Skip to content

S0084 Mis-Type

Mis-Type is a backdoor hybrid that was used by Dust Storm in 2012. 1

Item Value
ID S0084
Associated Names
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 19 January 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account Mis-Type may create a file containing the results of the command cmd.exe /c net user {Username}.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Mis-Type network traffic can communicate over HTTP.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Mis-Type uses cmd.exe to run commands for enumerating the host.1
enterprise T1136 Create Account -
enterprise T1136.001 Local Account Mis-Type may create a temporary user on the system named “Lost_{Unique Identifier}.”1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Mis-Type uses Base64 encoding for C2 traffic.1
enterprise T1008 Fallback Channels Mis-Type first attempts to use a Base64-encoded network protocol over a raw TCP socket for C2, and if that method fails, falls back to a secondary HTTP-based protocol to communicate to an alternate C2 server.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Mis-Type saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.12
enterprise T1095 Non-Application Layer Protocol Mis-Type network traffic can communicate over a raw socket.1
enterprise T1082 System Information Discovery The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.1
enterprise T1016 System Network Configuration Discovery Mis-Type may create a file containing the results of the command cmd.exe /c ipconfig /all.1
enterprise T1033 System Owner/User Discovery Mis-Type runs tests to determine the privilege level of the compromised user.1

Groups That Use This Software

ID Name References
G0031 Dust Storm 1

References

Back to top