ATT&CK v12 is now live! Check out the updates here

SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Heyoka Backdoor

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

Heyoka Backdoor

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

RobbinHood

RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.^[1]^[2]

ID: S0400

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 29 July 2019

Last Modified: 30 March 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	RobbinHood uses cmd.exe on the victim's computer.^[1]
Enterprise	T1486		Data Encrypted for Impact	RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files.^[1]
Enterprise	T1562	.001	Impair Defenses: Disable or Modify Tools	RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process.^[1]
Enterprise	T1070	.005	Indicator Removal: Network Share Connection Removal	RobbinHood disconnects all network shares from the computer with the command `net use * /DELETE /Y`.^[1]
Enterprise	T1490		Inhibit System Recovery	RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily.^[1]
Enterprise	T1489		Service Stop	RobbinHood stops 181 Windows services on the system before beginning the encryption process.^[1]

References

Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.

Duncan, I., Campbell, C. (2019, May 7). Baltimore city government computer network hit by ransomware attack. Retrieved July 29, 2019.