JHUHUGIT

JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware. [1] [2] [3] [4]

ID: S0044
Aliases: JHUHUGIT, Seduploader, JKEYSKW, Sednit, GAMEFISH, SofacyCarberp
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

Name           Description
JHUHUGIT       [4]
Seduploader    [4]
JKEYSKW        [4]
Sednit         [4]
GAMEFISH       [4]
SofacyCarberp  [7]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1115 | Clipboard Data | A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image. [5]
Enterprise | T1122 | Component Object Model Hijacking | JHUHUGIT has used COM hijacking to establish persistence, both by hijacking a class named MMDeviceEnumerator and by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A}). [3]
Enterprise | T1132 | Data Encoding | A JHUHUGIT variant encodes C2 POST data with base64. [5]
Enterprise | T1068 | Exploitation for Privilege Escalation | JHUHUGIT has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges. [3] [6]
Enterprise | T1008 | Fallback Channels | JHUHUGIT tests whether it can reach its C2 server by first attempting a direct connection; if that fails, it obtains the proxy settings and sends the connection through a proxy; if the proxy method also fails, it injects code into a running browser. [3]
Enterprise | T1107 | File Deletion | The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files. [3] [7]
Enterprise | T1037 | Logon Scripts | JHUHUGIT has registered a Windows shell script under the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence. [3]
Enterprise | T1050 | New Service | JHUHUGIT has registered itself as a service to establish persistence. [3]
Enterprise | T1027 | Obfuscated Files or Information | Many strings in JHUHUGIT are obfuscated with an XOR algorithm. [2] [3]
Enterprise | T1057 | Process Discovery | JHUHUGIT obtains a list of running processes on the victim. [3] [7]
Enterprise | T1055 | Process Injection | JHUHUGIT performs code injection, injecting its own functions into browser processes. [2] [7]
Enterprise | T1060 | Registry Run Keys / Startup Folder | JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process. [3]
Enterprise | T1105 | Remote File Copy | JHUHUGIT can retrieve an additional payload from its C2 server. [3] [7]
Enterprise | T1085 | Rundll32 | JHUHUGIT is executed using rundll32.exe. [2]
Enterprise | T1053 | Scheduled Task | JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in. [3] [6]
Enterprise | T1113 | Screen Capture | A JHUHUGIT variant takes screenshots by simulating the user pressing the "Take Screenshot" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image. [5]
Enterprise | T1071 | Standard Application Layer Protocol | JHUHUGIT variants have communicated with C2 servers over HTTP and HTTPS. [3] [7] [5]
Enterprise | T1082 | System Information Discovery | JHUHUGIT obtains a build identifier as well as victim hard drive information from the Windows Registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum. Another JHUHUGIT variant gathers the victim storage volume serial number and the storage device name. [3] [7]
Enterprise | T1016 | System Network Configuration Discovery | A JHUHUGIT variant gathers network interface card information. [5]

Groups

Groups that use this software:

APT28

References