{
  "description": "Enterprise techniques used by Bazar, ATT&CK software S0534 (v2.0)",
  "name": "Bazar (S0534)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1087", "showSubtechniques": true},
    {"techniqueID": "T1087.001", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can identify administrator accounts on an infected host.(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1087.002", "comment": "[Bazar](https://attack.mitre.org/software/S0534) has the ability to identify domain administrator accounts.(Citation: NCC Group Team9 June 2020)(Citation: DFIR Ryuk's Return October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can use HTTP and HTTPS over ports 80 and 443 in C2 communications.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1197", "comment": "[Bazar](https://attack.mitre.org/software/S0534) has been downloaded via Windows BITS functionality.(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can create or add files to Registry Run Keys to establish persistence.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547.004", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can use Winlogon Helper DLL to establish persistence.(Citation: Zscaler Bazar September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547.009", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can establish persistence by writing shortcuts to the Windows Startup folder.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can execute a PowerShell script received from C2.(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can launch cmd.exe to perform reconnaissance commands.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can retrieve information from the infected machine.(Citation: Cybereason Bazar July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can decrypt downloaded payloads.\n[Bazar](https://attack.mitre.org/software/S0534) also resolves strings and other artifacts at runtime.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1482", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can use [Nltest](https://attack.mitre.org/software/S0359) tools to obtain information about the domain.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1568", "showSubtechniques": true},
    {"techniqueID": "T1568.002", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can implement DGA using the current date as a seed variable.(Citation: Cybereason Bazar July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can send C2 communications with XOR encryption.(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573.002", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can use TLS in C2 communications.(Citation: Zscaler Bazar September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1008", "comment": "[Bazar](https://attack.mitre.org/software/S0534) has the ability to use an alternative C2 server if the primary server fails.(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can enumerate the victim's desktop.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[Bazar](https://attack.mitre.org/software/S0534) has manually loaded ntdll from disk in order to identify and remove API hooks set by security products.(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can delete its loader using a batch file in the Windows temporary folder.(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.009", "comment": "[Bazar](https://attack.mitre.org/software/S0534)'s loader can delete scheduled tasks created by a previous instance of the malware.(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as [Cobalt Strike](https://attack.mitre.org/software/S0154).(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can create a task named to appear benign.(Citation: Cybereason Bazar July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "The [Bazar](https://attack.mitre.org/software/S0534) loader has named malicious shortcuts \"adobe\" and mimicked communications software.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036.007", "comment": "The [Bazar](https://attack.mitre.org/software/S0534) loader has used dual-extension executable files such as PreviewReport.DOC.exe.(Citation: Cybereason Bazar July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1104", "comment": "The [Bazar](https://attack.mitre.org/software/S0534) loader is used to download and execute the [Bazar](https://attack.mitre.org/software/S0534) backdoor.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can use various APIs to allocate memory and facilitate code execution/injection.(Citation: Cybereason Bazar July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can enumerate shared drives on the domain.(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "[Bazar](https://attack.mitre.org/software/S0534) has a variant with a packed payload.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.007", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can hash then resolve API calls at runtime.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[Bazar](https://attack.mitre.org/software/S0534) has used XOR, RSA2, and RC4 encrypted files.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.002", "comment": "[Bazar](https://attack.mitre.org/software/S0534) has been spread via emails with embedded malicious links.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)(Citation: CrowdStrike Wizard Spider October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can identify the current process on a compromised host.(Citation: Cybereason Bazar July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can inject code through calling VirtualAllocExNuma.(Citation: Cybereason Bazar July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.012", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can inject into a target process including Svchost, Explorer, and cmd using process hollowing.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.013", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can inject into a target process using process doppelg\u00e4nging.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1012", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can query Windows\\CurrentVersion\\Uninstall for installed applications.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1018", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can enumerate remote systems using Net View.(Citation: Cybereason Bazar July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can create a scheduled task for persistence.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1518", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can query the Registry for installed applications.(Citation: Cybereason Bazar July 2020)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can identify the installed antivirus engine.(Citation: Cybereason Bazar July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1553", "showSubtechniques": true},
    {"techniqueID": "T1553.002", "comment": "[Bazar](https://attack.mitre.org/software/S0534) has been signed with fake certificates including those appearing to be from VB CORPORATE PTY. LTD.(Citation: Cybereason Bazar July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can fingerprint architecture, computer name, and OS version on the compromised host.\n[Bazar](https://attack.mitre.org/software/S0534) can also check if the Russian language is installed on the infected machine and terminate if it is found.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1614", "showSubtechniques": true},
    {"techniqueID": "T1614.001", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian.(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1016", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can collect the IP address and NetBIOS name of an infected machine.(Citation: Cybereason Bazar July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can identify the username of the infected user.(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1124", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can collect the time on the compromised host.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.001", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)(Citation: CrowdStrike Wizard Spider October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can attempt to overload sandbox analysis by sending 1550 calls to printf.(Citation: Cybereason Bazar July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497.003", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can use a timer to delay execution of core functionality.(Citation: NCC Group Team9 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1102", "comment": "[Bazar](https://attack.mitre.org/software/S0534) downloads have been hosted on Google Docs.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1047", "comment": "[Bazar](https://attack.mitre.org/software/S0534) can execute a WMI query to gather information about the installed antivirus engine.(Citation: Cybereason Bazar July 2020)(Citation: DFIR Ryuk's Return October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Bazar", "color": "#66b1ff"}]
}