Field | Value |
---|---|
ID | E1105 |
Objective(s) | Command and Control, Lateral Movement, Persistence |
Related ATT&CK Techniques | Ingress Tool Transfer (T1105) |
Version | 2.2 |
Created | 1 August 2019 |
Last Modified | 28 April 2024 |
Malware may copy files from an external system to a system on a compromised network.
Note that this behavior is separate from possible execution (installation) of the file, which is covered by the Install Additional Program (B0023) behavior.
See ATT&CK: Ingress Tool Transfer (T1105).
Name | Date | Method | Description |
---|---|---|---|
Poison Ivy | 2005 | -- | After the Poison Ivy implant is running on the target machine, the attacker can use a Windows GUI controller to control the target computer. [1] |
DarkComet | 2008 | -- | DarkComet can download files from a remote repository upon instruction. [2] |
Shamoon | 2012 | -- | Shamoon creates a folder on remote computers and then copies its executables (Shamoon and Filerase) into that directory. [3] |
CozyCar | 2010 | -- | CozyCar requests a file over SSL from a C2 domain. [4] |
Vobfus | 2016 | -- | Vobfus downloads its latest version from a remote server. [5] |
TEARDROP | 2018 | -- | TEARDROP executes the decrypted, embedded code buffer, which is a Cobalt Strike RAT. [6] |
Matanbuchus | 2021 | -- | Matanbuchus downloads DLLs from a hardcoded URL on a remote server. [7] [8] |
GoBotKR | 2019 | -- | GoBotKR can download additional files and update itself. [9] |
Gamut | 2014 | -- | Gamut receives files from the C2. [10] |
UP007 | 2016 | -- | UP007 downloads files from the C2. [11] |
Tool: CAPE | Mapping | APIs |
---|---|---|
suspicious_mpcmdrun_use | Ingress Tool Transfer (E1105) | -- |
network_document_file | Ingress Tool Transfer (E1105) | URLDownloadToFileW, HttpOpenRequestW, send, InternetCrackUrlW, InternetCrackUrlA, WSASend, URLDownloadToCacheFileW |
[2] https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/
[3] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/
[4] https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke
[5] https://securitynews.sonicwall.com/xmlpost/revisiting-vobfus-worm-mar-8-2013/
[6] https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-039b
[7] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/
[8] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader
[9] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[10] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/
[11] https://citizenlab.ca/2016/04/between-hong-kong-and-burma/