| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | Agent.btz saves system information into an XML file that is then XOR-encoded.[2] |
| Enterprise | T1033 | System Owner/User Discovery | Agent.btz obtains the victim username and saves it to a file.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Agent.btz collects the network adapter's IP and MAC address as well as the IP addresses of the network adapter's default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | Agent.btz attempts to download an encrypted binary from a specified domain.[2] |
| Enterprise | T1091 | Replication Through Removable Media | Agent.btz drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware.[2] |
| Enterprise | T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB | Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs.[1] |
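The two removable-media rows above (T1091 and T1052.001) name concrete on-disk artefacts, autorun.inf and thumb.dd, that a file-creation telemetry feed can be hunted for. The following is an added detection example, not code from the ATT&CK page or from any Agent.btz analysis; the event line format, the sample events, and the set of drive letters treated as removable are constructed assumptions.

```python
# Added example: flag file-creation events that write autorun.inf or thumb.dd onto a
# removable volume. The "<time> <process> <path>" format and the removable-drive set
# are assumptions for illustration; a real feed would be Sysmon Event ID 11 or an
# EDR file-creation stream joined with the host's removable-volume inventory.
import re
from typing import Dict, List, Set

# Constructed: drive letters a removable-media monitor has reported as USB volumes.
REMOVABLE_DRIVES = {"E:", "F:"}

# Constructed sample events; thumb.db (Windows thumbnail cache) is a benign look-alike.
SAMPLE_EVENTS = """\
2024-01-01T10:00:01 C:\\Windows\\explorer.exe C:\\Users\\alice\\report.docx
2024-01-01T10:00:05 C:\\Windows\\System32\\rundll32.exe E:\\autorun.inf
2024-01-01T10:00:06 C:\\Windows\\System32\\rundll32.exe E:\\thumb.dd
2024-01-01T10:00:09 C:\\Program Files\\Backup\\backup.exe F:\\thumb.db
2024-01-01T10:00:12 C:\\Windows\\explorer.exe F:\\autorun.inf
"""

EVENT_RE = re.compile(r"^(\S+) (.+?\.exe) ([A-Za-z]:\\.+)$")

# Artefact file names from the table rows, mapped to the technique they indicate.
SUSPICIOUS_NAMES = {"autorun.inf": "T1091", "thumb.dd": "T1052.001"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into time, creating process and created path."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    time, process, path = m.groups()
    return {"time": time, "process": process, "path": path}


def flag_removable_media_artifacts(log_text: str, removable: Set[str]) -> List[Dict[str, str]]:
    """Return events that create autorun.inf or thumb.dd on a drive in `removable`."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        drive = ev["path"][:2].upper()            # e.g. "E:"
        name = ev["path"].rsplit("\\", 1)[-1].lower()  # base file name, exact match only
        if drive in removable and name in SUSPICIOUS_NAMES:
            ev["technique"] = SUSPICIOUS_NAMES[name]
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in flag_removable_media_artifacts(SAMPLE_EVENTS, REMOVABLE_DRIVES):
        print(f"{hit['time']} {hit['technique']} {hit['process']} -> {hit['path']}")
```

Matching on the exact base name keeps thumb.db out of the results; in production, also join on the process that created the file and alert on any non-installer writing autorun.inf.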