{"description": "Mobile techniques used by BRATA, ATT&CK software S1094 (v1.0)", "name": "BRATA (S1094)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "[BRATA](https://attack.mitre.org/software/S1094) can use both HTTP and WebSockets to communicate with the C2 server.(Citation: cleafy_brata_0122)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1532", "comment": "[BRATA](https://attack.mitre.org/software/S1094) has compressed data with the `zlib` library before exfiltration.(Citation: cleafy_brata_0122)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1616", "comment": "[BRATA](https://attack.mitre.org/software/S1094) can hide incoming calls by setting ring volume to 0 and showing a blank screen overlay.(Citation: mcafee_brata_0421)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1662", "comment": "[BRATA](https://attack.mitre.org/software/S1094) can perform a factory reset.(Citation: cleafy_brata_0122)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1533", "comment": "[BRATA](https://attack.mitre.org/software/S1094) has collected account information from compromised devices.(Citation: securelist_brata_0819)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1641", "showSubtechniques": true}, {"techniqueID": "T1641.001", "comment": "[BRATA](https://attack.mitre.org/software/S1094) has injected string contents into the device clipboard.(Citation: mcafee_brata_0421)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1407", "comment": "[BRATA](https://attack.mitre.org/software/S1094) has used an initial dropper to download an additional malicious application, and downloads its configuration file from the C2 server.(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1627", "showSubtechniques": true}, {"techniqueID": "T1627.001", "comment": "[BRATA](https://attack.mitre.org/software/S1094) has performed country and language checks.(Citation: mcafee_brata_0421)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1646", "comment": "[BRATA](https://attack.mitre.org/software/S1094) has exfiltrated data to the C2 server using HTTP requests.(Citation: cleafy_brata_0122)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1664", "comment": "[BRATA](https://attack.mitre.org/software/S1094) has abused WhatsApp vulnerability CVE-2019-3568 to achieve initial access.(Citation: securelist_brata_0819)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1628", "showSubtechniques": true}, {"techniqueID": "T1628.002", "comment": "[BRATA](https://attack.mitre.org/software/S1094) can turn off or fake turning off the screen while performing malicious activities.(Citation: securelist_brata_0819)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1629", "showSubtechniques": true}, {"techniqueID": "T1629.003", "comment": "[BRATA](https://attack.mitre.org/software/S1094) can remove installed antivirus applications as well as disable Google Play Protect.(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1630", "showSubtechniques": true}, {"techniqueID": "T1630.001", "comment": "[BRATA](https://attack.mitre.org/software/S1094) can uninstall itself and remove traces of infection.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1417", "showSubtechniques": true}, {"techniqueID": "T1417.001", "comment":
"[BRATA](https://attack.mitre.org/software/S1094) can log device keystrokes.(Citation: securelist_brata_0819)(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1417.002", "comment": "[BRATA](https://attack.mitre.org/software/S1094) can use tailored overlay pages to steal PINs for banking applications.(Citation: cleafy_brata_0122)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1516", "comment": "[BRATA](https://attack.mitre.org/software/S1094) can insert a given string of text into a data field. [BRATA](https://attack.mitre.org/software/S1094) can abuse the Accessibility Service to interact with other installed applications and inject screen taps to grant permissions.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1430", "comment": "[BRATA](https://attack.mitre.org/software/S1094) can track the device's location.(Citation: cleafy_brata_0122)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1461", "comment": "[BRATA](https://attack.mitre.org/software/S1094) can request the user unlock the device, or remotely unlock the device.(Citation: securelist_brata_0819)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1655", "showSubtechniques": true}, {"techniqueID": "T1655.001", "comment": "[BRATA](https://attack.mitre.org/software/S1094) has masqueraded as legitimate WhatsApp updates and app security scanners.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1406", "comment": "[BRATA](https://attack.mitre.org/software/S1094) has employed code obfuscation and encryption of configuration files.(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "score": 1, "color": "#66b1ff", "showSubtechniques": 
true}, {"techniqueID": "T1406.002", "comment": "[BRATA](https://attack.mitre.org/software/S1094) has utilized commercial software packers.(Citation: mcafee_brata_0421)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1660", "comment": "[BRATA](https://attack.mitre.org/software/S1094) has been distributed using phishing techniques, such as push notifications from compromised websites.(Citation: securelist_brata_0819)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1663", "comment": "[BRATA](https://attack.mitre.org/software/S1094) can view a device through VNC.(Citation: cleafy_brata_0122)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1513", "comment": "[BRATA](https://attack.mitre.org/software/S1094) can capture and send real-time screen output.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1418", "showSubtechniques": true}, {"techniqueID": "T1418.001", "comment": "[BRATA](https://attack.mitre.org/software/S1094) can search for specifically installed security applications.(Citation: cleafy_brata_0122)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1426", "comment": "[BRATA](https://attack.mitre.org/software/S1094) can retrieve Android system and hardware information.(Citation: securelist_brata_0819)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1633", "showSubtechniques": true}, {"techniqueID": "T1633.001", "comment": "[BRATA](https://attack.mitre.org/software/S1094) can check to see if it has been installed in a virtual environment.(Citation: mcafee_brata_0421)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BRATA", "color": "#66b1ff"}]}