{
  "description": "Enterprise techniques used by Goopy, ATT&CK software S0477 (v1.1)",
  "name": "Goopy (S0477)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to communicate with its C2 over HTTP.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071.003", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071.004", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to communicate with its C2 over DNS.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to exfiltrate documents from infected systems.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has used a polymorphic decryptor to decrypt itself at runtime.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1041", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to exfiltrate data over the Microsoft Outlook C2 channel.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1574", "showSubtechniques": true},
    {"techniqueID": "T1574.001", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to disable Microsoft Outlook's security policies to disable macro warnings.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.008", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to delete emails used for C2 once the content has been copied.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to enumerate the infected system's user name via GetUserNameW.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.001", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has had null characters padded into its malicious DLL payload.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.016", "comment": "[Goopy](https://attack.mitre.org/software/S0477)'s decrypter has been inflated with junk code in between legitimate API functions, and also included infinite loops to avoid analysis.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has checked for the Google Updater process to ensure [Goopy](https://attack.mitre.org/software/S0477) was loaded properly.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to maintain persistence by creating scheduled tasks set to run every hour.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1033", "comment": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to enumerate the infected system's user name.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Goopy", "color": "#66b1ff"}]
}
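A layer like the one above is most useful when it is compared against a second layer that records what the SOC can actually detect. The script below is an added example, not part of the ATT&CK data or the Navigator project: it loads two layers, treats only scored entries as behaviours (the unscored parent entries such as `T1071` are display containers that make Navigator expand the sub-techniques), classifies each Goopy behaviour as covered directly, covered only by a parent-level detection, or a gap, and writes a third layer that can be loaded into Navigator to colour the gaps. The Goopy technique IDs are those of the S0477 layer with shortened comments; the coverage layer, its detection names and the `make_layer` helper are constructed for illustration and describe no real environment.

```python
"""Gap analysis between an ATT&CK Navigator software layer and a detection-
coverage layer. Added example; the coverage layer is constructed, not real."""
import json
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Goopy (S0477) techniques as (techniqueID, comment). None marks an unscored
# parent entry that only exists so Navigator shows the sub-techniques.
GOOPY_TECHNIQUES = [
    ("T1071", None), ("T1071.001", "C2 over HTTP"),
    ("T1071.003", "C2 via Outlook backdoor macro"), ("T1071.004", "C2 over DNS"),
    ("T1059", None), ("T1059.003", "cmd.exe runs commands from Outlook C2"),
    ("T1059.005", "Outlook VBA backdoor macro"), ("T1005", "exfiltrates documents"),
    ("T1140", "polymorphic runtime decryptor"), ("T1041", "exfil over Outlook C2 channel"),
    ("T1574", None), ("T1574.001", "DLL side-loading with legitimate applications"),
    ("T1562", None), ("T1562.001", "disables Outlook macro warnings"),
    ("T1070", None), ("T1070.008", "deletes C2 emails after reading"),
    ("T1036", None), ("T1036.005", "impersonates goopdate.dll"),
    ("T1106", "GetUserNameW"), ("T1027", None),
    ("T1027.001", "null-byte padding of DLL"), ("T1027.016", "junk code and infinite loops"),
    ("T1057", "checks for Google Updater process"), ("T1053", None),
    ("T1053.005", "hourly scheduled task"), ("T1033", "enumerates user name"),
]


def make_layer(name, techniques, attack="17"):
    """Serialise (techniqueID, comment) pairs as Navigator layer JSON text
    (hypothetical helper standing in for a file read from disk)."""
    entries = []
    for tid, comment in techniques:
        entry = {"techniqueID": tid}
        if comment is None:
            entry["showSubtechniques"] = True
        else:
            entry.update(score=1, color="#66b1ff", comment=comment)
        entries.append(entry)
    return json.dumps({"name": name, "domain": "enterprise-attack",
                       "versions": {"layer": "4.5", "attack": attack, "navigator": "5.1.0"},
                       "techniques": entries})


GOOPY_LAYER = make_layer("Goopy (S0477)", GOOPY_TECHNIQUES)
# Constructed coverage layer. A score on a parent technique (T1071, T1070)
# means the detection is generic rather than sub-technique specific.
COVERAGE_LAYER = make_layer("SOC coverage (constructed)", [
    ("T1053.005", "scheduled task creation"), ("T1574.001", "DLL load path anomalies"),
    ("T1059.003", "cmd.exe child of Outlook"), ("T1562.001", "Outlook security registry changes"),
    ("T1036.005", "unsigned DLL beside signed updater"),
    ("T1071", "generic outbound protocol monitoring"), ("T1070", "generic mailbox audit"),
])


def load_layer(text):
    """Parse a layer and reject malformed technique entries early."""
    layer = json.loads(text)
    if layer.get("domain") != "enterprise-attack":
        raise ValueError("unexpected domain: %r" % layer.get("domain"))
    for entry in layer["techniques"]:
        tid = entry["techniqueID"]
        if not TECHNIQUE_ID.match(tid):
            raise ValueError("bad technique ID: %r" % tid)
        if "score" in entry and not isinstance(entry["score"], (int, float)):
            raise ValueError("non-numeric score on %s" % tid)
    return layer


def behaviours(layer):
    """{techniqueID: comment} for scored entries; containers are skipped."""
    return {e["techniqueID"]: e.get("comment", "")
            for e in layer["techniques"] if e.get("score", 0) > 0}


def coverage_gaps(software_layer, coverage_layer):
    """Classify each adversary behaviour as covered directly, covered only by a
    parent-level detection, or a gap. Refuses to compare layers built against
    different ATT&CK versions, where IDs may have been split or deprecated."""
    if software_layer["versions"]["attack"] != coverage_layer["versions"]["attack"]:
        raise ValueError("layers built against different ATT&CK versions")
    covered = set(behaviours(coverage_layer))
    result = {"direct": [], "via_parent": [], "gaps": []}
    for tid in sorted(behaviours(software_layer)):
        if tid in covered:
            result["direct"].append(tid)
        elif "." in tid and tid.split(".")[0] in covered:
            result["via_parent"].append(tid)
        else:
            result["gaps"].append(tid)
    return result


def gap_layer(software_layer, gaps):
    """Navigator layer colouring the uncovered behaviours red, keeping the
    source comments so the analyst sees what the malware does there."""
    comments = behaviours(software_layer)
    return {"name": software_layer["name"] + " - detection gaps",
            "domain": software_layer["domain"], "versions": software_layer["versions"],
            "techniques": [{"techniqueID": t, "score": 1, "color": "#ff6666",
                            "comment": comments[t]} for t in gaps],
            "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
            "legendItems": [{"label": "no detection", "color": "#ff6666"}]}


if __name__ == "__main__":
    goopy = load_layer(GOOPY_LAYER)
    report = coverage_gaps(goopy, load_layer(COVERAGE_LAYER))
    for bucket, ids in report.items():
        print("%-10s %s" % (bucket, ", ".join(ids)))
    print(json.dumps(gap_layer(goopy, report["gaps"]), indent=2))
```

Parent-level coverage is reported separately rather than counted as a hit because a generic T1071 detection does not prove the Outlook-based channel (T1071.003) or the DNS channel (T1071.004) would fire; with the constructed coverage layer the run leaves nine Goopy behaviours as outright gaps, including the Outlook macro itself and the scheduled-task-independent collection and exfiltration steps.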