
EvilGrab - S0152 (2f1a9fd0-3b7c-4d77-a358-78db13adbe78)

EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. (Citation: PWC Cloud Hopper Technical Annex April 2017)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | EvilGrab - S0152 (2f1a9fd0-3b7c-4d77-a358-78db13adbe78) | Malware | 1 |
| EvilGrab (438c6d0f-03f0-4b49-89d2-40bf5349c3fc) | Malpedia | EvilGrab - S0152 (2f1a9fd0-3b7c-4d77-a358-78db13adbe78) | Malware | 1 |
| EvilGrab (c9b4ec27-0a43-4671-a967-bcac5df0e056) | Tool | EvilGrab - S0152 (2f1a9fd0-3b7c-4d77-a358-78db13adbe78) | Malware | 1 |
| Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | EvilGrab - S0152 (2f1a9fd0-3b7c-4d77-a358-78db13adbe78) | Malware | 1 |
| Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) | Attack Pattern | EvilGrab - S0152 (2f1a9fd0-3b7c-4d77-a358-78db13adbe78) | Malware | 1 |
| Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) | Attack Pattern | EvilGrab - S0152 (2f1a9fd0-3b7c-4d77-a358-78db13adbe78) | Malware | 1 |
| Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) | Attack Pattern | EvilGrab - S0152 (2f1a9fd0-3b7c-4d77-a358-78db13adbe78) | Malware | 1 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 2 |
| EvilGrab (c9b4ec27-0a43-4671-a967-bcac5df0e056) | Tool | Private Cluster (c542f369-f06d-4168-8c84-fdf5fc7f2a8d) | Unknown | 2 |
| EvilGrab (c9b4ec27-0a43-4671-a967-bcac5df0e056) | Tool | EvilGrab (438c6d0f-03f0-4b49-89d2-40bf5349c3fc) | Malpedia | 2 |
| Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | 2 |