
JHUHUGIT

JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware. (Citation: Kaspersky Sofacy) (Citation: F-Secure Sofacy 2015) (Citation: ESET Sednit Part 1) (Citation: FireEye APT28 January 2017)
ID: S0044
Associated Software: JKEYSKW, GAMEFISH, Seduploader, SofacyCarberp, Sednit, Trojan.Sofacy
Type: MALWARE
Platforms: Windows
Version: 2.2
Created: 31 May 2017
Last Modified: 11 Apr 2024

Associated Software Descriptions

Name Description
JKEYSKW (Citation: FireEye APT28 January 2017)
GAMEFISH (Citation: FireEye APT28 January 2017)
Seduploader (Citation: FireEye APT28 January 2017)(Citation: Talos Seduploader Oct 2017)
SofacyCarberp (Citation: Unit 42 Sofacy Feb 2018)
Sednit This designation has been used in reporting both to refer to the threat group (APT28) and its associated malware.(Citation: FireEye APT28 January 2017)
Trojan.Sofacy This designation has been used in reporting both to refer to the threat group (Skeleton Key) and its associated malware.(Citation: Symantec APT28 Oct 2018)

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

JHUHUGIT variants have communicated with C2 servers over HTTP and HTTPS.(Citation: ESET Sednit Part 1)(Citation: Unit 42 Sofacy Feb 2018)(Citation: Unit 42 Playbook Dec 2017)

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.(Citation: ESET Sednit Part 1)

Enterprise T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)

JHUHUGIT has registered a Windows shell script under the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.(Citation: ESET Sednit Part 1)(Citation: Talos Seduploader Oct 2017)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

JHUHUGIT uses a .bat file to execute a .dll.(Citation: Talos Seduploader Oct 2017)

Enterprise T1543.003 Create or Modify System Process: Windows Service

JHUHUGIT has registered itself as a service to establish persistence.(Citation: ESET Sednit Part 1)

Enterprise T1132.001 Data Encoding: Standard Encoding

A JHUHUGIT variant encodes C2 POST data with base64.(Citation: Unit 42 Playbook Dec 2017)

Enterprise T1546.015 Event Triggered Execution: Component Object Model Hijacking

JHUHUGIT has used COM hijacking to establish persistence by hijacking a class named MMDeviceEnumerator and also by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A}).(Citation: ESET Sednit Part 1)(Citation: Talos Seduploader Oct 2017)

Enterprise T1070.004 Indicator Removal: File Deletion

The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files.(Citation: ESET Sednit Part 1)(Citation: Unit 42 Sofacy Feb 2018)

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Many strings in JHUHUGIT are obfuscated with a XOR algorithm.(Citation: F-Secure Sofacy 2015)(Citation: ESET Sednit Part 1)(Citation: Talos Seduploader Oct 2017)

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in.(Citation: ESET Sednit Part 1)(Citation: ESET Sednit July 2015)

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

JHUHUGIT is executed using rundll32.exe.(Citation: F-Secure Sofacy 2015)(Citation: Talos Seduploader Oct 2017)

Groups That Use This Software

ID Name References
G0007 APT28 (Citation: FireEye APT28 January 2017) (Citation: Kaspersky Sofacy) (Citation: Securelist Sofacy Feb 2018) (Citation: US District Court Indictment GRU Oct 2018) (Citation: Secureworks IRON TWILIGHT Active Measures March 2017)
