Skip to content

S0337 BadPatch

BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.1

Item Value
ID S0337
Associated Names
Version 1.1
Created 29 January 2019
Last Modified 17 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols BadPatch uses HTTP for C2.1
enterprise T1071.003 Mail Protocols BadPatch uses SMTP for C2.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder BadPatch establishes a foothold by adding a link to the malware executable in the startup folder.1
enterprise T1005 Data from Local System BadPatch collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging BadPatch stores collected data in log files before exfiltration.1
enterprise T1083 File and Directory Discovery BadPatch searches for files with specific file extensions.1
enterprise T1105 Ingress Tool Transfer BadPatch can download and execute or update malware.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging BadPatch has a keylogging capability.1
enterprise T1113 Screen Capture BadPatch captures screenshots in .jpg format and then exfiltrates them.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery BadPatch uses WMI to enumerate installed security products in the victim’s environment.1
enterprise T1082 System Information Discovery BadPatch collects the OS system, OS version, MAC address, and the computer name from the victim’s machine.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks BadPatch attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name, BIOS, and motherboard information. 1