|||
|--|--|
|**ID**|X0013|
|**Type**|Bootkit|
|**Aliases**|None|
|**Platforms**|Windows|
|**Year**|2011|
|**Associated ATT&CK Software**|Mebromi|

# Mebromi

A trojan that combines an MBR bootkit with a BIOS bootkit targeting Award BIOS; reported in the wild in 2011. [1]

## ATT&CK Techniques

|Name|Use|
|--|--|
|Discovery::Process Discovery (T1057)|Mebromi enumerates processes. [2]|
|Discovery::System Service Discovery (T1007)|Mebromi queries a service status. [2]|
|Execution::Shared Modules (T1129)|Mebromi links functions at runtime on Windows. [2]|
|Execution::System Services::Service Execution (T1569.002)|Mebromi interacts with a driver via control codes. [2]|
|Impact::Service Stop (T1489)|Mebromi stops services. [2]|
|Persistence::Create or Modify System Process::Windows Service (T1543.003)|Mebromi starts services. [2]|

See ATT&CK: Mebromi - Techniques Used.

## Enhanced ATT&CK Techniques

|Name|Use|
|--|--|
|Defense Evasion::Bootkit (F0013)|An MBR bootkit and a BIOS bootkit targeting Award BIOS. [1]|
|Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02)|Mebromi encodes data using XOR. [2]|
|Discovery::File and Directory Discovery (E1083)|Mebromi gets a file size. [2]|
|Discovery::System Information Discovery (E1082)|Mebromi checks the OS version. [2]|
|Execution::Command and Scripting Interpreter (E1059)|Mebromi accepts command line arguments. [2]|
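
The Bootkit entry (F0013) records that the malware rewrites the Master Boot Record. The check a responder wants for that behavior is whether the first sector of a disk still matches a known-good copy. The script below is an added example for this catalog entry, not code from MBC, capa, Webroot or the malware itself: both 512-byte sector images are constructed for the demonstration, and the baseline hash is assumed to have been recorded from a clean image at provisioning time. On a live Windows host the same 512 bytes can be read from `\\.\PhysicalDrive0` with administrator rights and passed to `check_mbr()` unchanged.

```python
"""Parse a 512-byte MBR and check its boot code against a trusted baseline.

Added example for this catalog entry; not MBC, capa or Mebromi code.
The two sector images below are constructed for the demonstration.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot code, the part a bootkit patches
DISK_SIG_OFF = 440       # 4-byte NT disk signature (legitimately varies per disk)
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA


def parse_mbr(mbr: bytes) -> dict:
    """Return the fields a tampering check cares about."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (3 bytes, skipped),
        # LBA of first sector, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": mbr[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings


def build_baseline_mbr() -> bytes:
    """Constructed clean sector: filler boot code, one NTFS partition, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[:BOOT_CODE_LEN] = bytes((i * 7 + 3) & 0xFF for i in range(BOOT_CODE_LEN))
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)
    # entry 0: bootable, type 0x07 (NTFS), starts at LBA 2048, 204800 sectors
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF,
                     0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


def build_tampered_mbr() -> bytes:
    """Same sector with the start of the boot code overwritten, as a bootkit that
    redirects the boot path would do; partition table and signature untouched."""
    sector = bytearray(build_baseline_mbr())
    sector[:16] = b"\xea" + b"\x00" * 15   # constructed placeholder patch, not Mebromi's code
    return bytes(sector)


# In practice this hash is recorded from a clean disk and stored off-host.
BASELINE_HASH = parse_mbr(build_baseline_mbr())["boot_code_sha256"]

if __name__ == "__main__":
    print("clean   :", check_mbr(build_baseline_mbr(), BASELINE_HASH))
    print("tampered:", check_mbr(build_tampered_mbr(), BASELINE_HASH))
```

Only the 440 boot-code bytes are hashed: the disk signature and partition table change legitimately, so hashing the whole sector produces false positives. Because this entry records a BIOS component alongside the MBR component, a sector that matches the baseline again after being rewritten does not by itself show the firmware is clean; the BIOS image needs its own comparison against the vendor's release.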

## MBC Behaviors

|Name|Use|
|--|--|
|Execution::Conditional Execution (B0025)|Malware only proceeds if it detects that the BIOS ROM is an Award BIOS. [1]|
|Execution::Install Additional Program (B0023)|Malware contains a dropper that installs additional programs such as Cbrom.exe. [1]|
|Data::Encode Data::XOR (C0026.002)|Mebromi encodes data using XOR. [2]|
|File System::Copy File (C0045)|Mebromi copies files. [2]|
|File System::Delete File (C0047)|Mebromi deletes files. [2]|
|File System::Move File (C0063)|Mebromi moves files. [2]|
|File System::Read File (C0051)|Mebromi reads files on Windows. [2]|
|Memory::Allocate Memory (C0007)|Mebromi allocates RWX memory. [2]|
|Process::Create Process (C0017)|Mebromi creates a process on Windows. [2]|
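
Both the E1027.m02 row above and the C0026.002 row in this table record only that the sample XOR-encodes data. When an analyst meets such a blob (for instance an embedded dropped executable), the practical task is recovering the key. The script below is an added example for this catalog entry, not code from MBC, capa or the malware: it recovers a single-byte XOR key from a known-plaintext crib, and the encoded sample is constructed here (a fake PE header XORed with a key chosen for the demonstration), not data from Mebromi.

```python
"""Recover a single-byte XOR key from an encoded blob using a known-plaintext crib.

Added example for this catalog entry; not MBC, capa or Mebromi code.
The encoded sample is constructed below, not taken from the malware.
"""

# Text present in the DOS stub of nearly every PE file; a good crib for
# a hidden executable.
DOS_STUB_CRIB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes, crib: bytes) -> list:
    """Return sorted (key, offset) pairs at which the crib appears under some key.

    Rather than trying all 256 keys over the whole blob, every offset yields
    exactly one candidate key (blob[i] ^ crib[0]); the crib is then verified
    at that offset. A hit with key 0 means the data was not encoded at all.
    """
    hits = set()
    for i in range(len(blob) - len(crib) + 1):
        key = blob[i] ^ crib[0]
        if xor_bytes(blob[i:i + len(crib)], key) == crib:
            hits.add((key, i))
    return sorted(hits)


def decode_with_crib(blob: bytes, crib: bytes = DOS_STUB_CRIB):
    """Decode the blob with the first recovered key, or return None if the crib is absent."""
    hits = recover_xor_key(blob, crib)
    if not hits:
        return None
    key, _offset = hits[0]
    return key, xor_bytes(blob, key)


def build_sample(key: int = 0x7C) -> bytes:
    """Constructed fake payload: MZ header, DOS stub text, filler; XORed with key."""
    plain = (b"MZ\x90\x00" + b"\x00" * 60 + b"!" + DOS_STUB_CRIB
             + b".\r\r\n$" + bytes(range(256)))
    return xor_bytes(plain, key)


if __name__ == "__main__":
    encoded = build_sample()
    print("candidates:", recover_xor_key(encoded, DOS_STUB_CRIB))
    key, decoded = decode_with_crib(encoded)
    print(f"key 0x{key:02x}, header {decoded[:2]!r}")
```

The crib approach assumes the expected plaintext really is present; if no offset verifies, the data may use a multi-byte or rolling key, which this routine does not handle. Checking the decoded header (`MZ` for a PE) before trusting a candidate avoids acting on a coincidental short match.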

## Indicators of Compromise

### SHA256 Hashes

* 4968ae59a46b60c290cf5db8b3d6749df06ceb4be668009a609e1139fe91a9ee
* 8802ad7f2d267b754afef8fd81fe8e5f0ecc13e7f69b82e89e980922d94291ba

## References

[1] https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/

[2] capa v4.0, analyzed at MITRE on 10/12/2022