technical-indicators

# REFERENCE 
-----------------------
## Blog post: 
https://s1.ai/shadowpad


# TECHNICAL INDICATORS
-----------------------
## SHA256, File:

c602456fae02510ff182b45d4ffb69ee6aae11667460001241685807db2e29c3
ShadowPad
fb17b3886685887aeb8f7c3496c6f7ef06702ec1232567278286c2f8ec4351bb
ShadowPad
8065da4300e12e95b45e64ff8493d9401db1ea61be85e74f74a73b366283f27e
ShadowPad
5f1a21940be9f78a5782879ad54600bd67bfcd4d32085db7a3e8a88292db26cc
ShadowPad
aef610b66b9efd1fa916a38f8ffea8b988c20c5deebf4db83b6be63f7ada2cc0
ShadowPad
83025b94d64e778d9ab800152b239ddc5b19074779d164af89da564367f8aee0
ShadowPad
8504c06360f82b01b27aa1c484455e8a6ce9c332d38fe841325521d249514bfa
ShadowPad
7054683604a06df1ae15b29d860474f7b639bb9080f4a26c6c051f6c87bd6ac4
ShadowPad
284c664b4baff90444c4ed96cfcb4ef6d26cc7aedc46c1e996c359ecea95f697
ShadowPad
bf3de88459f85ddd85245e3f1ce3bba6568919bbe46a808ad5d94d5415014926
ShadowPad
4557e923602730aab7718b61eeaf3a93edd0339a3c89c8f7061b9818c2df5203
ShadowPad
d0893b19257877191499d369fd59d1887c33dca69824b1b50ca55b1db3ae15c7
ShadowPad
d48e671df571b76ee94c734bdd5272e12fcd1362f1d75138ff547bc2bc0c31ef
ShadowPad
0942f4a488899d5d78b31a0065e49c8689ccda88efc28186e29ee76861ba99da
ShadowPad
2e07d66155987216dc8cc095b48dd971415f0da261b5b26c58a0e3d34f446038
ShadowPad
9c28c1b2ff0a84c8b667f128626f28b173feb07481192e214b5a29b98964a7f9
ShadowPad
111b30c3808f316714ac480de1f5380814a253605b0ca489b3f4c24092f1b743
ShadowPad
be7b1f7f0b73b77fc8fe4c109ae5a675cc9f3f6c16d3a1d7b2a9c6ba5a52ef9a
ShadowPad
2edbe906df45a3e5bea9e0bce4e37d4e3c5cca303bca65d6a27e55a69b66d6fd
ShadowPad
831212d40c5120824508a645e54bf1b86f3be0cd19f87b8067e8b2fdea5c844e
ShadowPad
2c2b1d9b34df9364fd91a6551890b0fdc58a7e681713c682221a674d1116089a
ShadowPad
6625fd9f5c8a0d02858fbc160357989c29b9e9f75d3da4f33072bdb4c235fc9b
ShadowPad
a23bee7a0cc8f66c8aa85ef6e7f5e945bd1196aef486f8ededb410d57172bef6
ShadowPad
184c82fec8602f31f8c90727215b324de154154e6cac6d306c57a8fbd987e2db
ShadowPad
2a54577ad030472d6f0655297bb151501066e04cad6382b932ef689314e9f889
ShadowPad
3266f295e736ef46a627c1f708ecc0b19f099023f4c75a0ca912f09760c52623
ShadowPad
1818fdbef2f202d64135f61ce34986307d0ab314f2b2be531c63f254051e67f6
ShadowPad
2c86b21b2bcab21a09e0963a9f2e67ddefd7ff78838ef5a7d4be32715946adad
ShadowPad
a26979768fe16ba99bff4dbf66d5b157dbe9025764a98349a75c9fb15c60c9c6
ShadowPad
60a55d7eba045a6a4580dfbc9994c46a57ba5231267310e3cd271339588d931b
ShadowPad
97e79b215302cb9ecbe678c94ffd0d341440c30a5bd837f611ed4ac1f3be1e9e
ShadowPad
0c71fa8bc17b45502e3a0ad8d227576e5f206796b52df7ae5b0a09dc3df101d8
ShadowPad
31c0851389b6ef711fb03bf414818c81202ce9e93928e27811c5416045e04141
ShadowPad
8985091a2267b983f90402ebcfa385968f6df463bc8792441697b498b38d5589
ShadowPad
65bda66fb6e9a103273a22a03bcb83cd69806a50a524e405aa1be1d59699f5f1
