| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | S-Type has run the command net user on a victim. |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | S-Type uses HTTP for C2. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IMJPMIJ8.1{3 characters of Unique Identifier}. |
| enterprise | T1547.009 | Shortcut Modification | S-Type may create the file %HOMEPATH%\Start Menu\Programs\Startup\Realtek {Unique Identifier}.lnk, which points to the malicious msdtc.exe file already created in the %CommonFiles% directory. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | S-Type has provided the ability to execute shell commands on a compromised host. |
| enterprise | T1136 | Create Account | - |
| enterprise | T1136.001 | Local Account | S-Type may create a temporary user on the system named Lost_{Unique Identifier} with the password pond~!@6”{Unique Identifier}. |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | S-Type uses Base64 encoding for C2 traffic. |
| enterprise | T1041 | Exfiltration Over C2 Channel | S-Type has uploaded data and files from a compromised host to its C2 servers. |
| enterprise | T1008 | Fallback Channels | S-Type primarily uses port 80 for C2, but falls back to ports 443 or 8080 if initial communication fails. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | S-Type has deleted files it has created on a compromised host. |
| enterprise | T1070.009 | Clear Persistence | S-Type has deleted accounts it has created. |
| enterprise | T1105 | Ingress Tool Transfer | S-Type can download additional files onto a compromised host. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | S-Type may save itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary. |
| enterprise | T1106 | Native API | S-Type has used Windows APIs, including GetKeyboardType, NetUserAdd, and NetUserDel. |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | Some S-Type samples have been packed with UPX. |
| enterprise | T1082 | System Information Discovery | The initial beacon packet for S-Type contains the operating system version and file system of the victim. |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | S-Type has attempted to determine if a compromised system was using a Japanese keyboard via the GetKeyboardType API call. |
| enterprise | T1016 | System Network Configuration Discovery | S-Type has used ipconfig /all on a compromised host. |
| enterprise | T1033 | System Owner/User Discovery | S-Type has run tests to determine the privilege level of the compromised user. |
| enterprise | T1007 | System Service Discovery | S-Type runs the command net start on a victim. |