WinMM

WinMM is a full-featured, simple backdoor used by Naikon. [1]

ID: S0059
Aliases: WinMM
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain     | ID    | Name                                | Use
-----------|-------|-------------------------------------|------------------------------------------------------------
Enterprise | T1008 | Fallback Channels                   | WinMM is usually configured with primary and backup domains for C2 communications. [1]
Enterprise | T1083 | File and Directory Discovery        | WinMM sets a WH_CBT Windows hook to search for and capture files on the victim. [1]
Enterprise | T1057 | Process Discovery                   | WinMM sets a WH_CBT Windows hook to collect information on process creation. [1]
Enterprise | T1071 | Standard Application Layer Protocol | WinMM uses HTTP for C2. [1]
Enterprise | T1082 | System Information Discovery        | WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server. [1]
Enterprise | T1033 | System Owner/User Discovery         | WinMM uses NetUserGetInfo to identify that it is running under an “Admin” account on the local system. [1]

Groups

Groups that use this software:

Naikon

References