| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | BadPatch collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | BadPatch establishes a foothold by adding a link to the malware executable in the startup folder.[1] |
| Enterprise | T1113 | Screen Capture | BadPatch captures screenshots in .jpg format and then exfiltrates them.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | BadPatch stores collected data in log files before exfiltration.[1] |
| Enterprise | T1083 | File and Directory Discovery | BadPatch searches for files with specific file extensions.[1] |
| Enterprise | T1082 | System Information Discovery | BadPatch collects the OS system, OS version, MAC address, and the computer name from the victim's machine.[1] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | BadPatch attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name, BIOS, and motherboard information.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | BadPatch uses WMI to enumerate installed security products in the victim's environment.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1056.001 | Input Capture: Keylogging | |