Samurai
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1005 | 从本地系统获取数据 |
Samurai can leverage an exfiltration module to download arbitrary files from compromised machines.[1] |
|
| Enterprise | T1090 | 代理 |
Samurai has the ability to proxy connections to specified remote IPs and ports through a a proxy module.[1] |
|
| Enterprise | T1036 | .005 | 伪装: Match Legitimate Name or Location |
Samurai has created the directory |
| Enterprise | T1112 | 修改注册表 |
The Samurai loader component can create multiple Registry keys to force the svchost.exe process to load the final backdoor.[1] |
|
| Enterprise | T1543 | .003 | 创建或修改系统进程: Windows Service |
Samurai can create a service at |
| Enterprise | T1573 | .001 | 加密通道: Symmetric Cryptography | |
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
Samurai can use a remote command module for execution via the Windows command line.[1] |
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
Samurai can use a .NET HTTPListener class to receive and handle HTTP POST requests.[1] |
| Enterprise | T1132 | .001 | 数据编码: Standard Encoding |
Samurai can base64 encode data sent in C2 communications prior to its encryption.[1] |
| Enterprise | T1083 | 文件和目录发现 | ||
| Enterprise | T1106 | 本机API | ||
| Enterprise | T1012 | 查询注册表 |
Samurai can query |
|
| Enterprise | T1027 | 混淆文件或信息 |
Samurai can encrypt the names of requested APIs and deliver its final payload as a compressed, encrypted and base64 encoded blob.[1] |
|
| .004 | Compile After Delivery |
Samurai can compile and execute downloaded modules at runtime.[1] |
||
| .007 | Dynamic API Resolution |
Samurai can encrypt API name strings with an XOR-based algorithm.[1] |
||
| Enterprise | T1518 | 软件发现 |
Samurai can check for the presence and version of the .NET framework.[1] |
|
| Enterprise | T1105 | 输入工具传输 |
Samurai has been used to deploy other malware including Ninja.[1] |
|
| Enterprise | T1095 | 非应用层协议 |
Samurai can use a proxy module to forward TCP packets to external hosts.[1] |
|