BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.[1]

ID: S0337
Platforms: Windows

Version: 1.0

Techniques Used

EnterpriseT1043Commonly Used PortBadPatch uses port 26 for C2 communications.[1]
EnterpriseT1005Data from Local SystemBadPatch collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx.[1]
EnterpriseT1074Data StagedBadPatch stores collected data in log files before exfiltration.[1]
EnterpriseT1083File and Directory DiscoveryBadPatch searches for files with specific file extensions.[1]
EnterpriseT1056Input CaptureBadPatch has a keylogging capability.[1]
EnterpriseT1060Registry Run Keys / Startup FolderBadPatch establishes a foothold by adding a link to the malware executable in the startup folder.[1]
EnterpriseT1105Remote File CopyBadPatch can download and execute or update malware.[1]
EnterpriseT1113Screen CaptureBadPatch captures screenshots in .jpg format and then exfiltrates them.[1]
EnterpriseT1063Security Software DiscoveryBadPatch uses WMI to enumerate installed security products in the victim’s environment.[1]
EnterpriseT1071Standard Application Layer ProtocolBadPatch uses HTTP and SMTP for C2.[1]
EnterpriseT1082System Information DiscoveryBadPatch collects the OS system, OS version, MAC address, and the computer name from the victim’s machine.[1]
EnterpriseT1497Virtualization/Sandbox EvasionBadPatch attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name, BIOS, and motherboard information.[1]