{
  "description": "Enterprise techniques used by JHUHUGIT, ATT&CK software S0044 (v2.2)",
  "name": "JHUHUGIT (S0044)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[JHUHUGIT](https://attack.mitre.org/software/S0044) variants have communicated with C2 servers over HTTP and HTTPS.(Citation: ESET Sednit Part 1)(Citation: Unit 42 Sofacy Feb 2018)(Citation: Unit 42 Playbook Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[JHUHUGIT](https://attack.mitre.org/software/S0044) has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.(Citation: ESET Sednit Part 1)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1037", "showSubtechniques": true},
    {"techniqueID": "T1037.001", "comment": "[JHUHUGIT](https://attack.mitre.org/software/S0044) has registered a Windows shell script under the Registry key HKCU\\Environment\\UserInitMprLogonScript to establish persistence.(Citation: ESET Sednit Part 1)(Citation: Talos Seduploader Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1115", "comment": "A [JHUHUGIT](https://attack.mitre.org/software/S0044) variant accesses a screenshot saved in the clipboard and converts it to a JPG image.(Citation: Unit 42 Playbook Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[JHUHUGIT](https://attack.mitre.org/software/S0044) uses a .bat file to execute a .dll.(Citation: Talos Seduploader Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "[JHUHUGIT](https://attack.mitre.org/software/S0044) has registered itself as a service to establish persistence.(Citation: ESET Sednit Part 1)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "A [JHUHUGIT](https://attack.mitre.org/software/S0044) variant encodes C2 POST data in base64.(Citation: Unit 42 Playbook Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1546", "showSubtechniques": true},
    {"techniqueID": "T1546.015", "comment": "[JHUHUGIT](https://attack.mitre.org/software/S0044) has used COM hijacking to establish persistence by hijacking a class named MMDeviceEnumerator and also by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A}).(Citation: ESET Sednit Part 1)(Citation: Talos Seduploader Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1068", "comment": "[JHUHUGIT](https://attack.mitre.org/software/S0044) has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges.(Citation: ESET Sednit Part 1)(Citation: ESET Sednit July 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1008", "comment": "[JHUHUGIT](https://attack.mitre.org/software/S0044) tests if it can reach its C2 server by first attempting a direct connection, and if it fails, obtaining proxy settings and sending the connection through a proxy, and finally injecting code into a running browser if the proxy method fails.(Citation: ESET Sednit Part 1)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "The [JHUHUGIT](https://attack.mitre.org/software/S0044) dropper can delete itself from the victim. Another [JHUHUGIT](https://attack.mitre.org/software/S0044) variant has the capability to delete specified files.(Citation: ESET Sednit Part 1)(Citation: Unit 42 Sofacy Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[JHUHUGIT](https://attack.mitre.org/software/S0044) can retrieve an additional payload from its C2 server.(Citation: ESET Sednit Part 1)(Citation: Unit 42 Sofacy Feb 2018) [JHUHUGIT](https://attack.mitre.org/software/S0044) has a command to download files to the victim\u2019s machine.(Citation: Talos Seduploader Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "Many strings in [JHUHUGIT](https://attack.mitre.org/software/S0044) are obfuscated with an XOR algorithm.(Citation: F-Secure Sofacy 2015)(Citation: ESET Sednit Part 1)(Citation: Talos Seduploader Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[JHUHUGIT](https://attack.mitre.org/software/S0044) obtains a list of running processes on the victim.(Citation: ESET Sednit Part 1)(Citation: Unit 42 Sofacy Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "comment": "[JHUHUGIT](https://attack.mitre.org/software/S0044) performs code injection, injecting its own functions into browser processes.(Citation: F-Secure Sofacy 2015)(Citation: Unit 42 Sofacy Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[JHUHUGIT](https://attack.mitre.org/software/S0044) has registered itself as a scheduled task to run each time the current user logs in.(Citation: ESET Sednit Part 1)(Citation: ESET Sednit July 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1113", "comment": "A [JHUHUGIT](https://attack.mitre.org/software/S0044) variant takes screenshots by simulating the user pressing the \"Take Screenshot\" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image.(Citation: Unit 42 Playbook Dec 2017)(Citation: Talos Seduploader Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "[JHUHUGIT](https://attack.mitre.org/software/S0044) is executed using rundll32.exe.(Citation: F-Secure Sofacy 2015)(Citation: Talos Seduploader Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[JHUHUGIT](https://attack.mitre.org/software/S0044) obtains a build identifier as well as victim hard drive information from the Windows registry key HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum. Another [JHUHUGIT](https://attack.mitre.org/software/S0044) variant gathers the victim storage volume serial number and the storage device name.(Citation: ESET Sednit Part 1)(Citation: Unit 42 Sofacy Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "A [JHUHUGIT](https://attack.mitre.org/software/S0044) variant gathers network interface card information.(Citation: Unit 42 Playbook Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by JHUHUGIT", "color": "#66b1ff"}]
}