Register to stream ATT&CKcon 2.0 October 29-30

UPPERCUT

UPPERCUT is a backdoor that has been used by menuPass. [1]

ID: S0275
Associated Software: ANEL
Type: MALWARE
Platforms: Windows
Version: 1.0

Associated Software Descriptions

Name Description
ANEL [1]

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface UPPERCUT uses cmd.exe to execute commands on the victim’s machine. [1]
Enterprise T1083 File and Directory Discovery UPPERCUT has the capability to gather the victim's current directory. [1]
Enterprise T1105 Remote File Copy UPPERCUT can download and upload files to and from the victim’s machine. [1]
Enterprise T1113 Screen Capture UPPERCUT can capture desktop screenshots in the PNG format and send them to the C2 server. [1]
Enterprise T1071 Standard Application Layer Protocol UPPERCUT has used HTTP for C2, including sending error codes in Cookie headers. [1]
Enterprise T1032 Standard Cryptographic Protocol Some versions of UPPERCUT have used the hard-coded string “this is the encrypt key” for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address. [1]
Enterprise T1082 System Information Discovery UPPERCUT has the capability to gather the system’s hostname and OS version. [1]
Enterprise T1016 System Network Configuration Discovery UPPERCUT has the capability to gather the victim's proxy information. [1]
Enterprise T1033 System Owner/User Discovery UPPERCUT has the capability to collect the current logged on user’s username from a machine. [1]
Enterprise T1124 System Time Discovery UPPERCUT has the capability to obtain the time zone information and current timestamp of the victim’s machine. [1]

Groups That Use This Software

ID Name References
G0045 menuPass [1]

References