Name | Description
---|---
Trojan.Sofacy | This designation has been used in reporting both to refer to the threat group (Skeleton Key) and its associated malware.[5]
Seduploader |
JKEYSKW |
Sednit | This designation has been used in reporting both to refer to the threat group (APT28) and its associated malware.[4]
GAMEFISH |
SofacyCarberp |
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | JHUHUGIT variants have communicated with C2 servers over HTTP and HTTPS.[3][7][8]
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.[3]
Enterprise | T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) | JHUHUGIT has registered a Windows shell script under the Registry key
Enterprise | T1115 | Clipboard Data | A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.[8]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | JHUHUGIT has registered itself as a service to establish persistence.[3]
Enterprise | T1132.001 | Data Encoding: Standard Encoding |
Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | JHUHUGIT has used COM hijacking to establish persistence by hijacking a class named MMDeviceEnumerator and also by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A}).[3][6]
Enterprise | T1068 | Exploitation for Privilege Escalation | JHUHUGIT has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges.[3][9]
Enterprise | T1008 | Fallback Channels | JHUHUGIT tests whether it can reach its C2 server by first attempting a direct connection; if that fails, it obtains the system proxy settings and sends the connection through the proxy; if the proxy method also fails, it injects code into a running browser.[3]
Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files.[3][7]
Enterprise | T1105 | Ingress Tool Transfer | JHUHUGIT can retrieve an additional payload from its C2 server.[3][7] JHUHUGIT has a command to download files to the victim's machine.[6]
Enterprise | T1027 | Obfuscated Files or Information | Many strings in JHUHUGIT are obfuscated with an XOR algorithm.[2][3][6]
Enterprise | T1057 | Process Discovery | JHUHUGIT obtains a list of running processes on the victim.[3][7]
Enterprise | T1055 | Process Injection | JHUHUGIT performs code injection, injecting its own functions into browser processes.[2][7]
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in.[3][9]
Enterprise | T1113 | Screen Capture | A JHUHUGIT variant takes screenshots by simulating the user pressing the "Take Screenshot" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image.[8][6]
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 |
Enterprise | T1082 | System Information Discovery | JHUHUGIT obtains a build identifier as well as victim hard drive information from the Windows registry key
Enterprise | T1016 | System Network Configuration Discovery | A JHUHUGIT variant gathers network interface card information.[8]
ID | Name | References
---|---|---
G0007 | APT28 |