{ "type": "bundle", "id": "bundle--6cca12f1-9940-44b9-be72-5b913bb97d3e", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "objects": [ { "type": "extension-definition", "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", "spec_version": "2.1", "created": "2022-08-02T19:34:35.143Z", "modified": "2022-08-02T19:34:35.143Z", "name": "Attack Flow", "description": "Extends STIX 2.1 with features to create Attack Flows.", "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", "version": "2.0.0", "extension_types": [ "new-sdo" ], "external_references": [ { "source_name": "Documentation", "description": "Documentation for Attack Flow", "url": "https://center-for-threat-informed-defense.github.io/attack-flow" }, { "source_name": "GitHub", "description": "Source code repository for Attack Flow", "url": "https://github.com/center-for-threat-informed-defense/attack-flow" } ] }, { "type": "identity", "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", "spec_version": "2.1", "created": "2022-08-02T19:34:35.143Z", "modified": "2022-08-02T19:34:35.143Z", "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", "name": "MITRE Center for Threat-Informed Defense", "identity_class": "organization" }, { "type": "attack-flow", "id": "attack-flow--37caa819-ace9-4d22-8313-4ab44e46640a", "spec_version": "2.1", "created": "2023-04-05T18:50:21.503Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "created_by_ref": "identity--c99f0e1e-08c6-43e7-abf0-08cdcd8faa7b", "start_refs": [ "attack-action--45238a64-cca7-4b73-b70e-f2bb9d57f5c6" ], "name": "Shamoon", "description": "Malware family targeting energy, government, and telecom in the middle east and europe.", "scope": "malware", "external_references": [ { "source_name": "McAfee", "description": "Article", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/" }, { "source_name": "MBC", "description": "Malware corpus", "url": "https://github.com/MBCProject/mbc-markdown/blob/Lauren-malware-corpus/xample-malware/shamoon.md" } ] }, { "type": "identity", "id": "identity--c99f0e1e-08c6-43e7-abf0-08cdcd8faa7b", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "name": "Lauren Parker", "contact_information": "lparker@mitre.org" }, { "type": "attack-action", "id": "attack-action--45238a64-cca7-4b73-b70e-f2bb9d57f5c6", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Ingress Tool Transfer", "tactic_id": "TA0011", "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", "technique_id": "T1105", "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "description": "Shamoon is placed on the target system through unknown means", "effect_refs": [ "attack-action--5042c11d-5d35-4bf0-a8c8-e8913e2505ce" ] }, { "type": "attack-condition", "id": "attack-condition--b39f76f6-09ed-442f-b696-ac978a5487b5", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "Shamoon dropper has received an appropriate argument to run" }, { "type": "attack-action", "id": "attack-action--5042c11d-5d35-4bf0-a8c8-e8913e2505ce", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Embedded Payloads", "description": "Shamoon dropper contains 3 components masked as encrypted files embedded in the PE sections", "effect_refs": [ "attack-condition--b39f76f6-09ed-442f-b696-ac978a5487b5" ] }, { "type": "file", "id": "file--e46c754c-c096-4f87-920d-ad5c92a47831", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "name": "MaintenaceSrv32.exe", "size": 1800000, "ctime": "2011-11-28T16:50:59.000Z" }, { "type": "attack-action", "id": "attack-action--536348d5-cd08-4031-82e0-612d13187348", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Deobfuscate/Decode Files or Information", "tactic_id": "TA0005", "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a", "technique_id": "T1140", "technique_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", "description": "Shamoon dropper decrypts the embedded resources into the C:\\Windows\\System32 folder", "effect_refs": [ "attack-action--11e47c90-b34b-4265-b4dc-010d857a5752" ] }, { "type": "tool", "id": "tool--c344a37f-c1ae-42a1-ac43-ba185ea4bc21", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "name": "MNU", "description": "communication module", "tool_types": [ "unknown" ] }, { "type": "malware", "id": "malware--61779767-a88b-4883-a433-b05e0cab925d", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "name": "Shamoon", "description": "destructive malware targeting oil, gas, telecom, and energy companies and government organizations", "malware_types": [ "dropper", "trojan" ], "is_family": true, "capabilities": [ "escalates-privileges", "installs-other-components", "anti-debugging", "anti-vm" ] }, { "type": "malware", "id": "malware--8330215a-4eb4-4812-87e6-1e5b14ac4205", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "name": "PIC", "description": "64-bit version of the dropper", "malware_types": [ "dropper", "trojan" ], "is_family": false, "capabilities": [ "escalates-privileges", "installs-other-components", "anti-debugging", "anti-vm" ] }, { "type": "malware", "id": "malware--c658e292-4c33-44b7-801b-c40323499950", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "name": "LNG", "description": "wiper component", "malware_types": [ "wiper" ], "is_family": false, "capabilities": [ "compromises-data-availability" ] }, { "type": "attack-action", "id": "attack-action--18ac2f5f-282e-4d62-aa93-bc7567467f76", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Deobfuscate/Decode Files or Information", "tactic_id": "TA0005", "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a", "technique_id": "T1140", "technique_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", "description": "Shamoon dropper decrypts several strings in memory", "effect_refs": [ "attack-action--1fe37889-9591-40d8-b20b-a3578e05f1c0" ] }, { "type": "attack-action", "id": "attack-action--1fe37889-9591-40d8-b20b-a3578e05f1c0", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "System Information Discovery", "tactic_id": "TA0007", "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9", "technique_id": "T1082", "technique_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", "description": "Shamoon gathers information on the System and determines whether to drop the 32-bit or 64-bit version", "effect_refs": [ "attack-action--f468a33c-d9e2-4938-9412-658e256acedf", "attack-action--bcd6b440-aa42-43c0-90a7-af7a6d29ea61" ] }, { "type": "attack-action", "id": "attack-action--f468a33c-d9e2-4938-9412-658e256acedf", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Ingress Tool Transfer", "tactic_id": "TA0011", "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", "technique_id": "T1105", "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "description": "Shamoon drops a file key8854321.pub into the folder c:\\Windows\\Temp\\key8854321.pub", "effect_refs": [ "attack-operator--adcac5fc-f2c9-439a-8ca4-82a1edba4433" ] }, { "type": "file", "id": "file--057c8ab8-947c-47ec-8a01-8296cbbc3907", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "name": "key8854321.pub", "size": 782 }, { "type": "directory", "id": "directory--713c50dc-64a9-4854-8804-1adffd42791e", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "path": "c:\\Windows\\Temp\\key8854321.pub" }, { "type": "attack-action", "id": "attack-action--bcd6b440-aa42-43c0-90a7-af7a6d29ea61", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Deobfuscate/Decode Files or Information", "tactic_id": "TA0005", "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a", "technique_id": "T1140", "technique_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", "description": "Shamoon dropper decrypts 2 files for later use", "effect_refs": [ "attack-operator--adcac5fc-f2c9-439a-8ca4-82a1edba4433" ] }, { "type": "file", "id": "file--165ada62-d185-4ba9-9c6b-6654c71e017e", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "name": "mdmnis5tQ1.pnf" }, { "type": "file", "id": "file--e342d706-bde4-4985-890c-5a679b36399e", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "name": "averbh_noav.pnf" }, { "type": "directory", "id": "directory--2ea57f2a-3c00-4f3b-811a-0a10e7685fd9", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "path": "C:\\Windows\\inf\\mdmnis5tQ1.pnf" }, { "type": "directory", "id": "directory--280eb736-0baf-4a96-97e0-65a3466cb799", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "path": "C:\\Windows\\inf\\averbh_noav.pnf" }, { "type": "attack-operator", "id": "attack-operator--adcac5fc-f2c9-439a-8ca4-82a1edba4433", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "operator": "AND", "effect_refs": [ "attack-action--1514add9-71b2-41ab-9be9-2382620367ef" ] }, { "type": "attack-action", "id": "attack-action--1514add9-71b2-41ab-9be9-2382620367ef", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "System Services", "tactic_id": "TA0002", "tactic_ref": "x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5", "technique_id": "T1569", "technique_ref": "attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253", "description": "Shamoon enables the service RemoteRegistry to remotely modify the registry", "effect_refs": [ "attack-action--0c56e942-1cb5-4335-ac0b-fe11442bcb4a" ] }, { "type": "attack-action", "id": "attack-action--0c56e942-1cb5-4335-ac0b-fe11442bcb4a", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Modify Registry", "description": "Shamoon enables the registry key LocalAccountTokenFilterPolicy, which disables remote user account control", "effect_refs": [ "attack-action--7573f4c7-5cef-4aaf-853b-391dc145dd81" ] }, { "type": "attack-action", "id": "attack-action--7573f4c7-5cef-4aaf-853b-391dc145dd81", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Network Share Discovery", "tactic_id": "TA0007", "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9", "technique_id": "T1135", "technique_ref": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f", "description": "Malware checks if specific shares exist to copy and spread itself", "effect_refs": [ "attack-action--0ab1c6fd-eb0a-4601-a629-3694f5ed5222" ] }, { "type": "attack-action", "id": "attack-action--0ab1c6fd-eb0a-4601-a629-3694f5ed5222", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "System Service Discovery", "tactic_id": "TA0007", "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9", "technique_id": "T1007", "technique_ref": "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa", "description": "Shamoon queries LocalService to retrieve specific information related to the LocalService account", "effect_refs": [ "attack-action--536348d5-cd08-4031-82e0-612d13187348" ] }, { "type": "infrastructure", "id": "infrastructure--842a04a1-0a42-4217-9514-8787ec2e4471", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "name": "ADMIN$", "infrastructure_types": [ "network-share" ] }, { "type": "attack-action", "id": "attack-action--11e47c90-b34b-4265-b4dc-010d857a5752", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Timestomp", "description": "The file times are set to August 2012 as an anti-forensics trick", "effect_refs": [ "attack-action--81b765cf-ba71-4818-8b1f-276aee316264" ] }, { "type": "note", "id": "note--f9d1fe3d-0efd-4a01-aa69-a668361d0d32", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "content": "Any file Shamoon can destroy, it changes the date to August 2012", "object_refs": [ "attack-action--11e47c90-b34b-4265-b4dc-010d857a5752" ] }, { "type": "infrastructure", "id": "infrastructure--aa463037-9cd7-486b-a70a-4e9c110404eb", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "name": "C$\\WINDOWS", "infrastructure_types": [ "network-share" ] }, { "type": "infrastructure", "id": "infrastructure--f4146823-dc6c-4ece-add5-b99632572876", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "name": "E$\\WINDOWS", "infrastructure_types": [ "network-share" ] }, { "type": "infrastructure", "id": "infrastructure--e564b7fb-d887-4ba0-a67c-7dec8bc2649f", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "name": "D$\\WINDOWS", "infrastructure_types": [ "network-share" ] }, { "type": "attack-action", "id": "attack-action--81b765cf-ba71-4818-8b1f-276aee316264", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Token