{"description": "Enterprise techniques used by BADFLICK, ATT&CK software S0642 (v1.0)", "name": "BADFLICK (S0642)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.002", "comment": "[BADFLICK](https://attack.mitre.org/software/S0642) has compressed data using the aPLib compression library.(Citation: Accenture MUDCARP March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[BADFLICK](https://attack.mitre.org/software/S0642) has uploaded files from victims' machines.(Citation: Accenture MUDCARP March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[BADFLICK](https://attack.mitre.org/software/S0642) can decode shellcode using a custom rotating XOR cipher.(Citation: Accenture MUDCARP March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[BADFLICK](https://attack.mitre.org/software/S0642) has searched for files on the infected host.(Citation: Accenture MUDCARP March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[BADFLICK](https://attack.mitre.org/software/S0642) has downloaded files from its C2 server.(Citation: Accenture MUDCARP March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[BADFLICK](https://attack.mitre.org/software/S0642) has been distributed via spearphishing campaigns containing malicious Microsoft Word documents.(Citation: Accenture MUDCARP March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[BADFLICK](https://attack.mitre.org/software/S0642) has captured victim computer name, memory space, and CPU details.(Citation: Accenture MUDCARP March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[BADFLICK](https://attack.mitre.org/software/S0642) has captured victim IP address details.(Citation: Accenture MUDCARP March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[BADFLICK](https://attack.mitre.org/software/S0642) has relied upon users clicking on a malicious attachment delivered through spearphishing.(Citation: Accenture MUDCARP March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[BADFLICK](https://attack.mitre.org/software/S0642) has delayed communication to the actor-controlled IP address by 5 minutes.(Citation: Accenture MUDCARP March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BADFLICK", "color": "#66b1ff"}]}