SOFTWARE
SOFTWARE
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
NDiskMonitor
NDiskMonitor is a custom backdoor written in .NET that appears to be unique to Patchwork. [1]
ID: S0272
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 30 March 2020
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
NDiskMonitor uses AES to encrypt certain information sent over its C2 channel.[1] |
| Enterprise | T1083 | File and Directory Discovery |
NDiskMonitor can obtain a list of all files and directories as well as logical drives.[1] |
|
| Enterprise | T1105 | Ingress Tool Transfer |
NDiskMonitor can download and execute a file from given URL.[1] |
|
| Enterprise | T1082 | System Information Discovery |
NDiskMonitor obtains the victim computer name and encrypts the information to send over its C2 channel.[1] |
|
| Enterprise | T1033 | System Owner/User Discovery |
NDiskMonitor obtains the victim username and encrypts the information to send over its C2 channel.[1] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0040 | Patchwork |
References
×