S1156 Manjusaka
Manjusaka is a Chinese-language intrusion framework, similar to Sliver and Cobalt Strike, with an ELF binary written in GoLang as the controller for Windows and Linux implants written in Rust. First identified in 2022, Manjusaka consists of multiple components, only one of which (a command and control module) is freely available.1
| Item | Value |
|---|---|
| ID | S1156 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 04 September 2024 |
| Last Modified | 06 September 2024 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Manjusaka has used HTTP for command and control communication.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Manjusaka can execute arbitrary commands passed to it from the C2 controller via cmd.exe /c.1 |
| enterprise | T1555 | Credentials from Password Stores | Manjusaka extracts credentials from the Windows Registry associated with Premiumsoft Navicat, a utility used to facilitate access to various database types.1 |
| enterprise | T1555.003 | Credentials from Web Browsers | Manjusaka gathers credentials from Chromium-based browsers.1 |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Manjusaka communication includes a client-created session cookie with base64-encoded information representing information from the victim system.1 |
| enterprise | T1041 | Exfiltration Over C2 Channel | Manjusaka data exfiltration takes place over HTTP channels.1 |
| enterprise | T1083 | File and Directory Discovery | Manjusaka can gather information about specific files on the victim system.1 |
| enterprise | T1113 | Screen Capture | Manjusaka can take screenshots of the victim desktop.1 |
| enterprise | T1082 | System Information Discovery | Manjusaka performs basic system profiling actions to fingerprint and register the victim system with the C2 controller.1 |
| enterprise | T1016 | System Network Configuration Discovery | Manjusaka gathers information about current network connections, local and remote addresses associated with them, and associated processes.1 |