| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | metaMain can use HTTP for C2 communications. |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.003 | Archive via Custom Method | metaMain has used XOR-based encryption for collected files before exfiltration. |
| enterprise | T1005 | Data from Local System | metaMain can collect files and system information from a compromised host. |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | metaMain has stored the collected system files in a working directory. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | metaMain can decrypt and load other modules. |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | metaMain can encrypt the data that it sends to and receives from the C2 server using the RC4 algorithm. |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | metaMain registered a WMI event subscription consumer called "hard_disk_stat" to establish persistence. |
| enterprise | T1041 | Exfiltration Over C2 Channel | metaMain can upload collected files and data to its C2 server. |
| enterprise | T1083 | File and Directory Discovery | metaMain can recursively enumerate files in an operator-provided directory. |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | metaMain can support an HKCMD sideloading start method. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | metaMain has deleted collected items after uploading the content to its C2 server. |
| enterprise | T1070.006 | Timestomp | metaMain can change the `CreationTime`, `LastAccessTime`, and `LastWriteTime` file time attributes when executed with SYSTEM privileges. |
| enterprise | T1105 | Ingress Tool Transfer | metaMain can download files onto compromised systems. |
| enterprise | T1056 | Input Capture | metaMain can log mouse events. |
| enterprise | T1056.001 | Keylogging | metaMain has the ability to log keyboard events. |
| enterprise | T1112 | Modify Registry | metaMain can write the process ID of a target process into the `HKEY_LOCAL_MACHINE\SOFTWARE\DDE\tpid` Registry value as part of its reflective loading activity. |
| enterprise | T1106 | Native API | metaMain can execute an operator-provided Windows command by leveraging functions such as `WinExec`, `WriteFile`, and `ReadFile`. |
| enterprise | T1095 | Non-Application Layer Protocol | metaMain can establish an indirect and raw TCP socket-based connection to the C2 server. |
| enterprise | T1027 | Obfuscated Files or Information | metaMain's module file has been encrypted via XOR. |
| enterprise | T1057 | Process Discovery | metaMain can enumerate the processes that run on the platform. |
| enterprise | T1055 | Process Injection | metaMain can inject the loader file, Speech02.db, into a process. |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.001 | Internal Proxy | metaMain can create a named pipe to listen for and send data to a named pipe-based C2 server. |
| enterprise | T1620 | Reflective Code Loading | metaMain has reflectively loaded a DLL to read, decrypt, and load an orchestrator file. |
| enterprise | T1113 | Screen Capture | metaMain can take and save screenshots. |
| enterprise | T1082 | System Information Discovery | metaMain can collect the computer name from a compromised host. |
| enterprise | T1033 | System Owner/User Discovery | metaMain can collect the username from a compromised host. |
| enterprise | T1205 | Traffic Signaling | - |
| enterprise | T1205.001 | Port Knocking | metaMain has authenticated itself to a different implant, Cryshell, through a port knocking and handshake procedure. |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.003 | Time Based Evasion | metaMain has delayed execution for five to six minutes during its persistence establishment process. |
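The matrix names two symmetric schemes: RC4 on the C2 channel (T1573.001) and repeating-key XOR on collected files and on the encrypted module file (T1560.003, T1027). The Python below is an added example, not metaMain's code, showing both primitives and the two checks an analyst runs against them: recovering a short XOR key from the known DOS header of an encrypted PE module, and the keystream-reuse property of RC4 that leaks `p1 XOR p2` whenever two messages are sent under a static key with no per-message salt. The keys, the fake module and the beacon text are constructed here; the page does not give metaMain's real keys or whether its C2 key is static, so the reuse check is a general property rather than a statement about the implant.

```python
# Added example; not metaMain's code. Keys and sample data are constructed.

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). One function serves both directions,
    because the keystream is simply XORed onto the input."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; like RC4 it is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# First 8 bytes of the standard MS-DOS stub header: known plaintext that every
# XOR-encrypted PE module leaks to whoever holds the blob.
DOS_HEADER_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00"


def recover_xor_key(blob: bytes, known_prefix: bytes, max_key_len: int = 16):
    """Known-plaintext recovery of a repeating XOR key. Tries key lengths from
    1 upward and returns the shortest key consistent with the whole prefix,
    or None. A key as long as the prefix is always 'consistent', so a prefix
    shorter than the real key cannot pin it down; decrypt_module() adds a
    second check for that case."""
    for k in range(1, min(max_key_len, len(known_prefix)) + 1):
        cand = xor_bytes(blob[:k], known_prefix[:k])          # key = C xor P
        if xor_bytes(cand, blob[:len(known_prefix)]) == known_prefix:
            return cand
    return None


def decrypt_module(blob: bytes):
    """Decrypt an XOR-encrypted module and sanity-check the result as a PE:
    the 'PE\\0\\0' signature must sit at the offset stored at e_lfanew (0x3C)."""
    key = recover_xor_key(blob, DOS_HEADER_PREFIX)
    if key is None:
        return None
    plain = xor_bytes(key, blob)
    e_lfanew = int.from_bytes(plain[0x3C:0x40], "little")
    if plain[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return key, plain


def ciphertext_xor(c1: bytes, c2: bytes) -> bytes:
    """XOR of two ciphertexts. Under a reused RC4 keystream this equals the
    XOR of the two plaintexts, which is the classic stream-cipher failure."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def build_fake_module() -> bytes:
    """Constructed stand-in for a module: DOS header with e_lfanew = 0x80
    pointing at a 'PE\\0\\0' signature, followed by a dummy body."""
    hdr = bytearray(0x80)
    hdr[:len(DOS_HEADER_PREFIX)] = DOS_HEADER_PREFIX
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 60


if __name__ == "__main__":
    module_key = b"\x5a\x13\xc7\x01"            # constructed, not metaMain's key
    blob = xor_bytes(module_key, build_fake_module())
    key, plain = decrypt_module(blob)
    print("recovered XOR key:", key.hex(), "PE signature at e_lfanew:", plain[0x80:0x84])
    c2_key = b"ConstructedKey"
    c1 = rc4(c2_key, b"host=WS01;user=alice")
    c2 = rc4(c2_key, b"host=DC02;user=admin")
    print("rc4 round trip:", rc4(c2_key, c1))
    print("p1 xor p2 leaked from c1 xor c2:", ciphertext_xor(c1, c2).hex())
```

Two caveats for use against real samples: the known-prefix recovery assumes the key period is at most the prefix length, so extend the prefix (the full 64-byte DOS header is mostly fixed, and the rich/"This program cannot be run" stub is too) before trusting a key; and the PE check only says the decryption is plausible, not that the key is complete, so always confirm that the section table parses.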
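The host-side rows of the matrix (the "hard_disk_stat" WMI consumer under T1546.003, the `HKLM\SOFTWARE\DDE\tpid` value under T1112, the Speech02.db loader under T1055 and the creation-time rewrite under T1070.006) are all observable with Sysmon. The script below is an added example, not metaMain's or MITRE's code: a triage pass over Sysmon-style events that flags those four indicators and tags each with its ATT&CK ID. The events are constructed for this example; the field names follow Sysmon's schema for Event IDs 2 (FileCreateTime changed), 11 (FileCreate), 13 (RegistryEvent value set) and 20 (WmiEvent consumer), but the paths, times and PID are invented.

```python
# Added example; not metaMain's or MITRE's code. Events are constructed.
import json
from datetime import datetime

# Sysmon-shaped JSON lines. The first 13 and 2 events are benign noise that the
# rules must not flag; the rest carry the indicators named on the page.
SAMPLE_EVENTS = r"""
{"EventID": 20, "EventType": "WmiConsumerEvent", "Operation": "Created", "Name": "SCM Event Log Consumer"}
{"EventID": 20, "EventType": "WmiConsumerEvent", "Operation": "Created", "Name": "hard_disk_stat"}
{"EventID": 13, "EventType": "SetValue", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
{"EventID": 13, "EventType": "SetValue", "TargetObject": "HKLM\\SOFTWARE\\DDE\\tpid", "Details": "DWORD (0x00001a2c)"}
{"EventID": 11, "TargetFilename": "C:\\ProgramData\\Speech02.db"}
{"EventID": 2, "TargetFilename": "C:\\ProgramData\\Speech02.db", "PreviousCreationUtcTime": "2023-05-02 10:14:31.120", "CreationUtcTime": "2019-03-18 08:00:00.000"}
{"EventID": 2, "TargetFilename": "C:\\Users\\alice\\Downloads\\setup.msi", "PreviousCreationUtcTime": "2023-05-02 10:20:00.000", "CreationUtcTime": "2023-05-02 10:20:00.500"}
"""

SYSMON_TS = "%Y-%m-%d %H:%M:%S.%f"


def parse_dword(details: str):
    """Sysmon renders REG_DWORD values as 'DWORD (0x0000abcd)'; return the int."""
    if not details.startswith("DWORD (0x") or not details.endswith(")"):
        return None
    return int(details[len("DWORD (0x"):-1], 16)


def check_event(ev: dict):
    """Return (technique_id, note) if the event matches one of the page's
    indicators, else None."""
    eid = ev.get("EventID")
    if eid == 20 and ev.get("Name", "").lower() == "hard_disk_stat":
        return ("T1546.003",
                f"WMI event consumer {ev['Name']!r} {ev.get('Operation', '').lower()}")
    if eid == 13 and ev.get("TargetObject", "").lower().endswith("\\software\\dde\\tpid"):
        pid = parse_dword(ev.get("Details", ""))
        return ("T1112", f"{ev['TargetObject']} set to PID {pid} (target of reflective load)")
    if eid == 11 and ev.get("TargetFilename", "").lower().endswith("\\speech02.db"):
        return ("T1055", f"loader file written: {ev['TargetFilename']}")
    if eid == 2:
        before = datetime.strptime(ev["PreviousCreationUtcTime"], SYSMON_TS)
        after = datetime.strptime(ev["CreationUtcTime"], SYSMON_TS)
        if after < before:                      # backdated; installers rarely do this
            days = (before - after).days
            return ("T1070.006", f"{ev['TargetFilename']} creation time moved back {days} days")
    return None


def triage(jsonl: str) -> list:
    """Run check_event over a JSON-lines blob and collect the hits in order."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        hit = check_event(json.loads(line))
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for technique, note in triage(SAMPLE_EVENTS):
        print(technique, note)
```

Two limits worth knowing before deploying rules like these: Sysmon Event ID 2 only sees the creation time, while the Timestomp row says metaMain also rewrites `LastAccessTime` and `LastWriteTime`, so for those compare `$STANDARD_INFORMATION` against `$FILE_NAME` in the MFT on disk; and the consumer name and file name are trivially changed by the operator, so the durable version of the WMI rule is "any non-default consumer created", with the name kept only as an enrichment.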