TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Trend Micro Research

Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp

Emmanuel Panopio · 2025-12-02

ATT&CK techniques detected

12 predictions

T1055.012 Process Hollowing (99%)
"runs the payload's entry point, the AutoIt script waits exactly two seconds to give the payload time to complete the process-hollowing routine inside svchost.exe (Figure 18). The script then lists all running svchost.exe processes (Figure 19), retrieves their creation tim…"

T1518.001 Security Software Discovery (99%)
"vsserv.exe - wrsa.exe - zatray.exe - zaprivacyservice.exe The script also iterates through the Windows uninstall registry keys, searching for the following keywords related to antivirus and security software: - 360 - anti-virus - antivirus - avast - avg - bitdefender - com…"

T1055.012 Process Hollowing (98%)
"RtlDecompressFragment API, expanding it back into a full PE executable. If a .tda file is present, the AutoIt script decrypts and loads it as an intermediate PE loader (stage 2) into memory. However, if only a .dmp file is found (no .tda present), the AutoIt script bypasses t…"

T1569.002 Service Execution (98%)
"….exe - ccapp.exe - ccsvchst.exe - cfp.exe - cmdagent.exe - egui.exe - eguiproxy.exe - ekrn.exe - fshoster32.exe - kavtray.exe - klwtblfs.exe - mbam.exe - mbamservice.exe - mbamtray.exe - mcshield.exe - mcshield.exe - mcuicnt.exe - msascui.exe - msascuil.exe - m…"

T1204.002 Malicious File (96%)
"…ifies a layered approach that has enabled Water Saci to bypass conventional security controls, exploit user trust across multiple channels, and ramp up their infection rates. As adversaries' techniques evolve, organizations must be prepared for the heightened risk posed by cam…"

T1217 Browser Information Discovery (91%)
"…s Chrome browser history to identify visits to banking websites (Figure 12). It locates the Chrome history database within the user's profile directory, creates a temporary copy, and reads its contents. The function then searches for specific banking-related URLs (Table 3…"

T1547.001 Registry Run Keys / Startup Folder (87%)
"…vss It also enumerates active services to check for the same strings. If any match is found, the malware immediately triggers a custom exception (EEDFADE) via RaiseException, effectively terminating execution to avoid sandbox analysis (Figure 20). System profiling via WMI i…"

T1217 Browser Information Discovery (73%)
"set to Portuguese (Brazil) by comparing its language code (0416). If not, it shows an error message with the detected language and exits the program. A helper function translates language codes into readable names like Portuguese (Portugal), English (US), or Spanish (Spa…"

T1059.006 Python (63%)
"browsers: - chrome.exe - firefox.exe - msedge.exe - navegadorexclusivobradesco.exe - opera.exe This behavior is common in banking malware that intercepts sessions or forces victims to reopen banking sites under attacker-controlled conditions. Backdoor capabilities The inj…"

T1059.001 PowerShell (55%)
"browsers: - chrome.exe - firefox.exe - msedge.exe - navegadorexclusivobradesco.exe - opera.exe This behavior is common in banking malware that intercepts sessions or forces victims to reopen banking sites under attacker-controlled conditions. Backdoor capabilities The inj…"

T1027 Obfuscated Files or Information (50%)
"is triggered by detecting banking or cryptocurrency-related windows on the victim's computer (Figure 13). If any of these windows contain keywords related to targeted entities, it proceeds on locating the .tda file (ucjdpq.tda) dropped earlier as part of the MSI installe…"

T1059.001 PowerShell (42%)
"and enhance the flexibility and resilience of their malicious operations. When instalar.bat was executed, it downloaded component files including Python 3.12.7, get-pip.py, and the chromedriver.exe needed by the Python script to function properly and carry out its propagat…"

Summary

Through AI-driven code conversion and a layered infection chain involving different file formats and scripting languages, the threat actors behind Water Saci are quickly upgrading their malware delivery and propagation methods across WhatsApp in Brazil.