SOFTWARE

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Desert Scorpion

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Desert Scorpion

E-F

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

BabyShark

BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. ^[1]

ID: S0414

Type: MALWARE

Platforms: Windows

Version: 1.1

Created: 07 October 2019

Last Modified: 30 March 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.^[1]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	BabyShark has used cmd.exe to execute commands.^[1]
Enterprise	T1132	.001	Data Encoding: Standard Encoding	BabyShark has encoded data using certutil before exfiltration.^[1]
Enterprise	T1083		File and Directory Discovery	BabyShark has used `dir` to search for "programfiles" and "appdata".^[1]
Enterprise	T1070	.004	Indicator Removal on Host: File Deletion	BabyShark has cleaned up all files associated with the secondary payload execution.^[2]
Enterprise	T1105		Ingress Tool Transfer	BabyShark has downloaded additional files from the C2.^[2]
Enterprise	T1056	.001	Input Capture: Keylogging	BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger.^[2]
Enterprise	T1057		Process Discovery	BabyShark has executed the `tasklist` command.^[1]
Enterprise	T1012		Query Registry	BabyShark has executed the `reg query` command for `HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default`.^[1]
Enterprise	T1082		System Information Discovery	BabyShark has executed the `ver` command.^[1]
Enterprise	T1016		System Network Configuration Discovery	BabyShark has executed the `ipconfig /all` command.^[1]
Enterprise	T1033		System Owner/User Discovery	BabyShark has executed the `whoami` command.^[1]

References

Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.

Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019.