(Cisco) H1N1 is a loader malware variant that has been known to deliver Pony DLLs and Vawtrak executables to infected machines. Upon infection, H1N1 previously only provided loading and system information reporting capabilities.
2016-09-13 by Josh Reynolds from Cisco
Tool: H1N1 Loader
Names: H1N1 Loader, H1N1
Description: (Cisco) H1N1 is a loader malware variant that has been known to deliver Pony DLLs and Vawtrak executables to infected machines. Upon infection, H1N1 previously only provided loading and system information reporting capabilities.
Category: Malware
Type: Loader
Information: https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities
Mitre-attack: https://attack.mitre.org/software/S0132/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.h1n1
Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:H1N1
Last-card-change: 2020-04-23
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Use |
---|---|---|
TA0002 Execution | T1059.003 Command and Scripting Interpreter: Windows Command Shell | H1N1 kills and disables services by using cmd.exe. |
TA0004 Privilege Escalation | T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control | H1N1 bypasses User Account Control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe). |
TA0005 Defense Evasion | T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control | H1N1 bypasses User Account Control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe). |
TA0005 Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools | H1N1 kills and disables services for Windows Security Center and Windows Defender. |
TA0005 Defense Evasion | T1562.004 Impair Defenses: Disable or Modify System Firewall | H1N1 kills and disables services for Windows Firewall. |
TA0005 Defense Evasion | T1027 Obfuscated Files or Information | H1N1 uses multiple techniques to obfuscate strings, including XOR. |
TA0006 Credential Access | T1555.003 Credentials from Password Stores: Credentials from Web Browsers | H1N1 dumps usernames and passwords from Firefox, Internet Explorer, and Outlook. |
TA0011 Command and Control | T1105 Ingress Tool Transfer | H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests. |
TA0040 Impact | T1490 Inhibit System Recovery | H1N1 disables recovery options and deletes shadow copies from the victim. |
No techniques are mapped to Reconnaissance (TA0043), Resource Development (TA0042), Initial Access (TA0001), Persistence (TA0003), Discovery (TA0007), Lateral Movement (TA0008), Collection (TA0009) or Exfiltration (TA0010) on this card.
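Detection logic for the process-level behaviours in this table (services killed or disabled from cmd.exe, T1059.003 / T1562.001 / T1562.004; recovery inhibited, T1490) plus one assumed angle on the wusa.exe DLL hijack (T1548.002), run over constructed sample events. This is an added example, not Cisco's analysis and not H1N1's recorded command lines: the Sysmon-style field names, the service names WinDefend (Windows Defender), wscsvc (Security Center) and MpsSvc (Windows Firewall), the command-line patterns and every sample event are assumptions chosen to exercise each technique ID.

```python
"""Map constructed endpoint events to the technique IDs listed on this card.

Added example, not Cisco's analysis and not H1N1's recorded command lines.
Assumptions: Sysmon-style field names (Image, ParentImage, CommandLine,
ImageLoaded); the service names WinDefend (Windows Defender), wscsvc
(Security Center) and MpsSvc (Windows Firewall); and the sample events
below, which are constructed to exercise each rule.
"""
import re

# Service name -> technique ID (assumed mapping of the tools the card names).
SECURITY_SERVICES = {
    "windefend": "T1562.001",  # Windows Defender
    "wscsvc": "T1562.001",     # Windows Security Center
    "mpssvc": "T1562.004",     # Windows Firewall
}

# sc stop <svc> / sc config <svc> ... / net stop <svc>
SERVICE_CMD = re.compile(
    r"\b(?:sc(?:\.exe)?\s+(?:stop|config)|net(?:\.exe)?\s+stop)\s+\"?([\w-]+)", re.I)

# Commands commonly used for T1490 (assumed; not taken from the H1N1 sample).
RECOVERY_CMDS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]


def classify_process_event(evt):
    """Return [(technique_id, reason)] for one process-creation event."""
    hits = []
    cmd = evt.get("CommandLine", "")
    parent = evt.get("ParentImage", "").lower()
    m = SERVICE_CMD.search(cmd)
    if m and m.group(1).lower() in SECURITY_SERVICES:
        svc = m.group(1).lower()
        hits.append((SECURITY_SERVICES[svc], f"service {svc} stopped/disabled"))
        if parent.endswith("\\cmd.exe"):
            hits.append(("T1059.003", "launched from cmd.exe"))
    for pat in RECOVERY_CMDS:
        if pat.search(cmd):
            hits.append(("T1490", f"matched {pat.pattern!r}"))
    return hits


def classify_image_load(evt):
    """Assumed angle on the wusa.exe DLL hijack: wusa.exe loading a DLL from
    outside the Windows directory (an assumption, not the card's wording)."""
    image = evt.get("Image", "").lower()
    loaded = evt.get("ImageLoaded", "").lower()
    if image.endswith("\\wusa.exe") and not loaded.startswith("c:\\windows\\"):
        return [("T1548.002", f"wusa.exe loaded {loaded}")]
    return []


def detected_techniques(process_events, image_load_events):
    """Set of technique IDs seen across both event streams."""
    found = set()
    for evt in process_events:
        found.update(t for t, _ in classify_process_event(evt))
    for evt in image_load_events:
        found.update(t for t, _ in classify_image_load(evt))
    return found


# Constructed sample events (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc stop WinDefend"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc config MpsSvc start= disabled"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop wscsvc"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    # Benign: a service query, and stopping a non-security service.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc query WinDefend"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop Spooler"},
]
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Windows\System32\wusa.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update.dll"},
    {"Image": r"C:\Windows\System32\wusa.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for evt in SAMPLE_PROCESS_EVENTS:
        print(evt["CommandLine"], "->", classify_process_event(evt))
    print(sorted(detected_techniques(SAMPLE_PROCESS_EVENTS, SAMPLE_IMAGE_LOADS)))
```

Running the file prints one verdict per sample command line; the two benign events produce no hits because the service rule keys on stop/config verbs and on the specific security services, not on sc.exe or net.exe alone. Against real telemetry the wusa.exe rule would need further scoping (only DLLs, and allow-listing legitimate per-user paths), since it is the loosest of the three.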
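For the T1027 entry (strings obfuscated with XOR), an added example showing how an analyst recovers strings hidden under a single-byte XOR key, both by scoring all 256 candidate keys and by searching with a known plaintext fragment (a crib). This is not code from the H1N1 sample or from Cisco's write-up; the one-byte key, the NUL-separated string-table layout, the key value 0xA7 and the two sample strings are assumptions made so the example runs on constructed data.

```python
"""Recover single-byte XOR-obfuscated strings from a binary blob.

Added example for the T1027 entry; not code from the H1N1 sample or from
Cisco's write-up. The page only says H1N1 XORs strings; a one-byte key, a
NUL-separated string table and the key 0xA7 are assumptions made here.
"""
import string

PRINTABLE = frozenset(string.printable.encode("ascii")) - {0x0B, 0x0C}
ALPHA_OR_SPACE = frozenset(string.ascii_letters.encode("ascii")) | {0x20}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def decode_strings(blob: bytes, key: int) -> list[bytes]:
    """XOR-decode and split on NUL, dropping empty entries."""
    return [s for s in xor_bytes(blob, key).split(b"\x00") if s]


def plausibility(strings: list[bytes]) -> float:
    """Score decoded strings: letters and space count 1, other printable
    bytes 0.5, everything else 0. Printable ratio alone is not enough, since
    several wrong keys map text to different but still-printable bytes."""
    total = sum(len(s) for s in strings)
    if total == 0:
        return 0.0
    score = 0.0
    for s in strings:
        for b in s:
            if b in ALPHA_OR_SPACE:
                score += 1.0
            elif b in PRINTABLE:
                score += 0.5
    return score / total


def rank_keys(blob: bytes, top: int = 5) -> list[tuple[int, float]]:
    """All 256 keys ranked by plausibility, best first."""
    scored = [(k, plausibility(decode_strings(blob, k))) for k in range(256)]
    scored.sort(key=lambda kv: kv[1], reverse=True)
    return scored[:top]


def find_key_by_crib(blob: bytes, crib: bytes) -> list[int]:
    """Keys whose decoding contains a known plaintext fragment."""
    return [k for k in range(256) if crib in xor_bytes(blob, k)]


# Constructed sample: a two-entry string table XORed with 0xA7.
SAMPLE_KEY = 0xA7
SAMPLE_BLOB = xor_bytes(b"cmd.exe\x00wininet.dll\x00", SAMPLE_KEY)

if __name__ == "__main__":
    best_key, score = rank_keys(SAMPLE_BLOB)[0]
    print(f"best key 0x{best_key:02x} (score {score:.3f}):",
          decode_strings(SAMPLE_BLOB, best_key))
    print("keys matching crib b'.dll':", find_key_by_crib(SAMPLE_BLOB, b".dll"))
```

The scoring function matters more than the brute force: a key that differs from the real one only in the 0x20 bit flips letter case and keeps the text printable, so a plain printable-ratio check ties on such keys. The crib search is the faster route when the analyst already expects a fragment such as a DLL or executable name; applied to an H1N1 sample, the assumption that the key is a single byte would be the first thing to verify.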