PhanDoor

Description

(AhnLab) Phandoor was used from January 2016 to the summer of 2017. It is characterized by having the string ‘S^%’ before the main character strings. (E.g. S^%s\cmd.exe, S^nehomegpa.dll) However, some variants found in 2017 did not contain its character string, ‘Anonymous?’

When Phandoor is executed, it initializes and tries to connect to the C&C server. At this time, the string ‘Anonymous?’ is sent to check whether the server is functioning properly.

After that, it receives commands from the C&C server such as to execute the cmd.exe file.

Names

Name
PhanDoor

Category

Malware

Type

  • Backdoor

Information

Malpedia

AlienVault OTX

Other Information

Uuid

33b662b7-1e05-4a52-bf0a-35358da6a780

Last Card Change

2020-04-23