PyDCrypt is malware written in Python designed to deliver DCSrv. It has been used by Moses Staff since at least September 2021, with each sample tailored for its intended victim organization.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | PyDCrypt has dropped DCSrv under the |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PyDCrypt has decrypted and dropped the DCSrv payload to disk.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | PyDCrypt, along with its functions, is written in Python.[1] |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | PyDCrypt has modified firewall rules to allow incoming SMB, NetBIOS, and RPC connections using |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | PyDCrypt has been compiled and encrypted with PyInstaller, specifically using the --key flag during the build phase.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | PyDCrypt will remove all created artifacts such as dropped executables.[1] |
| Enterprise | T1033 | System Owner/User Discovery | PyDCrypt has probed victim machines with |
| Enterprise | T1049 | System Network Connections Discovery | PyDCrypt has used netsh to find RPC connections on remote machines.[1] |
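As an added example (not part of this ATT&CK entry and not code from the Moses Staff tooling), a small detector for the T1562.004 behaviour listed above: it parses `netsh advfirewall firewall add rule` command lines from process-creation telemetry and flags inbound allow rules that expose SMB (445), NetBIOS (139) or RPC (135). The port-to-service mapping and the sample command lines are constructed; the netsh syntax is the standard Windows one.

```python
import re
from typing import Iterable, Iterator, Optional

# Inbound ports that the firewall changes described above would expose (T1562.004).
WATCHED_PORTS = {445: "SMB", 139: "NetBIOS", 135: "RPC"}

_HEAD = re.compile(r'^\s*"?(?:.*\\)?netsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b', re.I)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_netsh_add_rule(cmdline: str) -> Optional[dict]:
    """Return the key=value fields of a `netsh advfirewall firewall add rule` line, else None."""
    head = _HEAD.match(cmdline)
    if not head:
        return None
    return {k.lower(): v.strip('"') for k, v in _KV.findall(cmdline[head.end():])}


def exposed_services(cmdline: str) -> list:
    """Watched services that an inbound allow rule in `cmdline` opens (empty if none)."""
    fields = parse_netsh_add_rule(cmdline)
    if not fields or fields.get("dir", "").lower() != "in" or fields.get("action", "").lower() != "allow":
        return []
    ports = set()
    for token in fields.get("localport", "").split(","):
        token = token.strip().lower()
        if "-" in token:  # port range such as 100-200
            lo, hi = token.split("-", 1)
            if lo.isdigit() and hi.isdigit():
                ports.update(p for p in WATCHED_PORTS if int(lo) <= p <= int(hi))
        elif token.isdigit():
            ports.add(int(token))
        elif token == "any":
            ports.update(WATCHED_PORTS)
    return [WATCHED_PORTS[p] for p in sorted(ports) if p in WATCHED_PORTS]


def scan(log_lines: Iterable[str]) -> Iterator[tuple]:
    """Yield (command line, services) for lines that open a watched port inbound."""
    for line in log_lines:
        hits = exposed_services(line)
        if hits:
            yield line, hits


# Constructed sample command lines; not taken from a real incident.
SAMPLE_CMDLINES = [
    'netsh advfirewall firewall add rule name="File Sharing" dir=in action=allow protocol=TCP localport=445',
    'netsh advfirewall firewall add rule name="svc" dir=in action=allow protocol=TCP localport=135,139',
    'netsh advfirewall firewall add rule name="Block" dir=in action=block protocol=TCP localport=445',
    'netsh advfirewall firewall add rule name="Out" dir=out action=allow protocol=TCP localport=445',
    'netsh advfirewall firewall show rule name=all',
]

if __name__ == "__main__":
    for line, services in scan(SAMPLE_CMDLINES):
        print(f"[T1562.004] inbound allow for {', '.join(services)}: {line}")
```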
| ID | Name | References |
|---|---|---|
| G1009 | Moses Staff | |