| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | SVCReady can communicate with its C2 servers via HTTP. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.005 | Visual Basic | SVCReady has used VBA macros to execute shellcode. |
| enterprise | T1005 | Data from Local System | SVCReady can collect data from an infected host. |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.015 | Component Object Model Hijacking | SVCReady has created the HKEY_CURRENT_USER\Software\Classes\CLSID\{E6D34FFC-AD32-4d6a-934C-D387FA873A19} Registry key for persistence. |
| enterprise | T1041 | Exfiltration Over C2 Channel | SVCReady can send collected data in JSON format to its C2 server. |
| enterprise | T1105 | Ingress Tool Transfer | SVCReady has the ability to download additional tools such as the RedLine Stealer to an infected host. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | SVCReady has named a task RecoveryExTask as part of its persistence activity. |
| enterprise | T1106 | Native API | SVCReady can use Windows API calls to gather information from an infected host. |
| enterprise | T1027 | Obfuscated Files or Information | SVCReady can encrypt victim data with an RC4 cipher. |
| enterprise | T1120 | Peripheral Device Discovery | SVCReady can check for the number of devices plugged into an infected host. |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | SVCReady has been distributed via spearphishing campaigns containing malicious Microsoft Word documents. |
| enterprise | T1057 | Process Discovery | SVCReady can collect a list of running processes from an infected host. |
| enterprise | T1012 | Query Registry | SVCReady can search for the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System Registry key to gather system information. |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | SVCReady can create a scheduled task named RecoveryExTask to gain persistence. |
| enterprise | T1113 | Screen Capture | SVCReady can take a screenshot from an infected host. |
| enterprise | T1518 | Software Discovery | SVCReady can collect a list of installed software from an infected host. |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | SVCReady has used rundll32.exe for execution. |
| enterprise | T1082 | System Information Discovery | SVCReady has the ability to collect information such as computer name, computer manufacturer, BIOS, operating system, and firmware, including through the use of systeminfo.exe. |
| enterprise | T1033 | System Owner/User Discovery | SVCReady can collect the username from an infected host. |
| enterprise | T1124 | System Time Discovery | SVCReady can collect time zone information. |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | SVCReady has relied on users clicking a malicious attachment delivered through spearphishing. |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | SVCReady has the ability to determine if its runtime environment is virtualized. |
| enterprise | T1497.003 | Time Based Evasion | SVCReady can enter a sleep stage for 30 minutes to evade detection. |
| enterprise | T1047 | Windows Management Instrumentation | SVCReady can use WMI queries to detect the presence of a virtual machine environment. |