Skip to content

S0264 OopsIE

OopsIE is a Trojan used by OilRig to remotely execute commands as well as upload/download files to/from victims. 1

Item Value
ID S0264
Associated Names
Version 1.2
Created 17 October 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols OopsIE uses HTTP for C2 communications.12
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility OopsIE compresses collected files with GZipStream before sending them to its C2 server.1
enterprise T1560.003 Archive via Custom Method OopsIE compresses collected files with a simple character replacement scheme before sending them to its C2 server.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell OopsIE uses the command prompt to execute commands on the victim’s machine.12
enterprise T1059.005 Visual Basic OopsIE creates and uses a VBScript as part of its persistent execution.12
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding OopsIE encodes data in hexadecimal format over the C2 channel.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging OopsIE stages the output from command execution and collected files in specific folders before exfiltration.1
enterprise T1030 Data Transfer Size Limits OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks.1
enterprise T1140 Deobfuscate/Decode Files or Information OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly.1
enterprise T1041 Exfiltration Over C2 Channel OopsIE can upload files from the victim’s machine to its C2 server.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion OopsIE has the capability to delete files and scripts from the victim’s machine.2
enterprise T1105 Ingress Tool Transfer OopsIE can download files from its C2 server to the victim’s machine.12
enterprise T1027 Obfuscated Files or Information OopsIE uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. OopsIE also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings.12
enterprise T1027.002 Software Packing OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task OopsIE creates a scheduled task to run itself every three minutes.12
enterprise T1082 System Information Discovery OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.2
enterprise T1124 System Time Discovery OopsIE checks to see if the system is configured with “Daylight” time and checks for a specific region to be set for the timezone.2
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks OopsIE performs several anti-VM and sandbox checks on the victim’s machine. One technique the group has used was to perform a WMI query SELECT * FROM MSAcpi_ThermalZoneTemperature to check the temperature to see if it’s running in a virtual environment.2
enterprise T1047 Windows Management Instrumentation OopsIE uses WMI to perform discovery techniques.2

Groups That Use This Software

ID Name References
G0049 OilRig 1


Back to top