Skip to content

Hide Navigation Hide TOC

Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703)

You probably have heard the recent news about a widespread attack that was carried out using a 0-Day exploit for Internet Explorer as one of the vectors. This exploit is also known as the "Aurora Exploit". The code has recently gone public and it was also added to the Metasploit framework. This exploit was used to deliver a malicious payload, known by the name of Trojan.Hydraq, the main purpose of which was to steal information from the compromised computer and report it back to the attackers. The exploit code makes use of known techniques to exploit a vulnerability that exists in the way Internet Explorer handles a deleted object. The final purpose of the exploit itself is to access an object that was previously deleted, causing the code to reference a memory location over which the attacker has control and in which the attacker dropped his malicious code.

Cluster A Galaxy A Cluster B Galaxy B Level
Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) Tool 9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f) Malpedia 1
Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) Tool Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d) Malpedia 1
Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) Tool Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 1
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 2
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 2
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d) Malpedia Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 2
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 2
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 2
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 2
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 2
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f) Malpedia Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 3
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3