StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. ^[1]

ID: S0142

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 31 May 2017

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	StreamEx has the ability to remotely execute commands.^[1]
Enterprise	T1543	.003	Create or Modify System Process: Windows Service	StreamEx establishes persistence by installing a new service pointing to its DLL and setting the service to auto-start.^[1]
Enterprise	T1083		File and Directory Discovery	StreamEx has the ability to enumerate drive types.^[1]
Enterprise	T1112		Modify Registry	StreamEx has the ability to modify the Registry.^[1]
Enterprise	T1027		Obfuscated Files or Information	StreamEx obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data.^[1]
Enterprise	T1057		Process Discovery	StreamEx has the ability to enumerate processes.^[1]
Enterprise	T1218	.011	Signed Binary Proxy Execution: Rundll32	StreamEx uses rundll32 to call an exported function.^[1]
Enterprise	T1518	.001	Software Discovery: Security Software Discovery	StreamEx has the ability to scan for security tools such as firewalls and antivirus tools.^[1]
Enterprise	T1082		System Information Discovery	StreamEx has the ability to enumerate system information.^[1]

Groups That Use This Software

ID	Name	References
G0009	Deep Panda	^[1]

References

Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.

StreamEx

Enterprise Layer

Techniques Used

Groups That Use This Software

References