe5 (confirmed)
60aef3264dd2263791afd59652ef4228bac79a29 (confirmed)
5e23c5b5f21c0a6f894d636cd4f4469bf28b53ba (confirmed)
f6918d589408209600f1a1ac57f5f610f5bfc90b (confirmed)
64093d8dbf2e108c73fb5f96bbf0c2fcd8975c94 (confirmed)
SHA256 (93)
c46bfed74f17b114664adb658c7a10389eceb3c35edbaa472197d32b66bea7ad (confirmed)
47053e77580ef64ca39058f72986c6ff46a81c092027e240916c8bdb42cdfcb6 (confirmed)
92f960ddcfa6ed39289e28f03bb36cd2b6b513f3c3c21ef31ee5f9a8238a8a01 (confirmed)
a679d46a8ce8da6135b0dec9b2632ae41d01629a17f3183f9bcb76debfcecba5 (confirmed)
d173811a545ba495934cb293460bc86b0c6681c2cd98de52b6b10c63e4d3abb3 (confirmed)
970415694f5b1952a45b7c3c776292877738e32b42b23d97e1b5361e0eaf97de (confirmed)
d1e1a66afb0e33d865776758abb5869fae5b3deab58e6a9f996253bdaf02a91f (confirmed)
35541d4f586a97d5f4cd0c43436df0cee2944a1a650dd7b9d3f14a63e7f20c8a (confirmed)
7c754b0bec42a85f78393082b011e07fb0e964437c0c5c690ccf51d5508ab8b6 (confirmed)
0e3d6da65139e01a8f9be0ee63b4510123fc9f644100b00535f7f3b1611ab2ce (confirmed)
ca0acc09b6b17271bcda7f67eaf9b9a8d8227408e7fd6b0def0f99e501bc179a (confirmed)
d11884d05b679e494d8d997784e2d11648946b66d2f04daf3813e57fd1a156fc (confirmed)
33f8cfb672ab39e7ef1986848b293ade35e08480a8f7d2cbe96195357fb39cfb (confirmed)
29c43ec1a4c4fc823028ee0e5b4ce9e6e5e1217766ee430f663538a60ccf13d4 (confirmed)
8ac94fb63d023242e62d08ef7552beed720845266ea884c8d992d2533b81cf12 (confirmed)
62bd0c6eca0c4d562de0d83bbc7ce63fe9bfb3ac149e9a449dd44e2e3165c9dc (confirmed)
ddccba1aa87ec9d12a896bed96d2d16465b4b63baefd4580828372971881be00 (confirmed)
21cbd6ba2f1787ebdeac8e6098a94e0e3f8d760bf7277f0e30229d9362cd7689 (confirmed)
ad1e7e12607ccdda70197a9cc0fc3df7fb74db540d1a1764da9da7347cbd73e3 (confirmed)
f4bf952b5b922a431ad15e4b9a9bc7011a999241187ca93811cec3cdd0a87351 (confirmed)
b63407714c73d022b748411df888ccabcca082cf87bc32d53c6a9cfd55f46bda (confirmed)
7d8da529d439e31b917661ae7421ee99b132e995cc78156fdd6e1f7df43ac07c (confirmed)
7339fe6a7799ab8369d0dbafed9d7f3b6c81d164b00ec5d3a17d6c69ea52b141 (confirmed)
18c42f98affc8f053d0a20e9bc85786f1cc8c33bd5f7c0080687b5aa8c97f1d7 (confirmed)
7a0fdc652e0ce4d84e9a6fd89343e6d71756c0a8f537276d3aed7388264ddb16 (confirmed)
2491fcac659f72cf9f0247e6444f1024e3f93b8684d9129fee61b7fe27ae4848 (confirmed)
eee4b1c4621b0ca355dc677652dfd6449f1f230565da8cb5db59fa195e8f553f (confirmed)
0e258047b5883e8e8841f8649352478bf1ad4362c53b8be082cf701380694fc5 (confirmed)
9df413b0da7355bbb203c294ed64c06ec68ab4a00221c8e9a0e635a40a08576d (confirmed)
df6e40fb0bea1d00c86e0bca493d05a9318ba8e27b015bcadb2fc1d82fa8af04 (confirmed)
823e09d204e3c4d57abcbb23c1db50b0db3d8d4eecde72b0ffefa2f0b6abe904 (confirmed)
e82f0bfa09fa9d855a73ae82ca56566c5b59074fa2ad4aad1f6870d5331eede8 (confirmed)
