| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | Misdat has created registry keys for persistence, including `HKCU\Software\dnimtsoleht\StubPath`, `HKCU\Software\snimtsOleht\StubPath`, `HKCU\Software\Backtsaleht\StubPath`, `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}`, and `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}`. Windows runs the `StubPath` command of each Active Setup component once per user at logon. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Misdat is capable of providing shell functionality to the attacker to execute commands. |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Misdat network traffic is Base64-encoded plaintext. |
| enterprise | T1005 | Data from Local System | Misdat has collected files and data from a compromised host. |
| enterprise | T1041 | Exfiltration Over C2 Channel | Misdat has uploaded files and data to its C2 servers. |
| enterprise | T1083 | File and Directory Discovery | Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Misdat is capable of deleting the backdoor file. |
| enterprise | T1070.006 | Timestomp | Many Misdat samples were programmed using Borland Delphi, whose linker writes a fixed PE compile timestamp (0x2A425E19, 19 June 1992) instead of the real build time, so the compile timestamp cannot be used to date the sample. |
| enterprise | T1070.009 | Clear Persistence | Misdat is capable of deleting Registry keys used for persistence. |
| enterprise | T1105 | Ingress Tool Transfer | Misdat is capable of downloading files from the C2. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Misdat saves itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary (normally located in `%SystemRoot%\System32`). |
| enterprise | T1106 | Native API | Misdat has used Windows APIs, including `ExitWindowsEx` and `GetKeyboardType`. |
| enterprise | T1095 | Non-Application Layer Protocol | Misdat network traffic communicates over a raw socket. |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | Misdat was typically packed using UPX. |
| enterprise | T1082 | System Information Discovery | The initial beacon packet for Misdat contains the operating system version of the victim. |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | Misdat has attempted to detect if a compromised host had a Japanese keyboard via the Windows API call `GetKeyboardType`. |
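The T1547 and T1036.005 rows above describe two artifacts a host hunt can look for together: `StubPath` values (under Active Setup, or under odd vendor keys such as `HKCU\Software\dnimtsoleht`) and an `msdtc.exe` living anywhere other than `%SystemRoot%\System32`. The following is an added example, not code from the ATT&CK page or from Misdat itself. It parses the text format that `reg export` produces and flags those conditions. The registry export below is constructed for illustration: the first Active Setup GUID is the one listed on this page, while the second GUID, the user name `alice` and the OneDrive entry are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample in `reg export` format. Only the Misdat GUID is from the page;
# the benign GUID, the user name and the Run entry are made up for this example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}]
"StubPath"="C:\\Users\\Public\\msdtc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
"StubPath"="%SystemRoot%\\System32\\unregmp2.exe /ShowWMP"

[HKEY_CURRENT_USER\Software\dnimtsoleht]
"StubPath"="C:\\Users\\Public\\msdtc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')

ACTIVE_SETUP_PREFIXES = (
    r"hkey_local_machine\software\microsoft\active setup\installed components\\".rstrip("\\") + "\\",
    r"hkey_current_user\software\microsoft\active setup\installed components\\".rstrip("\\") + "\\",
)
SYSTEM_ROOT = r"c:\windows" + "\\"
MSDTC_LEGIT = r"c:\windows\system32\msdtc.exe"

REASON_ACTIVE_SETUP = "Active Setup StubPath launches a binary outside %SystemRoot%"
REASON_ROGUE_STUBPATH = "StubPath value outside Active Setup (Misdat-style marker key)"
REASON_MSDTC = "msdtc.exe referenced from a path other than System32 (masquerading)"


@dataclass
class Finding:
    key: str
    value: str
    reason: str


def parse_reg_export(text):
    """Yield (key, name, value) for every quoted REG_SZ value in a reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key:
            # reg export escapes backslashes and quotes with a backslash
            value = re.sub(r"\\(.)", r"\1", m.group(2))
            yield key, m.group(1), value


def command_image(cmd):
    """Lowercased path of the executable in a command line (quoted or first token)."""
    cmd = re.sub(r"%(systemroot|windir)%", r"C:\\Windows", cmd.strip(), flags=re.I)
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)].lower()
    return cmd.split()[0].lower() if cmd else ""


def hunt(reg_text):
    """Return Findings for StubPath persistence and msdtc.exe masquerading."""
    findings = []
    for key, name, value in parse_reg_export(reg_text):
        image = command_image(value)
        if name.lower() == "stubpath":
            if key.lower().startswith(ACTIVE_SETUP_PREFIXES):
                if not image.startswith(SYSTEM_ROOT):
                    findings.append(Finding(key, value, REASON_ACTIVE_SETUP))
            else:
                findings.append(Finding(key, value, REASON_ROGUE_STUBPATH))
        if image.endswith("\\msdtc.exe") and image != MSDTC_LEGIT:
            findings.append(Finding(key, value, REASON_MSDTC))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_REG_EXPORT):
        print(f"{f.reason}\n  {f.key}\n  {f.value}")
```

Run it against a real `reg export HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components` (and an HKCU `Software` export) rather than the constructed sample. The `StubPath` checks are deliberately path-based: Active Setup entries from Microsoft components point into `%SystemRoot%`, so anything launching from a user-writable directory deserves a look, and a `StubPath` value outside the Active Setup tree has no legitimate consumer at all.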
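The T1070.006 and T1027.002 rows above give two static triage signals for a suspected Misdat sample: a Delphi-built PE carries the fixed COFF timestamp 0x2A425E19 (19 June 1992) rather than a real build time, and UPX-packed binaries carry sections named `UPX0`/`UPX1`. The following added example (not code from the ATT&CK page or from Misdat) parses a PE header with `struct` and reports both. Because no real sample ships with this page, `build_sample_pe` assembles a minimal, non-runnable PE header as constructed test input; only `parse_pe_header` and `triage` are the part you would point at a real file.

```python
import struct
from datetime import datetime, timezone

# Borland Delphi linkers write this fixed value into the COFF TimeDateStamp field
# of every PE they produce; it decodes to 1992-06-19 22:22:17 UTC.
DELPHI_TIMESTAMP = 0x2A425E19
# Section names UPX assigns to its compressed payload and loader sections.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def build_sample_pe(timestamp, section_names, size_of_optional=0xE0):
    """Assemble a minimal PE header (constructed test input, not a real sample)."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), timestamp,
                       0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (size_of_optional - 2)  # PE32 magic + padding
    # IMAGE_SECTION_HEADER is 40 bytes; only the 8-byte Name matters here
    sections = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + optional + sections


def parse_pe_header(data):
    """Return (COFF timestamp, list of section names) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    coff_off = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    sec_off = coff_off + 20 + opt_size
    names = [data[sec_off + 40 * i:sec_off + 40 * i + 8].rstrip(b"\x00") for i in range(nsections)]
    return timestamp, names


def triage(data):
    """Flag the Delphi fixed timestamp and UPX section names in a PE image."""
    timestamp, names = parse_pe_header(data)
    flags = []
    if timestamp == DELPHI_TIMESTAMP:
        flags.append("delphi_fixed_timestamp")
    if any(n in UPX_SECTION_NAMES for n in names):
        flags.append("upx_packed")
    return {
        "timestamp": timestamp,
        "compile_time_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "sections": [n.decode("ascii", "replace") for n in names],
        "flags": flags,
    }


if __name__ == "__main__":
    suspect = build_sample_pe(DELPHI_TIMESTAMP, [b"UPX0", b"UPX1", b".rsrc"])
    print(triage(suspect))
    # For a real file: print(triage(open(path, "rb").read()))
```

Both flags are heuristics, not verdicts: every legitimate Delphi application carries the same 1992 timestamp, and plenty of benign tools are UPX-packed. Treat a hit as a reason to unpack the sample and compare its hash and dropped path (the `msdtc.exe` in the T1036.005 row) rather than as an identification on its own.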