Skip to content

S1015 Milan

Milan is a backdoor implant based on DanBot that was written in Visual C++ and .NET. Milan has been used by HEXANE since at least June 2020.23

Item Value
ID S1015
Associated Names James
Version 1.0
Created 06 June 2022
Last Modified 31 August 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
James 1

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account Milan has run C:\Windows\system32\cmd.exe /c cmd /c dir c:\users\ /s 2>&1 to discover local accounts.2
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Milan can use HTTPS for communication with C2.231
enterprise T1071.004 DNS Milan has the ability to use DNS for C2 communications.231
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Milan can use cmd.exe for discovery actions on a targeted system.2
enterprise T1005 Data from Local System Milan can upload files from a compromised host.2
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Milan has saved files prior to upload from a compromised host to folders beginning with the characters a9850d2f.2
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms Milan can use hardcoded domains as an input for domain generation algorithms.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Milan can delete files via C:\Windows\system32\cmd.exe /c ping -n 1 -w 3000 > Nul & rmdir /s /q.2
enterprise T1105 Ingress Tool Transfer Milan has received files from C2 and stored them in log folders beginning with the character sequence a9850d2f.2
enterprise T1559 Inter-Process Communication -
enterprise T1559.001 Component Object Model Milan can use a COM component to generate scheduled tasks.2
enterprise T1036 Masquerading Milan has used an executable named companycatalogue to appear benign.2
enterprise T1036.007 Double File Extension Milan has used an executable named companycatalog.exe.config to appear benign.2
enterprise T1106 Native API Milan can use the API DnsQuery_A for DNS resolution.3
enterprise T1027 Obfuscated Files or Information Milan can encode files containing information about the targeted system.23
enterprise T1572 Protocol Tunneling Milan can use a custom protocol tunneled through DNS or HTTP.3
enterprise T1012 Query Registry Milan can query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid to retrieve the machine GUID.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Milan can establish persistence on a targeted host with scheduled tasks.21
enterprise T1082 System Information Discovery Milan can enumerate the targeted machine’s name and GUID.21
enterprise T1016 System Network Configuration Discovery Milan can run C:\Windows\system32\cmd.exe /c cmd /c ipconfig /all 2>&1 to discover network settings.2
enterprise T1033 System Owner/User Discovery Milan can identify users registered to a targeted machine.2

Groups That Use This Software

ID Name References
G1001 HEXANE 31