Elise

Elise executes net user after initial communication is made to the remote server.(Citation: Lotus Blossom Jun 2015)

Elise communicates over HTTP or HTTPS for C2.(Citation: Lotus Blossom Jun 2015)

If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry keys for persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self] and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAStorD.(Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)

Elise configures itself as a service.(Citation: Lotus Blossom Jun 2015)

Elise exfiltrates data using cookie values that are Base64-encoded.(Citation: Lotus Blossom Jun 2015)

Elise creates a file in AppData\Local\Microsoft\Windows\Explorer and stores all harvested data in that file.(Citation: Accenture Dragonfish Jan 2018)

Elise encrypts exfiltrated data with RC4.(Citation: Lotus Blossom Jun 2015)

Elise is capable of launching a remote shell on the host to delete itself.(Citation: Accenture Dragonfish Jan 2018)

If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.(Citation: Lotus Blossom Jun 2015)

Elise injects DLL files into iexplore.exe.(Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)

After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.(Citation: Lotus Blossom Jun 2015)