| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | OopsIE uses the command prompt to execute commands on the victim's machine.[1][2] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | OopsIE creates and uses a VBScript as part of its persistent execution.[1][2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | OopsIE compresses collected files with GZipStream before sending them to its C2 server.[1] |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | OopsIE compresses collected files with a simple character replacement scheme before sending them to its C2 server.[1] |
| Enterprise | T1030 | Data Transfer Size Limits | OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | OopsIE stages the output from command execution and collected files in specific folders before exfiltration.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | OopsIE encodes data in hexadecimal format over the C2 channel.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | OopsIE uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. OopsIE also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings.[1][2] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | OopsIE has the capability to delete files and scripts from the victim's machine.[2] |
| Enterprise | T1082 | System Information Discovery | OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.[2] |
| Enterprise | T1124 | System Time Discovery | OopsIE checks to see if the system is configured with "Daylight" time and checks for a specific region to be set for the timezone.[2] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | OopsIE performs several anti-VM and sandbox checks on the victim's machine. One technique the group has used was to perform a WMI query |
| Enterprise | T1105 | Ingress Tool Transfer | OopsIE can download files from its C2 server to the victim's machine.[1][2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | OopsIE can upload files from the victim's machine to its C2 server.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | OopsIE creates a scheduled task to run itself every three minutes.[1][2] |