ShadowPad
a77b04b1c809c837eafaa44b8457c230fdddd680c88990035439fc9ed2493804
ShadowPad
b238326c565ebdc89f81dfbf56520c9f62c07bc8a01fb06a66bd2a877859e7ba
ShadowPad
e5fe6c5aa57ec6f155c18860586f9113e90a5282a6ad58f5e72f108fcd6134c7
ShadowPad
c7958d9a05e1855ef78018fc802d49651d3b710765c2f749a66346886ba80df6
ShadowPad
fabc560816c6a19e5dda58dedb882bfc1135a01e7c4cfca41a5fd7415254f62f
ShadowPad
d98a7d077089656bd122ffe3a2ea637d75808e0f2ae476b1f90d05de3df76fa0
ShadowPad
68cd2b7ce57ec19684abc578a8be97efdaa4630d9d59f76bbd8543e48150009f
ShadowPad
0694b19035232ba8cbc0a990f582d153b28165e4ad9dc9a3a50eef8e9dedeb1c
ShadowPad
2e6ef72d05b395224a03a73a50eaee1c9dc682976c99dde5317b76938cb669a4
ShadowPad
244e22147cc1e37543159a95cf4674a61f290af305c1c1e37b69c45b444f9097
ShadowPad
73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2
ShadowPad
08d6bfe8a1ff1043df4aebfbb7d074de0923a665a7e8134fd702ee45454304f5
ShadowPad
bdd760d3a8fbff322adad4a9d903daae9544e3c73264650bf60b3fa9a69ac425
ShadowPad
2e0d7536e0f594daba62208cc70b250304632ce81f5edff02cb49714610f4753
ShadowPad
63a74b66685fb94d685cfdfadd10917c805239ea079b9431bb5e9c8a58e0ea4b
ShadowPad
319a06a39e5a1394710ec917f281a546d850386e80fdb56238456b68d5207a99
ShadowPad
fc117650688065deeb54e686f873359c2a56d23165567ab3f2a3b62498199fa9
ShadowPad
cd800542994ba71f92c151261462a7d6e1b004f8b3cffa8a62777ad7c9e2dd84
ShadowPad
9f9d96e99cef99cbfe8d02899919a7f7220f2273bb36a084642f492dd3e473da
ShadowPad
3ff1cf65dff231f05bd54df3fecad2545b159094ce59ce4bf4c668c904d2a5d7
ShadowPad
cfb67f1ab07279536c446c5bc4dfe8b9a3553594f3c18f12eac0a019adbdb5e5
ShadowPad
f0eed9e7aea91ee09ef8a2d9ff6d0584095956b5628458ac37da66342a686ebc
ShadowPad
6c06abb93084ad8c43e9f1661261904a0d6a610ca593bfca9e764920fbdf3678
ShadowPad
18d01a2742b1ffaea457b9a177d593a9acdacfc73bbcf9d87cae90a254f559ed
ShadowPad
37be65842e3fc72a5ceccdc3d7784a96d3ca6c693d84ed99501f303637f9301a
ShadowPad
2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
ShadowPad
5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90
ShadowPad
9439dee1dd20edd96bfa3908cda3bf49cb0e50f2a471f5657a2e974508acaca4
ShadowPad
ef0f5b39948bc1df8a56066a5f69debc609bb81a64bc30f25ee882e1a2470429
ShadowPad
f7231082241d9e332b45307e180f20e11041f59196715749c6a79a8be17fcdc0
ShadowPad
ec801e3baa02c7ad36a9b06512ac106d30ab3a2207a7cb1e543fbd076995d43d
ShadowPad
cbf31542df2568474ccabf36843253713623873294f3521661f88ccf8c859eca
ShadowPad
74224f3f82a1234efe68b97a0f30d5a8126ffa349a59eb8e91cca4792a0e04ca
ShadowPad
6ea1fd3511b0f78e56568921b2cb24aa363db1daa8c284778e24502376fdd693
ShadowPad
7b2dce42a19ae0612adea668ab1261c8cf31aab6c7da9948d478a45d0172292f
ShadowPad
85b0ada2836c76cc49b886dfe59d950a073e9d6d761581075bf904238306e8c4
ShadowPad
79f0e0a0f9c79a9206b9c2af222f026c384d3e0d761b0b42815453991bc05294
ShadowPad
