ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)

ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary's targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.(Citation: FOX-IT May 2016 Mofang)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	1
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	1
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2