Misdat

Misdat is a backdoor that was used in Operation Dust Storm from 2010 to 2011.[1]

ID: S0083
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 30 September 2022

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Misdat has collected files and data from a compromised host.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Misdat saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[1][2]

Enterprise T1547 Boot or Logon Autostart Execution

Misdat has created registry keys for persistence, including HKCU\Software\dnimtsoleht\StubPath, HKCU\Software\snimtsOleht\StubPath, HKCU\Software\Backtsaleht\StubPath, HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}, and HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Misdat is capable of providing shell functionality to the attacker to execute commands.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Misdat network traffic is Base64-encoded plaintext.[1]

Enterprise T1083 File and Directory Discovery

Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.[1]

Enterprise T1106 Native API

Misdat has used Windows APIs, including ExitWindowsEx and GetKeyboardType.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Misdat was typically packed using UPX.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Misdat is capable of deleting the backdoor file.[1]

.006 Indicator Removal: Timestomp

Many Misdat samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file.[1]

.009 Indicator Removal: Clear Persistence

Misdat is capable of deleting Registry keys used for persistence.[1]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

Misdat has attempted to detect if a compromised host had a Japanese keyboard via the Windows API call GetKeyboardType.[1]

Enterprise T1082 System Information Discovery

The initial beacon packet for Misdat contains the operating system version of the victim.[1]

Enterprise T1105 Ingress Tool Transfer

Misdat is capable of downloading files from the C2.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Misdat has uploaded files and data to its C2 servers.[1]

Enterprise T1095 Non-Application Layer Protocol

Misdat network traffic communicates over a raw socket.[1]
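A defender-side check built from two of the entries above (the persistence keys under T1547 and the msdtc.exe masquerade under T1036.005); this is an added example, not code from the ATT&CK page or the cited report. It assumes autorun entries have already been exported as (registry key, value data) pairs; the sample entries and the user paths in them are constructed.

```python
import ntpath

# Persistence locations listed for Misdat on this page (S0083).
MISDAT_PERSISTENCE_KEYS = {
    r"HKCU\Software\dnimtsoleht\StubPath",
    r"HKCU\Software\snimtsOleht\StubPath",
    r"HKCU\Software\Backtsaleht\StubPath",
    r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}",
    r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}",
}

# Directories where the genuine MSDTC binary lives; msdtc.exe anywhere else is suspect.
LEGIT_MSDTC_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def _norm_key(key: str) -> str:
    """Lower-case and expand hive abbreviations so key comparisons are stable."""
    k = key.strip().lower().replace("/", "\\")
    return k.replace("hkey_current_user\\", "hkcu\\").replace("hkey_local_machine\\", "hklm\\")

def _exe_path(value_data: str) -> str:
    """Pull the executable path out of a command line stored in a StubPath/Run value."""
    s = value_data.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]

def check_autorun_entries(entries):
    """entries: iterable of (registry_key, value_data). Returns a list of (finding, key)."""
    known = {_norm_key(k) for k in MISDAT_PERSISTENCE_KEYS}
    findings = []
    for key, data in entries:
        if _norm_key(key) in known:
            findings.append(("misdat_persistence_key", key))
        exe = _exe_path(data).lower()
        if ntpath.basename(exe) == "msdtc.exe" and ntpath.dirname(exe) not in LEGIT_MSDTC_DIRS:
            findings.append(("msdtc_masquerade", key))
    return findings

# Constructed sample (not from a real host): the legitimate MSDTC service path, a StubPath
# key named on the page, an Active Setup GUID from the page, and a benign unrelated entry.
SAMPLE_ENTRIES = [
    (r"HKLM\SYSTEM\CurrentControlSet\Services\MSDTC\ImagePath", r"C:\Windows\System32\msdtc.exe"),
    (r"HKCU\Software\dnimtsoleht\StubPath", r'"C:\Users\alice\AppData\Roaming\msdtc.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}", r"C:\ProgramData\msdtc.exe /q"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", r"C:\Users\alice\updater.exe"),
]

if __name__ == "__main__":
    for finding, key in check_autorun_entries(SAMPLE_ENTRIES):
        print(f"{finding}: {key}")
```

The key match is exact, so a sample using different key names is only caught by the msdtc.exe path check; treat the two findings as independent signals.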

Campaigns

ID Name Description
C0016 Operation Dust Storm

[1]

References