Tool: IXESHE
Names: IXESHE
Description: (Trend Micro) The IXESHE malware binary allowed the attackers to easily take over and maintain complete control of victims’ systems to do the following:
• List all services, processes, and drives
• Terminate processes and services
• Download and upload files
• Start processes and services
• Get victims’ user names
• Get a machine’s name and domain name
• Download and execute arbitrary files
• Cause a system to pause or sleep for a specified number of minutes
• Spawn a remote shell
• List all current files and directories
Category: Malware
Type: Reconnaissance, Backdoor, Info stealer, Exfiltration
Information: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf
Mitre-attack: https://attack.mitre.org/software/S0015/
Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:IXESHE
Last-card-change: 2020-04-22
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Description |
---|---|---|
Execution (TA0002) | T1059.003 Command and Scripting Interpreter: Windows Command Shell | IXESHE is capable of executing commands via cmd. |
Persistence (TA0003) | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | IXESHE can achieve persistence by adding itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key. |
Privilege Escalation (TA0004) | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | IXESHE can achieve persistence by adding itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key. |
Defense Evasion (TA0005) | T1564.001 Hide Artifacts: Hidden Files and Directories | IXESHE sets its own executable file's attributes to hidden. |
Defense Evasion (TA0005) | T1036.005 Masquerading: Match Legitimate Name or Location | IXESHE has used registry values and file names associated with Adobe software, such as AcroRd32.exe. |
Discovery (TA0007) | T1082 System Information Discovery | IXESHE collects the computer name of the victim's system during the initial infection. |
Discovery (TA0007) | T1016 System Network Configuration Discovery | IXESHE enumerates the IP address, network proxy settings, and domain name from a victim's system. |
Command and Control (TA0011) | T1132.001 Data Encoding: Standard Encoding | IXESHE uses custom Base64 encoding schemes to obfuscate command and control traffic in the message body of HTTP requests. |