CHOPSTICK
February 14, 2024 · View on GitHub
| Field | Value |
|---|---|
| ID | X0035 |
| Type | Backdoor |
| Aliases | Xagent |
| Platforms | Windows |
| Year | 2015 |
| Associated ATT&CK Software | CHOPSTICK |
Malware family of modular backdoors.
ATT&CK Techniques
See ATT&CK: CHOPSTICK - Techniques Used.
Enhanced ATT&CK Techniques
| Name | Use |
|---|---|
| Defense Evasion::Modify Registry (E1112) | CHOPSTICK may encrypt and store configuration data inside a registry key. [1] |
| Discovery::System Information Discovery (E1082) | CHOPSTICK collects information from the host including Windows version, CPU architecture, and UAC settings. [1] |
| Defense Evasion::Hidden Files and Directories (F0005) | CHOPSTICK creates a hidden file for temporary storage. [1] |
| Collection::Keylogging (F0002) | CHOPSTICK collects user keystrokes. [1] |
| Collection::Screen Capture (E1113) | CHOPSTICK takes snapshots of desktop and window contents. [1] |
| Command and Control::C2 Communication::Send Data (B0030.001) | CHOPSTICK sends data to the C2 server using HTTP POST requests. [1] |
MBC Behaviors
| Name | Use |
|---|---|
| Cryptography::Encrypt Data::RC4 (C0027.009) | CHOPSTICK encrypts the configuration block using RC4 encryption. [1] |
Indicators of Compromise
SHA256 Hashes
- 8ec464c36951aa028554be9ed7c7d9aa0bfcc9fa65a7874759afa853a18ecea7
References
[1] https://web.archive.org/web/20210307034415/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf