S0626 P8RAT
P8RAT is a fileless malware used by menuPass to download and execute payloads since at least 2020.[1]
| Item | Value |
|---|---|
| ID | S0626 |
| Associated Names | HEAVYPOT, GreetCake |
| Type | MALWARE |
| Version | 1.0 |
| Created | 21 June 2021 |
| Last Modified | 14 October 2021 |
Associated Software Descriptions
| Name | Description |
|---|---|
| HEAVYPOT | [1] |
| GreetCake | [1] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.001 | Junk Data | P8RAT can send randomly generated data as part of its C2 communication.[1] |
| enterprise | T1105 | Ingress Tool Transfer | P8RAT can download additional payloads to a target system.[1] |
| enterprise | T1057 | Process Discovery | P8RAT can check for specific processes associated with virtual environments.[1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | P8RAT can check the compromised host for processes associated with VMware or VirtualBox environments.[1] |
| enterprise | T1497.003 | Time Based Evasion | P8RAT has the ability to "sleep" for a specified time to evade detection.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0045 | menuPass | [1] |