Skip to content

S0142 StreamEx

StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. 1

Item Value
ID S0142
Associated Names
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell StreamEx has the ability to remotely execute commands.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service StreamEx establishes persistence by installing a new service pointing to its DLL and setting the service to auto-start.1
enterprise T1083 File and Directory Discovery StreamEx has the ability to enumerate drive types.1
enterprise T1112 Modify Registry StreamEx has the ability to modify the Registry.1
enterprise T1027 Obfuscated Files or Information StreamEx obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data.1
enterprise T1057 Process Discovery StreamEx has the ability to enumerate processes.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery StreamEx has the ability to scan for security tools such as firewalls and antivirus tools.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 StreamEx uses rundll32 to call an exported function.1
enterprise T1082 System Information Discovery StreamEx has the ability to enumerate system information.1

Groups That Use This Software

ID Name References
G0009 Deep Panda 1