^[2][3]

Pteranodon can use HTTP for C2.^[1]

Pteranodon copies itself to the Startup folder to establish persistence.^[1]

Pteranodon can usecmd.exe for execution on victim systems.^[1][2]

Pteranodon can use a malicious VBS file for execution.^[2]

Pteranodon creates various subdirectories under%Temp%\reports\% and copies files to those subdirectories. It also creates a folder atC:\Users\\AppData\Roaming\Microsoft\store to store screenshot JPEG files.^[1]

Pteranodon can decrypt encrypted data strings prior to using them.^[4]

Pteranodon exfiltrates screenshot files to its C2 server.^[1]

Pteranodon identifies files matching certain file extension and copies them to subdirectories it created.^[1]

Pteranodon can delete files that may interfere with it executing. It also can delete temporary files and itself after the initial script executes.^[1]

Pteranodon can download and execute additional files.^[1][2][5]

Pteranodon has used various API calls.^[4]

Pteranodon can use a dynamic Windows hashing algorithm to map API components.^[4]

Pteranodon schedules tasks to invoke its components in order to establish persistence.^[1][2]

Pteranodon can capture screenshots at a configurable interval.^[1][5]

Pteranodon can use mshta.exe to execute an HTA file hosted on a remote server.^[2]

Pteranodon executes functions using rundll32.exe.^[1]

Pteranodon has the ability to use anti-detection functions to identify sandbox environments.^[5]

^{[1][2][4][5][3]}