admin@338

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. [1]

ID: G0018
Aliases: admin@338
Version: 1.0

Alias Descriptions

Name | Description
admin@338 | [1]

Techniques Used

Domain | ID | Name
Enterprise | T1087 | Account Discovery
  Use: admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts: [1]
    net user >> %temp%\download
    net user /domain >> %temp%\download
Enterprise | T1059 | Command-Line Interface
  Use: Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer. [1]
Enterprise | T1083 | File and Directory Discovery
  Use: admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: [1]
    dir c:\ >> %temp%\download
    dir "c:\Documents and Settings" >> %temp%\download
    dir "c:\Program Files\" >> %temp%\download
    dir d:\ >> %temp%\download
Enterprise | T1036 | Masquerading
  Use: admin@338 actors used the following command to rename one of their tools to a benign file name: [1]
    ren "%temp%\upload" audiodg.exe
Enterprise | T1069 | Permission Groups Discovery
  Use: admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups: [1]
    net localgroup administrator >> %temp%\download
Enterprise | T1082 | System Information Discovery
  Use: admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: [1]
    ver >> %temp%\download
    systeminfo >> %temp%\download
Enterprise | T1016 | System Network Configuration Discovery
  Use: admin@338 actors used the following command after exploiting a machine with LOWBALL malware to acquire information about local networks: [1]
    ipconfig /all >> %temp%\download
Enterprise | T1049 | System Network Connections Discovery
  Use: admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to display network connections: [1]
    netstat -ano >> %temp%\download
Enterprise | T1007 | System Service Discovery
  Use: admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to obtain information about services: [1]
    net start >> %temp%\download
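The discovery commands above share one detectable trait: each appends its output (>>) to the same staging file under %temp%, and the chain closes with a rename of a %temp% file to a benign-looking .exe. The following detector is an added example, not part of the ATT&CK page or the cited report. It runs over constructed process-creation events; the event shape ({"host", "cmdline"}), the hostnames and the threshold of three distinct techniques per staging file are assumptions, and real EDR or Sysmon fields will differ.

```python
import re
from collections import defaultdict

# Added example (not from the ATT&CK page): flag the LOWBALL post-exploitation
# discovery chain by the staging file it feeds. Event shape and hostnames are
# constructed assumptions.

# Discovery commands listed on the page, keyed by ATT&CK technique ID.
DISCOVERY_PATTERNS = {
    "T1087": re.compile(r"^net\s+user\b", re.I),          # Account Discovery
    "T1069": re.compile(r"^net\s+localgroup\b", re.I),    # Permission Groups Discovery
    "T1007": re.compile(r"^net\s+start\b", re.I),         # System Service Discovery
    "T1083": re.compile(r"^dir\b", re.I),                 # File and Directory Discovery
    "T1082": re.compile(r"^(?:ver|systeminfo)\b", re.I),  # System Information Discovery
    "T1016": re.compile(r"^ipconfig\b", re.I),            # System Network Configuration Discovery
    "T1049": re.compile(r"^netstat\b", re.I),             # System Network Connections Discovery
}

# Output appended (>>) to a file under %temp%: the staging pattern on the page.
STAGING_RE = re.compile(r'>>\s*"?(%temp%\\[^\s"]+)', re.I)

# 'ren' of a %temp% file to an .exe name, as in: ren "%temp%\upload" audiodg.exe
RENAME_RE = re.compile(r'^ren(?:ame)?\s+"?(%temp%\\[^\s"]+)"?\s+"?([^\s"]+\.exe)"?\s*$', re.I)

# Optional "cmd.exe /c" or "cmd /k" launcher prefix to strip before matching.
CMD_PREFIX_RE = re.compile(r'^\s*(?:"?[^\s"]*cmd(?:\.exe)?"?\s+/[ck]\s+)?', re.I)


def normalize(cmdline):
    """Strip a leading cmd.exe /c or /k launcher so the inner command is matched."""
    return CMD_PREFIX_RE.sub("", cmdline, count=1).strip()


def classify(cmdline):
    """Return (technique_id, staging_path_or_None) for a discovery command, else None."""
    cmd = normalize(cmdline)
    staging = STAGING_RE.search(cmd)
    path = staging.group(1).lower() if staging else None
    for tid, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmd):
            return tid, path
    return None


def find_staged_discovery(events, min_techniques=3):
    """Group discovery commands by (host, staging file) and return the groups in
    which at least min_techniques distinct techniques appended output to the same
    file. One 'ipconfig /all' is routine; several discovery categories feeding a
    single %temp% file is the chain described on this page."""
    staged = defaultdict(set)
    for ev in events:
        hit = classify(ev["cmdline"])
        if hit and hit[1]:
            staged[(ev["host"], hit[1])].add(hit[0])
    return {key: sorted(techs) for key, techs in staged.items() if len(techs) >= min_techniques}


def find_masquerade_renames(events):
    """Return (host, old_path, new_name) for each rename of a %temp% file to an .exe name."""
    hits = []
    for ev in events:
        m = RENAME_RE.match(normalize(ev["cmdline"]))
        if m:
            hits.append((ev["host"], m.group(1), m.group(2)))
    return hits


# Constructed sample events: WS01 reproduces the page's command chain, WS02 is
# ordinary administration that should not alert.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": r'cmd.exe /c net user >> %temp%\download'},
    {"host": "WS01", "cmdline": r'cmd.exe /c net user /domain >> %temp%\download'},
    {"host": "WS01", "cmdline": r'cmd.exe /c dir "c:\Documents and Settings" >> %temp%\download'},
    {"host": "WS01", "cmdline": r'cmd.exe /c systeminfo >> %temp%\download'},
    {"host": "WS01", "cmdline": r'cmd.exe /c ipconfig /all >> %temp%\download'},
    {"host": "WS01", "cmdline": r'cmd.exe /c netstat -ano >> %temp%\download'},
    {"host": "WS01", "cmdline": r'cmd.exe /c ren "%temp%\upload" audiodg.exe'},
    {"host": "WS02", "cmdline": r'ipconfig /all'},
    {"host": "WS02", "cmdline": r'cmd.exe /c dir c:\ >> c:\reports\listing.txt'},
]

if __name__ == "__main__":
    for (host, path), techs in find_staged_discovery(SAMPLE_EVENTS).items():
        print(f"{host}: {len(techs)} discovery techniques staged to {path}: {', '.join(techs)}")
    for host, old, new in find_masquerade_renames(SAMPLE_EVENTS):
        print(f"{host}: temp file {old} renamed to {new}")
```

Keying on the staging file rather than on any single command is what keeps the false-positive rate tolerable: administrators run ipconfig and netstat constantly, but rarely append five different enumeration outputs to one file in %temp%. The rename check is separate because it fires on a single event and needs no correlation.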

Software

ID | Name | Techniques
S0043 | BUBBLEWRAP | Standard Application Layer Protocol, Standard Non-Application Layer Protocol, System Information Discovery
S0100 | ipconfig | System Network Configuration Discovery
S0042 | LOWBALL | Commonly Used Port, Remote File Copy, Standard Application Layer Protocol, Web Service
S0039 | Net | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0104 | netstat | System Network Connections Discovery
S0012 | PoisonIvy | Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port
S0096 | Systeminfo | System Information Discovery

References