SPACESHIP
ID: S0035
ⓘ
Type: MALWARE
ⓘ
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .001 | 启动或登录自动启动执行: Registry Run Keys / Startup Folder |
SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[1] |
| .009 | 启动或登录自动启动执行: Shortcut Modification |
SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[1] |
||
| Enterprise | T1560 | .003 | 归档收集数据: Archive via Custom Method |
Data SPACESHIP copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR'ed with 0x23.[1] |
| Enterprise | T1074 | .001 | 数据分段: Local Data Staging |
SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile.[1] |
| Enterprise | T1083 | 文件和目录发现 |
SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.[1] |
|
| Enterprise | T1052 | .001 | 通过物理介质渗出: Exfiltration over USB |
SPACESHIP copies staged data to removable drives when they are inserted into the system.[1] |