735e2a00695e17687fb7638c9e1e04f3de9d7c2969375b1de0d1751a9b64522c
ShadowPad
021858a878b8cb20b031817229e25b07daffd43be259df7f1bebde694a84f84d
ShadowPad
19c56de63092cb738317dfa55fbcfbada414582e388199d6e421384aefcc48d5
ShadowPad
1ea45a2c4e3d6d05d520f808d494f01ff53dc66174b7b57071f571bd00dde609
ShadowPad
0055dfaccc952c99b1171ce431a02abfce5c6f8fb5dc39e4019b624a7d03bfcb
ShadowPad
eced97254f1ece17f3c8b6c1b4d34db13524f20600cd4234f36646e3cf2ed940
ShadowPad
eedeca88eb4cc1f180bbbe30b8997b68fa909c6e9f134a6c113bf9e3d12df47e
ShadowPad
6d41ec99b441408f29531d203818c93bb107f49b64bec9458d8bf3d11e542917
ShadowPad
f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661
ShadowPad
f0854ec2496f9b4c634040bfac7381d6bc9926e9e89dc097b4684f73e1f6d9b3
ShadowPad
dd334b5c0dac76ae2ba0ff518d1f57a0954b326f9c165bb2780a754845473b75
ShadowPad
0b97a766316e814088c5ae7bc7558fac7ee1983d7e58b31988c794ced6ebb57e
ShadowPad
01adadb8bbd5e478e89e2ee2f7dedc75f5892025e6f54d96713dd33328887e43
ShadowPad
d9438cd2cdc83e8efad7b0c9a825466efea709335b63d6181dfdc57fb1f4a4e3
ShadowPad
ac6938e03f2a076152ee4ce23a39a0bfcd676e4f0b031574d442b6e2df532646
ShadowPad
d1cc1abbaa8d59d35d0a2d41d5644e2e449168feac4e6aa2abf1adeb58f0b30d
ShadowPad
3d53738ecd5a86847638c9ccdcb810031f2197f906e70067da06431dfa5850dc
ShadowPad
8e945739511059081549d2f6a09000e4f6331d055944a31019fe390fd37494a0
ShadowPad
c5f5d460546a73b5c2b22b8fb1a771e4bdc3c0df1ecec5f9375d9b47c45e5723
ShadowPad
cff3c1eed79adc859a3875a44dfe7b06c457a56d483d8b538b54d7874d53412e
ShadowPad
30a3d5dcc4eb66f558ccfa14de3e3ff0305693e1151f5e261be50b2cd8629250
ShadowPad
b0616a4fe817ee0cf0242d11b0c2da063bfecda8fd01bcc475d9196beed099d7
ShadowPad
cf5ecbec82bc4f5b40910fa0fba0d5eb8fd5b581122ebea3be0b95ba6d117d77
ShadowPad
9984d5b554b8dbfeffdb374e1c8eaf74af7109a0e6b924b00ad5b878d0188895
ShadowPad
397d44baf61789f21105b24def8b6c1a492db7e66714b05ce9fb3c25f693591d
ShadowPad
b5331eea1d13abaa13cdb56f0bb1fccdd335b8223a09f8eff3f68ef655568fa9
ShadowPad
a8eddbc68d7af544d9d8671ccac13c6ab5686fe6cd26ffc72420636a813ca4de
ShadowPad
cd45c541a375bd9db1b1243f729fdaf916941d417ced530861f33fa098bc5936
ShadowPad installer
138686d03d81c30d36c7ebee9018a5f2e6641d804d226d21243aea4635ab9a69
ShadowPad installer
bb28528e76649fb72e069b15a76f7c6ef520ae727408b3439856880a4488aa1f
ShadowPad installer
98b2732902387948c4b2ee4346b2a3f9d0fe588b886c89fe75c720f38a9e434d
ShadowPad installer
60fc4f0bf2fba3052e74ae714df061ea77383325c646b1c1c8e59b45ee2fe3eb
ShadowPad installer
e4ac9f5e4ab6b324e4dbb70feff4a17351c29ebce637d39d5a5197f07dd02b18
ShadowPad installer
711f4eee0e9bf954d5b9e5916f59c815a062d6d31ba2e1935b8ddf4f9f40902e
ShadowPad installer
2186eaf4533d9d0339e7e3709e08e27a06c0e1eb0af5f2f19be8a1d684612afb
ShadowPad installer
c0d2aaf266866900552c681ce63bfd4a3b09442a7742d7f20dcdbdd3ec9763aa
ShadowPad installer
