| ID | X0035 |
| Aliases | Xagent |
| Platforms | Windows |
| Year | 2015 |
| Associated ATT&CK Software | CHOPSTICK |
Malware family of modular backdoors.
See ATT&CK: CHOPSTICK - Techniques Used.
| Name | Use |
|---|---|
| Defense Evasion::Modify Registry (E1112) | CHOPSTICK may encrypt and store configuration data inside a registry key. [1] |
| Discovery::System Information Discovery (E1082) | CHOPSTICK collects information from the host including Windows version, CPU architecture, and UAC settings. [1] |
| Defense Evasion::Hidden Files and Directories (F0005) | CHOPSTICK creates a hidden file for temporary storage. [1] |
| Collection::Keylogging (F0002) | CHOPSTICK collects user keystrokes. [1] |
| Collection::Screen Capture (E1113) | CHOPSTICK takes snapshots of deskop and window contents. [1] |
| Command and Control::C2 Communication::Send Data (B0030.001) | CHOPSTICK sends data to the C2 server using HTTP POST requests. [1] |
| Name | Use |
|---|---|
| Cryptography::Encrypt Data::RC4 (C0027.009) | CHOPSTICK encrypts the configuration block using RC4 encryption. [1] |
SHA256 Hashes
- 8ec464c36951aa028554be9ed7c7d9aa0bfcc9fa65a7874759afa853a18ecea7
[1] https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf