Spark
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1140 | 反混淆/解码文件或信息 |
Spark has used a custom XOR algorithm to decrypt the payload.[1] |
|
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell | |
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
Spark has used HTTP POST requests to communicate with its C2 server to receive commands.[1] |
| Enterprise | T1132 | .001 | 数据编码: Standard Encoding |
Spark has encoded communications with the C2 server with base64.[1] |
| Enterprise | T1027 | .002 | 混淆文件或信息: Software Packing |
Spark has been packed with Enigma Protector to obfuscate its contents.[1] |
| Enterprise | T1614 | .001 | 系统位置发现: System Language Discovery |
Spark has checked the results of the |
| Enterprise | T1082 | 系统信息发现 |
Spark can collect the hostname, keyboard layout, and language from the system.[1] |
|
| Enterprise | T1033 | 系统所有者/用户发现 |
Spark has run the whoami command and has a built-in command to identify the user logged in.[1] |
|
| Enterprise | T1497 | .002 | 虚拟化/沙盒规避: User Activity Based Checks |
Spark has used a splash screen to check whether an user actively clicks on the screen before running malicious code.[1] |
| Enterprise | T1041 | 通过C2信道渗出 | ||