
S0627 SodaMaster

SodaMaster is fileless malware used by menuPass to download and execute payloads since at least 2020.[1]

| Item | Value |
|---|---|
| ID | S0627 |
| Associated Names | DARKTOWN, dfls, DelfsCake |
| Version | 1.0 |
| Created | 21 June 2021 |
| Last Modified | 11 October 2021 |

Associated Software Descriptions

| Name | Description |
|---|---|
| dfls | [1] |
| DelfsCake | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1573 | Encrypted Channel | - |
| Enterprise | T1573.001 | Symmetric Cryptography | SodaMaster can use RC4 to encrypt C2 communications.[1] |
| Enterprise | T1573.002 | Asymmetric Cryptography | SodaMaster can use a hardcoded RSA key to encrypt some of its C2 traffic.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | SodaMaster has the ability to download additional payloads from C2 to the targeted system.[1] |
| Enterprise | T1106 | Native API | SodaMaster can use RegOpenKeyW to access the Registry.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | SodaMaster can use "stackstrings" for obfuscation.[1] |
| Enterprise | T1057 | Process Discovery | SodaMaster can search a list of running processes.[1] |
| Enterprise | T1012 | Query Registry | SodaMaster has the ability to query the Registry to detect a key specific to VMware.[1] |
| Enterprise | T1082 | System Information Discovery | SodaMaster can enumerate the host name and OS version on a target system.[1] |
| Enterprise | T1033 | System Owner/User Discovery | SodaMaster can identify the username on a compromised host.[1] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| Enterprise | T1497.001 | System Checks | SodaMaster can check for the presence of the Registry key HKEY_CLASSES_ROOT\Applications\VMwareHostOpen.exe before proceeding to its main functionality.[1] |
| Enterprise | T1497.003 | Time Based Evasion | SodaMaster has the ability to put itself to "sleep" for a specified time.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0045 | menuPass | [1] |