Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1059 | .005 | Command and Scripting Interpreter: Visual Basic |
Javali has used embedded VBScript to download malicious payloads from C2.[1] |
Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Javali can capture login credentials from open browsers including Firefox, Chrome, Internet Explorer, and Edge.[1] |
Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
Javali can use DLL side-loading to load malicious DLLs into legitimate executables.[1] |
Enterprise | T1105 | Ingress Tool Transfer | ||
Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding |
Javali can use large obfuscated libraries to hinder detection and analysis.[1] |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Javali has been delivered as malicious e-mail attachments.[1] |
.002 | Phishing: Spearphishing Link |
Javali has been delivered via malicious links embedded in e-mails.[1] |
||
Enterprise | T1057 | Process Discovery |
Javali can monitor processes for open browsers and custom banking applications.[1] |
|
Enterprise | T1218 | .007 | Signed Binary Proxy Execution: Msiexec |
Javali has used the MSI installer to download and execute malicious payloads.[1] |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
Javali has achieved execution through victims clicking links to malicious websites.[1] |
.002 | User Execution: Malicious File |
Javali has achieved execution through victims opening malicious attachments, including MSI files with embedded VBScript.[1] |
||
Enterprise | T1102 | .001 | Web Service: Dead Drop Resolver |
Javali can read C2 information from Google Documents and YouTube.[1] |