ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)

ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary's targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.(Citation: FOX-IT May 2016 Mofang)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2