
S0355 Final1stspy

Final1stspy is a dropper family that has been used to deliver DOGCALL.[1]

| Item | Value |
|---|---|
| ID | S0355 |
| Associated Names | |
| Version | 1.1 |
| Created | 31 January 2019 |
| Last Modified | 30 March 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Final1stspy uses HTTP for C2.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Final1stspy creates a Registry Run key to establish persistence.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Final1stspy uses Python code to deobfuscate base64-encoded strings.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Final1stspy obfuscates strings with base64 encoding.[1] |
| enterprise | T1057 | Process Discovery | Final1stspy obtains a list of running processes.[1] |
| enterprise | T1082 | System Information Discovery | Final1stspy obtains victim Microsoft Windows version information and CPU architecture.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0067 | APT37 | [1] |