Putter Panda_G0024.json
{"description": "Enterprise techniques used by Putter Panda, ATT&CK group G0024 v1.0", "name": "Putter Panda (G0024)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1089", "techniqueName": "Disabling Security Tools", "comment": "Malware used by [Putter Panda](https://attack.mitre.org/groups/G0024) attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe)."}, {"score": 1, "techniqueID": "T1055", "techniqueName": "Process Injection", "comment": "An executable dropped onto victims by [Putter Panda](https://attack.mitre.org/groups/G0024) aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe)."}, {"score": 1, "techniqueID": "T1060", "techniqueName": "Registry Run Keys / Startup Folder", "comment": "A dropper used by [Putter Panda](https://attack.mitre.org/groups/G0024) installs itself into the ASEP Registry key <code>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code> with a value named McUpdate."}, {"score": 1, "techniqueID": "T1027", "techniqueName": "Obfuscated Files or Information", "comment": "Droppers used by [Putter Panda](https://attack.mitre.org/groups/G0024) use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 \u2013 0xAF to obfuscate payloads."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Putter Panda", "color": "#ff6666"}]}