The sub-techniques beta is now live! Read the release blog post for more info.


BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.[1]

ID: S0337
Platforms: Windows
Version: 1.0
Created: 29 January 2019
Last Modified: 23 April 2019

Techniques Used

Domain ID Name Use
Enterprise T1043 Commonly Used Port

BadPatch uses port 26 for C2 communications.[1]

Enterprise T1005 Data from Local System

BadPatch collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx.[1]

Enterprise T1074 Data Staged

BadPatch stores collected data in log files before exfiltration.[1]

Enterprise T1083 File and Directory Discovery

BadPatch searches for files with specific file extensions.[1]

Enterprise T1056 Input Capture

BadPatch has a keylogging capability.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

BadPatch establishes a foothold by adding a link to the malware executable in the startup folder.[1]

Enterprise T1105 Remote File Copy

BadPatch can download and execute or update malware.[1]

Enterprise T1113 Screen Capture

BadPatch captures screenshots in .jpg format and then exfiltrates them.[1]

Enterprise T1063 Security Software Discovery

BadPatch uses WMI to enumerate installed security products in the victim’s environment.[1]

Enterprise T1071 Standard Application Layer Protocol

BadPatch uses HTTP and SMTP for C2.[1]

Enterprise T1082 System Information Discovery

BadPatch collects the OS system, OS version, MAC address, and the computer name from the victim’s machine.[1]

Enterprise T1497 Virtualization/Sandbox Evasion

BadPatch attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name, BIOS, and motherboard information.[1]