4a7e8d72dbaf30ebe2328771381912df9387deea6e240f3ad046ba1154250680 (confirmed)
6aa66eef38c6fcc2d9ab8034723acdaf2af0195749ff713dddaf414d2caea45f (confirmed)
90745e366f46b1065c56a1a3e262e9e1f0f26baf05b6d29e4758dabdc2570d76 (confirmed)
bf1ac8ab322891defe755552c198891ff28fb2fa57fd36a8b1b5a6b649fbc027 (confirmed)
d929406819df0faaf297e2b2e4253724a9f6fafaafa239c4b90db5ab6e58bd83 (confirmed)
f1c61fd84e925eb42d681755395f20b1adedd4ee43c58e974a32604e953cbbfd (confirmed)
dec864735d2017b52accdd5285d24131ee556f9266156c62a83cde0ae8dbd095 (confirmed)
1616adcdb750330cdad6223d26311244ce21080fce5ff03203261302d1031249 (confirmed)
d72b78c634d9e1c24c90da7badb54a1243573c49dffe43ddb6a14db586b2aaf8 (confirmed)
2fa4b025c74dec27d2640d441db27601e6d1c7717db90b7e9915f6ef5db92fa3 (confirmed)
1b0cd7bbd5188798f0bbcebb06afb54f6455a680b061bf32fa43d28e829837b0 (confirmed)
316f052a09f1f121cfe70491697048db32612c4a2c4f007748fda9a2b0e56c20 (confirmed)
3087f00b5ef2941ebf3005e9ed46c134a601c629d8dd26e83b25b3e3a4106f77 (confirmed)
1ada845dbf89024f4eee8409880ce21ece2262db3ad5129d2eed33a76d177d39 (confirmed)
6c8347ec0c0a26a8942342e4031cf823332a8637d9a4e7f31bad725edc04a395 (confirmed)
4466f22fd87e4d7fc875c7e073131cf81635fac48ba0fa7bbcf37f8a2dd0563e (confirmed)
f571b27da6fc097bfc7a989fb9b752320f45ded7505125c558851ddd68f01688 (confirmed)
18df4e50d2db8e352755bab86e2aa04ce9dcf2a83bf3e03135abae00ab3d16c2 (confirmed)
ca6540211b309620c38db716b29d282492c4842d5d6e167ecc3b0707431c491f (confirmed)
890137121b159b0de4b287627a8710605327f8aa0b2e657362b05b793881d87e (confirmed)
da198b32b61d0a5765d2961b1f4a20592a90bd919835bd5cf1f64329ef388a61 (confirmed)
f8d6b5995ae855e9cd89194faf0c2f683f8e2d83376bcd4f2da55904d411368c (confirmed)
4a4e729b5a2212bdcba4314594cbdf8fcbec7146bb1f47b3c99ad6d183bceb38 (confirmed)
bdb451dd67a1101f8437a2f4231abac37d8bcc4b7c7b85bc74ace83e31aaa156 (confirmed)
e9bfcfe6d1bbfabca1d8c0896b1bcf452000bed161c1eba95bbae2256993f3ab (confirmed)
e5273b72c853f12b77a11e9c08ae6432fabbb32238ac487af2fb959a6cc26089 (confirmed)
aa17bce6d8c469ce22ba29f79d2754db5d44096862d7a13be9324121c04a5343 (confirmed)
b21a5ac48502ff75057f9773bf31abd970ef6c75a2c0ea1c871dd4e81ec5a994 (confirmed)
f97ba6bdd7893af406d500634d5982184d278b46d392a0f7ad7d7bade0c47fc0 (confirmed)
5f41b896d76c04677ac400262aae06727771d408b598e870827c2c8f4aac061c (confirmed)
288e9ac646b5c42666717326943fcfe90d206a2b29b6bcd46dd0b4a5db683689 (confirmed)
f255321e7331ec856bcbf816f4a38371c2311b00d531fdff541fb18496cc0edd (confirmed)
2fde6617eaca9e178bd4de52fd55d4bcf211632c004703f31efbd541b3d16319 (confirmed)
246feb48f0a8e11b1c0d6cfb1a6fcbcb3b1b6014dc825367e67976cc31d29c37 (confirmed)
959630cb90c5e3810a8a02c771f37b46388204d2d99a436463cd87411f961ba0 (confirmed)
