Skip to content

S0015 Ixeshe

Ixeshe is a malware family that has been used since at least 2009 against targets in East Asia. 1

Item Value
ID S0015
Associated Names
Version 1.2
Created 31 May 2017
Last Modified 20 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Ixeshe uses HTTP for command and control.12
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Ixeshe can achieve persistence by adding itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry key.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Ixeshe is capable of executing commands via cmd.2
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Ixeshe uses custom Base64 encoding schemes to obfuscate command and control traffic in the message body of HTTP requests.12
enterprise T1005 Data from Local System Ixeshe can collect data from a local system.2
enterprise T1083 File and Directory Discovery Ixeshe can list file and directory information.2
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories Ixeshe sets its own executable file’s attributes to hidden.2
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Ixeshe has a command to delete a file from the machine.2
enterprise T1105 Ingress Tool Transfer Ixeshe can download and execute additional files.2
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe.2
enterprise T1057 Process Discovery Ixeshe can list running processes.2
enterprise T1082 System Information Discovery Ixeshe collects the computer name of the victim’s system during the initial infection.2
enterprise T1016 System Network Configuration Discovery Ixeshe enumerates the IP address, network proxy settings, and domain name from a victim’s system.2
enterprise T1033 System Owner/User Discovery Ixeshe collects the username from the victim’s machine.2
enterprise T1007 System Service Discovery Ixeshe can list running services.2

Groups That Use This Software

ID Name References
G0005 APT12 13