Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

PUNCHBUGGY

PUNCHBUGGY is a backdoor malware used by FIN8 that has been observed targeting POS networks in the hospitality industry. (Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)
ID: S0196
Associated Software: ShellTea
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 18 Apr 2018
Last Modified: 19 Sep 2023

Associated Software Descriptions

Name Description
ShellTea (Citation: Morphisec ShellTea June 2019)

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

PUNCHBUGGY can gather user names.(Citation: Morphisec ShellTea June 2019)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PUNCHBUGGY enables remote interaction and can obtain additional code over HTTPS GET and POST requests.(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Morphisec ShellTea June 2019)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

PUNCHBUGGY has Gzipped information and saved it to a random temp file before exfil.(Citation: Morphisec ShellTea June 2019)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PUNCHBUGGY has been observed using a Registry Run key.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Morphisec ShellTea June 2019)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

PUNCHBUGGY has used PowerShell scripts.(Citation: Morphisec ShellTea June 2019)

.006 Command and Scripting Interpreter: Python

PUNCHBUGGY has used python scripts.(Citation: Morphisec ShellTea June 2019)

Enterprise T1074 .001 Data Staged: Local Data Staging

PUNCHBUGGY has saved information to a random temp file before exfil.(Citation: Morphisec ShellTea June 2019)

Enterprise T1546 .009 Event Triggered Execution: AppCert DLLs

PUNCHBUGGY can establish using a AppCertDLLs Registry key.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1070 .004 Indicator Removal: File Deletion

PUNCHBUGGY can delete files written to disk.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Morphisec ShellTea June 2019)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

PUNCHBUGGY mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Morphisec ShellTea June 2019)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

PUNCHBUGGY can gather AVs registered in the system.(Citation: Morphisec ShellTea June 2019)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

PUNCHBUGGY can load a DLL using Rundll32.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Groups That Use This Software

ID Name References
G0061 FIN8

(Citation: FireEye Fin8 May 2016)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.