Prikormka

Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008.[1]

ID: S0113
Type: MALWARE
Platforms: Windows
Version: 1.4
Created: 31 May 2017
Last Modified: 11 April 2024

Techniques Used

Domain | ID | Name | Use

Enterprise | T1560 | Archive Collected Data
After collecting documents from removable media, Prikormka compresses the collected files and encrypts them with Blowfish.[1]

Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Prikormka adds itself to a Registry Run key under the value name guidVGA or guidVSA.[1]

Enterprise | T1555 | Credentials from Password Stores
A module in Prikormka collects passwords stored by applications installed on the victim's machine.[1]

Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers
A module in Prikormka gathers logins and passwords stored by applications on the victim's machine, including Google Chrome, Mozilla Firefox, and several other browsers.[1]

Enterprise | T1132.001 | Data Encoding: Standard Encoding
Prikormka encodes C2 traffic with Base64.[1]

Enterprise | T1025 | Data from Removable Media
Prikormka contains a module that collects documents with certain extensions from removable media or fixed drives connected via USB.[1]

Enterprise | T1074.001 | Data Staged: Local Data Staging
Prikormka creates the directory %USERPROFILE%\AppData\Local\SKC\, which it uses to store collected log files.[1]

Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography
Prikormka encrypts some C2 traffic with the Blowfish cipher.[1]

Enterprise | T1083 | File and Directory Discovery
A module in Prikormka collects the paths, sizes, and creation times of files with specific extensions, but not the contents of the files.[1]

Enterprise | T1574.001 | Hijack Execution Flow: DLL
Prikormka uses DLL search order hijacking for persistence: it saves itself as ntshrui.dll in the Windows directory so that it is loaded before the legitimate ntshrui.dll in the System32 subdirectory.[1]

Enterprise | T1070.004 | Indicator Removal: File Deletion
After encrypting its log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host.[1]

Enterprise | T1056.001 | Input Capture: Keylogging
Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.[1]

Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File
Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64.[1]

Enterprise | T1120 | Peripheral Device Discovery
A module in Prikormka collects information on available printers and disk drives.[1]

Enterprise | T1113 | Screen Capture
Prikormka contains a module that captures screenshots of the victim's desktop.[1]

Enterprise | T1518.001 | Software Discovery: Security Software Discovery
A module in Prikormka collects information about the anti-virus software installed on the victim's machine.[1]

Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32
Prikormka uses rundll32.exe to load its DLL.[1]

Enterprise | T1082 | System Information Discovery
A module in Prikormka collects the Windows OS version, computer name, battery information, and physical memory details.[1]

Enterprise | T1016 | System Network Configuration Discovery
A module in Prikormka collects the host's IP addresses and MAC addresses.[1]

Enterprise | T1033 | System Owner/User Discovery
A module in Prikormka collects the current user name.[1]
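The persistence and staging entries in the table (T1547.001, T1574.001, T1074.001, T1218.011) name concrete host artefacts: the guidVGA/guidVSA Run values, a copy of ntshrui.dll in the Windows directory shadowing the System32 copy, the %USERPROFILE%\AppData\Local\SKC\ staging directory, and rundll32.exe as the loader. The script below is an added hunting example, not code from this page, from MITRE or from the Operation Groundbait report. The check functions take a snapshot of Run-key values and existing paths so they can run offline against a constructed sample; collect_live() builds the same snapshot on a real Windows host with the standard library only. The rundll32 command line in the sample is a placeholder, since the page does not give the real one.

```python
"""Hunt for the Prikormka host indicators listed in the table above.

Added example: not code from this page, from MITRE, or from the Operation
Groundbait analysis. The checks run over a snapshot (plain dicts and sets)
so they can be exercised offline; collect_live() fills that snapshot from a
Windows host. Indicator strings come from the page:
  Run value named guidVGA or guidVSA             (T1547.001)
  %WINDIR%\\ntshrui.dll ahead of System32's copy  (T1574.001)
  %USERPROFILE%\\AppData\\Local\\SKC\\              (T1074.001)
  rundll32.exe in the launch command             (T1218.011)
"""
import ntpath
import os
import sys
from typing import Dict, List, Set

RUN_VALUE_NAMES = {"guidvga", "guidvsa"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; ntpath behaves the same on any host OS.
    return ntpath.normcase(ntpath.normpath(path))


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """run_values maps Run-key value name -> command line."""
    findings = []
    for name, cmd in run_values.items():
        if name.lower() in RUN_VALUE_NAMES:
            via = " via rundll32.exe (T1218.011)" if "rundll32" in cmd.lower() else ""
            findings.append(f"T1547.001: Run value {name} -> {cmd}{via}")
    return findings


def check_ntshrui_shadow(windir: str, existing: Set[str]) -> List[str]:
    """explorer.exe lives in %WINDIR%, so a DLL dropped there is found before
    System32 in the default search order; that is the hijack the page describes."""
    rogue = _norm(ntpath.join(windir, "ntshrui.dll"))
    if rogue in {_norm(p) for p in existing}:
        return [f"T1574.001: {rogue} shadows System32\\ntshrui.dll"]
    return []


def check_staging_dir(user_profile: str, existing: Set[str]) -> List[str]:
    skc = _norm(ntpath.join(user_profile, "AppData", "Local", "SKC"))
    if skc in {_norm(p) for p in existing}:
        return [f"T1074.001: staging directory {skc} present"]
    return []


def hunt(snapshot: dict) -> List[str]:
    return (check_run_values(snapshot["run_values"])
            + check_ntshrui_shadow(snapshot["windir"], snapshot["existing"])
            + check_staging_dir(snapshot["user_profile"], snapshot["existing"]))


def collect_live() -> dict:
    """Build the snapshot from the local Windows host (HKCU and HKLM Run keys).
    Caveat: a 32-bit Python on 64-bit Windows may see the WOW6432Node view of HKLM."""
    if sys.platform != "win32":
        raise RuntimeError("collect_live() needs Windows")
    import winreg
    run_values: Dict[str, str] = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:  # no more values
                        break
                    run_values[name] = str(value)
                    i += 1
        except OSError:  # key absent or not readable
            continue
    windir = os.environ.get("WINDIR", r"C:\Windows")
    profile = os.environ.get("USERPROFILE", "")
    candidates = [ntpath.join(windir, "ntshrui.dll"),
                  ntpath.join(profile, "AppData", "Local", "SKC")]
    return {"run_values": run_values, "windir": windir, "user_profile": profile,
            "existing": {p for p in candidates if os.path.exists(p)}}


# Constructed snapshot for illustration only. The rundll32 command line is a
# placeholder: the page says rundll32.exe loads the DLL but gives no arguments.
SAMPLE_SNAPSHOT = {
    "run_values": {
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "guidVGA": r"rundll32.exe C:\Windows\ntshrui.dll,PlaceholderExport",
    },
    "windir": r"C:\Windows",
    "user_profile": r"C:\Users\alice",
    "existing": {r"C:\Windows\ntshrui.dll",
                 r"C:\Windows\System32\ntshrui.dll",
                 r"C:\Users\alice\AppData\Local\SKC"},
}

if __name__ == "__main__":
    for line in hunt(SAMPLE_SNAPSHOT):
        print(line)
```

On a live host, replace SAMPLE_SNAPSHOT with collect_live(); the presence of System32\ntshrui.dll on its own is normal, and only the extra copy directly under the Windows directory is the indicator.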

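The Base64 and XOR entries in the table (T1132.001, T1027.013) describe layers an analyst can strip without any key material. The block below is an added example, not code from this page, from MITRE or from the Operation Groundbait report: it peels an optional Base64 layer and then brute-forces a single-byte XOR key by scoring how text-like each candidate output is. The page gives neither the key length nor the resource layout, so the single-byte assumption and the sample blob are both constructed here. The Blowfish-encrypted traffic (T1573.001) is out of scope: without the key it cannot be recovered this way.

```python
"""Peel a Base64 layer and a single-byte XOR layer off an obfuscated resource.

Added example: not code from this page, from MITRE, or from the Operation
Groundbait analysis. The table says some Prikormka resources are XOR-encrypted
or Base64-encoded but gives neither key nor layout, so this assumes a
single-byte key and picks the key whose output looks most like text. The
sample blob below is constructed; nothing in it is real Prikormka data.
"""
import base64
import binascii
from typing import List, Optional, Tuple

# Bytes accepted as "text": printable ASCII plus tab, CR and LF.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def strip_base64(data: bytes) -> bytes:
    """Return the decoded payload if data is canonical Base64, else data itself."""
    stripped = data.strip()
    try:
        decoded = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return data
    # Re-encode and compare so XOR output that happens to use only Base64
    # alphabet characters is not mistaken for an encoding layer.
    return decoded if base64.b64encode(decoded) == stripped else data


def xor_single(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def text_score(candidate: bytes) -> float:
    """Fraction of bytes that look like text; 1.0 means fully printable."""
    if not candidate:
        return 0.0
    return sum(b in TEXT_BYTES for b in candidate) / len(candidate)


def rank_keys(data: bytes, top: int = 3) -> List[Tuple[int, float]]:
    """Try every key 0..255 and return the best `top` as (key, score).
    Key 0 is included so an unobfuscated blob ranks itself first."""
    scored = [(k, text_score(xor_single(data, k))) for k in range(256)]
    scored.sort(key=lambda ks: (-ks[1], ks[0]))
    return scored[:top]


def decode_resource(blob: bytes, min_score: float = 0.95) -> Optional[Tuple[int, bytes]]:
    """Return (key, plaintext), or None when no key yields text-like output
    (e.g. the resource is compressed or Blowfish-encrypted rather than XORed)."""
    raw = strip_base64(blob)
    key, score = rank_keys(raw, top=1)[0]
    if score < min_score:
        return None
    return key, xor_single(raw, key)


# Constructed sample: a made-up config string, XORed with 0x5A and then
# Base64-encoded, standing in for an obfuscated resource.
SAMPLE_PLAINTEXT = (b"C2 config (constructed): host=203.0.113.7 port=443 "
                    b"proxy=none user=Alice UA=Mozilla/4.0\r\n")
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = base64.b64encode(xor_single(SAMPLE_PLAINTEXT, SAMPLE_KEY))

if __name__ == "__main__":
    result = decode_resource(SAMPLE_BLOB)
    if result is None:
        print("no text-like decoding found")
    else:
        key, text = result
        print(f"key=0x{key:02x} -> {text!r}")
```

The printable-ratio score is deliberately simple: for a multi-byte repeating key, the same routine applies per key position once the key length has been estimated, and for binary payloads (a PE or a compressed blob) a different scorer, such as checking for a known header, is needed because nothing will look like text.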
References
