Orz
ID: S0229
ⓘ
Associated Software: AIRBREAK
ⓘ
Type: MALWARE
ⓘ
Platforms: Windows
Version: 2.2
Created: 18 April 2018
Last Modified: 19 April 2022
Associated Software Descriptions
| Name | Description |
|---|---|
| AIRBREAK |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1112 | 修改注册表 | ||
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
Orz can execute shell commands.[1] Orz can execute commands with JavaScript.[1] |
| Enterprise | T1083 | 文件和目录发现 | ||
| Enterprise | T1027 | 混淆文件或信息 |
Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll.[1] |
|
| Enterprise | T1070 | 移除指标 |
Orz can overwrite Registry settings to reduce its visibility on the victim.[1] |
|
| Enterprise | T1218 | .010 | 系统二进制代理执行: Regsvr32 |
Some Orz versions have an embedded DLL known as MockDll that uses Process Hollowing and regsvr32 to execute another payload.[1] |
| Enterprise | T1082 | 系统信息发现 |
Orz can gather the victim OS version and whether it is 64 or 32 bit.[1] |
|
| Enterprise | T1016 | 系统网络配置发现 | ||
| Enterprise | T1102 | .002 | 网络服务: Bidirectional Communication |
Orz has used Technet and Pastebin web pages for command and control.[1] |
| Enterprise | T1518 | 软件发现 | ||
| Enterprise | T1105 | 输入工具传输 | ||
| Enterprise | T1057 | 进程发现 | ||
| Enterprise | T1055 | .012 | 进程注入: Process Hollowing |
Some Orz versions have an embedded DLL known as MockDll that uses process hollowing and Regsvr32 to execute another payload.[1] |
Groups That Use This Software
References
- CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
- Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.