S0635 BoomBox

BoomBox is a downloader, responsible for executing next-stage components, that APT29 has used since at least 2021. [1]

| Item | Value |
| --- | --- |
| ID | S0635 |
| Associated Names | |
| Version | 1.0 |
| Created | 03 August 2021 |
| Last Modified | 18 January 2022 |
Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.002 | Domain Account | BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users. [1] |
| enterprise | T1087.003 | Email Account | BoomBox can execute an LDAP query to discover e-mail accounts for domain users. [1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | BoomBox has used HTTP POST requests for C2. [1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | BoomBox can establish persistence by writing the Registry value MicroNativeCacheSvc to HKCU\Software\Microsoft\Windows\CurrentVersion\Run. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | BoomBox can decrypt AES-encrypted files downloaded from C2. [1] |
| enterprise | T1480 | Execution Guardrails | BoomBox can check its current working directory and for the presence of a specific file, and terminate if the expected values are not found. [1] |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | BoomBox can upload data to dedicated per-victim folders in Dropbox. [1] |
| enterprise | T1083 | File and Directory Discovery | BoomBox can search for specific files and directories on a machine. [1] |
| enterprise | T1105 | Ingress Tool Transfer | BoomBox has the ability to download next-stage malware components to a compromised system. [1] |
| enterprise | T1036 | Masquerading | BoomBox has the ability to mask malicious data strings as PDF files. [1] |
| enterprise | T1027 | Obfuscated Files or Information | BoomBox can encrypt data using AES prior to exfiltration. [1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | BoomBox can use RunDLL32 for execution. [1] |
| enterprise | T1082 | System Information Discovery | BoomBox can enumerate the hostname, domain, and IP of a compromised host. [1] |
| enterprise | T1033 | System Owner/User Discovery | BoomBox can enumerate the username on a compromised host. [1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | BoomBox has gained execution through user interaction with a malicious file. [1] |
| enterprise | T1102 | Web Service | BoomBox can download files from Dropbox using a hardcoded access token. [1] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0016 | APT29 | [1] |