Explosive
Explosive is a custom-made remote access tool used by the group Volatile Cedar. It was first identified in the wild in 2015.[1][2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1025 | 从可移动介质获取数据 |
Explosive can scan all .exe files located in the USB drive.[1] |
|
| Enterprise | T1112 | 修改注册表 |
Explosive has a function to write itself to Registry values.[1] |
|
| Enterprise | T1115 | 剪贴板数据 |
Explosive has a function to use the OpenClipboard wrapper.[1] |
|
| Enterprise | T1573 | .001 | 加密通道: Symmetric Cryptography |
Explosive has encrypted communications with the RC4 method.[2] |
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols | |
| Enterprise | T1106 | 本机API |
Explosive has a function to call the OpenClipboard wrapper.[1] |
|
| Enterprise | T1082 | 系统信息发现 |
Explosive has collected the computer name from the infected host.[1] |
|
| Enterprise | T1033 | 系统所有者/用户发现 |
Explosive has collected the username from the infected host.[1] |
|
| Enterprise | T1016 | 系统网络配置发现 |
Explosive has collected the MAC address from the victim's machine.[1] |
|
| Enterprise | T1105 | 输入工具传输 |
Explosive has a function to download a file to the infected system.[1] |
|
| Enterprise | T1056 | .001 | 输入捕获: Keylogging |
Explosive has leveraged its keylogging capabilities to gain access to administrator accounts on target servers.[1][2] |
| Enterprise | T1564 | .001 | 隐藏伪装: Hidden Files and Directories |
Explosive has commonly set file and path attributes to hidden.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0123 | Volatile Cedar |