Register to stream ATT&CKcon 2.0 October 29-30


BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.[1]

ID: S0337
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1043 Commonly Used Port BadPatch uses port 26 for C2 communications. [1]
Enterprise T1005 Data from Local System BadPatch collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx. [1]
Enterprise T1074 Data Staged BadPatch stores collected data in log files before exfiltration. [1]
Enterprise T1083 File and Directory Discovery BadPatch searches for files with specific file extensions. [1]
Enterprise T1056 Input Capture BadPatch has a keylogging capability. [1]
Enterprise T1060 Registry Run Keys / Startup Folder BadPatch establishes a foothold by adding a link to the malware executable in the startup folder. [1]
Enterprise T1105 Remote File Copy BadPatch can download and execute or update malware. [1]
Enterprise T1113 Screen Capture BadPatch captures screenshots in .jpg format and then exfiltrates them. [1]
Enterprise T1063 Security Software Discovery BadPatch uses WMI to enumerate installed security products in the victim’s environment. [1]
Enterprise T1071 Standard Application Layer Protocol BadPatch uses HTTP and SMTP for C2. [1]
Enterprise T1082 System Information Discovery BadPatch collects the OS system, OS version, MAC address, and the computer name from the victim’s machine. [1]
Enterprise T1497 Virtualization/Sandbox Evasion BadPatch attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name, BIOS, and motherboard information. [1]