| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1036.001 | Masquerading: Invalid Code Signature | Gelsemium has used unverified signatures on malicious DLLs.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Gelsemium has named malicious binaries |
| Enterprise | T1112 | Modify Registry | Gelsemium can modify the Registry to store its components.[1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Gelsemium can drop itself in |
| Enterprise | T1568 | Dynamic Resolution | |
| Enterprise | T1620 | Reflective Code Loading | Gelsemium can use custom shellcode to map embedded DLLs into memory.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | |
| Enterprise | T1547.012 | Boot or Logon Autostart Execution: Print Processors | Gelsemium can drop itself in |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1008 | Fallback Channels | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | Gelsemium has the ability to use DNS in communication with C2.[1] |
| Enterprise | T1083 | File and Directory Discovery | Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization/Sandbox Evasion.[1] |
| Enterprise | T1106 | Native API | Gelsemium has the ability to use various Windows API functions to perform tasks.[1] |
| Enterprise | T1012 | Query Registry | Gelsemium can open random files and Registry keys to obscure malware behavior from sandbox analysis.[1] |
| Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | Gelsemium can use junk code to hide functions and evade detection.[1] |
| Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Gelsemium can bypass UAC to elevate process privileges on a compromised host.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Gelsemium can delete its dropper component from the targeted system.[1] |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | Gelsemium has the ability to perform timestomping of files on targeted systems.[1] |
| Enterprise | T1082 | System Information Discovery | Gelsemium can determine the operating system and whether a targeted machine has a 32- or 64-bit architecture.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Gelsemium has the ability to distinguish between a standard user and an administrator on a compromised host.[1] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Gelsemium can use junk code to generate random activity to obscure malware behavior.[1] |
| Enterprise | T1134 | Access Token Manipulation | Gelsemium can use token manipulation to bypass UAC on Windows 7 systems.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Gelsemium can check for the presence of specific security products.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Gelsemium can download additional plug-ins to a compromised host.[1] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Gelsemium has the ability to inject DLLs into specific processes.[1] |
| Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | Gelsemium can use the |
| Enterprise | T1095 | Non-Application Layer Protocol | Gelsemium has the ability to use TCP and UDP in C2 communications.[1] |