Skip to content


UPPERCUT is a backdoor that has been used by menuPass. 1

Item Value
ID S0275
Associated Names ANEL
Version 1.1
Created 17 October 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols UPPERCUT has used HTTP for C2, including sending error codes in Cookie headers.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell UPPERCUT uses cmd.exe to execute commands on the victim’s machine.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Some versions of UPPERCUT have used the hard-coded string “this is the encrypt key” for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address.1
enterprise T1083 File and Directory Discovery UPPERCUT has the capability to gather the victim’s current directory.1
enterprise T1105 Ingress Tool Transfer UPPERCUT can download and upload files to and from the victim’s machine.1
enterprise T1113 Screen Capture UPPERCUT can capture desktop screenshots in the PNG format and send them to the C2 server.1
enterprise T1082 System Information Discovery UPPERCUT has the capability to gather the system’s hostname and OS version.1
enterprise T1016 System Network Configuration Discovery UPPERCUT has the capability to gather the victim’s proxy information.1
enterprise T1033 System Owner/User Discovery UPPERCUT has the capability to collect the current logged on user’s username from a machine.1
enterprise T1124 System Time Discovery UPPERCUT has the capability to obtain the time zone information and current timestamp of the victim’s machine.1

Groups That Use This Software

ID Name References
G0045 menuPass 1