PULSE NAME
menuPass Returns with New Malware and New Attacks
WHITE Stone Panda AlienVault 2017-02-21 Modified: 2017-06-14
From September through November 2016, an APT campaign known as “menuPass” targeted Japanese academics working in several areas of science, along with Japanese pharmaceutical organizations and a US-based subsidiary of a Japanese manufacturing organization. In addition to PlugX and Poison Ivy (PIVY), both known to be used by the group, the attackers also used a new Trojan named “ChChes” by the Japan Computer Emergency Response Team Coordination Center (JPCERT). In contrast to PlugX and PIVY, which are used by multiple campaigns, ChChes appears to be unique to this group. An analysis of the malware family can be found later in this blog.
Indicators of Compromise (40 / 71 total)