Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1560 | .002 | Archive Collected Data: Archive via Library |
BADFLICK has compressed data using the aPLib compression library.[2] |
Enterprise | T1005 | Data from Local System | ||
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
BADFLICK can decode shellcode using a custom rotating XOR cipher.[2] |
|
Enterprise | T1083 | File and Directory Discovery | ||
Enterprise | T1105 | Ingress Tool Transfer | ||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
BADFLICK has been distributed via spearphishing campaigns containing malicious Microsoft Word documents.[2] |
Enterprise | T1082 | System Information Discovery |
BADFLICK has captured victim computer name, memory space, and CPU details.[2] |
|
Enterprise | T1016 | System Network Configuration Discovery | ||
Enterprise | T1204 | .002 | User Execution: Malicious File |
BADFLICK has relied upon users clicking on a malicious attachment delivered through spearphishing.[2] |
Enterprise | T1497 | .003 | Virtualization/Sandbox Evasion: Time Based Evasion |
BADFLICK has delayed communication to the actor-controlled IP address by 5 minutes.[2] |