03b7b511716c074e9f6ef37318638337fd7449897be999505d4a3219572829b4
ShadowPad installer
92d224568617795959723e2cc22d6e244d225c2210758f08965d5844f24feed8
log.dll loader
56e2d6e518b61fdb31e9b4bd405976522599858b538310047117ebce9191e03b
log.dll loader
a8e5a1b15d42c4da97e23f5eb4a0adfd29674844ce906a86fa3554fc7e58d553
log.dll loader
531e54c055838f281d19fed674dbc339c13e21c71b6641c23d8333f6277f28c0
log.dll loader
e93a9e59ee2c1a18cee75eedcbe968ed552d5c62ec6546c8a1c1f1ae2019844e
log.dll loader
5a151aa75fbfc144cb48595a86e7b0ae0ad18d2630192773ff688ae1f42989b7
log.dll loader
c72436969d708905901ac294d835abb1c4513f8f26cb16c060d2fd902e1d5760
log.dll loader
e4fdb279a4792ad516592076ce9a6a40c803af84bcc2e2e4f9ee48df6af9e88b
Whitebird
f45c6f8695fbc6e537cea15142f062a0d21c4a556c5fc1f7a2f3ee661b036ffc
Whitebird
3b2e7a5419ad947cf04248446515b0a7c30ef3f4141c64c242343c5730cfa565
Whitebird
851010b875a2ae5c68e85c7d549082539e427b0e9f0c5efef92e1396c6d8a0ae
Whitebird
11f38b6a69978dad95c9b1479db9a8729ca57329855998bd41befc364657d654
Icefog
4cea56dc6b700d4b169c70c960deccab060f76b7d348c0f68a6bd4930de662f0
PoshC2
23dfce597a6afef4a1fffd0e7cf89eba31f964f3eabcec1545317efeb25082ed
FunnySwitch
fb0fdd18922977263f78becdedddab7a03c8de16a5431c7b4602e5be13110fa3
FunnySwitch
b45baac2ae9c5fdfbf56131451962826a95d56f641af8ca1b74738c2eb939a76
FunnySwitch
86100e3efa14a6805a33b2ed24234ac73e094c84cf4282426192607fb8810961
CrossWalk
9e27f110fc824d8b85855538c3320e8ea436e82737d686fcecb512b6f872e172
CrossWalk
a92c840286962b4049d6f514bea4d25491dc0b419af50c519dd5a95e45401999
PCShare
0fc362215293b5a264c9a523b5ba6c32afcb0c4ffe86e64aa8a2635cfc291a61
PCShare
4c6a45d08cb649b5486d9719634f903b3561e7820eda31bd50d811a01bd3481b
PCShare
b668f9e213282cd1b941ab8d6dd5f3dd3266011ae16c0795ca86d12a57c095cc
PCShare
425d2a6416a59943428e8727d2ad6247eb8342c35c4bd1d5b80df25d6fbcae94
PCShare
e2f25dd460306f49e7f45f982df7e8ea08b955ed16639f24a2e45c125ac9e3ea
PCShare
9f9fde45784f93c18ea998d90aa6791905c81061d974416dd722071fbd54688e
PCShare
5802823e50e9aca0d765fa198383f74ca18859b1181cfc3f72f62667bca67dc2
PCShare
da28f7b3fb4bb157ad5b374a39644527bc125a2b06f7946f36acfcf16754fe87
PCShare
7b2ee37915d9e4325d5372a9524b543919c3698abf735e0c61e0e5cdb81f0cc8
Spyder
3235e64e6bd9e0d6fd152859a258fed7fe189eca7539a335a6e9f2833fe34820
Spyder
38051b399f29a0c39c22668d62c110a5bb8ffbc8d0ef4b59aca13e8d6c18d2eb
Spyder
60e20c926a37535af2dd7af42366791a2c25bb444b2148afef247a7feef98631
Spyder
9061f16b2213a4278838416199d0b6839a92d9673477dd24ed119be297792d8e
Spyder
d49b9e94187add8acf9c64583aa313c198f070e2b1f8ca335a21024e6d33f161
Spyder
7d80715c889029c2926ec76f991e999ec71063c657eb6912cff302737c5549ca
Spyder
4cfb1243e8b9e64424f3de3d2144ee512dadd07ba921e0ced38e58e836347c7e
Spyder
1496d62ba1b6fd6cfb85546fbfab57f75b0b3c6915dcce22cfaea9c51a9bd85e
Spyder

## COMMAND & CONTROL

### ShadowPad C&C Servers - IP addresses:
1.56.32[.]13
101.78.177[.]244
103.19.3[.]17
103.19.3[.]43
103.19.3[.]44
103.243.181[.]105
103.255.179[.]186
112.121.178[.]90
114.67.230[.]197
117.16.142[.]35
117.16.142[.]9
118.31.3[.]116
125.65.40[.]163
128.14.173[.]60
129.211.135[.]27
154.202.198[.]246
154.223.179[.]14
172.104.43[.]172
172.193.44[.]8
172.197.18[.]30
172.200.21[.]190
172.200.21[.]83
172.209.2[.]254
172.216.17[.]254
178.209.42[.]117
207.148.98[.]61
218.253.85[.]247
220.231.208[.]212
220.231.209[.]192
23.236.77[.]175
23.236.77[.]177
43.240.127[.]171
45.76.220[.]137
61.172.235[.]23
61.172.253[.]16
61.172.253[.]36
61.172.253[.]9
80.0.49[.]209

### ShadowPad C&C Servers - domains:

6czumi0fbg.symantecupd[.]com
account.heatidc[.]com
addpaper.freeddns[.]com
ashcrack.freetcp[.]com
b.gnisoft[.]com
bguha.serveuser[.]com
billing.epac[.]to
cigy2jft92.kasprsky[.]info
connecter.publicvm[.]com
cpanel.htecnews[.]net
deadsec[.]tw
dns-c.ahnlabin[.]com
dnsgogle[.]com
dprouds.casacam[.]net
email_gov_mn.pop-corps[.]com
exat.dnset[.]com
fackb00k2us.dynamic-dns[.]net
filename.onedumb[.]com
forums.tripmerry[.]com
giga.gnisoft[.]com
goods.kankuedu[.]org
ias.goog1eweb[.]com
indialifeshop[.]com
info.kavalabonline[.]com
ixrails[.]com
lab.symantecsafe[.]org
microsoft_update.pop-corps[.]com
mynews.myftp[.]biz
news.tibetonline[.]info
notped[.]com
paniesx[.]com
phonebook.casacam[.]net
platform.freetcp[.]com
queryinfo.mrbonus[.]com
secupdate.kozow[.]com
soft.mssysinfo[.]xyz
ssl.ahnlabinc[.]com
ssl2.ahnlabinc[.]com
svn-dns.ahnlabinc[.]com
techniciantext[.]com
ttareyice.jkub[.]com
unaecry.zzux[.]com
update.ilastname[.]com
updateinfo.kozow[.]com
video.rtechs[.]org
vsmrcil.casacam[.]net
widesea.zyns[.]com
www.cloudvn[.]info
www.ertufg[.]com
www.facebook2us.dynamic-dns[.]net
www.ncdle[.]net
www.nmbthg[.]com
www.officescan_update.mypop3[.]org
www.operatingbox[.]com
www.pneword[.]net
www.trendupdate.dns05[.]com
www.wizardprocessor[.]com
www.yandex2unitedstated.dns04[.]com
www.yandex2us.dns04[.]com

