| ID | X0002 |
| Aliases | None |
| Platforms | Windows |
| Year | 2007 |
| Associated ATT&CK Software | BlackEnergy |
An HTTP-based botnet used mostly for DDoS attacks. [1]
| Name | Use |
|---|---|
| Execution::Shared Modules (T1129) | Access PEB ldr_data (This capa rule had 1 match) [4] |
See ATT&CK: BlackEnergy - Techniques Used.
| Name | Use |
|---|---|
| Defense Evasion::Process Injection::Injection using Shims (E1055.m05) | Bypasses UAC using a Shim Database instructing SndVol.exe to execute cmd.exe instead, allowing for elevated execution [1] |
| Defense Evasion::Install Insecure or Malicious Configuration (B0047) | Configures the system to the TESTSIGNING boot configuration option to load its unsigned driver component [1] |
| Defense Evasion::Indicator Blocking (F0006) | Clears windows event logs and removes the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevent strings in the user32.dll.mui of the system [1] |
| Persistence::Modify Existing Service (F0011) | Locates an inactive driver service to Hijack and set it to start automatically [1] |
| Defense Evasion::Process Injection (E1055) | Injects its dll component into svchost.exe [1] |
| Discovery::System Information Discovery (E1082) | Uses Systeminfo to gather OS version, system configuration, BIOS, the motherboard, and processor [ [1] |
| Collection::Keylogging (F0002) | Keylogger plugin allows for collection of keystrokes [2] |
| Collection::Screen Capture (E1113) | Screenshot plugin allows for collection of screenshots [2] |
| Persistence::Registry Run Keys / Startup Folder (F0012) | BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder [1] Persist via Run registry key (This capa rule had 1 match) [4] |
| Impact::Data Destruction (E1485) | BlackEnergy 2 variant contains a Destroy plugin that destroys data stored on victim hard drives by overwriting file contents [3] |
| Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | Encrypt data using RC4 via WinAPI (This capa rule had 1 match) [4] |
| Discovery::File and Directory Discovery (E1083) | Get common file path (This capa rule had 3 matches) [4] |
| Name | Use |
|---|---|
| Impact::Denial of Service (B0033) | Originally built to launch distributed denial of service attacks that can target more than one IP address per hostname [1] |
| Execution::Remote Commands (B0011) | Infected bots receive commands from botmaster to load plugins associated with botmaster's goals [1] |
| Anti-Static Analysis::Disassembler Evasion::Argument Obfuscation (B0012.001) | Contain obfuscated stackstrings (This capa rule had 3 matches) [4] |
| Communication::HTTP Communication::Extract Body (C0002.011) | Extract HTTP body (This capa rule had 1 match) [4] |
| Communication::HTTP Communication::IWebBrowser (C0002.010) | Initialize IWebBrowser2 (This capa rule had 1 match) [4] |
| Cryptography::Cryptographic Hash (C0029) | Hash data via WinCrypt (This capa rule had 2 matches) [4] |
| Cryptography::Cryptographic Hash::MD5 (C0029.001) | Hash data with MD5 (This capa rule had 1 match) [4] |
| Cryptography::Cryptographic Hash::SHA1 (C0029.002) | Hash data using SHA1 (This capa rule had 1 match) [4] |
| Cryptography::Decrypt Data (C0031) | Encrypt or decrypt via WinCrypt (This capa rule had 1 match) [4] |
| Cryptography::Encrypt Data::RC4 (C0027.009) | Encrypt data using RC4 via WinAPI (This capa rule had 1 match) [4] |
| Cryptography::Encryption Key (C0028) | Create new key via CryptAcquireContext (This capa rule had 1 match) [4] |
| Cryptography::Generate Pseudo-random Sequence::Use API (C0021.003) | Generate random numbers via WinAPI (This capa rule had 1 match) [4] |
| Discovery::Code Discovery::Enumerate PE Sections (B0046.001) | Enumerate PE sections (This capa rule had 1 match) [4] |
| Operating System::Registry::Query Registry Key (C0036.005) | Query or enumerate registry key (This capa rule had 1 match) [4] |
| Operating System::Registry::Query Registry Value (C0036.006) | Query or enumerate registry value (This capa rule had 7 matches) [4] |
| Process::Create Process (C0017) | Create process on Windows (This capa rule had 2 matches) [4] |
| Process::Terminate Process (C0018) | Terminate process via fastfail (This capa rule had 1 match) [4] |
SHA256 Hashes
- e791718c0141e3829608142fb0f0d35c9af270f78ae0b72fce2edd07a9684568
- d841d9092239fc029b10da01c19868749b0f6bd757926ff04674658468495808
- bc062acda428f55782710f9c4f2df88c26dfbc004b94b479459f8572b1219444
- 16d68b740b5d9aa60929e39fd616d31be2c8528d0f1e58db4cbb16976f7cd725
- af62f29ac01e8335bf41c02c1460ebafcbaf94956b1001f7d515eecf63cea4f2
- 47aea6a4e1da1fb8b454c038c21736bee53d59d095a4f5b866d5dd8158fead41
- 4b2efcda5269f4b80dc417a2b01332185f2fafabd8ba7114fa0306baaab5a72d
- b1ca89de93a1d9bf17cdbf8a3c61e7f52f275a3bcbbd285d35d6a40c45dde9bd
- 951e5623c20d4e9ab158fe105436389dbf61327b2c87b7fb36f8ad3ff5ad9bde
- f8b974cf978a3828aeb9b83fc48645da576e4b90dd47c2b82a46f6c14665a9e5
- 91f72808aaed45a76ff1044a23fd6df4b7ab7ace292725522518feb9c0b8574e
- 2aade7381aa87f55b7d7a5284d22be5472fd8cd966d216fd4445ca3a8bbb3ff3
- 01425582aa5001342b985270a365fd92d909be011384247e81872bff586fa142
- 9e9a6f1d046e0f5da10aa0e18bba248df4f818d342ed359c35fdb000f1354819
[1] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
[2] https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/
[3] https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/
[4] capa v4.0, analyzed at MITRE on 10/12/2022