S0142 StreamEx
StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites.[1]
Item | Value |
---|---|
ID | S0142 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 31 May 2017 |
Last Modified | 30 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | StreamEx has the ability to remotely execute commands.[1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | StreamEx establishes persistence by installing a new service pointing to its DLL and setting the service to auto-start.[1] |
enterprise | T1083 | File and Directory Discovery | StreamEx has the ability to enumerate drive types.[1] |
enterprise | T1112 | Modify Registry | StreamEx has the ability to modify the Registry.[1] |
enterprise | T1027 | Obfuscated Files or Information | StreamEx obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte XOR against 0x91 to encode configuration data.[1] |
enterprise | T1057 | Process Discovery | StreamEx has the ability to enumerate processes.[1] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | StreamEx has the ability to scan for security tools such as firewalls and antivirus tools.[1] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | StreamEx uses rundll32 to call an exported function.[1] |
enterprise | T1082 | System Information Discovery | StreamEx has the ability to enumerate system information.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0009 | Deep Panda | [1] |