Wednesday 11 September 2013

Chinese Threat Actor Part 7

According to the HTRAN report published by Dell SecureWorks, gxdet.com is one of the command and control domains used by the threat actor.

http://www.secureworks.com/cyber-threat-intelligence/threats/htran/

conn.gxdet.com - 112.64.213.249:443

ddbb.gxdet.com - 112.64.213.249:443

Other subdomains associated with gxdet.com:

*.gxdet.com
bbs.gxdet.com
conn.gxdet.com
db.gxdet.com
ddbb.gxdet.com
home.gxdet.com
info.gxdet.com
mail.gxdet.com
mailsrv.gxdet.com
news.gxdet.com
soft.gxdet.com
sports.gxdet.com
tcp.gxdet.com
tech.gxdet.com
webmail.gxdet.com
www.gxdet.com
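For defenders, the practical use of the indicators above is to sweep DNS and proxy logs for them. The following Python is an added example, not code from the original post or from the Dell SecureWorks report. It takes the indicators exactly as listed (the gxdet.com domain and all of its subdomains, and the 112.64.213.249:443 endpoint) and matches them against constructed log lines; the two log line formats are assumptions made for the example, and the client addresses and timestamps are made up.

```python
"""Sweep DNS and proxy log lines for the gxdet.com C2 indicators.

Added example. The indicators come from the post; the log formats and
the sample log lines below are constructed for the example.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Indicators from the post. The apex domain covers the wildcard
# (*.gxdet.com), so subdomains not in the list are still matched.
C2_DOMAINS = {"gxdet.com"}
C2_ENDPOINTS = {("112.64.213.249", 443)}


def domain_matches(host: str) -> bool:
    """True if host is a C2 apex domain or one of its subdomains.

    Matching is done on whole labels, so 'notgxdet.com' is not a hit
    while 'update.gxdet.com' (not in the published list) is.
    """
    host = host.lower().rstrip(".")
    return any(host == apex or host.endswith("." + apex) for apex in C2_DOMAINS)


def endpoint_matches(ip: str, port: int) -> bool:
    """True if ip:port is a known C2 endpoint (ip normalised first)."""
    try:
        addr = str(ipaddress.ip_address(ip))
    except ValueError:
        return False
    return (addr, port) in C2_ENDPOINTS


# Assumed log formats (not from the post):
#   "<ts> dns query <client> <qname>"
#   "<ts> proxy <client> -> <dst_ip>:<dst_port> <host_header_or_ip>"
DNS_RE = re.compile(r"^(?P<ts>\S+) dns query (?P<client>\S+) (?P<qname>\S+)$")
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) proxy (?P<client>\S+) -> (?P<ip>[\d.]+):(?P<port>\d+) (?P<host>\S+)$"
)


def scan_logs(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit record per log line that touches a C2 indicator."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            if domain_matches(m["qname"]):
                hits.append({"ts": m["ts"], "client": m["client"],
                             "indicator": m["qname"], "kind": "dns"})
            continue
        m = PROXY_RE.match(line)
        if m:
            reasons = []
            if domain_matches(m["host"]):
                reasons.append("domain")
            # A direct-to-IP connection has no hostname to match, so the
            # endpoint check is what catches it.
            if endpoint_matches(m["ip"], int(m["port"])):
                reasons.append("endpoint")
            if reasons:
                hits.append({"ts": m["ts"], "client": m["client"],
                             "indicator": f'{m["ip"]}:{m["port"]} {m["host"]}',
                             "kind": "+".join(reasons)})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    "2013-09-11T10:00:01Z dns query 10.0.0.5 conn.gxdet.com",
    "2013-09-11T10:00:02Z proxy 10.0.0.5 -> 112.64.213.249:443 conn.gxdet.com",
    "2013-09-11T10:00:03Z dns query 10.0.0.7 www.example.com",
    "2013-09-11T10:00:04Z dns query 10.0.0.8 notgxdet.com",
    "2013-09-11T10:00:05Z dns query 10.0.0.9 update.gxdet.com",
    "2013-09-11T10:00:06Z proxy 10.0.0.9 -> 112.64.213.249:443 203.0.113.10",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```

Matching on whole labels is the point worth copying into any indicator list: a naive substring test on "gxdet.com" would also flag unrelated lookalike names, and a test only on the published subdomains would miss the wildcard the post records.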

WHOIS

Domain:    gxdet.com - Whois History
Cache Date:    2010-02-11
Registrar:    ENOM, INC.
Server:    whois.enom.com
Created:    2008-07-14
Updated:    2008-07-18
Expires:    2010-07-14

Reverse Whois (email addresses found in this record): xixipai@hotmail.com, 20051xue@sina.com

Registration Service Provided By: Chinese DQ Network Tech Corp.
Contact: xixipai@hotmail.com
Domain name: gxdet.com

Registrant Contact:
   Zhang san
   Zhang San ()
      Fax:
   beijing
   beijing, Beijing 100000
   CN

Administrative Contact:
   Zhang san
   Zhang San (20051xue@sina.com)
   +86.1033333333
   Fax: +86.1044444444
   beijing
   beijing, Beijing 100000
   CN

Technical Contact:
   Zhang san
   Zhang San (20051xue@sina.com)
   +86.1033333333
   Fax: +86.1044444444
   beijing
   beijing, Beijing 100000
   CN

Status: Locked

Name Servers:

   dns1.name-services.com
   dns2.name-services.com
   dns3.name-services.com
   dns4.name-services.com
   dns5.name-services.com

In March 2010 the threat actor noticed his mistake of having used his personal email address for the domain registration, and changed the registrant email to henfinder@gmail.com.

July 2008 - Feb 2010: Zhang San (20051xue@sina.com)

Mar 2010 - July 2010: Tom Hanson (henfinder@gmail.com)

Actor Attribution

The Sina email address 20051xue@sina.com is also the registration email of a Sina community account, from which the registrant posted on a tech forum, on Sina Video, on an astrology forum and finally on a microblog where he posted his picture.

http://blog.sina.com.cn/u/1145193935

http://club.tech.sina.com.cn/default.php?s=user&a=profile&uid=1145193935

Sina Video

http://club.astro.sina.com.cn/thread-171861-1-1.html

20051xue (Newbie), post #39, joined 2005-03-08, posted 2005-07-26 11:31:

Of course! This sign thing is not supposed to count, but every time I look it up it has never really been wrong. Anyway, my wife is a Leo (818) and I am a Capricorn (107); we have been married four years and are so loving that we almost never fight. Everyone in the compound where I live recognizes that we are the most loving couple.

The most interesting part is his personal Weibo page, where he states that he is an alumnus of Tsinghua University (and follows the university's account), was born on Jan 7, 1974 (Capricorn) and lives in Haidian District, Beijing.

http://weibo.com/1145193935/

Basic information

Nickname: Riding a white deer to visit the mountains
Location: Haidian District, Beijing
Gender: Male
Birthday: January 7, 1974 (Capricorn)

Job information: (none given)

Education information: Tsinghua University

20051xue uses a Samsung Galaxy S III Android phone, and he posted a picture of his daughter. The geolocation embedded in the picture was Han Jiachuan Road, Haidian District, Beijing.

He also posted a picture of himself in the album.