1. Home
  2. Software
  3. SampleCheck5000

SampleCheck5000

SampleCheck5000 is a downloader with multiple variants that was used by OilRig including during the Outer Space campaign to download and execute additional payloads. [1][2]

ID: S1168
Associated Software: SC5k
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 25 November 2024
Last Modified: 26 November 2024
Version Permalink

Associated Software Descriptions

Name Description
SC5k

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

SampleCheck5000 can use the Exchange Web Services API for C2 communication.[2]
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

SampleCheck5000 can gzip compress files uploaded to a shared mailbox used for C2 and exfiltration.[2]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

SampleCheck5000 can call cmd.exe to execute C2 command line strings.[1][2]
Enterprise T1074 .001 Data Staged: Local Data Staging

SampleCheck5000 can log the output from C2 commands in an encrypted and compressed format on disk prior to exfiltration.[2]
Enterprise T1140 Deobfuscate/Decode Files or Information

SampleCheck5000 can decode and decrypt command line strings and files received through C2.[1][2]
Enterprise T1567 Exfiltration Over Web Service

SampleCheck5000 can use the Microsoft Office Exchange Web Services API to access an actor-controlled account and retrieve files for exfiltration.[1][2]
Enterprise T1105 Ingress Tool Transfer

SampleCheck5000 can download additional payloads to compromised hosts.[1][2]
Enterprise T1082 System Information Discovery

SampleCheck5000 can create unique victim identifiers by using the compromised system’s volume ID or computer name.[2]
Enterprise T1102 .002 Web Service: Bidirectional Communication

SampleCheck5000 can use the Microsoft Office Exchange Web Services API to access an actor-controlled account and retrieve C2 commands and payloads placed in Draft messages.[1][2]

Groups That Use This Software

ID Name References
G0049 OilRig

[1]

Campaigns

ID Name Description
C0042 Outer Space

[1]

References

  1. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
  1. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.