
APT2 (0ca45163-e223-4167-b1af-f088ed14a93d)

Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| APT2 (0ca45163-e223-4167-b1af-f088ed14a93d) | Threat Actor | Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | 1 |
| Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | pngdowner - S0067 (800bdfba-6d66-480f-9f45-15845c05cb5d) | Malware | 2 |
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | 2 |
| Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | 2 |
| Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | 3PARA RAT - S0066 (7bec698a-7e20-4fd3-bb6a-12787770fb1a) | Malware | 2 |
| Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | 2 |
| httpclient - S0068 (e8268361-a599-4e45-bd3f-71c8c7e700c0) | Malware | Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | 2 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | 2 |
| Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | 4H RAT - S0065 (8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc) | Malware | 2 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | pngdowner - S0067 (800bdfba-6d66-480f-9f45-15845c05cb5d) | Malware | 3 |
| pngdowner (fb4313ea-1fb6-4766-8b5c-b41fd347e4c5) | Malpedia | pngdowner - S0067 (800bdfba-6d66-480f-9f45-15845c05cb5d) | Malware | 3 |
| Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | pngdowner - S0067 (800bdfba-6d66-480f-9f45-15845c05cb5d) | Malware | 3 |
| pngdowner - S0067 (800bdfba-6d66-480f-9f45-15845c05cb5d) | Malware | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 3 |
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 3 |
| Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 3 |
| Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) | Attack Pattern | 3PARA RAT - S0066 (7bec698a-7e20-4fd3-bb6a-12787770fb1a) | Malware | 3 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 3PARA RAT - S0066 (7bec698a-7e20-4fd3-bb6a-12787770fb1a) | Malware | 3 |
| 3PARA RAT - S0066 (7bec698a-7e20-4fd3-bb6a-12787770fb1a) | Malware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 3 |
| 3PARA RAT (59fb0222-0e7d-4f5f-92ac-e68012fb927d) | RAT | 3PARA RAT - S0066 (7bec698a-7e20-4fd3-bb6a-12787770fb1a) | Malware | 3 |
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 3PARA RAT - S0066 (7bec698a-7e20-4fd3-bb6a-12787770fb1a) | Malware | 3 |
| Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 3 |
| httpclient - S0068 (e8268361-a599-4e45-bd3f-71c8c7e700c0) | Malware | Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 3 |
| httpclient - S0068 (e8268361-a599-4e45-bd3f-71c8c7e700c0) | Malware | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 3 |
| httpclient - S0068 (e8268361-a599-4e45-bd3f-71c8c7e700c0) | Malware | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 3 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 3 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 4H RAT - S0065 (8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc) | Malware | 3 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | 4H RAT - S0065 (8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc) | Malware | 3 |
| 4H RAT - S0065 (8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc) | Malware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 3 |
| 4H RAT - S0065 (8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc) | Malware | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 3 |
| 4H RAT - S0065 (8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc) | Malware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 3 |
| 4H RAT - S0065 (8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc) | Malware | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 3 |
| 4H RAT - S0065 (8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc) | Malware | 4H RAT (d8aad68d-a68f-42e1-b755-d5f383b73401) | RAT | 3 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 4 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | 4 |
| Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 4 |
| Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 4 |
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | 4 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 4 |