The sub-techniques beta is now live! Read the release blog post for more info.


UPPERCUT is a backdoor that has been used by menuPass. [1]

ID: S0275
Associated Software: ANEL
Platforms: Windows
Version: 1.0
Created: 17 October 2018
Last Modified: 17 October 2018

Associated Software Descriptions

Name Description
ANEL [1]

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

UPPERCUT uses cmd.exe to execute commands on the victim’s machine.[1]

Enterprise T1083 File and Directory Discovery

UPPERCUT has the capability to gather the victim's current directory.[1]

Enterprise T1105 Remote File Copy

UPPERCUT can download and upload files to and from the victim’s machine.[1]

Enterprise T1113 Screen Capture

UPPERCUT can capture desktop screenshots in the PNG format and send them to the C2 server.[1]

Enterprise T1071 Standard Application Layer Protocol

UPPERCUT has used HTTP for C2, including sending error codes in Cookie headers.[1]

Enterprise T1032 Standard Cryptographic Protocol

Some versions of UPPERCUT have used the hard-coded string "this is the encrypt key" for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address.[1]

Enterprise T1082 System Information Discovery

UPPERCUT has the capability to gather the system’s hostname and OS version.[1]

Enterprise T1016 System Network Configuration Discovery

UPPERCUT has the capability to gather the victim's proxy information.[1]

Enterprise T1033 System Owner/User Discovery

UPPERCUT has the capability to collect the current logged on user’s username from a machine.[1]

Enterprise T1124 System Time Discovery

UPPERCUT has the capability to obtain the time zone information and current timestamp of the victim’s machine.[1]

Groups That Use This Software

ID Name References
G0045 menuPass [1]