Impersonation/Theft", "description": "Shamoon elevates privileges by impersonating the user's token", "effect_refs": [ "attack-action--6934aee5-fb1d-456c-a0f8-020991900f6b" ] }, { "type": "attack-action", "id": "attack-action--6934aee5-fb1d-456c-a0f8-020991900f6b", "spec_version": "2.1", "created": "2026-06-11T23:57:51.711Z", "modified": "2026-06-11T23:57:51.711Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Windows Service", "description": "Shamoon creates a new service MaintenaceSrv with the Autostart option and runs the service with its own process", "effect_refs": [ "attack-condition--5bca49d8-ee56-4134-a084-a4936d004801", "attack-condition--d50a040d-b440-4034-8713-23c1c504a9af" ] }, { "type": "attack-condition", "id": "attack-condition--5bca49d8-ee56-4134-a084-a4936d004801", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "The wiper has been dropped on the system and can now run" }, { "type": "attack-action", "id": "attack-action--b18d81cf-9c59-413d-b148-45a2067adbbd", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Ingress Tool Transfer", "tactic_id": "TA0011", "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", "technique_id": "T1105", "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "description": "Wiper is dropped into the System32 folder", "effect_refs": [ "attack-action--128547af-e0f2-4185-afae-9b40736a5c56" ] }, { "type": "malware", "id": "malware--a55fe43a-7622-4094-ae85-d86304ae71de", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "name": "netbxndxlg2.exe", "description": "This executable is the wiper component. It can have many different names and contains the wiper driver embedded within its resources. It requires a parameter to run.", "malware_types": [ "wiper" ], "is_family": false, "capabilities": [ "anti-forensics", "hides-executing-driver" ] }, { "type": "directory", "id": "directory--e8d2e666-4458-4aac-b1dc-012a94de815c", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "path": "C:\\Windows\\System32" }, { "type": "attack-action", "id": "attack-action--128547af-e0f2-4185-afae-9b40736a5c56", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Embedded Payloads", "description": "Shamoon wiper component contains the wiper driver embedded in its resources", "effect_refs": [ "attack-action--697e8511-7e7e-48b3-aff7-0bf6b15bc868" ] }, { "type": "attack-action", "id": "attack-action--697e8511-7e7e-48b3-aff7-0bf6b15bc868", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Deobfuscate/Decode Files or Information", "tactic_id": "TA0005", "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a", "technique_id": "T1140", "technique_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", "description": "Shamoon wiper decrypts the wiper driver", "effect_refs": [ "attack-action--ce6c04c1-c6ab-4aab-a194-ac50e51640d7" ] }, { "type": "malware", "id": "malware--e6bee1d3-8348-4b91-a453-86e1d8e9dfc3", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "name": "hdv_725x.sys", "description": "Wiper driver which can have multiple different names.", "malware_types": [ "wiper" ], "is_family": false, "capabilities": [ "compromises-data-availability", "wipes-data" ] }, { "type": "file", "id": "file--5d5d34f0-e5c5-44ec-99dd-a0489af7c07e", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "name": "netbxndxlg2.exe", "size": 393000, "ctime": "2011-11-28T15:52:52.000Z" }, { "type": "attack-action", "id": "attack-action--ce6c04c1-c6ab-4aab-a194-ac50e51640d7", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Windows Service", "description": "The wiper driver creates a service to run the driver", "command_ref": "process--e57d55da-f484-4028-b536-6c1db57e1aac", "effect_refs": [ "attack-action--2f8b5bc0-849b-44c2-adbd-4846bfbcf382" ] }, { "type": "process", "id": "process--e57d55da-f484-4028-b536-6c1db57e1aac", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "command_line": "sc create hdv_725x type= kernel start= demand binpath= WINDOWS\\hdv_725x.sys 2>&1 >nul" }, { "type": "attack-action", "id": "attack-action--2f8b5bc0-849b-44c2-adbd-4846bfbcf382", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Disk Wipe", "tactic_id": "TA0040", "tactic_ref": "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8", "technique_id": "T1561", "technique_ref": "attack-pattern--1988cc35-ced8-4dad-b2d1-7628488fa967", "description": "The wiper driver overwrites every file in C:\\Windows\\System32 and all files on the system", "effect_refs": [ "attack-action--3a6645fc-5ec3-426b-be28-b2faaa221b1f" ] }, { "type": "attack-action", "id": "attack-action--3a6645fc-5ec3-426b-be28-b2faaa221b1f", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "System Shutdown/Reboot", "tactic_id": "TA0040", "tactic_ref": "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8", "technique_id": "T1529", "technique_ref": "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc", "description": "Disk wiper forces a reboot", "command_ref": "process--8a2b6ded-1aab-48fd-a713-7d5cd7bf5cad" }, { "type": "process", "id": "process--8a2b6ded-1aab-48fd-a713-7d5cd7bf5cad", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "command_line": "Shutdown -r -f -t 2" }, { "type": "note", "id": "note--2506b2a8-07a9-4a3a-a7d8-5621298b9fc8", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "content": "Once reboot, the system shows a blue screen", "object_refs": [ "attack-action--3a6645fc-5ec3-426b-be28-b2faaa221b1f" ] }, { "type": "attack-condition", "id": "attack-condition--d50a040d-b440-4034-8713-23c1c504a9af", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "The worm component is dropped onto the system" }, { "type": "attack-action", "id": "attack-action--ef1f8cce-2e33-4444-bf37-e5c1d4bc20c2", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Ingress Tool Transfer", "tactic_id": "TA0011", "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", "technique_id": "T1105", "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "description": "Worm is dropped into the System32 folder", "effect_refs": [ "attack-action--2d0ca7f5-25c6-4f85-aab7-9694e1cb4214" ] }, { "type": "malware", "id": "malware--b242717a-18bc-4380-bc3b-9e96a2b6e7b2", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "name": "averfx2swtvZ.exe", "description": "Worm component can have many different names", "malware_types": [ "worm" ], "is_family": false, "capabilities": [ "access-remote-machines", "infects-remote-machines", "probes-local-network" ] }, { "type": "file", "id": "file--538ab06b-7a80-4a90-b586-8e8e837222a6", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "name": "averfx2swtvZ.exe", "size": 260500, "ctime": "2011-11-28T15:53:13.000Z" }, { "type": "directory", "id": "directory--2d04594e-97e6-419f-8846-ecc667d28350", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "path": "C:\\Windows\\System32" }, { "type": "file", "id": "file--a8a30517-52b1-4c70-9814-93e3fd456c26", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "name": "hdv_725x.sys", "size": 27140, "ctime": "2011-12-28T17:51:24.000Z" }, { "type": "attack-action", "id": "attack-action--2d0ca7f5-25c6-4f85-aab7-9694e1cb4214", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Remote System Discovery", "tactic_id": "TA0007", "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9", "technique_id": "T1018", "technique_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735", "description": "Worm scans the local network for potential control servers to connect to", "effect_refs": [ "attack-condition--ad9dc433-b702-4ef9-9a89-84f72a90fe85" ] }, { "type": "attack-condition", "id": "attack-condition--ad9dc433-b702-4ef9-9a89-84f72a90fe85", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "Worm connects to remote servers" }, { "type": "attack-action", "id": "attack-action--dfbfce2d-4710-4333-b591-62ef89bbb868", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Lateral Tool Transfer", "tactic_id": "TA0008", "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e", "technique_id": "T1570", "technique_ref": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5", "description": "Worm