SameCoin
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1485 | Data Destruction |
SameCoin can overwrite designated files on targeted systems with random bytes.[1] |
|
| Enterprise | T1491 | .001 | Defacement: Internal Defacement |
SameCoin can alter the victim’s background to display an image showing the name of Hamas’s military wing.[1] |
| Enterprise | T1083 | File and Directory Discovery |
SameCoin can list all system files and can avoid wiping specific directories such as Program Files, Windows, and Users.[1] |
|
| Enterprise | T1534 | Internal Spearphishing |
SameCoin can send its Setup.exe file as an attachment to other addresses in the same compromised organization.[1] |
|
| Enterprise | T1570 | Lateral Tool Transfer |
SameCoin can copy its wiper executable to remote machines within the same Active Directory.[1] |
|
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Resource Name or Location |
SameCoin has named files to appear legitimate such as "MicrosoftEdge.exe."[1] |
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
SameCoin has the ability to set a scheduled task for execution.[1] |
| Enterprise | T1679 | Selective Exclusion |
SameCoin can avoid overwriting file names that contain "desktop.ini" and "conf.conf." [1] |
|
| Enterprise | T1614 | System Location Discovery |
SameCoin can attempt to connect to the Israel Home Front Command site, oref.org[.]il, which is only reachable from within Israel to verify the target's location.[1] |
|
| Mobile | T1662 | Data Destruction |
SameCoin can use |
|
| Mobile | T1420 | File and Directory Discovery |
SameCoin can use libexampleone.so to list files to be deleted.[1] |
|