|Command and Scripting Interpreter
|Black Basta has used PowerShell scripts for discovery and to execute files over the network.
|Windows Command Shell
|Black Basta can use cmd.exe to enable shadow copy deletion.
|Create or Modify System Process
|Black Basta can create a new service to establish persistence.
|Data Encrypted for Impact
|Black Basta can encrypt files with the ChaCha20 cipher, using a multithreaded process to increase speed.
|Debugger Evasion
|The Black Basta dropper can check system flags, CPU registers, CPU instructions, process timing, system libraries, and APIs to determine if a debugger is present.
|Internal Defacement
|Black Basta has set the desktop wallpaper on victims' machines to display a ransom note.
|File and Directory Discovery
|Black Basta can enumerate specific files for encryption.
|File and Directory Permissions Modification
|Linux and Mac File and Directory Permissions Modification
|The Black Basta binary can use chmod to grant itself full permissions on targeted files.
|Safe Mode Boot
|Black Basta can reboot victim machines in safe mode with networking via bcdedit /set safeboot network.
|Inhibit System Recovery
|Black Basta can delete shadow copies using vssadmin.exe.
|Masquerade Task or Service
|Black Basta has established persistence by creating a new service named FAX after deleting the legitimate service by the same name.
|Match Legitimate Name or Location
|The Black Basta dropper has mimicked an application for creating bootable USB drives.
|Modify Registry
|Black Basta can modify the Registry to enable itself to run in safe mode and to change the icons and file extensions shown for encrypted files.
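The shadow-copy deletion, the bcdedit safe-mode switch and the Registry change that lets the malware run in safe mode are all visible in ordinary endpoint telemetry. The detector below, an added example and not Black Basta code or any vendor's rule, runs three rules over constructed Sysmon-style events (EventID 1 process creation with CommandLine, EventID 13 registry value set with TargetObject). It assumes the safe-mode persistence is done by registering a service under the SafeBoot\Network (or SafeBoot\Minimal) key, which is how Windows decides what to start in safe mode; the page only says the Registry is modified, so the exact key is this example's assumption.

```python
"""Detect shadow-copy deletion, safe-mode boot configuration and SafeBoot service
registration in constructed Sysmon-style events. Added example, not Black Basta
code and not a vendor detection rule."""
import re

# Constructed sample events (not real telemetry). EventID 1 = process creation,
# EventID 13 = registry value set, with the Sysmon field names for each.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set safeboot network"},
    {"EventID": 13, "Image": r"C:\Users\Public\payload.exe",          # hypothetical path
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\FAX\(Default)",
     "Details": "Service"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",        # benign noise
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",      # benign noise
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Fax\Start",
     "Details": "DWORD (0x00000003)"},
]

# (rule name, EventID the rule applies to, pattern over the relevant field)
RULES = [
    # vssadmin delete shadows, with or without the .exe suffix, any switches
    ("vssadmin_delete_shadows", 1,
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    # bcdedit /set [{default}|{current}] safeboot network|minimal
    ("bcdedit_safeboot", 1,
     re.compile(r"bcdedit(\.exe)?\s+/set\s+(\{[^}]+\}\s+)?safeboot\s+(network|minimal)", re.I)),
    # a value written under the SafeBoot service lists (assumed persistence mechanism)
    ("safeboot_service_added", 13,
     re.compile(r"\\Control\\SafeBoot\\(Network|Minimal)\\", re.I)),
]


def match_event(event):
    """Return the names of every rule this single event trips (empty list if none)."""
    field = "CommandLine" if event["EventID"] == 1 else "TargetObject"
    text = event.get(field, "")
    return [name for name, event_id, pattern in RULES
            if event_id == event["EventID"] and pattern.search(text)]


def scan(events):
    """Flatten hits into (rule name, Image) pairs in event order."""
    hits = []
    for event in events:
        for name in match_event(event):
            hits.append((name, event["Image"]))
    return hits


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:24} {image}")
```

The two benign events (a normal svchost launch and a service Start value under Services\Fax) produce no hits; the three Black Basta steps each produce one, and in practice the bcdedit and SafeBoot hits arriving within minutes of a vssadmin hit from the same host is a stronger signal than any one rule alone.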
|Native API
|Black Basta has the ability to use native APIs for numerous functions, including discovery and defense evasion.
|Obfuscated Files or Information
|Black Basta has added data before the Portable Executable (PE) header to prevent automatic scanners from identifying the payload.
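A scanner that only checks for the MZ/PE headers at offset 0 misses a payload with bytes prepended to it. The function below, an added example and not the malware's or any scanner's code, finds the embedded image by locating each "MZ" and validating that its e_lfanew field (offset 0x3C) points at a "PE\0\0" signature inside the buffer, which also rejects stray "MZ" strings in the prepended data. The PE bytes it runs on are a constructed header-only stub, not a real binary.

```python
"""Locate a PE image that has had arbitrary data prepended to it.
Added example, not Black Basta code and not a product's scanning logic."""
import struct


def find_embedded_pe(blob):
    """Return the offset of the first valid PE image in blob, or None.
    Valid means: 'MZ' at the offset, a full 64-byte DOS header available, and
    the e_lfanew field pointing at 'PE\\0\\0' within the buffer."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe_offset = pos + e_lfanew
            if pe_offset + 4 <= len(blob) and blob[pe_offset:pe_offset + 4] == b"PE\x00\x00":
                return pos
        pos = blob.find(b"MZ", pos + 1)   # the candidate was a decoy, keep scanning
    return None


def carve_pe(blob):
    """Return the bytes from the real PE header onward (what a signature scanner
    should be fed), or None if no PE image was found."""
    offset = find_embedded_pe(blob)
    return None if offset is None else blob[offset:]


def build_stub_pe():
    """Construct a minimal header-only PE layout: 64-byte DOS header with e_lfanew = 0x40,
    then the PE signature and a 20-byte COFF file header. Not a runnable executable."""
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)
    coff_header = struct.pack("<HHIIIHH",
                              0x8664,  # Machine: x64
                              0,       # NumberOfSections
                              0, 0, 0, # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
                              0,       # SizeOfOptionalHeader
                              0x22)    # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    return bytes(dos_header) + b"PE\x00\x00" + coff_header


# Constructed prepended data; it deliberately contains "MZ" decoys that must be skipped.
JUNK = b"This is not a PE. MZ decoy here " * 3
PADDED = JUNK + build_stub_pe()

if __name__ == "__main__":
    print("clean stub starts at", find_embedded_pe(build_stub_pe()))
    print("padded stub starts at", find_embedded_pe(PADDED))
    print("junk alone:", find_embedded_pe(JUNK))
```

Carving restores the offset-0 view most signature engines expect; a full triage tool would go on to validate the optional header and section table, since a forged e_lfanew can satisfy this check with four bytes.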
|Remote System Discovery
|Black Basta can use LDAP queries to connect to AD and iterate over connected workstations.
|Subvert Trust Controls
|The Black Basta dropper has been digitally signed with a certificate issued by Akeo Consulting for legitimate executables used for creating bootable USB drives.
|System Information Discovery
|Black Basta can enumerate volumes and collect system boot configuration and CPU information.
|System Service Discovery
|Black Basta can check whether the service name FAX is present.
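Both the service-masquerading entry above (delete the legitimate FAX service, recreate one with the same name) and the discovery entry (check whether FAX is present) can be checked from the other side with a service inventory. The audit below is an added example, not the malware's or any product's code; it assumes the built-in Windows Fax service is named Fax and runs fxssvc.exe from System32 (verify that baseline against a known-good host), and it works on constructed inventories shaped like Win32_Service records rather than a live machine.

```python
"""Audit a Windows service inventory for a missing or masqueraded Fax service.
Added example, not Black Basta code. Input records mimic Win32_Service fields."""
import re

# Assumed baseline for this example: the built-in Fax service image. Confirm on a clean host.
EXPECTED_FAX_IMAGE = r"%SystemRoot%\System32\fxssvc.exe"


def normalize_image(path_name):
    """Reduce a service PathName to a comparable executable path: strip quoting and
    arguments, expand %SystemRoot%, and lower-case (paths and service names are
    case-insensitive on Windows)."""
    path_name = path_name.strip()
    if path_name.startswith('"'):
        exe = path_name[1:].split('"', 1)[0]
    else:
        exe = path_name.split(" ", 1)[0]
    exe = re.sub(r"%systemroot%", lambda _m: r"C:\Windows", exe, flags=re.I)
    return exe.lower()


def audit_fax_service(services):
    """services: iterable of dicts with Name and PathName.
    Returns 'missing', 'expected' or 'masqueraded'."""
    fax = [s for s in services if s["Name"].lower() == "fax"]
    if not fax:
        # Either the malware deleted it or the role was never installed: check the baseline.
        return "missing"
    actual = normalize_image(fax[0]["PathName"])
    expected = normalize_image(EXPECTED_FAX_IMAGE)
    return "expected" if actual == expected else "masqueraded"


# Constructed inventories (not real hosts).
CLEAN_HOST = [
    {"Name": "Fax", "PathName": r"C:\Windows\system32\fxssvc.exe"},
    {"Name": "Spooler", "PathName": r"C:\Windows\System32\spoolsv.exe"},
]
MASQUERADED_HOST = [
    {"Name": "FAX", "PathName": r'"C:\Users\Public\fax.exe" -install'},   # hypothetical path
    {"Name": "Spooler", "PathName": r"C:\Windows\System32\spoolsv.exe"},
]
FAX_REMOVED_HOST = [
    {"Name": "Spooler", "PathName": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for label, inventory in [("clean", CLEAN_HOST), ("masqueraded", MASQUERADED_HOST),
                             ("removed", FAX_REMOVED_HOST)]:
        print(f"{label:12} -> {audit_fax_service(inventory)}")
```

On a real host the inventory comes from Get-CimInstance Win32_Service or sc qc Fax; the same comparison generalises to any service name an actor chooses to reuse, as long as you keep a per-name baseline image path.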
|Malicious File
|Black Basta has been downloaded and executed from malicious Excel files.
|Time Based Evasion
|Black Basta can make a random number of calls to the kernel32 Beep function to hinder log analysis.
|System Checks
|Black Basta can check system flags and libraries, process timing, and APIs to detect code emulation or sandboxing.
|Windows Management Instrumentation
|Black Basta has used WMI to execute files over the network.