CozyCar
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1036 | .003 | 伪装: Rename System Utilities |
The CozyCar dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved to the malware's install directory and renamed according to a predefined configuration file.[2] |
| Enterprise | T1543 | .003 | 创建或修改系统进程: Windows Service |
One persistence mechanism used by CozyCar is to register itself as a Windows service.[2] |
| Enterprise | T1547 | .001 | 启动或登录自动启动执行: Registry Run Keys / Startup Folder |
One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys: |
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
A module in CozyCar allows arbitrary commands to be executed by invoking |
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
CozyCar's main method of communicating with its C2 servers is using HTTP or HTTPS.[2] |
| Enterprise | T1003 | .001 | 操作系统凭证转储: LSASS Memory |
CozyCar has executed Mimikatz to harvest stored credentials from the victim and further victim penetration.[2] |
| .002 | 操作系统凭证转储: Security Account Manager |
Password stealer and NTLM stealer modules in CozyCar harvest stored credentials from the victim, including credentials used as part of Windows NTLM user authentication.[2] |
||
| Enterprise | T1027 | .013 | 混淆文件或信息: Encrypted/Encoded File |
The payload of CozyCar is encrypted with simple XOR with a rotating key. The CozyCar configuration file has been encrypted with RC4 keys.[2] |
| Enterprise | T1218 | .011 | 系统二进制代理执行: Rundll32 |
The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component.[2] |
| Enterprise | T1082 | 系统信息发现 |
A system info module in CozyCar gathers information on the victim host’s configuration.[2] |
|
| Enterprise | T1102 | .002 | 网络服务: Bidirectional Communication |
CozyCar uses Twitter as a backup C2 channel to Twitter accounts specified in its configuration file.[2] |
| Enterprise | T1497 | 虚拟化/沙盒规避 |
Some versions of CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. If it detects that it is, it will exit.[2] |
|
| Enterprise | T1518 | .001 | 软件发现: Security Software Discovery |
The main CozyCar dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper will exit.[2] |
| Enterprise | T1053 | .005 | 预定任务/作业: Scheduled Task |
One persistence mechanism used by CozyCar is to register itself as a scheduled task.[2] |