SodaMaster is a fileless malware used by menuPass to download and execute payloads since at least 2020.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | SodaMaster can use RC4 to encrypt C2 communications. |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | SodaMaster can use a hardcoded RSA key to encrypt some of its C2 traffic. |
| Enterprise | T1105 | Ingress Tool Transfer | SodaMaster has the ability to download additional payloads from C2 to the targeted system. |
| | | | SodaMaster can use |
| Enterprise | T1027 | Obfuscated Files or Information | SodaMaster can use "stackstrings" for obfuscation. |
| | | | SodaMaster can search a list of running processes. |
| | | | SodaMaster has the ability to query the Registry to detect a key specific to VMware. |
| Enterprise | T1082 | System Information Discovery | SodaMaster can enumerate the host name and OS version on a target system. |
| Enterprise | T1033 | System Owner/User Discovery | SodaMaster can identify the username on a compromised host. |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | SodaMaster can check for the presence of the Registry key |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | SodaMaster has the ability to put itself to "sleep" for a specified time. |