Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)

Goopy is a Windows backdoor and Trojan used by APT32 and shares several similarities to another backdoor used by the group (Denis). Goopy is named for its impersonation of the legitimate Google Updater executable.(Citation: Cybereason Cobalt Kitty 2017)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	1
Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	1
Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	1
Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3)	Attack Pattern	1
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	1
Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927)	Attack Pattern	1
Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	1
Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	1
Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	1
Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b)	Attack Pattern	Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	1
Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	1
Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
Goopy - S0477 (eac3d77f-2b7b-4599-ba74-948dc16633ad)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3)	Attack Pattern	2
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2