Friday 2 March 2012

Chinese Threat Actor Part 3


Sin Digoo Identified

Another email mentioned in Joe's blog was jeno_1980@hotmail.com, which is linked to xxgchappy@vip.sina.com.





Espionage Domains

Malware reported on umu1.echosky.biz


Malware reported on www.dellpc.us - December 2007



BlackHat Domains

An archived copy of socialup.net reveals the ICQ details of Jeno, aka Tawnya, aka xxgchappy.

http://web.archive.org/web/20100106025256/http://www.socialup.net/contacts.php

ICQ 567950703



Searching for this ICQ number leads to a BlackHatWorld profile with the handle "xxgchappy" and the domain makewithmoney.com.

Domain name: makewithmoney.com

Creation date: 18 Nov 2009 02:17:06

Expiration date: 18 Nov 2010 02:17:06

Registrant Contact:
personal
eric charles ()

Fax:
Santa Cruz 1156 High Street
california, california 95064
US

Administrative Contact:
personal
eric charles (jeno_1980@hotmail.com)
+1.831459019
Fax: +1.831459019
Santa Cruz 1156 High Street
california, california 95064
US



Twitter

https://twitter.com/leedoctor




http://www.blackhatworld.com/blackhat-seo/members/73099-xxgchappy.html



http://www.v7n.com/forums/social-networking/161752-wts-cheap-digg-service-0-1-per-digg.html


Jeno promoted his socialup.net service on Chinese forums.





The profile lists www.hnsj.org as his website.





Whois record of hnsj.org

Domain ID:D155737903-LROR
Domain Name:HNSJ.ORG
Created On:27-Mar-2009 10:10:58 UTC
Last Updated On:04-Apr-2010 05:17:20 UTC
Expiration Date:27-Mar-2011 10:10:58 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:OK
Registrant ID:f1f613654acc4737
Registrant Name:eric charles
Registrant Organization:personal
Registrant Street1:Santa Cruz 1156 High Street
Registrant Street2:
Registrant Street3:
Registrant City:california
Registrant State/Province:State
Registrant Postal Code:95064
Registrant Country:YE
Registrant Phone:+1.831459019
Registrant Phone Ext.:
Registrant FAX:+1.831459019
Registrant FAX Ext.:
Registrant Email:jeno_1980@hotmail.com


Personal Domains

A search on hnsj.org revealed some interesting information: the domain is related to mobile phone sales, and the company name is Henan Mobile Network.




Archive

http://web.archive.org/web/20100109050932/http://www.hnsj.org/article.php?id=4




QQ number 55356626 is posted as the contact on HNSJ.ORG.



xxgchappy promoted hnsj.org on his Baidu blog.

http://hi.baidu.com/%BA%D3%C4%CF%CA%D6%BB%FA%CD%F8/home






His Baidu profile gives further details.

http://passport.baidu.com/?business&aid=6&un=xxgchappy#0


A further search reveals other QQ and phone contacts.

http://bbs.shangdu.com/t/20080831/01004001126/126-1.htm

A 2008 post:

Huihui Digital Flagship Store (慧慧数码旗舰店)

http://shop36037986.taobao.com (the shop no longer exists)

Specialising in all kinds of smartphones
Famous Taobao store, Diamond reputation, hot seller nationwide
Guaranteed original; if not original, 50 compensation for distress plus a full refund.
百脑汇 (Buynow) 2nd floor, 2B16
QQ: 55356626
Wangwang (Taobao messenger): 慧慧数码旗舰店
13949001667
Our expertise is worthy of your trust.

