TTPwire Vol. 1 · MITRE ATT&CK-Tagged


F5 Labs

New Struts 2 Campaign Compiles Its Own C# Downloader, Leverages a User Profile Page as Its C&C Server

2018-06-23

ATT&CK techniques detected

8 predictions

T1489 Service Stop (87%)
"the attacker uses the taskkill command to force (/f flag is used) termination of multiple applications. Figure 1: Using Apache Struts 2 exploit to deliver command to forcefully terminating QQProtect.exe process. Among these applications we can see Qihoo 360's 360 Total Secu…"

T1190 Exploit Public-Facing Application (81%)
"New Struts 2 Campaign Compiles Its Own C# Downloader, Leverages a User Profile Page as Its C&C Server. This article is the complete analysis of a new campaign that F5 threat researchers discovered and tweeted about on June 14. On June 10, F5 threat researchers discovered a new …"

T1027.002 Software Packing (64%)
"…feinet.com/space-uid-97643.html. This URL links to a user profile page with text that seems to be Base64-encoded. Figure 8: Malware request sent to fetch the user profile page. Figure 9: The user profile page, holding text that seems to be Base64-encoded. Trying to…"

T1027 Obfuscated Files or Information (59%)
"…t use. Instead, we dumped the malware process memory and extracted the relevant malicious file memory to a separate file that was unpacked and easy to analyze. Using a .NET decompiler, we were able to easily browse the unpacked malware code, which revealed some interesting findin…"

T1496 Resource Hijacking (53%)
"terminated, denied from all permissions and their relevant files will be changed to super hidden. Figure 15: CheckProcess function deals with processes that may interfere with the mining action. Indications of Compromise: the following files are created by the malware on the explo…"

T1496.001 Compute Hijacking (53%)
"which decodes the string in the user profile page. When decoding the string using the same mechanism we got the following text: "-a cryptonight -o stratum+tcp://pool.supportxmr.com:3333 -u 44873xameckc4wr21adrm5fnofhkzjsvj6cbadtgftreen94jp2xfqz74pmriqoyhnbu2cce32wlx…"

T1055.001 Dynamic-link Library Injection (47%)
"…t use. Instead, we dumped the malware process memory and extracted the relevant malicious file memory to a separate file that was unpacked and easy to analyze. Using a .NET decompiler, we were able to easily browse the unpacked malware code, which revealed some interesting findin…"

T1070 Indicator Removal (44%)
"Deleting traces: once the malware is downloaded to the exploited system, the attacker injects a command to run the malicious file. Figure 5: Attacker injects command to run the malicious file. After running the malware, the attacker tries to delete the operation traces, including …"

Summary

Attackers continue to find new and creative ways to carry out malicious crypto-mining operations, employing multiple exploits in a single campaign.