Skip to content

Hide Navigation Hide TOC

Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)

Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.(Citation: MicroFocus 9002 Aug 2016)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: ASERT Seven Pointed Dagger Aug 2015)(Citation: FireEye DeputyDog 9002 November 2013)(Citation: ProofPoint GoT 9002 Aug 2017)(Citation: FireEye Sunshop Campaign May 2013)(Citation: PaloAlto 3102 Sept 2015)

Cluster A Galaxy A Cluster B Galaxy B Level
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d) Malpedia Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f) Malpedia Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) Tool Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern 2
9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f) Malpedia Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) Tool 2
Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) Tool Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d) Malpedia 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2