up007.md

File metadata and controls

106 lines (91 loc) · 7.09 KB
| Field | Value |
|---|---|
| ID | X0033 |
| Type | Dropper |
| Aliases | None |
| Platforms | Windows |
| Year | 2016 |
| Associated ATT&CK Software | None |

# UP007

UP007 is a dropper used in an espionage campaign targeting Hong Kong democracy activists. [1]

## ATT&CK Techniques

| Name | Use |
|---|---|
| Initial Access::Phishing::Spearphishing Link (T1566.002) | The malware is sent to the victim via a link. [1] |
| Defense Evasion::Deobfuscate/Decode Files or Information (T1140) | The dropper writes files in encoded form and decodes files. [1] |
| Discovery::Query Registry (T1012) | The malware queries the registry to detect AVs and queries or enumerates registry values. [1] [2] |
| Defense Evasion::Hijack Execution Flow::DLL Side-Loading (T1574.002) | The malware loads multiple DLLs into memory. [1] |
| Command and Control::Ingress Tool Transfer (T1105) | The malware downloads files from the C2. [1] |
| Command and Control::Application Layer Protocol::Web Protocols (T1071.001) | The malware communicates with the C2 server using HTTP. [1] |
| Defense Evasion::File and Directory Permissions Modification (T1222) | UP007 sets file attributes. [2] |
| Defense Evasion::Hide Artifacts::Hidden Window (T1564.003) | UP007 hides a graphical window. [2] |
| Discovery::Application Window Discovery (T1010) | UP007 finds a graphical window. [2] |
| Discovery::System Location Discovery (T1614) | UP007 gets geographical locations. [2] |
| Execution::Shared Modules (T1129) | UP007 links functions at runtime on Windows. [2] |
| Privilege Escalation::Access Token Manipulation (T1134) | UP007 modifies access privileges. [2] |

## Enhanced ATT&CK Techniques

| Name | Use |
|---|---|
| Collection::Keylogging (F0002) | The malware logs keystrokes to a file. [1] |
| Defense Evasion::Process Injection::Dynamic-link Library Injection (E1055.001) | The malware loads multiple DLLs into memory. [1] |
| Command and Control::Ingress Tool Transfer (E1105) | The malware downloads files from the C2. [1] |
| Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | UP007 encodes data using XOR. [2] |
| Discovery::Application Window Discovery::Window Text (E1010.m01) | UP007 gets graphical window text. [2] |
| Discovery::File and Directory Discovery (E1083) | UP007 enumerates files on Windows. [2] |
| Discovery::System Information Discovery (E1082) | UP007 queries environment variables. [2] |
| Execution::Command and Scripting Interpreter (E1059) | UP007 accepts command line arguments. [2] |

## MBC Behaviors

| Name | Use |
|---|---|
| Command and Control::C2 Communication::Send Data (B0030.001) | The malware sends hardened HTTP headers disguised as Microsoft Update traffic. [1] |
| Command and Control::C2 Communication::Receive Data (B0030.002) | The malware receives payloads. [1] |
| Execution::Install Additional Program (B0023) | The malware is a dropper that creates multiple files. [1] |
| Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount (B0001.032) | UP007 checks for a time delay via GetTickCount. [2] |
| Cryptography::Cryptographic Hash::SHA1 (C0029.002) | UP007 hashes data using SHA1. [2] |
| Data::Checksum::CRC32 (C0032.001) | UP007 hashes data with CRC32. [2] |
| Data::Encode Data::XOR (C0026.002) | UP007 encodes data using XOR. [2] |
| File System::Create Directory (C0046) | UP007 creates directories. [2] |
| File System::Delete File (C0047) | UP007 deletes files. [2] |
| File System::Get File Attributes (C0049) | UP007 gets file attributes. [2] |
| File System::Move File (C0063) | UP007 moves files. [2] |
| File System::Read File (C0051) | UP007 reads files on Windows. [2] |
| File System::Set File Attributes (C0050) | UP007 sets file attributes. [2] |
| File System::Write File (C0052) | UP007 writes files on Windows. [2] |
| Operating System::Environment Variable::Set Variable (C0034.001) | UP007 sets environment variables. [2] |
| Operating System::Registry::Query Registry Value (C0036.006) | UP007 queries or enumerates registry values. [2] |
| Operating System::Registry::Set Registry Key (C0036.001) | UP007 sets registry values. [2] |
| Process::Create Process (C0017) | UP007 creates a process on Windows. [2] |
| Process::Terminate Process (C0018) | UP007 terminates processes. [2] |

## Indicators of Compromise

### SHA256 Hashes

### IP Addresses

- 59.188.12[.]123

## References

[1] https://citizenlab.ca/2016/04/between-hong-kong-and-burma/

[2] capa v4.0, analyzed at MITRE on 10/12/2022