JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware. [1] [2] [3] [4]

ID: S0044
Associated Software: Trojan.Sofacy, Seduploader, JKEYSKW, Sednit, GAMEFISH, SofacyCarberp

Platforms: Windows

Version: 2.0

Associated Software Descriptions

Trojan.Sofacy | This designation has been used in reporting both to refer to the threat group (Skeleton Key) and its associated malware. [9]
Sednit | This designation has been used in reporting both to refer to the threat group (APT28) and its associated malware. [4]

Techniques Used

Enterprise | T1115 | Clipboard Data | A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image. [5]
Enterprise | T1122 | Component Object Model Hijacking | JHUHUGIT has used COM hijacking to establish persistence by hijacking a class named MMDeviceEnumerator and also by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A}). [3][6]
Enterprise | T1132 | Data Encoding | A JHUHUGIT variant encodes C2 POST data with base64. [5]
Enterprise | T1068 | Exploitation for Privilege Escalation | JHUHUGIT has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges. [3][7]
Enterprise | T1008 | Fallback Channels | JHUHUGIT tests whether it can reach its C2 server by first attempting a direct connection; if that fails, it obtains the proxy settings and sends the connection through a proxy; if the proxy method also fails, it injects code into a running browser. [3]
Enterprise | T1107 | File Deletion | The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files. [3][8]
Enterprise | T1037 | Logon Scripts | JHUHUGIT has registered a Windows shell script under the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence. [3][6]
Enterprise | T1050 | New Service | JHUHUGIT has registered itself as a service to establish persistence. [3]
Enterprise | T1027 | Obfuscated Files or Information | Many strings in JHUHUGIT are obfuscated with an XOR algorithm. [2][3][6]
Enterprise | T1057 | Process Discovery | JHUHUGIT obtains a list of running processes on the victim. [3][8]
Enterprise | T1055 | Process Injection | JHUHUGIT performs code injection, injecting its own functions into browser processes. [2][8]
Enterprise | T1060 | Registry Run Keys / Startup Folder | JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process. [3]
Enterprise | T1105 | Remote File Copy | JHUHUGIT can retrieve an additional payload from its C2 server. JHUHUGIT has a command to download files to the victim's machine. [3][8][6]
Enterprise | T1085 | Rundll32 | JHUHUGIT is executed using rundll32.exe. [2][6]
Enterprise | T1053 | Scheduled Task | JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in. [3][7]
Enterprise | T1113 | Screen Capture | A JHUHUGIT variant takes screenshots by simulating the user pressing the "Take Screenshot" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image. [5][6]
Enterprise | T1064 | Scripting | JHUHUGIT uses a .bat file to execute a .dll. [6]
Enterprise | T1071 | Standard Application Layer Protocol | JHUHUGIT variants have communicated with C2 servers over HTTP and HTTPS. [3][8][5]
Enterprise | T1082 | System Information Discovery | JHUHUGIT obtains a build identifier as well as victim hard drive information from the Windows Registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum. Another JHUHUGIT variant gathers the victim storage volume serial number and the storage device name. [3][8]
Enterprise | T1016 | System Network Configuration Discovery | A JHUHUGIT variant gathers network interface card information. [5]
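As an added defender's example (not part of this ATT&CK entry or of the cited reports), the following Python classifies Sysmon Event ID 13 (registry value set) records against the persistence artifacts listed above: the UserInitMprLogonScript value (T1037), a user-hive InprocServer32 registration such as the Shell Icon Overlay CLSID (T1122), and a Run key entry that launches rundll32 with script code (T1060). The MMDeviceEnumerator CLSID is the well-known Windows value and is an assumption, since the page names the class but not its GUID; all sample records are constructed.

```python
import re
from dataclasses import dataclass

# CLSID quoted in the T1122 row above (lower-cased for comparison).
SHELL_ICON_OVERLAY_CLSID = "{3543619c-d563-43f7-95ea-4da7e1cc396a}"
# Well-known Windows CLSID of MMDeviceEnumerator; assumed, not printed on the page.
MMDEVICE_ENUMERATOR_CLSID = "{bcde0395-e52f-467c-8e3d-c4579291692e}"
KNOWN_HIJACKED = {SHELL_ICON_OVERLAY_CLSID, MMDEVICE_ENUMERATOR_CLSID}

@dataclass
class RegistryEvent:
    """Minimal Sysmon Event ID 13 record. Sysmon renders HKCU paths as
    HKU\\<SID>\\..., so the user hive is recognised by its HKU prefix."""
    image: str          # process that wrote the value
    target_object: str  # registry path including the value name
    details: str        # data written

INPROC_RE = re.compile(r"\\software\\classes\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32")

def classify(ev: RegistryEvent) -> list:
    """Return (technique_id, reason) pairs for the persistence artifacts described above."""
    tgt, det, hits = ev.target_object.lower(), ev.details.lower(), []
    # T1037: logon script value written under the user's Environment key
    if tgt.endswith(r"\environment\userinitmprlogonscript"):
        hits.append(("T1037", "UserInitMprLogonScript set"))
    # T1122: COM server registered in the user hive, which shadows the HKLM entry
    m = INPROC_RE.search(tgt)
    if m and tgt.startswith("hku\\"):
        clsid = m.group(1)
        if clsid in KNOWN_HIJACKED:
            hits.append(("T1122", f"user-hive InprocServer32 for hijack-prone CLSID {clsid}"))
        else:
            hits.append(("T1122", "user-hive InprocServer32 registration (review)"))
    # T1060: Run key entry that makes rundll32 execute script code
    if "\\currentversion\\run\\" in tgt and "rundll32" in det and "javascript:" in det:
        hits.append(("T1060", "Run key launches rundll32 with a javascript: argument"))
    return hits

def scan(events):
    """Map each suspicious event's target_object to its hits; clean events are omitted."""
    return {ev.target_object: h for ev in events if (h := classify(ev))}

# Constructed sample records (not real telemetry); the last one is benign.
SAMPLE = [
    RegistryEvent("C:\\Users\\u\\AppData\\Local\\Temp\\x.exe",
                  "HKU\\S-1-5-21-1-2-3-1001\\Environment\\UserInitMprLogonScript",
                  "C:\\Users\\u\\AppData\\Local\\Temp\\run.bat"),
    RegistryEvent("C:\\Windows\\System32\\rundll32.exe",
                  "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\CLSID\\{3543619C-D563-43f7-95EA-4DA7E1CC396A}\\InprocServer32\\(Default)",
                  "C:\\Users\\u\\AppData\\Roaming\\svc.dll"),
    RegistryEvent("C:\\Users\\u\\AppData\\Local\\Temp\\x.exe",
                  "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
                  "rundll32.exe javascript:\"constructed placeholder\""),
    RegistryEvent("C:\\Windows\\System32\\msiexec.exe",
                  "HKLM\\SOFTWARE\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000001}\\InprocServer32\\(Default)",
                  "C:\\Program Files\\Vendor\\vendor.dll"),
]
```

The HKLM registration by msiexec produces no hit, which is the point of keying the T1122 rule on the user hive: a per-user InprocServer32 entry is what lets the hijacked class override the machine-wide one.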

Groups that use this software: