TYPEFRAME can uninstall malware components using a batch script.^[1]TYPEFRAME can execute commands using a shell.^[1]

TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution.^[1]

TYPEFRAME variants can add malicious DLL modules as new services.TYPEFRAME can also delete services from the victim’s machine.^[1]

OneTYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value "0x35".^[1]

TYPEFRAME can search directories for files on the victim’s machine.^[1]

TYPEFRAME can open the Windows Firewall on the victim’s machine to allow incoming connections.^[1]

TYPEFRAME can delete files off the system.^[1]

TYPEFRAME can upload and download files to the victim’s machine.^[1]

TYPEFRAME can gather the disk volume information.^[1]

TYPEFRAME can install encrypted configuration data under the Registry keyHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll andHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs.^[1]

TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method.^[1]

TYPEFRAME can install and store encrypted configuration data under the Registry keyHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll andHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs.^[1]

APIs and strings in someTYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR.^[1]

ATYPEFRAME variant can force the compromised system to function as a proxy server.^[1]

A Word document deliveringTYPEFRAME prompts the user to enable macro execution.^[1]

^[1]