WinMM

WinMM is a full-featured, simple backdoor used by Naikon. [1]

ID: S0059
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1008 | Fallback Channels | WinMM is usually configured with primary and backup domains for C2 communications.
Enterprise | T1083 | File and Directory Discovery | WinMM sets a WH_CBT Windows hook to search for and capture files on the victim.
Enterprise | T1057 | Process Discovery | WinMM sets a WH_CBT Windows hook to collect information on process creation.
Enterprise | T1071 | Standard Application Layer Protocol | WinMM uses HTTP for C2.
Enterprise | T1082 | System Information Discovery | WinMM collects the system name, OS version including service pack, and system install date, and sends the information to the C2 server.
Enterprise | T1033 | System Owner/User Discovery | WinMM uses NetUserGetInfo to identify that it is running under an “Admin” account on the local system.

Groups

Groups that use this software:

Naikon

References