Mafalda

Mafalda is a flexible interactive implant that has been used by Metador. Security researchers assess the Mafalda name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. ^[1]

ID: S1060

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Contributors: Massimiliano Romano, BT Security

Version: 1.1

Created: 26 January 2023

Last Modified: 11 April 2024

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1134		Access Token Manipulation	Mafalda can use `AdjustTokenPrivileges()` to elevate privileges.^[2]
		.003	Make and Impersonate Token	Mafalda can create a token for a different user.^[2]
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Mafalda can use HTTP for C2.^[1]
Enterprise	T1217		Browser Information Discovery	Mafalda can collect the contents of the `%USERPROFILE%\AppData\Local\Google\Chrome\User Data\LocalState` file.^[1]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	Mafalda can execute PowerShell commands on a compromised machine.^[2]
		.003	Command and Scripting Interpreter: Windows Command Shell	Mafalda can execute shell commands using `cmd.exe`.^[2]
Enterprise	T1132	.001	Data Encoding: Standard Encoding	Mafalda can encode data using Base64 prior to exfiltration.^[2]
Enterprise	T1005		Data from Local System	Mafalda can collect files and information from a compromised host.^[1]
Enterprise	T1074	.001	Data Staged: Local Data Staging	Mafalda can place retrieved files into a destination directory.^[1]
Enterprise	T1622		Debugger Evasion	Mafalda can search for debugging tools on a compromised host.^[2]
Enterprise	T1140		Deobfuscate/Decode Files or Information	Mafalda can decrypt files and data.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	Mafalda can encrypt its C2 traffic with RC4.^[1]
Enterprise	T1041		Exfiltration Over C2 Channel	Mafalda can send network system data and files to its C2 server.^[1]
Enterprise	T1133		External Remote Services	Mafalda can establish an SSH connection from a compromised host to a server.^[2]
Enterprise	T1083		File and Directory Discovery	Mafalda can search for files and directories.^[1]
Enterprise	T1070	.001	Indicator Removal: Clear Windows Event Logs	Mafalda can delete Windows Event logs by invoking the `OpenEventLogW` and `ClearEventLogW` functions.^[1]
Enterprise	T1105		Ingress Tool Transfer	Mafalda can download additional files onto the compromised host.^[2]
Enterprise	T1056		Input Capture	Mafalda can conduct mouse event logging.^[2]
Enterprise	T1112		Modify Registry	Mafalda can manipulate the system registry on a compromised host.^[2]
Enterprise	T1106		Native API	Mafalda can use a variety of API calls.^[1]
Enterprise	T1095		Non-Application Layer Protocol	Mafalda can use raw TCP for C2.^[1]
Enterprise	T1027	.013	Obfuscated Files or Information: Encrypted/Encoded File	Mafalda has been obfuscated and contains encrypted functions.^[1]
Enterprise	T1003	.001	OS Credential Dumping: LSASS Memory	Mafalda can dump password hashes from `LSASS.exe`.^[2]
Enterprise	T1057		Process Discovery	Mafalda can enumerate running processes on a machine.^[1]
Enterprise	T1090	.001	Proxy: Internal Proxy	Mafalda can create a named pipe to listen for and send data to a named pipe-based C2 server.^[2]
Enterprise	T1012		Query Registry	Mafalda can enumerate Registry keys with all subkeys and values.^[2]
Enterprise	T1113		Screen Capture	Mafalda can take a screenshot of the target machine and save it to a file.^[1]
Enterprise	T1518	.001	Software Discovery: Security Software Discovery	Mafalda can search for a variety of security software programs, EDR systems, and malware analysis tools.^[1]^[2]
Enterprise	T1082		System Information Discovery	Mafalda can collect the computer name and enumerate all drives on a compromised host.^[1]^[2]
Enterprise	T1016		System Network Configuration Discovery	Mafalda can use the `GetAdaptersInfo` function to retrieve information about network adapters and the `GetIpNetTable` function to retrieve the IPv4 to physical network address mapping table.^[1]
Enterprise	T1049		System Network Connections Discovery	Mafalda can use the `GetExtendedTcpTable` function to retrieve information about established TCP connections.^[1]
Enterprise	T1033		System Owner/User Discovery	Mafalda can collect the username from a compromised host.^[2]
Enterprise	T1569	.002	System Services: Service Execution	Mafalda can create a remote service, let it run once, and then delete it.^[2]
Enterprise	T1205	.001	Traffic Signaling: Port Knocking	Mafalda can use port-knocking to authenticate itself to another implant called Cryshell to establish an indirect connection to the C2 server.^[1]^[2]
Enterprise	T1552	.004	Unsecured Credentials: Private Keys	Mafalda can collect a Chrome encryption key used to protect browser cookies.^[1]

Groups That Use This Software

ID	Name	References
G1013	Metador	^[1]^[2]

References

Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.

SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.

Mafalda

Enterprise Layer

Techniques Used

Groups That Use This Software

References