Mafalda is a flexible interactive implant that has been used by Metador. Security researchers assess the Mafalda name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. [1]

ID: S1060
Platforms: Windows
Contributors: Massimiliano Romano, BT Security
Version: 1.1
Created: 26 January 2023
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

Mafalda can use AdjustTokenPrivileges() to elevate privileges.[2]

.003 Make and Impersonate Token

Mafalda can create a token for a different user.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Mafalda can use HTTP for C2.[1]

Enterprise T1217 Browser Information Discovery

Mafalda can collect the contents of the %USERPROFILE%\AppData\Local\Google\Chrome\User Data\LocalState file.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Mafalda can execute PowerShell commands on a compromised machine.[2]

.003 Command and Scripting Interpreter: Windows Command Shell

Mafalda can execute shell commands using cmd.exe.[2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Mafalda can encode data using Base64 prior to exfiltration.[2]

Enterprise T1005 Data from Local System

Mafalda can collect files and information from a compromised host.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Mafalda can place retrieved files into a destination directory.[1]

Enterprise T1622 Debugger Evasion

Mafalda can search for debugging tools on a compromised host.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Mafalda can decrypt files and data.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Mafalda can encrypt its C2 traffic with RC4.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Mafalda can send network system data and files to its C2 server.[1]

Enterprise T1133 External Remote Services

Mafalda can establish an SSH connection from a compromised host to a server.[2]

Enterprise T1083 File and Directory Discovery

Mafalda can search for files and directories.[1]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Mafalda can delete Windows Event logs by invoking the OpenEventLogW and ClearEventLogW functions.[1]

Enterprise T1105 Ingress Tool Transfer

Mafalda can download additional files onto the compromised host.[2]

Enterprise T1056 Input Capture

Mafalda can conduct mouse event logging.[2]

Enterprise T1112 Modify Registry

Mafalda can manipulate the system registry on a compromised host.[2]

Enterprise T1106 Native API

Mafalda can use a variety of API calls.[1]

Enterprise T1095 Non-Application Layer Protocol

Mafalda can use raw TCP for C2.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Mafalda has been obfuscated and contains encrypted functions.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Mafalda can dump password hashes from LSASS.exe.[2]

Enterprise T1057 Process Discovery

Mafalda can enumerate running processes on a machine.[1]

Enterprise T1090 .001 Proxy: Internal Proxy

Mafalda can create a named pipe to listen for and send data to a named pipe-based C2 server.[2]

Enterprise T1012 Query Registry

Mafalda can enumerate Registry keys with all subkeys and values.[2]

Enterprise T1113 Screen Capture

Mafalda can take a screenshot of the target machine and save it to a file.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Mafalda can search for a variety of security software programs, EDR systems, and malware analysis tools.[1][2]

Enterprise T1082 System Information Discovery

Mafalda can collect the computer name and enumerate all drives on a compromised host.[1][2]

Enterprise T1016 System Network Configuration Discovery

Mafalda can use the GetAdaptersInfo function to retrieve information about network adapters and the GetIpNetTable function to retrieve the IPv4 to physical network address mapping table.[1]

Enterprise T1049 System Network Connections Discovery

Mafalda can use the GetExtendedTcpTable function to retrieve information about established TCP connections.[1]

Enterprise T1033 System Owner/User Discovery

Mafalda can collect the username from a compromised host.[2]

Enterprise T1569 .002 System Services: Service Execution

Mafalda can create a remote service, let it run once, and then delete it.[2]

Enterprise T1205 .001 Traffic Signaling: Port Knocking

Mafalda can use port-knocking to authenticate itself to another implant called Cryshell to establish an indirect connection to the C2 server.[1][2]

Enterprise T1552 .004 Unsecured Credentials: Private Keys

Mafalda can collect a Chrome encryption key used to protect browser cookies.[1]

Groups That Use This Software

ID Name References
G1013 Metador