DanBot
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1005 | 从本地系统获取数据 | ||
| Enterprise | T1036 | .005 | 伪装: Match Legitimate Name or Location |
DanBot files have been named |
| Enterprise | T1140 | 反混淆/解码文件或信息 |
DanBot can use a VBA macro to decode its payload prior to installation and execution.[1] |
|
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
DanBot has the ability to execute arbitrary commands via |
| .005 | 命令与脚本解释器: Visual Basic |
DanBot can use a VBA macro embedded in an Excel file to drop the payload.[1] |
||
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols | |
| .004 | 应用层协议: DNS |
DanBot can use use IPv4 A records and IPv6 AAAA DNS records in C2 communications.[1] |
||
| Enterprise | T1027 | .013 | 混淆文件或信息: Encrypted/Encoded File | |
| Enterprise | T1204 | .002 | 用户执行: Malicious File |
DanBot has relied on victims' opening a malicious file for initial execution.[1][2] |
| Enterprise | T1070 | .004 | 移除指标: File Deletion |
DanBot can delete its configuration file after installation.[2] |
| Enterprise | T1105 | 输入工具传输 |
DanBot can download additional files to a targeted system.[1] |
|
| Enterprise | T1021 | .005 | 远程服务: VNC |
DanBot can use VNC for remote access to targeted systems.[2] |
| Enterprise | T1566 | .001 | 钓鱼: Spearphishing Attachment |
DanBot has been distributed within a malicious Excel attachment via spearphishing emails.[1] |
| Enterprise | T1053 | .005 | 预定任务/作业: Scheduled Task | |