{
  "description": "Enterprise techniques used by Mispadu, ATT&CK software S1122 (v1.0)",
  "name": "Mispadu (S1122)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) creates a link in the startup folder for persistence.(Citation: ESET Security Mispadu Facebook Ads 2019) [Mispadu](https://attack.mitre.org/software/S1122) adds persistence via the registry key `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`.(Citation: Metabase Q Mispadu Trojan 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1217", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.(Citation: Seguran\u00e7a Inform\u00e1tica URSA Sophisticated Loader 2020)(Citation: SCILabs Malteiro 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1115", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) has the ability to capture and replace Bitcoin wallet data in the clipboard on a compromised host.(Citation: ESET Security Mispadu Facebook Ads 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[Mispadu](https://attack.mitre.org/software/S1122)\u2019s dropper uses VBS files to install payloads and perform execution.(Citation: SCILabs Malteiro 2021)(Citation: ESET Security Mispadu Facebook Ads 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) has obtained credentials from mail clients via NirSoft MailPassView.(Citation: SCILabs Malteiro 2021)(Citation: Seguran\u00e7a Inform\u00e1tica URSA Sophisticated Loader 2020)(Citation: ESET Security Mispadu Facebook Ads 2019)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) can steal credentials from Google Chrome.(Citation: SCILabs Malteiro 2021)(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: Metabase Q Mispadu Trojan 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) decrypts its encrypted configuration files prior to execution.(Citation: SCILabs Malteiro 2021)(Citation: ESET Security Mispadu Facebook Ads 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.002", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) contains a copy of the OpenSSL library to encrypt C2 traffic.(Citation: Seguran\u00e7a Inform\u00e1tica URSA Sophisticated Loader 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) can send the collected financial data to the C2 server.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: SCILabs Malteiro 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) searches for various filesystem paths to determine what banking applications are installed on the victim\u2019s machine.(Citation: ESET Security Mispadu Facebook Ads 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) can log keystrokes on the victim's machine.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: Metabase Q Mispadu Trojan 2023)(Citation: SCILabs URSA/Mispadu Evolution 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1056.002", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.(Citation: Seguran\u00e7a Inform\u00e1tica URSA Sophisticated Loader 2020)(Citation: SCILabs Malteiro 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) has used a variety of Windows API calls, including ShellExecute and WriteProcessMemory.(Citation: Seguran\u00e7a Inform\u00e1tica URSA Sophisticated Loader 2020)(Citation: SCILabs Malteiro 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) uses a custom algorithm to obfuscate its internal strings and uses hardcoded keys.(Citation: ESET Security Mispadu Facebook Ads 2019)\n\n[Mispadu](https://attack.mitre.org/software/S1122) also uses encoded configuration files and has encoded payloads using Base64.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: SCILabs Malteiro 2021)(Citation: SCILabs Malteiro Threat Overlap 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.002", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) has been spread via malicious links embedded in emails.(Citation: SCILabs Malteiro 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) can enumerate the running processes on a compromised host.(Citation: ESET Security Mispadu Facebook Ads 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "comment": "[Mispadu](https://attack.mitre.org/software/S1122)'s binary is injected into memory via `WriteProcessMemory`.(Citation: Seguran\u00e7a Inform\u00e1tica URSA Sophisticated Loader 2020)(Citation: SCILabs Malteiro 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1113", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) has the ability to capture screenshots on compromised hosts.(Citation: SCILabs Malteiro 2021)(Citation: SCILabs URSA/Mispadu Evolution 2023)(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: Metabase Q Mispadu Trojan 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) can list installed security products in the victim\u2019s environment.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: Metabase Q Mispadu Trojan 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1176", "showSubtechniques": true},
    {"techniqueID": "T1176.001", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) utilizes malicious Google Chrome browser extensions to steal financial data.(Citation: ESET Security Mispadu Facebook Ads 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.007", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) has been installed via MSI installer.(Citation: SCILabs Malteiro 2021)(Citation: ESET Security Mispadu Facebook Ads 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) uses RunDLL32 for execution via its injector DLL.(Citation: ESET Security Mispadu Facebook Ads 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) collects the OS version, computer name, and language ID.(Citation: ESET Security Mispadu Facebook Ads 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1614", "showSubtechniques": true},
    {"techniqueID": "T1614.001", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) checks and will terminate execution if the compromised system\u2019s language ID is not Spanish or Portuguese.(Citation: Seguran\u00e7a Inform\u00e1tica URSA Sophisticated Loader 2020)(Citation: SCILabs Malteiro 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) has relied on users to execute malicious files in order to gain execution on victim machines.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: Metabase Q Mispadu Trojan 2023)(Citation: SCILabs Malteiro 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.001", "comment": "[Mispadu](https://attack.mitre.org/software/S1122) can run checks to verify if it is running within a virtualized environment, including Hyper-V, VirtualBox or VMWare, and will terminate execution if the computer name is \u201cJOHN-PC.\u201d(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: SCILabs Malteiro 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Mispadu", "color": "#66b1ff"}]
}