| ID | X0021 |
| Aliases | None |
| Platforms | Windows |
| Year | 2013 |
| Associated ATT&CK Software | None |
Terminator is a remote access tool (RAT).
| Name | Use |
|---|---|
| Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks (T1497) | The Terminator RAT evades sandboxes by not executing until after a reboot. Most sandboxes don't reboot during an analysis. [2] |
| Name | Use |
|---|---|
| Defense Evasion::Self Deletion (F0007.001) | The RAT evades sandboxes by terminating and removing itself (DW20.exe) after installation. [2] |
| Persistence::Registry Run Keys / Startup Folder (F0012) | The RAT sets "2019" as a Windows' startup folder by modifying a registry value. [1] |
| Execution::User Execution (E1204) | The malware relies on user interaction to execute. [2] |
| Name | Use |
|---|---|
| Command and Control::C2 Communication::Send Data (B0030.001) | The malware sends data to the C2. [2] |
| Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution (B0003.003) | The Terminator RAT evades a sandbox by not executing until after a reboot. Most sandboxes don't reboot during an analysis. [1] |
| Anti-Behavioral Analysis::Sandbox Detection (B0007) | The Terminator RAT evades a sandbox by not executing until after a reboot. Most sandboxes don't reboot during an analysis. [1] |
SHA256 Hashes
- 1f97d32674964528db46021a0466138dd01458bfa79f7450e2b222ae1de8ac1f
[1] https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf
[2] https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/FireEye-Terminator_RAT.pdf