| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036 | Masquerading | BoomBox has the ability to mask malicious data strings as PDF files.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BoomBox can decrypt AES-encrypted files downloaded from C2.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | BoomBox can establish persistence by writing the Registry value |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1480 | Execution Guardrails | BoomBox can check its current working directory and for the presence of a specific file and terminate if specific values are not found.[1] |
| Enterprise | T1083 | File and Directory Discovery | BoomBox can search for specific files and directories on a machine.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | BoomBox can encrypt data using AES prior to exfiltration.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | BoomBox has gained execution through user interaction with a malicious file.[1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | |
| Enterprise | T1082 | System Information Discovery | BoomBox can enumerate the hostname, domain, and IP of a compromised host.[1] |
| Enterprise | T1033 | System Owner/User Discovery | BoomBox can enumerate the username on a compromised host.[1] |
| Enterprise | T1102 | Web Service | BoomBox can download files from Dropbox using a hardcoded access token.[1] |
| Enterprise | T1087.002 | Account Discovery: Domain Account | BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users.[1] |
| Enterprise | T1087.003 | Account Discovery: Email Account | BoomBox can execute an LDAP query to discover e-mail accounts for domain users.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | BoomBox has the ability to download next stage malware components to a compromised system.[1] |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | BoomBox can upload data to dedicated per-victim folders in Dropbox.[1] |