| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | H1N1 dumps usernames and passwords from Firefox, Internet Explorer, and Outlook.[2] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | H1N1 kills and disables services for Windows Security Center and Windows Defender.[2] |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | |
| Enterprise | T1132 | Data Encoding | H1N1 obfuscates C2 traffic with an altered version of base64.[2] |
| Enterprise | T1080 | Taint Shared Content | |
| Enterprise | T1027 | Obfuscated Files or Information | H1N1 uses multiple techniques to obfuscate strings, including XOR.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | H1N1 bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe).[2] |
| Enterprise | T1490 | Inhibit System Recovery | H1N1 disables recovery options and deletes shadow copies from the victim.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[2] |
| Enterprise | T1091 | Replication Through Removable Media | H1N1 has functionality to copy itself to removable media.[2] |