Skip to content

S0354 Denis

Denis is a Windows backdoor and Trojan used by APT32. Denis shares several similarities to the SOUNDBITE backdoor and has been used in conjunction with the Goopy backdoor.1

Item Value
ID S0354
Associated Names
Version 1.2
Created 30 January 2019
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS Denis has used DNS tunneling for C2 communications.123
enterprise T1560 Archive Collected Data -
enterprise T1560.002 Archive via Library Denis compressed collected data using zlib.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Denis has a version written in PowerShell.3
enterprise T1059.003 Windows Command Shell Denis can launch a remote shell to execute arbitrary commands on the victim’s machine.13
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Denis encodes the data sent to the server in Base64.3
enterprise T1140 Deobfuscate/Decode Files or Information Denis will decrypt important strings used for C&C communication.3
enterprise T1083 File and Directory Discovery Denis has several commands to search directories for files.13
enterprise T1574 Hijack Execution Flow Denis replaces the nonexistent Windows DLL “msfte.dll” with its own malicious version, which is loaded by the SearchIndexer.exe and SearchProtocolHost.exe.3
enterprise T1574.002 DLL Side-Loading Denis exploits a security vulnerability to load a fake DLL and execute its code.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Denis has a command to delete files from the victim’s machine.13
enterprise T1105 Ingress Tool Transfer Denis deploys additional backdoors and hacking tools to the system.3
enterprise T1106 Native API Denis used the IsDebuggerPresent, OutputDebugString, and SetLastError APIs to avoid debugging. Denis used GetProcAddress and LoadLibrary to dynamically resolve APIs. Denis also used the Wow64SetThreadContext API as part of a process hollowing process.3
enterprise T1027 Obfuscated Files or Information Denis obfuscates its code and encrypts the API names.3
enterprise T1027.010 Command Obfuscation Denis has encoded its PowerShell commands in Base64.3
enterprise T1055 Process Injection -
enterprise T1055.012 Process Hollowing Denis performed process hollowing through the API calls CreateRemoteThread, ResumeThread, and Wow64SetThreadContext.3
enterprise T1012 Query Registry Denis queries the Registry for keys and values.3
enterprise T1082 System Information Discovery Denis collects OS information and the computer name from the victim’s machine.23
enterprise T1016 System Network Configuration Discovery Denis uses ipconfig to gather the IP address from the system.3
enterprise T1033 System Owner/User Discovery Denis enumerates and collects the username from the victim’s machine.23
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks Denis ran multiple system checks, looking for processor and register characteristics, to evade emulation and analysis.3

Groups That Use This Software

ID Name References
G0050 APT32 13