Skip to content

Hide Navigation Hide TOC

ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)

ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary's targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.(Citation: FOX-IT May 2016 Mofang)

Cluster A Galaxy A Cluster B Galaxy B Level
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 1
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 1
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2