{"description": "Enterprise techniques used by Agent.btz, ATT&CK software S0092 (v1.1)", "name": "Agent.btz (S0092)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.003", "comment": "[Agent.btz](https://attack.mitre.org/software/S0092) saves system information into an XML file that is then XOR-encoded.(Citation: ThreatExpert Agent.btz)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1052", "showSubtechniques": true}, {"techniqueID": "T1052.001", "comment": "[Agent.btz](https://attack.mitre.org/software/S0092) creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs.(Citation: Securelist Agent.btz)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Agent.btz](https://attack.mitre.org/software/S0092) attempts to download an encrypted binary from a specified domain.(Citation: ThreatExpert Agent.btz)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1091", "comment": "[Agent.btz](https://attack.mitre.org/software/S0092) drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware.(Citation: ThreatExpert Agent.btz)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Agent.btz](https://attack.mitre.org/software/S0092) collects the network adapter\u2019s IP and MAC address as well as IP addresses of the network adapter\u2019s default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file.(Citation: ThreatExpert Agent.btz)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Agent.btz](https://attack.mitre.org/software/S0092) obtains the victim username and saves it to a file.(Citation: ThreatExpert Agent.btz)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Agent.btz", "color": "#66b1ff"}]}