| ID | E1010 |
|----|-------|
| Objective(s) | Discovery |
| Related ATT&CK Techniques | Application Window Discovery (T1010) |
| Version | 2.2 |
| Created | 4 December 2020 |
| Last Modified | 30 April 2024 |

# Application Window Discovery

Malware may attempt to gain information about the operating system and applications running on a system by enumerating open application windows.

## Methods

| Name | ID | Description |
|------|----|-------------|
| Window Text | E1010.m01 | After finding an open application window, malware gets the graphical window text (the window's title or caption). |

## Use in Malware

| Name | Date | Method | Description |
|------|------|--------|-------------|
| Dark Comet | 2008 | E1010.m01 | DarkComet gets graphical window text. [1] |
| Gamut | 2014 | E1010.m01 | Gamut gets graphical window text. [1] |
| Hupigon | 2013 | E1010.m01 | Hupigon gets graphical window text. [1] |
| Kovter | 2016 | E1010.m01 | Kovter gets graphical window text. [1] |
| Rombertik | 2015 | E1010.m01 | Rombertik gets graphical window text. [1] |
| UP007 | 2016 | E1010.m01 | UP007 gets graphical window text. [1] |

## Detection

| Tool: capa | Mapping | APIs |
|------------|---------|------|
| get graphical window text | Application Window Discovery (E1010) | user32.IsWindowVisible, user32.SendMessage, user32.GetForegroundWindow, user32.GetWindowText |

| Tool: CAPE | Mapping | APIs |
|------------|---------|------|
| browser_needed | Application Window Discovery (E1010) | FindWindowW, FindWindowExA, FindWindowExW, FindWindowA |

## E1010 Snippet

Discovery::Application Window Discovery
SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
Location: 0x455A5D

```asm
push    0x100                           ; nMaxCount: maximum characters to copy from the window title, including the trailing NUL terminator (256 here)
lea     param_1, [esp + 0x4]
push    param_1                         ; lpString: buffer that receives the window text
mov     param_1, dword ptr [ebx + 0x30]
push    param_1                         ; hWnd: handle to the window whose text is fetched
call    USER32.DLL::GetWindowTextA      ; fetch the specified window's title
```
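The method and the API mappings above, as an added example that is not part of the MBC page or of any listed family's code: a PowerShell script that reproduces E1010.m01 on a live Windows host with the same user32 functions the capa and CAPE mappings key on (IsWindowVisible, GetForegroundWindow, GetWindowText, FindWindow), using the same 0x100-character buffer as the snippet so that its truncation behaviour is visible. It assumes PowerShell 5.1 or later on Windows; the wrapper class name `User32Discovery` and the browser window class name `Chrome_WidgetWin_1` are assumptions made for this example.

```powershell
# Added example, not taken from the MBC page or from any malware family listed above.
# Reproduces method E1010.m01: enumerate top-level windows, keep the visible ones,
# read each title with GetWindowText, note which one is in the foreground, and
# probe for one specific application with FindWindow. Run on a Windows host.

$user32 = @"
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class User32Discovery   // wrapper name chosen for this example
{
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

    [DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);

    [DllImport("user32.dll")]
    public static extern bool IsWindowVisible(IntPtr hWnd);

    [DllImport("user32.dll")]
    public static extern IntPtr GetForegroundWindow();

    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder lpString, int nMaxCount);

    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
}
"@
Add-Type -TypeDefinition $user32

# Same buffer size the E1010 snippet pushes (0x100): 256 characters including the
# terminating NUL, so GetWindowText can hand back at most 255 characters of title.
$MaxChars = 0x100

$foreground = [User32Discovery]::GetForegroundWindow()
$windows    = New-Object 'System.Collections.Generic.List[object]'

# EnumWindows invokes this delegate once per top-level window on the calling
# thread, so the script block can read $MaxChars, $foreground and $windows directly.
$callback = [User32Discovery+EnumWindowsProc]{
    param([IntPtr]$hWnd, [IntPtr]$lParam)

    # The capa rule lists IsWindowVisible: samples typically skip hidden windows.
    if (-not [User32Discovery]::IsWindowVisible($hWnd)) { return $true }

    $buf = New-Object System.Text.StringBuilder $MaxChars
    $len = [User32Discovery]::GetWindowText($hWnd, $buf, $MaxChars)
    if ($len -gt 0) {
        $windows.Add([pscustomobject]@{
            Handle     = $hWnd
            Foreground = ($hWnd -eq $foreground)
            # GetWindowText returns the count copied, excluding the NUL; reaching
            # nMaxCount - 1 means the title was cut off, which is how a fixed
            # 0x100 buffer loses the tail of a long browser title.
            Truncated  = ($len -ge ($MaxChars - 1))
            Title      = $buf.ToString()
        })
    }
    return $true   # keep enumerating
}

[void][User32Discovery]::EnumWindows($callback, [IntPtr]::Zero)

$windows | Sort-Object Foreground -Descending |
    Format-Table Handle, Foreground, Truncated, Title -AutoSize

# FindWindow, the API behind CAPE's browser_needed mapping, skips enumeration and
# asks for one window by class name and/or title. "Chrome_WidgetWin_1" is assumed
# here to be the top-level window class of Chromium-based browsers.
$chrome = [User32Discovery]::FindWindow('Chrome_WidgetWin_1', $null)
if ($chrome -ne [IntPtr]::Zero) {
    "Chromium-based browser window found: handle $chrome"
} else {
    "No Chromium-based browser window found"
}
```

Two caveats worth keeping in mind when reading a capa or CAPE hit against this behaviour. First, GetWindowText only sends WM_GETTEXT to windows owned by the calling process; for other processes it returns the cached caption and cannot read control text, which is consistent with the capa rule listing user32.SendMessage next to GetWindowText, since a sample that wants live text from another window sends WM_GETTEXT itself. Second, the fixed 0x100 buffer in the snippet is a common pattern, so titles longer than 255 characters will match only on their prefix if the sample compares them against a target list.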

## References

[1] capa v4.0, analyzed at MITRE on 10/12/2022