{"description": "Mobile techniques used by Exodus, ATT&CK software S0405 (v1.0)", "name": "Exodus (S0405)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "[Exodus](https://attack.mitre.org/software/S0405) One checks in with the command and control server using HTTP POST requests.(Citation: SWB Exodus March 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1532", "comment": "[Exodus](https://attack.mitre.org/software/S0405) One encrypts data using XOR prior to exfiltration.(Citation: SWB Exodus March 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1429", "comment": " [Exodus](https://attack.mitre.org/software/S0405) Two can record audio from the compromised device's microphone and can record call audio in 3GP format.(Citation: SWB Exodus March 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1533", "comment": "[Exodus](https://attack.mitre.org/software/S0405) Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network's password.(Citation: SWB Exodus March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1407", "comment": " [Exodus](https://attack.mitre.org/software/S0405) One, after checking in, sends a POST request and then downloads  [Exodus](https://attack.mitre.org/software/S0405) Two, the second stage binaries.(Citation: SWB Exodus March 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1404", "comment": " [Exodus](https://attack.mitre.org/software/S0405) Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.(Citation: SWB Exodus March 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": 
"T1430", "comment": "[Exodus](https://attack.mitre.org/software/S0405) Two can extract the GPS coordinates of the device.(Citation: SWB Exodus March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1509", "comment": "[Exodus](https://attack.mitre.org/software/S0405) Two attempts to connect to port 22011 to provide a remote reverse shell.(Citation: SWB Exodus March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.001", "comment": "[Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate calendar events.(Citation: SWB Exodus March 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.002", "comment": "[Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate the call log.(Citation: SWB Exodus March 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.003", "comment": "[Exodus](https://attack.mitre.org/software/S0405) Two can download the address book.(Citation: SWB Exodus March 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[Exodus](https://attack.mitre.org/software/S0405) Two can capture SMS messages.(Citation: SWB Exodus March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1513", "comment": " [Exodus](https://attack.mitre.org/software/S0405) Two can take screenshots of any application in the foreground.(Citation: SWB Exodus March 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1418", "comment": " [Exodus](https://attack.mitre.org/software/S0405) Two can obtain a list of installed applications.(Citation: SWB Exodus March 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1409", "comment": "[Exodus](https://attack.mitre.org/software/S0405) Two extracts information from Facebook, Facebook Messenger, Gmail, IMO, Skype, Telegram, Viber, WhatsApp, and WeChat.(Citation: SWB Exodus March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1422", "comment": " [Exodus](https://attack.mitre.org/software/S0405) One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.(Citation: SWB Exodus March 2019) ", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1422.001", "comment": "[Exodus](https://attack.mitre.org/software/S0405) One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.(Citation: SWB Exodus March 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1421", "comment": "[Exodus](https://attack.mitre.org/software/S0405) Two collects a list of nearby base stations.(Citation: SWB Exodus March 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1512", "comment": " [Exodus](https://attack.mitre.org/software/S0405) Two can take pictures with the device cameras.(Citation: SWB Exodus March 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Exodus", "color": "#66b1ff"}]}