Milan

Milan is a backdoor implant based on DanBot that was written in Visual C++ and .NET. Milan has been used by HEXANE since at least June 2020.[1][2]

ID: S1015
Associated Software: James
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 06 June 2022
Last Modified: 11 April 2024

Associated Software Descriptions

Name Description
James [3]

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Milan can upload files from a compromised host.[1]

Enterprise T1036 Masquerading

Milan has used an executable named companycatalogue to appear benign.[1]

Enterprise T1036 .007 Masquerading: Double File Extension

Milan has used an executable named companycatalog.exe.config to appear benign.[1]

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

Milan can use hardcoded domains as an input for domain generation algorithms.[3]

Enterprise T1572 Protocol Tunneling

Milan can use a custom protocol tunneled through DNS or HTTP.[2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Milan can use cmd.exe for discovery actions on a targeted system.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Milan can use HTTPS for communication with C2.[1][2][3]

Enterprise T1071 .004 Application Layer Protocol: DNS

Milan has the ability to use DNS for C2 communications.[1][2][3]
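The two rows above (T1572 and T1071.004) say only that Milan carries a custom protocol inside DNS; the page does not describe the encoding. The following is an added detection example, not Milan's code and not a reconstruction of its protocol: it applies the generic shape of DNS tunnelling (one client repeatedly resolving long, high-entropy labels under a single zone) to constructed query-log tuples. The log format, the two-label zone approximation and the thresholds are assumptions.

```python
"""Heuristic detection of C2 tunnelled over DNS, run over constructed query logs.

Added example (not Milan's code). The tuple format (client, qname, qtype),
the two-label zone approximation and all thresholds are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample queries, not captured traffic. c2.invalid is a placeholder.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "A"),
    ("10.0.0.9", "cdn.example.net", "A"),
    # One client repeatedly asking for long, high-entropy labels under one zone:
    # the shape a chunked, encoded payload takes when carried in query names.
    ("10.0.0.7", "7a6c1e9f0b3d4a2e8c5f1b9d7e3a6c0f.c2.invalid", "TXT"),
    ("10.0.0.7", "b2d4f6a8c0e1f3a5b7d9e1f3a5c7e9b1.c2.invalid", "TXT"),
    ("10.0.0.7", "c3e5a7b9d1f3a5c7e9b1d3f5a7c9e1b3.c2.invalid", "TXT"),
    ("10.0.0.7", "d4f6b8c0e2a4c6e8b0d2f4a6c8e0b2d4.c2.invalid", "TXT"),
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of text (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (payload_labels, zone).

    The zone is approximated as the last two labels; production code would
    use a public-suffix list instead (assumption, kept simple here).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_dns_tunnels(queries, min_queries=3, min_payload_len=20, min_entropy=3.0):
    """Group queries by (client, zone); flag groups whose leading labels are
    consistently long and high-entropy. Returns {(client, zone): stats}."""
    groups = defaultdict(list)
    for client, qname, qtype in queries:
        payload, zone = split_name(qname)
        groups[(client, zone)].append((payload, qtype))

    results = {}
    for key, items in groups.items():
        lens = [len(p) for p, _ in items]
        ents = [shannon_entropy(p) for p, _ in items]
        stats = {
            "queries": len(items),
            "mean_payload_len": sum(lens) / len(lens),
            "mean_entropy": sum(ents) / len(ents),
            # TXT-heavy traffic is a supporting signal, reported but not required.
            "txt_ratio": sum(1 for _, t in items if t.upper() == "TXT") / len(items),
        }
        stats["flagged"] = (
            stats["queries"] >= min_queries
            and stats["mean_payload_len"] >= min_payload_len
            and stats["mean_entropy"] >= min_entropy
        )
        results[key] = stats
    return results


def flagged_pairs(queries, **thresholds):
    """Sorted list of (client, zone) pairs that trip the heuristic."""
    return sorted(k for k, s in detect_dns_tunnels(queries, **thresholds).items()
                  if s["flagged"])


if __name__ == "__main__":
    for (client, zone), s in detect_dns_tunnels(SAMPLE_QUERIES).items():
        print(f"{client:10} {zone:14} n={s['queries']} len={s['mean_payload_len']:.1f} "
              f"H={s['mean_entropy']:.2f} txt={s['txt_ratio']:.2f} flagged={s['flagged']}")
```

The heuristic is deliberately per (client, zone) rather than per query: a single odd-looking name is common (CDN hashes, anti-spam lookups), but a client that keeps sending such names to one zone is the pattern worth a look. Tune the thresholds against your own baseline before alerting, and treat a hit as a lead, not an attribution to Milan.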

Enterprise T1074 .001 Data Staged: Local Data Staging

Milan has saved files prior to upload from a compromised host to folders beginning with the characters a9850d2f.[1]

Enterprise T1106 Native API

Milan can use the API DnsQuery_A for DNS resolution.[2]

Enterprise T1012 Query Registry

Milan can query the MachineGuid value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography to retrieve the machine GUID.[3]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Milan can encode files containing information about the targeted system.[1][2]

Enterprise T1070 .004 Indicator Removal: File Deletion

Milan can delete files via C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > Nul & rmdir /s /q, where the single ping with a 3000 ms timeout serves as a short delay before the directory is removed.[1]

Enterprise T1082 System Information Discovery

Milan can enumerate the targeted machine's name and GUID.[1][3]

Enterprise T1033 System Owner/User Discovery

Milan can identify users registered to a targeted machine.[1]

Enterprise T1016 System Network Configuration Discovery

Milan can run C:\Windows\system32\cmd.exe /c cmd /c ipconfig /all 2>&1 to discover network settings.[1]

Enterprise T1087 .001 Account Discovery: Local Account

Milan has run C:\Windows\system32\cmd.exe /c cmd /c dir c:\users\ /s 2>&1 to discover local accounts.[1]

Enterprise T1105 Ingress Tool Transfer

Milan has received files from C2 and stored them in log folders beginning with the character sequence a9850d2f.[1]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

Milan can use a COM component to generate scheduled tasks.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Milan can establish persistence on a targeted host with scheduled tasks.[1][3]
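Several rows above give concrete host artifacts: the fixed cmd.exe command lines (T1070.004, T1016, T1087.001), the a9850d2f folder prefix used for staging and downloaded files (T1074.001, T1105), and the companycatalog.exe.config double extension (T1036.007). The block below is an added example, not code from the page or from any vendor report, that turns those artifacts into matching rules run over constructed process-creation events shaped like Sysmon Event ID 1 fields. The event records, the rmdir target path and the parent-image values are constructed for the example.

```python
"""Match Milan host artifacts from the ATT&CK rows against process-creation events.

Added example, not from the page or a vendor report. Event layout (Image,
CommandLine, ParentImage) mirrors Sysmon Event ID 1 fields; the sample events,
the rmdir target folder and the parent image paths are constructed.
"""
import re

# Constructed sample events (made up for this example, not from a real host).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > Nul "
                    r"& rmdir /s /q C:\ProgramData\a9850d2f-7c1e",
     "ParentImage": r"C:\ProgramData\companycatalog.exe.config"},
    {"id": 2, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c cmd /c ipconfig /all 2>&1",
     "ParentImage": r"C:\ProgramData\companycatalog.exe.config"},
    {"id": 3, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c cmd /c dir c:\users\ /s 2>&1",
     "ParentImage": r"C:\ProgramData\companycatalog.exe.config"},
    # Benign admin activity that should not match: plain ipconfig, plain dir.
    {"id": 4, "Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig /all",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"id": 5, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\alice\Documents",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Command-line rules taken from the technique rows on this page.
# The ping-to-Nul-then-rmdir idiom is also used by installers and uninstallers,
# so on its own it is medium confidence; the other two are exact Milan strings.
COMMANDLINE_RULES = [
    ("T1070.004", "ping 1.1.1.1 delay followed by rmdir /s /q",
     re.compile(r"ping\s+1\.1\.1\.1\s+-n\s+1\s+-w\s+3000\s*>\s*nul\s*&\s*rmdir\s+/s\s+/q", re.I)),
    ("T1016", "cmd /c ipconfig /all 2>&1",
     re.compile(r"cmd\s+/c\s+ipconfig\s+/all\s+2>&1", re.I)),
    ("T1087.001", r"cmd /c dir c:\users\ /s 2>&1",
     re.compile(r"cmd\s+/c\s+dir\s+c:\\users\\\s+/s\s+2>&1", re.I)),
    ("T1074.001", "path component beginning with a9850d2f",
     re.compile(r"(?<=[\\/])a9850d2f", re.I)),
]

# Image or parent image whose file name carries ".exe." before its real extension.
DOUBLE_EXTENSION = re.compile(r"\.exe\.[a-z0-9]{1,8}$", re.I)


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def match_event(event: dict) -> list:
    """Return the sorted, de-duplicated technique IDs the event matches."""
    hits = set()
    cmdline = event.get("CommandLine", "")
    for technique, _desc, pattern in COMMANDLINE_RULES:
        if pattern.search(cmdline):
            hits.add(technique)
    for field in ("Image", "ParentImage"):
        if DOUBLE_EXTENSION.search(basename(event.get(field, ""))):
            hits.add("T1036.007")
    return sorted(hits)


def scan(events) -> dict:
    """Map each event id to the technique IDs it matched (empty list if none)."""
    return {e["id"]: match_event(e) for e in events}


if __name__ == "__main__":
    for event_id, techniques in scan(SAMPLE_EVENTS).items():
        print(event_id, techniques or "-")
```

Event 1 trips three rules at once (the self-deletion idiom, the a9850d2f staging folder in the rmdir target, and the double-extension parent), which is the kind of overlap worth alerting on; a lone T1070.004 hit from an installer's cleanup step is not. The fixed command strings are brittle by nature, so pair them with the folder-prefix and double-extension checks rather than relying on any one of them.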

Groups That Use This Software

ID Name References
G1001 HEXANE [2][3]

References