Skip to content

Hide Navigation Hide TOC

ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)

ZxShell is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014)

Cluster A Galaxy A Cluster B Galaxy B Level
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 1
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern 1
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 1
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 1
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 1
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 1
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern 2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2