StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. [1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
StreamEx establishes persistence by installing a new service pointing to its DLL and setting the service to auto-start.[1] |
Enterprise | T1083 | File and Directory Discovery | ||
Enterprise | T1112 | Modify Registry | ||
Enterprise | T1027 | Obfuscated Files or Information |
StreamEx obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data.[1] |
|
Enterprise | T1057 | Process Discovery | ||
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
StreamEx has the ability to scan for security tools such as firewalls and antivirus tools.[1] |
Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 | |
Enterprise | T1082 | System Information Discovery |
StreamEx has the ability to enumerate system information.[1] |
ID | Name | References |
---|---|---|
G0009 | Deep Panda |