e13c06fa97a3f502edc3aee62b0f6aee174d5ced7a5d0a4dffc7323a9c993347 (confirmed)
ec198eb746eb1d87315e4ce2cb0d960246da4824f4925d340201288947537bfa (confirmed)
cf15e587ef51527660947510b53f2a7b28da4b5ea02e39ff24c04e7156210612 (confirmed)
a8f50d0f0c41e83dc3697b6668013e8cff990e5b98b99170c24c57281ff43e09 (confirmed)
7c09b14a34114e5b6861530ac19ab1aaadf9e8c9a7fbbde96542c21175b094e0 (confirmed)
b9140df8a58f02469f9f5789e1a39e476381855820730c997580f3a49fff1148 (confirmed)
87e4096e3989ae5f047d1ede355e5e95b2eb4ce2fc8fb42a7d8a39f3224d41ab (confirmed)
8f9e875825f498cee1ef74c57829cd367a8b3089fe4e8918449711fa3af0f984 (confirmed)
2e90ec6594eb5fda2cfb6d46b91e13e9ee3f8941de31b57f366dbe254ee9fc32 (confirmed)
8dcae5e7f13d190ff492687ddca33342450fdef868fbfa92d2ac7b32ffbf7365 (confirmed)
c6791c74cf345c38ff10f04d36c11ad2953eb39bbc95df837dd4bf77176d6322 (confirmed)
7c37ebb96c54d5d8ea232951ccf56cb1d029facdd6b730f80ca2ad566f6c5d9b (confirmed)
52ce11b571aacf298c10d6dce47a60c199f6f58a76b901583bde65d86886cf1f (confirmed)
0798740771dc8f40a5a45a2f58aeab479e2ead6682d67b24fafc46a7ab40c128 (confirmed)
9d04ef8708cf030b9688bf3e8287c1790023a76374e43bd332178e212420f9fb (confirmed)
06b077e31a6f339c4f3b1f61ba9a6a6ba827afe52ed5bed6a6bf56bf18a279ba (confirmed)
1e63a7186886deea6c4e5c2a329eab76a60be3a65bca1ba9ed6e71f9a46b7e9d (confirmed)
d6011662c2d1a18c50b02dc6ec5d9650c34bd67083038a9d56d9e0c98b100730 (confirmed)
2c3032b2b19b19369a37c7d60cd850c4208ec042ef32c9870b701f333734ae56 (confirmed)
b1a0d0508ee932bbf91625330d2136f33344ed70cb25f7e64be0620d32c4b9e2 (confirmed)
0e21bf36ce80687d69caf537ea2a77cd8ef3210fb845256f56b5096efb0f7177 (confirmed)
eb8d20f3241a702409ef153b9f71c3af4e4f4557371265b86f4edd075c36cb91 (confirmed)
fef59f6fc920a7a0ce7f67ec88d7d081a23d5c00aa93a646caa06e0a23bb7639 (confirmed)
fcc252231ec72ef03fb1309f415fb3f39db5f625925d7b01b8f851f33f506342 (confirmed)
f3ccc986dc4922514432440612331e74b1677995258291dd1fb068314e413a75 (confirmed)
f37762bb2199c20d0c5ea0a21774f60bef1fabd7966ee9dc9c67514d5e7ed239 (confirmed)
Domain (59)
pornsee.tv (confirmed)
new.googlecustomservice.com (confirmed)
fuckeryoumm.nmb.bet (confirmed)
googlesoftservice.net (confirmed)
wmi.ns01.us (confirmed)
cdn.uk.igooglefiles.com (confirmed)
facebooknavigation.com (confirmed)
news.aolonline.cc (confirmed)
helpdesk.lnip.org (confirmed)
googlerenewals.net (confirmed)
tmp.googlecustomservice.com (confirmed)
fly.pad62.com (confirmed)
www.googlecustomservice.com (confirmed)
uk.igooglefiles.com (confirmed)
igooglefiles.com (confirmed)
wps.daj8.me (confirmed)
jp.googlerenewals.net (confirmed)
fuckchina.govnb.com (confirmed)
www.uk.igooglefiles.com (confirmed)
ftp.googlecustomservice.com (confirmed)
xn--360tmp-k02m.new.googlecustomservice.com (confirmed)
