{"description": "Enterprise techniques used by T9000, ATT&CK software S0098 (v1.1)", "name": "T9000 (S0098)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.003", "comment": "[T9000](https://attack.mitre.org/software/S0098) encrypts collected data using a single byte XOR key.(Citation: Palo Alto T9000 Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1123", "comment": "[T9000](https://attack.mitre.org/software/S0098) uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\\Intel\\Skype.(Citation: Palo Alto T9000 Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1119", "comment": "[T9000](https://attack.mitre.org/software/S0098) searches removable storage devices for files with a pre-defined list of file extensions (e.g. * .doc, *.ppt, *.xls, *.docx, *.pptx, *.xlsx). Any matching files are encrypted and written to a local user directory.(Citation: Palo Alto T9000 Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.010", "comment": "If a victim meets certain criteria, [T9000](https://attack.mitre.org/software/S0098) uses the AppInit_DLL functionality to achieve persistence by ensuring that every user mode process that is spawned will load its malicious DLL, ResN32.dll. It does this by creating the following Registry keys: HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs \u2013 %APPDATA%\\Intel\\ResN32.dll and HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs \u2013 0x1.(Citation: Palo Alto T9000 Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "During the [T9000](https://attack.mitre.org/software/S0098) installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware.(Citation: Palo Alto T9000 Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1120", "comment": "[T9000](https://attack.mitre.org/software/S0098) searches through connected drives for removable storage devices.(Citation: Palo Alto T9000 Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[T9000](https://attack.mitre.org/software/S0098) can take screenshots of the desktop and target application windows, saving them to user directories as one byte XOR encrypted .dat files.(Citation: Palo Alto T9000 Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[T9000](https://attack.mitre.org/software/S0098) performs checks for various antivirus and security products during installation.(Citation: Palo Alto T9000 Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[T9000](https://attack.mitre.org/software/S0098) gathers and beacons the operating system build number and CPU Architecture (32-bit/64-bit) during installation.(Citation: Palo Alto T9000 Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[T9000](https://attack.mitre.org/software/S0098) gathers and beacons the MAC and IP addresses during installation.(Citation: Palo Alto T9000 Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[T9000](https://attack.mitre.org/software/S0098) gathers and beacons the username of the logged in account during installation. It will also gather the username of running processes to determine if it is running as SYSTEM.(Citation: Palo Alto T9000 Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[T9000](https://attack.mitre.org/software/S0098) gathers and beacons the system time during installation.(Citation: Palo Alto T9000 Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1125", "comment": "[T9000](https://attack.mitre.org/software/S0098) uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\\Intel\\Skype.(Citation: Palo Alto T9000 Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by T9000", "color": "#66b1ff"}]}