Prikormka
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA.(Citation: ESET Operation Groundbait)
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | A module in Prikormka gathers logins and passwords stored in applications on the victims, including Google Chrome, Mozilla Firefox, and several other browsers.(Citation: ESET Operation Groundbait)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Prikormka encodes C2 traffic with Base64.(Citation: ESET Operation Groundbait)
Enterprise | T1074.001 | Data Staged: Local Data Staging | Prikormka creates a directory,
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Prikormka encrypts some C2 traffic with the Blowfish cipher.(Citation: ESET Operation Groundbait)
Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Prikormka uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory so it will load before the legitimate ntshrui.dll saved in the System32 subdirectory.(Citation: ESET Operation Groundbait)
Enterprise | T1070.004 | Indicator Removal: File Deletion | After encrypting its own log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host.(Citation: ESET Operation Groundbait)
Enterprise | T1056.001 | Input Capture: Keylogging | Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.(Citation: ESET Operation Groundbait)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64.(Citation: ESET Operation Groundbait)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | A module in Prikormka collects information from the victim about installed anti-virus software.(Citation: ESET Operation Groundbait)
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Prikormka uses rundll32.exe to load its DLL.(Citation: ESET Operation Groundbait)