| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | metaMain has used XOR-based encryption for collected files before exfiltration.[1] |
| Enterprise | T1005 | Data from Local System | metaMain can collect files and system information from a compromised host.[1][2] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | metaMain has stored the collected system files in a working directory.[1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | metaMain can encrypt the data it sends to and receives from the C2 server using the RC4 algorithm.[1][2] |
| Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | metaMain registered a WMI event subscription consumer named "hard_disk_stat" to establish persistence.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | metaMain can upload collected files and data to its C2 server.[2] |
| Enterprise | T1083 | File and Directory Discovery | metaMain can recursively enumerate files in an operator-provided directory.[1][2] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | metaMain has deleted collected items after uploading their content to its C2 server.[1][2] |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | metaMain can change the |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1056 | Input Capture | |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1112 | Modify Registry | metaMain can write the process ID of a target process into the |
| Enterprise | T1106 | Native API | metaMain can execute an operator-provided Windows command by leveraging functions such as |
| Enterprise | T1095 | Non-Application Layer Protocol | metaMain can establish an indirect, raw TCP socket-based connection to the C2 server.[1][2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | |
| Enterprise | T1057 | Process Discovery | metaMain can enumerate the processes running on the host.[1][2] |
| Enterprise | T1055 | Process Injection | metaMain can inject the loader file, Speech02.db, into a process.[1] |
| Enterprise | T1090.001 | Proxy: Internal Proxy | metaMain can create a named pipe to listen for and send data to a named pipe-based C2 server.[2] |
| Enterprise | T1620 | Reflective Code Loading | metaMain has reflectively loaded a DLL to read, decrypt, and load an orchestrator file.[1] |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1082 | System Information Discovery | metaMain can collect the computer name from a compromised host.[2] |
| Enterprise | T1033 | System Owner/User Discovery | metaMain can collect the username from a compromised host.[2] |
| Enterprise | T1205.001 | Traffic Signaling: Port Knocking | metaMain has authenticated itself to a different implant, Cryshell, through a port knocking and handshake procedure.[1] |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Checks | metaMain has delayed execution for five to six minutes during its persistence establishment process.[2] |
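The T1546.003 row above gives the one concrete host artifact in this table: a WMI permanent event subscription whose consumer is named "hard_disk_stat". The following hunt script is an added example, not code from the original page or from the metaMain reports it cites. It enumerates every filter, consumer and binding in the `root/subscription` namespace, shows the payload each consumer would run, and flags the consumer name attributed to metaMain; the `$SuspectConsumerNames` list, the `Get-RefName` helper and the output layout are this example's own assumptions. Run it in an elevated Windows PowerShell session on the host under investigation.

```powershell
# Added example (not from the original page or the cited metaMain reports):
# hunt for WMI permanent event subscriptions (ATT&CK T1546.003) and flag the
# consumer name "hard_disk_stat" attributed to metaMain. Requires elevation.

$SuspectConsumerNames = @('hard_disk_stat')   # assumption: extend from your own intel
$Namespace = 'root/subscription'

# Reference properties (Filter, Consumer) come back as CimInstance objects from
# Get-CimInstance but as path strings such as  __EventFilter.Name="x"  from
# Get-WmiObject; handle both so the helper works with either cmdlet's output.
function Get-RefName {
    param($Ref)
    if ($Ref -is [string]) { return ($Ref -replace '.*Name="([^"]*)".*', '$1') }
    return $Ref.Name
}

function Get-WmiPersistence {
    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName

        # What runs when the filter fires: a command line for
        # CommandLineEventConsumer, a script body for ActiveScriptEventConsumer.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText)      { $c.ScriptText }
                   else                        { '<no inline payload>' }

        [pscustomobject]@{
            FilterName    = $fName
            FilterQuery   = $f.Query
            ConsumerName  = $cName
            ConsumerClass = $c.CimClass.CimClassName
            Payload       = $payload
            Suspect       = ($SuspectConsumerNames -contains $cName)
        }
    }
}

$results = Get-WmiPersistence
$results | Format-Table -AutoSize -Wrap

# Removal of a confirmed-malicious subscription: delete the binding first, then
# the consumer and the filter it referenced (left commented out deliberately).
foreach ($hit in ($results | Where-Object Suspect)) {
    Write-Warning "Suspect WMI subscription: consumer '$($hit.ConsumerName)' bound to filter '$($hit.FilterName)'"
    # Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
    #     Where-Object { (Get-RefName $_.Consumer) -eq $hit.ConsumerName } | Remove-CimInstance
    # Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer |
    #     Where-Object Name -eq $hit.ConsumerName | Remove-CimInstance
    # Get-CimInstance -Namespace $Namespace -ClassName __EventFilter |
    #     Where-Object Name -eq $hit.FilterName | Remove-CimInstance
}
```

Do not stop at the name match: the table also records a five-to-six minute delay during persistence establishment (T1497.003), so a subscription that is absent at first look can appear shortly after the implant runs, and any binding whose consumer is not in your allow-list (for example SCM event log consumers shipped by Windows) deserves the same scrutiny regardless of its name.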