xn--360tmp-k02m.googlecustomservice.com (confirmed)
wpsup.daj8.me (confirmed)
hk.uk.igooglefiles.com (confirmed)
services.darkhero.org (confirmed)
luckhairs.com (confirmed)
bot.googlecustomservice.com (confirmed)
tools.googleupdateinfo.com (confirmed)
tho.pad62.com (confirmed)
microsafes.no-ip.org (confirmed)
us.igooglefiles.com (confirmed)
cdn.igooglefiles.com (confirmed)
backup.aolonline.cc (confirmed)
www.92al.com (confirmed)
aolonline.cc (confirmed)
us.uk.igooglefiles.com (confirmed)
tcp.wy01.com (confirmed)
tools.daji8.me (confirmed)
uk.uk.igooglefiles.com (confirmed)
101.55.29.17 (confirmed)
kr.942m.com (confirmed)
tank.hja63.com (confirmed)
lead1.uk.igooglefiles.com (confirmed)
xn--360tmp-k02m.www.googlecustomservice.com (confirmed)
tiwwter.net (confirmed)
vnew.googlecustomservice.com (confirmed)
googlecustomservice.com (confirmed)
news.facebooknavigation.com (confirmed)
game.googlecustomservice.com (confirmed)
mess.googlerenewals.net (confirmed)
find2find.com (confirmed)
tho.hja63.com (confirmed)
signup.facebooknavigation.com (confirmed)
news.googlesoftservice.net (confirmed)
a2.fafafazq.com (confirmed)
xn--360tmp-k02m.tmp.googlecustomservice.com (confirmed)
bot.new.googlecustomservice.com (confirmed)
www.trendmicro-update.org (confirmed)
show.uk.igooglefiles.com (confirmed)
MD5 (22)
032a234eda612f8474e8dc97829674e8 (confirmed)
437ea3b450fd1043b20553996c8e9e00 (confirmed)
58c66b3ddbc0df9810119bb688ea8fb0 (confirmed)
159ad2c7a57687363d27c27bc60f6374 (confirmed)
5b2484ad1f74f2c19ff0d29e63c773d8 (confirmed)
937e9a04f082f9f9d5ca6e9a481a8e6f (confirmed)
2f10e8bbdc38a8ff342e38b0f1e9cc52 (confirmed)
0f8fd146ae53c0f0499c8e1ea44d267b (confirmed)
50955f8198bf37025d40a7cdcee7978c (confirmed)
802890514844f6bab0cb2004c52025d6 (confirmed)
a4b2a6883ba0451429df29506a1f6995 (confirmed)
832d56ab2950db6032eda77de2fbe0cd (confirmed)
a49066ad92a47a2744d142e8c5de892e (confirmed)
d10a1967eee1eadcc010dc89dc2b8925 (confirmed)
c7d0ec5b742ee497b9ee536f23586949 (confirmed)
879ce99e253e598a3c156258a9e81457 (confirmed)
e831913787541c94d5d6a25235ce7d84 (confirmed)
b120dab999c4c3edd3628ffca76bc82c (confirmed)
5b1852311cc9f5ccdddf35a9c473ab27 (confirmed)
3086c619b43e5bdd20188ad594de8c41 (confirmed)
3301341e7e769c92aefb07e4bec15ad2 (confirmed)
4ed9366aed62527c69f61de7bb595af6 (confirmed)
IP (13)
67.198.161.252 (confirmed)
174.139.203.18 (confirmed)
67.198.161.251 (confirmed)
174.139.62.61 (confirmed)
174.139.62.60 (confirmed)
174.139.62.58 (confirmed)
174.139.203.22 (confirmed)
160.16.243.129 (confirmed)
67.198.161.250 (confirmed)
61.195.98.245 (confirmed)
174.139.203.34 (confirmed)
174.139.203.20 (confirmed)
174.139.203.27 (confirmed)
URL (1)
http://54.245.195.101/shell.exe (confirmed)