CozyCar
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | CozyCar's main method of communicating with its C2 servers is HTTP or HTTPS. (Citation: F-Secure CozyDuke)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys:
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | A module in CozyCar allows arbitrary commands to be executed by invoking
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | One persistence mechanism used by CozyCar is to register itself as a Windows service. (Citation: F-Secure CozyDuke)
Enterprise | T1036.003 | Masquerading: Rename System Utilities | The CozyCar dropper has masqueraded a copy of the infected system's rundll32.exe executable by moving it to the malware's install directory and renaming it according to a predefined configuration file. (Citation: F-Secure CozyDuke)
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | CozyCar has executed Mimikatz to harvest stored credentials from the victim and to further compromise the victim. (Citation: F-Secure CozyDuke)
Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | Password stealer and NTLM stealer modules in CozyCar harvest stored credentials from the victim, including credentials used as part of Windows NTLM user authentication. (Citation: F-Secure CozyDuke)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | The payload of CozyCar is encrypted with a simple XOR using a rotating key. The CozyCar configuration file has been encrypted with RC4 keys. (Citation: F-Secure CozyDuke)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | One persistence mechanism used by CozyCar is to register itself as a scheduled task. (Citation: F-Secure CozyDuke)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | The main CozyCar dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper exits. (Citation: F-Secure CozyDuke)
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | The CozyCar dropper copies the system file rundll32.exe to the malware's install location, then uses that copy of rundll32.exe to load and execute the main CozyCar component. (Citation: F-Secure CozyDuke)
Enterprise | T1102.002 | Web Service: Bidirectional Communication | CozyCar uses Twitter as a backup C2 channel, communicating with Twitter accounts specified in its configuration file. (Citation: F-Secure CozyDuke)