metaMain
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | metaMain can use HTTP for C2 communications. (Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | metaMain has used XOR-based encryption for collected files before exfiltration. (Citation: SentinelLabs Metador Sept 2022) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | metaMain has stored the collected system files in a working directory. (Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | metaMain can encrypt the data that it sends to and receives from the C2 server using the RC4 encryption algorithm. (Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | metaMain registered a WMI event subscription consumer called "hard_disk_stat" to establish persistence. (Citation: SentinelLabs Metador Sept 2022) |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | metaMain can support an HKCMD sideloading start method. (Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | metaMain has deleted collected items after uploading the content to its C2 server. (Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | metaMain can change the `CreationTime`, `LastAccessTime`, and `LastWriteTime` file time attributes when executed with `SYSTEM` privileges. (Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Enterprise | T1056.001 | Input Capture: Keylogging | metaMain has the ability to log keyboard events. (Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | metaMain's module file has been encrypted via XOR. (Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Enterprise | T1090.001 | Proxy: Internal Proxy | metaMain can create a named pipe to listen for and send data to a named pipe-based C2 server. (Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Enterprise | T1205.001 | Traffic Signaling: Port Knocking | metaMain has authenticated itself to a different implant, Cryshell, through a port knocking and handshake procedure. (Citation: SentinelLabs Metador Sept 2022) |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | metaMain has delayed execution for five to six minutes during its persistence establishment process. (Citation: SentinelLabs Metador Technical Appendix Sept 2022) |