Whitebird C&C Servers:
pracute.camdvr[.]org
inbsnl.ddns[.]info
indian.mefound[.]com
lexuz.x24hr[.]com

IceFog C&C Server:
trendiis.sixth[.]biz

PoshC2 C&C Server:
my.kankuedu[.]org

FunnySwitch C&C Servers:
7hln9yr3y6.symantecupd[.]com
db311secsd.kasprsky[.]info

CrossWalk C&C Servers:
d89o0gm35t.livehost[.]live

PCShare C&C Servers:
locker.camdvr[.]org
chock.mywire[.]org

Spyder C&C Servers:
SIDC.everywebsite[.]us
SNOC.hostingupdate[.]club
wntc.livehost[.]live
hccadkml89.dnslookup[.]services
koran.junlper[.]com
nted.tg9f6zwkx[.]icu

SHA1 of Certificates on some of Tick’s C&C servers:
0a71519f5549b21510410cdf4a85701489676ddb
2d2d79c478e92a7de25e661ff1a68de0833b9d9b

SHA1 of Certificates on some of the servers used by Operation RedKanku:
b41948daacd4c081a58a14aa51c37af21738447b

SHA1 of Certificates on some of the servers used by Fishmonger:
89edcffc66eda3aeb75e140816702f9ac73a75f0


## MITRE ATT&CK - OBSERVED TTPs:

Privilege Escalation
T1055 - Process Injection
ShadowPad has injected an install module into a newly created process.

Privilege Escalation
T1055.001 - Dynamic-link Library Injection
ShadowPad has injected a DLL into svchost.exe.

Defense Evasion
T1027 - Obfuscated Files or Information
ShadowPad has encrypted a virtual file system and various files.

Defense Evasion
T1070 - Indicator Removal on Host
ShadowPad has deleted arbitrary Registry values.

Defense Evasion
T1112 - Modify Registry
ShadowPad maintains a configuration block and virtual file system in the Registry.

Discovery
T1016 - System Network Configuration Discovery
ShadowPad has collected the domain name of the victim system.

Discovery
T1033 - System Owner/User Discovery
ShadowPad has collected the username of the victim system.

Discovery
T1057 - Process Discovery
ShadowPad has collected the PID of a malicious process.

Discovery
T1082 - System Information Discovery
ShadowPad has discovered system information including memory status, CPU frequency, OS versions, and volume serial numbers.

Discovery
T1124 - System Time Discovery
ShadowPad has collected the current date and time of the victim system.

Command and Control
T1071.001 - Application Layer Protocol: Web Protocols
ShadowPad communicates over HTTP to retrieve a string that is decoded into a C2 server URL.

Command and Control
T1071.002 - Application Layer Protocol: File Transfer Protocols
ShadowPad has used FTP for C2 communications.

Command and Control
T1071.004 - Application Layer Protocol: DNS
ShadowPad has used DNS tunneling for C2 communications.

Command and Control
T1095 - Non-Application Layer Protocol
ShadowPad has used UDP for C2 communications.

Command and Control
T1105 - Ingress Tool Transfer
ShadowPad has downloaded code from a C2 server.

Command and Control
T1132.002 - Data Encoding: Non-Standard Encoding
ShadowPad has encoded data as readable Latin characters.

Command and Control
T1140 - Deobfuscate/Decode Files or Information
ShadowPad has decrypted a binary blob to start execution.

Command and Control
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
ShadowPad uses a DGA that is based on the day of the month for C2 servers.

Exfiltration
T1029 - Scheduled Transfer
ShadowPad has sent data back to C2 every 8 hours.