Dok - S0281 (f36b2598-515f-4345-84e5-5ccde253edbe)

Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. Adversary-in-the-Middle).(Citation: objsee mac malware 2017)(Citation: hexed osx.dok analysis 2019)(Citation: CheckPoint Dok)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Dok - S0281 (f36b2598-515f-4345-84e5-5ccde253edbe)	Malware	GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d)	Attack Pattern	1
Dok - S0281 (f36b2598-515f-4345-84e5-5ccde253edbe)	Malware	Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0)	Attack Pattern	1
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d)	Attack Pattern	Dok - S0281 (f36b2598-515f-4345-84e5-5ccde253edbe)	Malware	1
Dok - S0281 (f36b2598-515f-4345-84e5-5ccde253edbe)	Malware	Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345)	Attack Pattern	1
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	Dok - S0281 (f36b2598-515f-4345-84e5-5ccde253edbe)	Malware	1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	Dok - S0281 (f36b2598-515f-4345-84e5-5ccde253edbe)	Malware	1
Login Items - T1547.015 (84601337-6a55-4ad7-9c35-79e0d1ea2ab3)	Attack Pattern	Dok - S0281 (f36b2598-515f-4345-84e5-5ccde253edbe)	Malware	1
Dok - S0281 (f36b2598-515f-4345-84e5-5ccde253edbe)	Malware	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	1
Dok - S0281 (f36b2598-515f-4345-84e5-5ccde253edbe)	Malware	Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	1
Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584)	Attack Pattern	Dok - S0281 (f36b2598-515f-4345-84e5-5ccde253edbe)	Malware	1
AppleScript - T1059.002 (37b11151-1776-4f8f-b328-30939fbf2ceb)	Attack Pattern	Dok - S0281 (f36b2598-515f-4345-84e5-5ccde253edbe)	Malware	1
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d)	Attack Pattern	2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0)	Attack Pattern	2
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196)	Attack Pattern	Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345)	Attack Pattern	2
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Login Items - T1547.015 (84601337-6a55-4ad7-9c35-79e0d1ea2ab3)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	2
Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	2
AppleScript - T1059.002 (37b11151-1776-4f8f-b328-30939fbf2ceb)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2