|**ID**|**Aliases**|**Platforms**|**Year**|**Associated ATT&CK Software**|
|---|---|---|---|---|
|X0008|Delf, Emerleox, Logsnif, Graybird, Pcclient|Windows|2013|None|

# Hupigon

A family of backdoors.

## ATT&CK Techniques

|Name|Use|
|---|---|
|Collection::Clipboard Data (T1115)|Hupigon reads clipboard data. [3]|
|Defense Evasion::File and Directory Permissions Modification (T1222)|Hupigon sets file attributes. [3]|
|Defense Evasion::Hide Artifacts::Hidden Window (T1564.003)|Hupigon hides a graphical window. [3]|
|Discovery::Application Window Discovery (T1010)|Hupigon enumerates GUI resources. [3]|
|Discovery::System Location Discovery (T1614)|Hupigon gets geographical locations. [3]|
|Discovery::System Location Discovery::System Language Discovery (T1614.001)|Hupigon gets keyboard layouts. [3]|
|Discovery::System Network Configuration Discovery (T1016)|Hupigon gets local IPv4 addresses. [3]|
|Discovery::System Service Discovery (T1007)|Hupigon queries service status. [3]|
|Execution::Shared Modules (T1129)|Hupigon links many functions at runtime. [3]|
|Execution::System Services::Service Execution (T1569.002)|Hupigon creates services. [3]|
|Impact::Service Stop (T1489)|Hupigon stops services. [3]|
|Impact::System Shutdown/Reboot (T1529)|Hupigon shuts down systems. [3]|
|Persistence::Create or Modify System Process::Windows Service (T1543.003)|Hupigon starts services. [3]|
|Privilege Escalation::Access Token Manipulation (T1134)|Hupigon acquires debug privileges. [3]|

## Enhanced ATT&CK Techniques

|Name|Use|
|---|---|
|Defense Evasion::Process Injection (E1055)|The malware injects itself into processes, such as cmd.exe and notepad.exe. [2]|
|Defense Evasion::Rootkit (E1014)|Certain Hupigon variants may have rootkit functionality. [2]|
|Collection::Keylogging (F0002)|Certain Hupigon variants may have keylogging functionality. [2]|
|Persistence::Registry Run Keys / Startup Folder (F0012)|Hupigon drops the file "Systen.dll" and adds the registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS DllName = "%System%\Systen.dll". [1]|
|Defense Evasion::Modify Registry (E1112)|The malware adds entries to the registry. [1]|
|Collection::Keylogging::Polling (F0002.002)|Hupigon logs keystrokes via polling. [3]|
|Collection::Screen Capture::WinAPI (E1113.m01)|Hupigon captures screenshots. [3]|
|Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02)|Hupigon encodes data using XOR. [3]|
|Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)|Hupigon encrypts data using DES. [3]|
|Discovery::Application Window Discovery::Window Text (E1010.m01)|Hupigon gets graphical window text. [3]|
|Discovery::File and Directory Discovery (E1083)|Hupigon enumerates files recursively. [3]|
|Discovery::File and Directory Discovery::Log File (E1083.m01)|Hupigon accesses Windows event logs. [3]|
|Impact::Clipboard Modification (E1510)|Hupigon replaces clipboard data. [3]|
|Discovery::System Information Discovery (E1082)|Hupigon queries environment variables. [3]|
|Execution::Command and Scripting Interpreter (E1059)|Hupigon accepts command line arguments. [3]|
|Persistence::Registry Run Keys / Startup Folder (F0012)|Hupigon persists via a Run registry key. [3]|
|Defense Evasion::Process Injection::Process Hollowing (E1055.012)|Hupigon uses process replacement. [3]|

## MBC Behaviors

|Name|Use|
|---|---|
|Impact::Remote Access (B0022)|The malware acts as a backdoor. [1]|
|Execution::Conditional Execution::Runs as Service (B0025.007)|Hupigon runs as a service. [3]|
|Anti-Behavioral Analysis::Debugger Detection::Anti-debugging Instructions (B0001.034)|Hupigon executes anti-debugging instructions. [3]|
|Anti-Behavioral Analysis::Debugger Detection::Software Breakpoints (B0001.025)|Hupigon checks for software breakpoints. [3]|
|Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount (B0001.032)|Hupigon checks for a time delay via GetTickCount. [3]|
|Anti-Static Analysis::Disassembler Evasion::Argument Obfuscation (B0012.001)|Hupigon contains obfuscated stack strings. [3]|
|Command And Control::C2 Communication::Receive Data (B0030.002)|Hupigon receives data. [3]|
|Command And Control::C2 Communication::Send Data (B0030.001)|Hupigon sends data. [3]|
|Communication::DNS Communication::Resolve (C0011.001)|Hupigon resolves DNS names. [3]|
|Communication::Interprocess Communication::Create Pipe (C0003.001)|Hupigon creates two anonymous pipes. [3]|
|Communication::Interprocess Communication::Write Pipe (C0003.004)|Hupigon writes to pipes. [3]|
|Communication::Socket Communication::Create UDP Socket (C0001.010)|Hupigon creates UDP sockets. [3]|
|Cryptography::Encrypt Data::3DES (C0027.004)|Hupigon encrypts data using DES. [3]|
|Data::Compression Library (C0060)|Hupigon is linked against ZLIB. [3]|
|Data::Encode Data::XOR (C0026.002)|Hupigon encodes data using XOR. [3]|
|Discovery::Code Discovery::Enumerate PE Sections (B0046.001)|Hupigon enumerates PE sections. [3]|
|File System::Copy File (C0045)|Hupigon copies files. [3]|
|File System::Create Directory (C0046)|Hupigon creates directories. [3]|
|File System::Delete Directory (C0048)|Hupigon deletes directories. [3]|
|File System::Delete File (C0047)|Hupigon deletes files. [3]|
|File System::Get File Attributes (C0049)|Hupigon gets file attributes. [3]|
|File System::Move File (C0063)|Hupigon moves files. [3]|
|File System::Read File (C0051)|Hupigon reads files on Windows. [3]|
|File System::Set File Attributes (C0050)|Hupigon sets file attributes. [3]|
|File System::Write File (C0052)|Hupigon writes files on Windows. [3]|
|Memory::Allocate Memory (C0007)|Hupigon allocates RWX memory. [3]|
|Operating System::Registry::Delete Registry Key (C0036.002)|Hupigon deletes registry keys. [3]|
|Operating System::Registry::Delete Registry Value (C0036.007)|Hupigon deletes registry values. [3]|
|Operating System::Registry::Query Registry Key (C0036.005)|Hupigon queries or enumerates registry keys. [3]|
|Operating System::Registry::Query Registry Value (C0036.006)|Hupigon queries or enumerates registry values. [3]|
|Operating System::Registry::Set Registry Key (C0036.001)|Hupigon sets registry values. [3]|
|Process::Create Mutex (C0042)|Hupigon creates mutexes. [3]|
|Process::Create Process (C0017)|Hupigon creates processes on Windows. [3]|
|Process::Create Thread (C0038)|Hupigon creates threads. [3]|
|Process::Set Thread Local Storage Value (C0041)|Hupigon sets thread local storage values. [3]|
|Process::Suspend Thread (C0055)|Hupigon suspends threads. [3]|
|Process::Terminate Process (C0018)|Hupigon terminates processes. [3]|

## Indicators of Compromise

### SHA256 Hashes

* 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
* 730e1337cf9ecf842a965ea458ee241c2a1e5b0ef1daccde87cd628eb4b37057

## References

[1] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON

[2] https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml

[3] capa v4.0, analyzed at MITRE on 10/12/2022