KOPILUWAK
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1005 | 从本地系统获取数据 | ||
| Enterprise | T1059 | .007 | 命令与脚本解释器: JavaScript |
KOPILUWAK had used Javascript to perform its core functions.[1] |
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
KOPILUWAK has used HTTP POST requests to send data to C2.[1] |
| Enterprise | T1074 | .001 | 数据分段: Local Data Staging |
KOPILUWAK has piped the results from executed C2 commands to |
| Enterprise | T1204 | .002 | 用户执行: Malicious File |
KOPILUWAK has gained execution through malicious attachments.[1] |
| Enterprise | T1082 | 系统信息发现 |
KOPILUWAK can discover logical drive information on compromised hosts.[1] |
|
| Enterprise | T1033 | 系统所有者/用户发现 |
KOPILUWAK can conduct basic network reconnaissance on the victim machine with |
|
| Enterprise | T1049 | 系统网络连接发现 |
KOPILUWAK can use netstat, Arp, and Net to discover current TCP connections.[1] |
|
| Enterprise | T1016 | 系统网络配置发现 |
KOPILUWAK can use Arp to discover a target's network configuration setttings.[1] |
|
| Enterprise | T1135 | 网络共享发现 |
KOPILUWAK can use netstat and Net to discover network shares.[1] |
|
| Enterprise | T1057 | 进程发现 |
KOPILUWAK can enumerate current running processes on the targeted machine.[1] |
|
| Enterprise | T1041 | 通过C2信道渗出 |
KOPILUWAK has exfiltrated collected data to its C2 via POST requests.[1] |
|
| Enterprise | T1566 | .001 | 钓鱼: Spearphishing Attachment |
KOPILUWAK has been delivered to victims as a malicious email attachment.[1] |
Groups That Use This Software
Campaigns
| ID | Name | Description |
|---|---|---|
| C0026 | C0026 |
KOPILUWAK was used as a first-stage profiling utility for previous victims of ANDROMEDA during C0026.[1] |