Skip to content

S1060 Mafalda

Mafalda is a flexible interactive implant that has been used by Metador. Security researchers assess the Mafalda name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. 1

Item Value
ID S1060
Associated Names
Type MALWARE
Version 1.0
Created 26 January 2023
Last Modified 04 April 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation Mafalda can use AdjustTokenPrivileges() to elevate privileges.2
enterprise T1134.003 Make and Impersonate Token Mafalda can create a token for a different user.2
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Mafalda can use HTTP for C2.1
enterprise T1217 Browser Information Discovery Mafalda can collect the contents of the %USERPROFILE%\AppData\Local\Google\Chrome\User Data\LocalState file.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Mafalda can execute PowerShell commands on a compromised machine.2
enterprise T1059.003 Windows Command Shell Mafalda can execute shell commands using cmd.exe.2
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Mafalda can encode data using Base64 prior to exfiltration.2
enterprise T1005 Data from Local System Mafalda can collect files and information from a compromised host.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Mafalda can place retrieved files into a destination directory.1
enterprise T1622 Debugger Evasion Mafalda can search for debugging tools on a compromised host.2
enterprise T1140 Deobfuscate/Decode Files or Information Mafalda can decrypt files and data.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Mafalda can encrypt its C2 traffic with RC4.1
enterprise T1041 Exfiltration Over C2 Channel Mafalda can send network system data and files to its C2 server.1
enterprise T1133 External Remote Services Mafalda can establish an SSH connection from a compromised host to a server.2
enterprise T1083 File and Directory Discovery Mafalda can search for files and directories.1
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs Mafalda can delete Windows Event logs by invoking the OpenEventLogW and ClearEventLogW functions.1
enterprise T1105 Ingress Tool Transfer Mafalda can download additional files onto the compromised host.2
enterprise T1056 Input Capture Mafalda can conduct mouse event logging.2
enterprise T1112 Modify Registry Mafalda can manipulate the system registry on a compromised host.2
enterprise T1106 Native API Mafalda can use a variety of API calls.1
enterprise T1095 Non-Application Layer Protocol Mafalda can use raw TCP for C2.1
enterprise T1027 Obfuscated Files or Information Mafalda has been obfuscated and contains encrypted functions.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Mafalda can dump password hashes from LSASS.exe.2
enterprise T1057 Process Discovery Mafalda can enumerate running processes on a machine.1
enterprise T1090 Proxy -
enterprise T1090.001 Internal Proxy Mafalda can create a named pipe to listen for and send data to a named pipe-based C2 server.2
enterprise T1012 Query Registry Mafalda can enumerate Registry keys with all subkeys and values.2
enterprise T1113 Screen Capture Mafalda can take a screenshot of the target machine and save it to a file.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Mafalda can search for a variety of security software programs, EDR systems, and malware analysis tools.12
enterprise T1082 System Information Discovery Mafalda can collect the computer name and enumerate all drives on a compromised host.12
enterprise T1016 System Network Configuration Discovery Mafalda can use the GetAdaptersInfo function to retrieve information about network adapters and the GetIpNetTable function to retrieve the IPv4 to physical network address mapping table.1
enterprise T1049 System Network Connections Discovery Mafalda can use the GetExtendedTcpTable function to retrieve information about established TCP connections.1
enterprise T1033 System Owner/User Discovery Mafalda can collect the username from a compromised host.2
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Mafalda can create a remote service, let it run once, and then delete it.2
enterprise T1205 Traffic Signaling -
enterprise T1205.001 Port Knocking Mafalda can use port-knocking to authenticate itself to another implant called Cryshell to establish an indirect connection to the C2 server.12
enterprise T1552 Unsecured Credentials -
enterprise T1552.004 Private Keys Mafalda can collect a Chrome encryption key used to protect browser cookies.1

Groups That Use This Software

ID Name References
G1013 Metador 12

References

  1. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  2. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.