JHUHUGIT

JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware. [1] [2] [3] [4]

ID: S0044
Associated Software: Trojan.Sofacy, Seduploader, JKEYSKW, Sednit, GAMEFISH, SofacyCarberp
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 31 May 2017
Last Modified: 30 March 2020

Associated Software Descriptions

Name Description
Trojan.Sofacy

This designation has been used in reporting both to refer to the threat group (Skeleton Key) and its associated malware.[5]

Seduploader

[4][6]

JKEYSKW

[4]

Sednit

This designation has been used in reporting both to refer to the threat group (APT28) and its associated malware.[4]

GAMEFISH

[4]

SofacyCarberp

[7]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

JHUHUGIT variants have communicated with C2 servers over HTTP and HTTPS.[3][7][8]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.[3]

Enterprise T1037 .001 Boot or Logon Initialization Scripts: Logon Script (Windows)

JHUHUGIT has registered a Windows shell script under the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.[3][6]

Enterprise T1115 Clipboard Data

A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.[8]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

JHUHUGIT uses a .bat file to execute a .dll.[6]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

JHUHUGIT has registered itself as a service to establish persistence.[3]

Enterprise T1132 .001 Data Encoding: Standard Encoding

A JHUHUGIT variant encodes C2 POST data base64.[8]

Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

JHUHUGIT has used COM hijacking to establish persistence by hijacking a class named MMDeviceEnumerator and also by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A}).[3][6]

Enterprise T1068 Exploitation for Privilege Escalation

JHUHUGIT has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges.[3][9]

Enterprise T1008 Fallback Channels

JHUHUGIT tests if it can reach its C2 server by first attempting a direct connection, and if it fails, obtaining proxy settings and sending the connection through a proxy, and finally injecting code into a running browser if the proxy method fails.[3]

Enterprise T1070 .004 Indicator Removal: File Deletion

The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files.[3][7]

Enterprise T1105 Ingress Tool Transfer

JHUHUGIT can retrieve an additional payload from its C2 server.[3][7] JHUHUGIT has a command to download files to the victim’s machine.[6]

Enterprise T1027 Obfuscated Files or Information

Many strings in JHUHUGIT are obfuscated with a XOR algorithm.[2][3][6]

Enterprise T1057 Process Discovery

JHUHUGIT obtains a list of running processes on the victim.[3][7]

Enterprise T1055 Process Injection

JHUHUGIT performs code injection injecting its own functions to browser processes.[2][7]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in.[3][9]

Enterprise T1113 Screen Capture

A JHUHUGIT variant takes screenshots by simulating the user pressing the "Take Screenshot" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image.[8][6]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

JHUHUGIT is executed using rundll32.exe.[2][6]

Enterprise T1082 System Information Discovery

JHUHUGIT obtains a build identifier as well as victim hard drive information from Windows registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum. Another JHUHUGIT variant gathers the victim storage volume serial number and the storage device name.[3][7]

Enterprise T1016 System Network Configuration Discovery

A JHUHUGIT variant gathers network interface card information.[8]

Groups That Use This Software

ID Name References
G0007 APT28

[4][1][10][11][12]

References