Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | H1N1 bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe).[2]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | H1N1 dumps usernames and passwords from Firefox, Internet Explorer, and Outlook.[2]
Enterprise | T1132 | Data Encoding | H1N1 obfuscates C2 traffic with an altered version of base64.[2]
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography |
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | H1N1 kills and disables services for Windows Security Center and Windows Defender.[2]
Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall |
Enterprise | T1105 | Ingress Tool Transfer | H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[2]
Enterprise | T1490 | Inhibit System Recovery | H1N1 disables recovery options and deletes shadow copies from the victim.[2]
Enterprise | T1027 | Obfuscated Files or Information | H1N1 uses multiple techniques to obfuscate strings, including XOR.[1]
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing |
Enterprise | T1091 | Replication Through Removable Media | H1N1 has functionality to copy itself to removable media.[2]
Enterprise | T1080 | Taint Shared Content |