S0337 BadPatch
BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.
| Item | Value |
|---|---|
| ID | S0337 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 29 January 2019 |
| Last Modified | 17 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | BadPatch uses HTTP for C2. |
| enterprise | T1071.003 | Mail Protocols | BadPatch uses SMTP for C2. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | BadPatch establishes a foothold by adding a link to the malware executable in the startup folder. |
| enterprise | T1005 | Data from Local System | BadPatch collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx. |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | BadPatch stores collected data in log files before exfiltration. |
| enterprise | T1083 | File and Directory Discovery | BadPatch searches for files with specific file extensions. |
| enterprise | T1105 | Ingress Tool Transfer | BadPatch can download and execute or update malware. |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | BadPatch has a keylogging capability. |
| enterprise | T1113 | Screen Capture | BadPatch captures screenshots in .jpg format and then exfiltrates them. |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | BadPatch uses WMI to enumerate installed security products in the victim's environment. |
| enterprise | T1082 | System Information Discovery | BadPatch collects the OS system, OS version, MAC address, and the computer name from the victim's machine. |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | BadPatch attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name, BIOS, and motherboard information. |
References