Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
1.A.9
|
|
|
A Technique detection named "Suspicious JavaScript process" (Low) was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js.
[1]
|
|
|
|
A General detection named "Reshelva backdoor was detected" (Low) was generated when TransBaseOdbcDriver.js was identified as malware.
[1]
|
|
12.A.2
|
|
|
A Technique detection named "Suspicious JavaScript process" (Low) was generated when adb156.exe executed sql-rat.js.
[1]
|
|
|
|
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
[1]
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
[1]
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
-
File Monitoring
-
Process Monitoring
[1]
Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript
[1]
Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript
[1]
APT29
|
The subtechnique was not in scope.
|
APT3
|
The subtechnique was not in scope.
|