Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Milan

Milan is a backdoor implant based on DanBot that was written in Visual C++ and .NET. Milan has been used by HEXANE since at least June 2020.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)
ID: S1015
Associated Software: James
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 06 Jun 2022
Last Modified: 11 Apr 2024

Associated Software Descriptions

Name Description
James (Citation: Accenture Lyceum Targets November 2021)

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Milan has run `C:\Windows\system32\cmd.exe /c cmd /c dir c:\users\ /s 2>&1` to discover local accounts.(Citation: ClearSky Siamesekitten August 2021)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Milan can use HTTPS for communication with C2.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)(Citation: Accenture Lyceum Targets November 2021)

.004 Application Layer Protocol: DNS

Milan has the ability to use DNS for C2 communications.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)(Citation: Accenture Lyceum Targets November 2021)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Milan can use `cmd.exe` for discovery actions on a targeted system.(Citation: ClearSky Siamesekitten August 2021)

Enterprise T1074 .001 Data Staged: Local Data Staging

Milan has saved files prior to upload from a compromised host to folders beginning with the characters `a9850d2f`.(Citation: ClearSky Siamesekitten August 2021)

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

Milan can use hardcoded domains as an input for domain generation algorithms.(Citation: Accenture Lyceum Targets November 2021)

Enterprise T1070 .004 Indicator Removal: File Deletion

Milan can delete files via `C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > Nul & rmdir /s /q`.(Citation: ClearSky Siamesekitten August 2021)

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

Milan can use a COM component to generate scheduled tasks.(Citation: ClearSky Siamesekitten August 2021)

Enterprise T1036 .007 Masquerading: Double File Extension

Milan has used an executable named `companycatalog.exe.config` to appear benign.(Citation: ClearSky Siamesekitten August 2021)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Milan can encode files containing information about the targeted system.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Milan can establish persistence on a targeted host with scheduled tasks.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)

Groups That Use This Software

ID Name References
G1001 HEXANE

(Citation: Accenture Lyceum Targets November 2021) (Citation: Kaspersky Lyceum October 2021)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.