Register to stream ATT&CKcon 2.0 October 29-30


Ixeshe is a malware family that has been used since at least 2009 against targets in East Asia. [1]

ID: S0015
Platforms: Windows
Version: 1.1

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface Ixeshe is capable of executing commands via cmd. [2]
Enterprise T1043 Commonly Used Port Ixeshe has used TCP port 443 for C2. [2]
Enterprise T1005 Data from Local System Ixeshe can collect data from a local system. [2]
Enterprise T1001 Data Obfuscation Ixeshe uses custom Base64 encoding schemes to obfuscate command and control traffic in the message body of HTTP requests. [1] [2]
Enterprise T1083 File and Directory Discovery Ixeshe can list file and directory information. [2]
Enterprise T1107 File Deletion Ixeshe has a command to delete a file from the machine. [2]
Enterprise T1158 Hidden Files and Directories Ixeshe sets its own executable file's attributes to hidden. [2]
Enterprise T1036 Masquerading Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe. [2]
Enterprise T1057 Process Discovery Ixeshe can list running processes. [2]
Enterprise T1060 Registry Run Keys / Startup Folder Ixeshe can achieve persistence by adding itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry key. [2]
Enterprise T1105 Remote File Copy Ixeshe can download and execute additional files. [2]
Enterprise T1071 Standard Application Layer Protocol Ixeshe uses HTTP for command and control. [1] [2]
Enterprise T1082 System Information Discovery Ixeshe collects the computer name of the victim's system during the initial infection. [2]
Enterprise T1016 System Network Configuration Discovery Ixeshe enumerates the IP address, network proxy settings, and domain name from a victim's system. [2]
Enterprise T1033 System Owner/User Discovery Ixeshe collects the username from the victim’s machine. [2]
Enterprise T1007 System Service Discovery Ixeshe can list running services. [2]

Groups That Use This Software

ID Name References
G0005 APT12 [1] [3]