…t of the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host. [29] [30] [31] [32] G0067 APT37 APT37 collects the computer name, the BIOS model, and execution path. [33] G0082 APT38 APT38 has attempted to get detail…
…edon Group A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server. [33] S0493 GoldenSpy GoldenSpy has exfiltrated host environment information to an external C2 domain via port 9006. [34] S0588 GoldMax GoldMax can exfiltrate files over the existing C…
…Duke 's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as Netscape Navigator, Mozilla Firefox, Mozilla …
…ystems. Analytic 1 - Detecting Malicious Email Attachments Creating Files (EventCode=11 OR source="/var/log/audit/audit.log" type="open")| where (file_type IN ("exe", "vbs", "js", "docm", "lnk"))| where (process_path="C:\Users\*\Downloads\*" OR process_path="/home/*/Downloads/*")…
…pts and performs PowerShell commands. [8] [9] [10] G0016 APT29 APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke . APT29 also used PowerShell to create new tasks on remote machines, identify configuration settings, evade d…
…unications. [49] S0020 China Chopper China Chopper 's server component executes code sent via HTTP POST commands. [50] S0023 CHOPSTICK Various implementations of CHOPSTICK communicate with C2 over HTTP. [51] S0054 CloudDuke One variant of CloudDuke uses HTTP and HTTPS for C2. [52…
…ests to C2. [68] S0020 China Chopper China Chopper 's server component executes code sent via HTTP POST commands. [69] S0023 CHOPSTICK Various implementations of CHOPSTICK communicate with C2 over HTTP. [70] S0660 Clambling Clambling has the ability to communicate over HTTP. [71]…
…lay an RTF document to the user to enable execution of Cobalt Strike stage shellcode. [36] S0198 NETWIRE NETWIRE has been executed through luring victims into opening malicious documents. [126] [75] [127] G0133 Nomadic Octopus Nomadic Octopus has attempted to lure victims into cli…
…to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command-line. [112] G0093 GALLIUM GALLIUM used the Windows command shell to execute commands. [113] G0047 Gamaredon Group Gamaredon Group has used various batch scripts to esta…
The codes in this table are no longer in active use, but still have the meaning assigned to them when they were established in the Standard. This index lists all deprecated code elements of ISO 639-3. Viewing by name will enable you to browse for any name associated with a specific …
…cified list of extensions. [173] [31] S0587 Penquin Penquin can use the command code do_vslist to send file names, size, and status to C2. [174] S0643 Peppy Peppy can identify specific files for exfiltration. [64] S0048 PinchDuke PinchDuke searches for files created within a cert…
…ete its configuration file. [89] S1179 Exbyte Exbyte will self-delete if a hard-coded configuration file is not found. [43] S0181 FALLCHILL FALLCHILL can delete malware and associated artifacts from the victim. [90] S0512 FatDuke FatDuke can securely delete its DLL. [91] S0267 FELI…
…USTTRAP DUSTTRAP restores the .text section of compromised DLLs after malicious code is loaded into memory and before the file is closed. [12] S0568 EVILNUM EVILNUM has a function called "DeleteLeftovers" to remove certain artifacts of the attack. [13] S0696 Flagpro Flagpro can c…
…tars distributed on that website" is written, maybe you could provide the exact code and the section? I'm also curious to understand how you see a "commercial purpose" in my avatar use in Wikimedia Phabricator. Thanks for your help! -- AKlapper (WMF) talk 21:12, 13 April 2015 (UT…
… directories. [97] S1111 DarkGate Some versions of DarkGate search for the hard-coded folder C:\Program Files\e Carte Bleue . [105] G0012 Darkhotel Darkhotel has used malware that searched for files with specific patterns. [106] S0673 DarkWatchman DarkWatchman has the ability to …