can spread the Shamoon dropper to remote systems" }, { "type": "note", "id": "note--0b87f10c-f4f6-4d97-9d14-c8dc717bc124", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "content": "The wiper can be used independently from the dropper", "object_refs": [ "file--5d5d34f0-e5c5-44ec-99dd-a0489af7c07e" ] }, { "type": "note", "id": "note--23503f72-803d-41c0-af57-db208344cd82", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "content": "Shamoon has evolved over the years. This is the name of the Shamoon service created in 2018. In 2016, the service created was NtsSrv. In 2017, the service created was NtertSrv.", "object_refs": [ "attack-action--6934aee5-fb1d-456c-a0f8-020991900f6b" ] }, { "type": "note", "id": "note--7ce81b7a-c7e4-49e9-9011-cb6e8628cbb2", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "content": "The worm component may not run during the infection. The worm and the wiper are mutually exclusive components.", "object_refs": [ "attack-condition--d50a040d-b440-4034-8713-23c1c504a9af" ] }, { "type": "relationship", "id": "relationship--26b1f33d-5f6b-47c7-adb8-431fdce7490f", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-action--45238a64-cca7-4b73-b70e-f2bb9d57f5c6", "target_ref": "malware--61779767-a88b-4883-a433-b05e0cab925d" }, { "type": "relationship", "id": "relationship--6e407df0-1833-4727-b24f-a9d32883fce5", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-condition--b39f76f6-09ed-442f-b696-ac978a5487b5", "target_ref": "attack-action--18ac2f5f-282e-4d62-aa93-bc7567467f76" }, { "type": "relationship", "id": "relationship--76238af2-1e87-414d-aa9b-065774cb0880", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-action--536348d5-cd08-4031-82e0-612d13187348", "target_ref": "tool--c344a37f-c1ae-42a1-ac43-ba185ea4bc21" }, { "type": "relationship", "id": "relationship--d4351333-8041-4b79-a286-5c58aaff566a", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-action--536348d5-cd08-4031-82e0-612d13187348", "target_ref": "malware--8330215a-4eb4-4812-87e6-1e5b14ac4205" }, { "type": "relationship", "id": "relationship--77db3718-e42d-4cff-9657-f83cb499a3f8", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-action--536348d5-cd08-4031-82e0-612d13187348", "target_ref": "malware--c658e292-4c33-44b7-801b-c40323499950" }, { "type": "relationship", "id": "relationship--c5d2cd6e-1452-4035-9021-3bfe25e7bc83", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "malware--61779767-a88b-4883-a433-b05e0cab925d", "target_ref": "file--e46c754c-c096-4f87-920d-ad5c92a47831" }, { "type": "relationship", "id": "relationship--3ceaa560-9a61-4e47-a5db-cf34b741b85f", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-action--f468a33c-d9e2-4938-9412-658e256acedf", "target_ref": "file--057c8ab8-947c-47ec-8a01-8296cbbc3907" }, { "type": "relationship", "id": "relationship--0a414d5c-86f4-4da8-8418-5332ac1c5f8d", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "file--057c8ab8-947c-47ec-8a01-8296cbbc3907", "target_ref": "directory--713c50dc-64a9-4854-8804-1adffd42791e" }, { "type": "relationship", "id": "relationship--44a23b31-54b1-4802-87b0-d98329d77386", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-action--bcd6b440-aa42-43c0-90a7-af7a6d29ea61", "target_ref": "file--e342d706-bde4-4985-890c-5a679b36399e" }, { "type": "relationship", "id": "relationship--00c25681-f308-4209-a6b6-e081c35ec98e", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-action--bcd6b440-aa42-43c0-90a7-af7a6d29ea61", "target_ref": "file--165ada62-d185-4ba9-9c6b-6654c71e017e" }, { "type": "relationship", "id": "relationship--e697244e-c14c-4f0a-a189-ead07fc52cf4", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "file--165ada62-d185-4ba9-9c6b-6654c71e017e", "target_ref": "directory--2ea57f2a-3c00-4f3b-811a-0a10e7685fd9" }, { "type": "relationship", "id": "relationship--956c40b0-b868-439c-9202-ecdaed214ec0", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "file--e342d706-bde4-4985