Phone number 13949001667 (a mobile GSM number) is allocated to Zhengzhou City, Henan Province, and the name given here is Zhang.

http://www.hahait.com/h41328



Company Name: Henan phone network
Tel: 0371-66900779
Company Address: Longhai Road, No. 188 Central Plains Communications Digital City A420
Contact: Mr. Zhang
Fax:
E-mail:
Company QQ: 878972156, 390363752, 55356626
Website: http://www.hahait.com/41328
Scope of business: Phone Samsung LG Nokia

QQ 878972156

QQ 390363752

QQ 55356626


The QQ number is also linked to posts on a car forum dated 2005.

http://www.xcar.com.cn/bbs/viewthread.php?tid=6300657

http://www.xcar.com.cn/bbs/viewthread.php?tid=1576356

Xcar ID: Jeno
Little Lion 1.6 xmt
Plate number: 豫ADB922
Mobile: 13513899779


Whois record of XIUXING.INFO

Domain ID:D13719670-LRMS
Domain Name:XIUXING.INFO
Created On:09-Jun-2006 06:16:29 UTC
Last Updated On:29-May-2007 01:13:12 UTC
Expiration Date:09-Jun-2009 06:16:29 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:OK
Registrant ID:49A2353365A0954B
Registrant Name:tawnya grilth
Registrant Organization:i-tobuy.com
Registrant Street1:po box 211
Registrant Street2:
Registrant Street3:
Registrant City:sin digoo
Registrant State/Province:ca
Registrant Postal Code:92101
Registrant Country:US
Registrant Phone:+1.818926523
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:jeno_1980@hotmail.com


xiuxing.info is a forum related to Buddhism.



Jeno mentions his Buddhism website on his profile, alongside the same QQ number used on hnsj.org.






Tawnya Grilth aka Eric Charles aka xxgchappy aka Jeno aka undercurrent


Personal Details

QQ number 55356626 Profile




The personal email xxgchappy@vip.sina.com also appears on a shellcode article written by Jeno in 2003 for Xfocus, a well-known Chinese hacking forum.




Source: http://www.xfocus.net
Created: 2003-08-31
Article type: original
Submitted by: jeno (xxgchappy_at_vip.sina.com)

Author: jeno
Email: jeno@vip.371.net
Time: 2003-8-31

Xfocus Profile

https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=35525


DOB 1980-10-1

The name Jeno and the 1980 date of birth together account for the email jeno_1980@hotmail.com, which is used as the registrant email.


Kaixin001 Chinese Social Network

xxgchappy@vip.sina.com is the email registered on an account at the Chinese social network Kaixin001.

http://www.kaixin001.com/home/17206761.html


Personal details mentioned on the Kaixin profile:

Name - 张长河 Zhang Chang-he

Living in Zhengzhou, Henan Province, China.


QQ number 55356626 leads to a personal blog that reveals his picture.

http://55356626.qzone.qq.com



Conclusion

Jeno registered all the domains associated with the espionage activity, and considering his Xfocus and rootkit.com profiles we can zero in on Jeno himself, or at least conclude that he is in some way associated with the group.

 
Update 16 Feb 2013

http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-unmasked


Journal articles published by Zhang Chang-he (2005-2011)

http://www.cnki.net/KCMS/detail/search.aspx?dbcode=CJFQ&sfield=au&skey=%E5%BC%A0%E9%95%BF%E6%B2%B3&code=22840348;20139954;21141875;




Windows Rootkit

http://www.cnki.net/KCMS/detail/detail.aspx?QueryID=5&CurRec=2&recid=&filename=XXGC200702023&dbname=cjfd2007&dbcode=CJFQ&pr=&urlid=&yx=

http://www.docin.com/p-49869286.html 


Analysis of Windows Startup

http://www.cnki.net/kcms/detail/detail.aspx?filename=XXGC200903027&dbcode=CJFQ&dbname=CJFD2009

http://www.docin.com/p-253321277.html


Security Analysis of PCI device

http://www.docin.com/p-279253540.html


Capturing File Transferred or Printed Based on SMB in LAN

http://www.cnki.net/kcms/detail/detail.aspx?filename=WJSJ200606039&dbcode=CJFQ&dbname=cjfd2006

