Domain | ID | Name | Use
--- | --- | --- | ---
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | RainyDay can use HTTP in C2 communications.
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | RainyDay can use the Windows Command Shell for execution.
enterprise | T1543 | Create or Modify System Process | -
enterprise | T1543.003 | Windows Service | RainyDay can use services to establish persistence.
enterprise | T1555 | Credentials from Password Stores | -
enterprise | T1555.003 | Credentials from Web Browsers | RainyDay can use tools to collect credentials from web browsers.
enterprise | T1555.004 | Windows Credential Manager | RainyDay can use the QuarksPwDump tool to obtain local passwords and domain cached credentials.
enterprise | T1005 | Data from Local System | RainyDay can use a file exfiltration tool to collect recently changed files on a compromised host.
enterprise | T1074 | Data Staged | -
enterprise | T1074.001 | Local Data Staging | RainyDay can use a file exfiltration tool to copy files to C:\ProgramData\Adobe\temp prior to exfiltration.
enterprise | T1140 | Deobfuscate/Decode Files or Information | RainyDay can decrypt its payload via an XOR key.
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.001 | Symmetric Cryptography | RainyDay can use RC4 to encrypt C2 communications.
enterprise | T1567 | Exfiltration Over Web Service | -
enterprise | T1567.002 | Exfiltration to Cloud Storage | RainyDay can use a file exfiltration tool to upload specific files to Dropbox.
enterprise | T1008 | Fallback Channels | RainyDay has the ability to switch between TCP and HTTP for C2 if one method is not working.
enterprise | T1083 | File and Directory Discovery | RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions.
enterprise | T1574 | Hijack Execution Flow | -
enterprise | T1574.002 | DLL Side-Loading | RainyDay can use side-loading to run malicious executables.
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.004 | File Deletion | RainyDay has the ability to uninstall itself by deleting its service and files.
enterprise | T1105 | Ingress Tool Transfer | RainyDay can download files to a compromised host.
enterprise | T1036 | Masquerading | -
enterprise | T1036.004 | Masquerade Task or Service | RainyDay has named services and scheduled tasks to appear benign, including "ChromeCheck" and "googleupdate".
enterprise | T1036.005 | Match Legitimate Name or Location | RainyDay has used names that mimic legitimate software, including "vmtoolsd.exe" to spoof VMware Tools.
enterprise | T1106 | Native API | The file collection tool used by RainyDay can call native APIs, including ReadDirectoryChangesW for folder monitoring.
enterprise | T1095 | Non-Application Layer Protocol | RainyDay can use TCP in C2 communications.
enterprise | T1027 | Obfuscated Files or Information | RainyDay has been downloaded as an XOR-encrypted payload.
enterprise | T1057 | Process Discovery | RainyDay can enumerate processes on a target system.
enterprise | T1090 | Proxy | RainyDay can use proxy tools, including boost_proxy_client, for reverse proxy functionality.
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | RainyDay can use scheduled tasks to achieve persistence.
enterprise | T1113 | Screen Capture | RainyDay has the ability to capture screenshots.
enterprise | T1007 | System Service Discovery | RainyDay can create and register a service for execution.