-890c-5a679b36399e", "target_ref": "directory--280eb736-0baf-4a96-97e0-65a3466cb799" }, { "type": "relationship", "id": "relationship--2369a44c-810b-4318-8ab0-b5993b881da7", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-action--7573f4c7-5cef-4aaf-853b-391dc145dd81", "target_ref": "infrastructure--f4146823-dc6c-4ece-add5-b99632572876" }, { "type": "relationship", "id": "relationship--2efb2fa3-1a44-4cf6-be75-f280897dcf95", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-action--7573f4c7-5cef-4aaf-853b-391dc145dd81", "target_ref": "infrastructure--e564b7fb-d887-4ba0-a67c-7dec8bc2649f" }, { "type": "relationship", "id": "relationship--38f72ec9-8380-4890-a843-238ea23c183d", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-action--7573f4c7-5cef-4aaf-853b-391dc145dd81", "target_ref": "infrastructure--842a04a1-0a42-4217-9514-8787ec2e4471" }, { "type": "relationship", "id": "relationship--5672e12b-9b9b-446f-ab28-7e2226760f09", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-action--7573f4c7-5cef-4aaf-853b-391dc145dd81", "target_ref": "infrastructure--aa463037-9cd7-486b-a70a-4e9c110404eb" }, { "type": "relationship", "id": "relationship--27ed30a1-08fe-4db4-811d-c06634b4b24f", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-condition--5bca49d8-ee56-4134-a084-a4936d004801", "target_ref": "attack-action--b18d81cf-9c59-413d-b148-45a2067adbbd" }, { "type": "relationship", "id": "relationship--cc19fc70-02ef-4828-8845-ceaff7697058", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-action--b18d81cf-9c59-413d-b148-45a2067adbbd", "target_ref": "malware--a55fe43a-7622-4094-ae85-d86304ae71de" }, { "type": "relationship", "id": "relationship--1583e5bf-bb92-458c-90d3-18b687cddb8e", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "malware--a55fe43a-7622-4094-ae85-d86304ae71de", "target_ref": "directory--e8d2e666-4458-4aac-b1dc-012a94de815c" }, { "type": "relationship", "id": "relationship--ce83d35b-f449-443f-a35a-af3244c5782a", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "malware--a55fe43a-7622-4094-ae85-d86304ae71de", "target_ref": "file--5d5d34f0-e5c5-44ec-99dd-a0489af7c07e" }, { "type": "relationship", "id": "relationship--e52536fd-9e8a-4ea5-89e2-46f617c1a11d", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-action--697e8511-7e7e-48b3-aff7-0bf6b15bc868", "target_ref": "malware--e6bee1d3-8348-4b91-a453-86e1d8e9dfc3" }, { "type": "relationship", "id": "relationship--388ce8d2-73eb-419f-8ab0-c8ece0aee069", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "malware--e6bee1d3-8348-4b91-a453-86e1d8e9dfc3", "target_ref": "file--a8a30517-52b1-4c70-9814-93e3fd456c26" }, { "type": "relationship", "id": "relationship--d63e9522-102f-4020-8887-3c3b49bc5294", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-condition--d50a040d-b440-4034-8713-23c1c504a9af", "target_ref": "attack-action--ef1f8cce-2e33-4444-bf37-e5c1d4bc20c2" }, { "type": "relationship", "id": "relationship--1359ffc9-a33c-4420-ae80-8208f76ba6bb", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-action--ef1f8cce-2e33-4444-bf37-e5c1d4bc20c2", "target_ref": "malware--b242717a-18bc-4380-bc3b-9e96a2b6e7b2" }, { "type": "relationship", "id": "relationship--4f47259f-c3c6-44e7-959b-580f85ca533f", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "malware--b242717a-18bc-4380-bc3b-9e96a2b6e7b2", "target_ref": "file--538ab06b-7a80-4a90-b586-8e8e837222a6" }, { "type": "relationship", "id": "relationship--be31bd0d-55f3-470e-8549-d43d4ff97851", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "malware--b242717a-18bc-4380-bc3b-9e96a2b6e7b2", "target_ref": "directory--2d04594e-97e6-419f-8846-ecc667d28350" }, { "type": "relationship", "id": "relationship--c18a1539-53cd-4ffb-81d9-f8e7af145e33", "spec_version": "2.1", "created": "2026-06-11T23:57:51.712Z", "modified": "2026-06-11T23:57:51.712Z", "relationship_type": "related-to", "source_ref": "attack-condition--ad9dc433-b702-4ef9-9a89-84f72a90fe85", "target_ref": "attack-action--dfbfce2d-4710-4333-b591-62ef89bbb868" } ] }