Comnie

Comnie is a remote backdoor which has been used in attacks in East Asia.[1]

ID: S0244
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 25 April 2025

Techniques Used

Domain / ID / Name / Use

Enterprise  T1087.001  Account Discovery: Local Account

Comnie uses the net user command.[1]

Enterprise  T1071.001  Application Layer Protocol: Web Protocols

Comnie uses HTTP for C2 communication.[1]

Enterprise  T1119  Automated Collection

Comnie executes a batch script to store discovery information in %TEMP%\info.dat and then uploads the temporary file to the remote C2 server.[1]

Enterprise  T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry.[1]

Enterprise  T1547.009  Boot or Logon Autostart Execution: Shortcut Modification

Comnie establishes persistence via a .lnk file in the victim's startup path.[1]

Enterprise  T1059.003  Command and Scripting Interpreter: Windows Command Shell

Comnie executes BAT scripts.[1]

Enterprise  T1059.005  Command and Scripting Interpreter: Visual Basic

Comnie executes VBS scripts.[1]

Enterprise  T1573.001  Encrypted Channel: Symmetric Cryptography

Comnie encrypts command and control communications with RC4.[1]

Enterprise  T1027  Obfuscated Files or Information

Comnie uses RC4 and Base64 to obfuscate strings.[1]

Enterprise  T1027.001  Obfuscated Files or Information: Binary Padding

Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.[1]

Enterprise  T1057  Process Discovery

Comnie uses the tasklist command to view running processes on the victim's machine.[1]

Enterprise  T1018  Remote System Discovery

Comnie runs the net view command.

Enterprise  T1518.001  Software Discovery: Security Software Discovery

Comnie attempts to detect several anti-virus products.[1]

Enterprise  T1218.011  System Binary Proxy Execution: Rundll32

Comnie uses Rundll32 to load a malicious DLL.[1]

Enterprise  T1082  System Information Discovery

Comnie collects the hostname of the victim machine.[1]

Enterprise  T1016  System Network Configuration Discovery

Comnie uses ipconfig /all and route PRINT to identify network adapter and interface information.[1]

Enterprise  T1049  System Network Connections Discovery

Comnie executes the netstat -ano command.[1]

Enterprise  T1007  System Service Discovery

Comnie runs the command net start >> %TEMP%\info.dat on a victim.[1]

Enterprise  T1102.002  Web Service: Bidirectional Communication

Comnie uses blogs and third-party sites (GitHub, Tumblr, and BlogSpot) to avoid DNS-based blocking of their communication to the command and control server.[1]
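The discovery rows above describe one batch script that chains several built-in commands and stages their output in %TEMP%\info.dat. As an added detection example (not part of the ATT&CK page), the following correlates process-creation events by parent process and flags the burst of distinct discovery techniques or the write to the staging file named on the page; the event tuples and parent PIDs are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events: (parent_pid, command line).
# PID 1234 plays the Comnie batch script; PID 5678 is a lone, benign admin check.
SAMPLE_EVENTS = [
    (1234, "net user"),
    (1234, "net view"),
    (1234, "tasklist"),
    (1234, "ipconfig /all"),
    (1234, "route PRINT"),
    (1234, "netstat -ano"),
    (1234, r"net start >> %TEMP%\info.dat"),
    (5678, "ipconfig /all"),
]

# Discovery commands the page attributes to Comnie, keyed to their ATT&CK IDs.
DISCOVERY_PATTERNS = {
    "T1087.001": re.compile(r"^net\s+user\b", re.I),
    "T1018": re.compile(r"^net\s+view\b", re.I),
    "T1057": re.compile(r"^tasklist\b", re.I),
    "T1016": re.compile(r"^(ipconfig\s+/all|route\s+print)\b", re.I),
    "T1049": re.compile(r"^netstat\s+-ano\b", re.I),
    "T1007": re.compile(r"^net\s+start\b", re.I),
}
# Staging file from the T1119 / T1007 rows; `\\` matches one literal backslash.
STAGING_FILE = re.compile(r">>?\s*%TEMP%\\info\.dat", re.I)

def classify(cmdline):
    """Return the set of ATT&CK IDs whose pattern matches one command line."""
    return {tid for tid, rx in DISCOVERY_PATTERNS.items() if rx.search(cmdline.strip())}

def find_discovery_bursts(events, min_techniques=4):
    """Group events by parent PID and return the parents that either ran at least
    min_techniques distinct discovery techniques or redirected output into the
    %TEMP%\\info.dat staging file. A single ipconfig from an admin is not flagged."""
    by_parent = defaultdict(lambda: {"techniques": set(), "staging": False})
    for parent, cmd in events:
        rec = by_parent[parent]
        rec["techniques"] |= classify(cmd)
        if STAGING_FILE.search(cmd):
            rec["staging"] = True
    return {parent: rec for parent, rec in by_parent.items()
            if rec["staging"] or len(rec["techniques"]) >= min_techniques}

if __name__ == "__main__":
    for parent, rec in find_discovery_bursts(SAMPLE_EVENTS).items():
        print(parent, sorted(rec["techniques"]), "staging" if rec["staging"] else "")
```

In a real deployment the events would come from Sysmon event ID 1 or Windows 4688 records; the threshold of four distinct techniques per parent is a tuning assumption, not a value from the page.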
