Comnie uses thenet user command.^[1]

Comnie uses HTTP for C2 communication.^[1]

Comnie executes a batch script to store discovery information in %TEMP%\info.dat and then uploads the temporarily file to the remote C2 server.^[1]

Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry.^[1]

Comnie establishes persistence via a .lnk file in the victim’s startup path.^[1]

Comnie executes BAT scripts.^[1]

Comnie executes VBS scripts.^[1]

Comnie encrypts command and control communications with RC4.^[1]

Comnie uses RC4 and Base64 to obfuscate strings.^[1]

Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.^[1]

Comnie uses thetasklist to view running processes on the victim’s machine.^[1]

Comnie runs thenet view command

Comnie attempts to detect several anti-virus products.^[1]

Comnie uses Rundll32 to load a malicious DLL.^[1]

Comnie collects the hostname of the victim machine.^[1]

Comnie usesipconfig /all androute PRINT to identify network adapter and interface information.^[1]

Comnie executes thenetstat -ano command.^[1]

Comnie runs the command:net start >> %TEMP%\info.dat on a victim.^[1]

Comnie uses blogs and third-party sites (GitHub, tumbler, and BlogSpot) to avoid DNS-based blocking of their communication to the command and control server.^[1]