SharpStage is a .NET malware with backdoor capabilities.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | SharpStage can use WMI for execution.[1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SharpStage has decompressed data received from the C2 server.[2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | SharpStage has the ability to establish persistence using the Registry autorun key and the Startup folder.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | SharpStage can execute arbitrary commands with PowerShell.[1][2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | SharpStage can execute arbitrary commands with the command line.[1][2] |
| Enterprise | T1113 | Screen Capture | SharpStage has the ability to capture the victim's screen.[1][2] |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | SharpStage has been used to target Arabic-speaking users and contains code that checks whether the compromised machine has the Arabic language installed.[2] |
| Enterprise | T1082 | System Information Discovery | SharpStage has checked the system settings to see whether Arabic is the configured language.[2] |
| Enterprise | T1102 | Web Service | SharpStage has used a legitimate web service to evade detection.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | SharpStage has the ability to download and execute additional payloads via the Dropbox API.[1][2] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | SharpStage has a persistence component that writes a scheduled task for the payload.[1] |
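The table attributes three persistence locations to SharpStage: Registry Run keys and the Startup folder (T1547.001) and a scheduled task (T1053.005). The following triage script is an added example, not code from this page, from the cited reports or from SharpStage itself. It inventories all three locations on a host and flags entries that launch PowerShell or cmd.exe (the interpreters the table says SharpStage uses for execution) or resolve to a user-writable directory. The `$SuspiciousPattern` heuristic and the output file name are assumptions chosen for illustration; they are not indicators documented for SharpStage.

```powershell
# Added persistence-triage example (not from the ATT&CK page or from SharpStage).
# Enumerates Registry Run/RunOnce values, Startup folder contents and scheduled task
# actions, then flags commands matching an assumed heuristic pattern.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Heuristic (assumption): script interpreters plus directories an unprivileged
# implant can write to. Tune this to the environment before relying on it.
$SuspiciousPattern = 'powershell|pwsh|cmd\.exe|\\AppData\\|\\Temp\\|\\ProgramData\\'

function Get-AutorunEntries {
    $entries = New-Object System.Collections.Generic.List[object]

    # 1. Registry Run / RunOnce values (T1547.001)
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $entries.Add([pscustomobject]@{
                Source   = 'RunKey'
                Location = $key
                Name     = $name
                Command  = [string]$item.GetValue($name)
            })
        }
    }

    # 2. Startup folder contents (T1547.001); .lnk shortcuts are resolved to their
    #    target so the path heuristic sees the real executable.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($file in Get-ChildItem -Path $folder -File -Force) {
            $command = $file.FullName
            if ($file.Extension -eq '.lnk') {
                $lnk = $shell.CreateShortcut($file.FullName)
                $command = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
            }
            $entries.Add([pscustomobject]@{
                Source   = 'StartupFolder'
                Location = $folder
                Name     = $file.Name
                Command  = $command
            })
        }
    }

    # 3. Scheduled task actions (T1053.005); COM-handler actions carry no Execute
    #    path and are skipped.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $entries.Add([pscustomobject]@{
                Source   = 'ScheduledTask'
                Location = $task.TaskPath
                Name     = $task.TaskName
                Command  = ($action.Execute + ' ' + $action.Arguments).Trim()
            })
        }
    }

    return $entries
}

function Find-SuspiciousAutoruns {
    Get-AutorunEntries | Where-Object { $_.Command -match $SuspiciousPattern }
}

# Keep the full inventory for baselining, then show only the flagged subset.
Get-AutorunEntries | Export-Csv -Path "$env:TEMP\autoruns-baseline.csv" -NoTypeInformation
Find-SuspiciousAutoruns | Format-Table Source, Location, Name, Command -AutoSize -Wrap
```

`Get-ScheduledTask` requires the ScheduledTasks module (Windows 8 / Server 2012 and later); on older hosts substitute `schtasks /query /fo CSV /v`. Expect benign hits from the pattern, since legitimate software also registers PowerShell-driven tasks and AppData-resident updaters; the value of the script is the diff between a known-good baseline CSV and a later run, not the flagged list on its own. Run it under an account that can read HKLM and the all-users Startup folder, or the HKLM and CommonStartup entries will be silently skipped by the `Test-Path` guards.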