| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1560 | Archive Collected Data | After collecting documents from removable media, Prikormka compresses the collected files and encrypts them with Blowfish. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA. |
| enterprise | T1555 | Credentials from Password Stores | A module in Prikormka collects passwords stored in applications installed on the victim. |
| enterprise | T1555.003 | Credentials from Web Browsers | A module in Prikormka gathers logins and passwords stored in applications on the victim, including Google Chrome, Mozilla Firefox, and several other browsers. |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Prikormka encodes C2 traffic with Base64. |
| enterprise | T1025 | Data from Removable Media | Prikormka contains a module that collects documents with certain extensions from removable media or fixed drives connected via USB. |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Prikormka creates a directory, %USERPROFILE%\AppData\Local\SKC\, which is used to store collected log files. |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Prikormka encrypts some C2 traffic with the Blowfish cipher. |
| enterprise | T1083 | File and Directory Discovery | A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the files. |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL Search Order Hijacking | Prikormka uses DLL search order hijacking for persistence by saving itself as ntshrui.dll in the Windows directory so that it loads before the legitimate ntshrui.dll stored in the System32 subdirectory. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | After encrypting its own log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host. |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows. |
| enterprise | T1027 | Obfuscated Files or Information | Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64. |
| enterprise | T1120 | Peripheral Device Discovery | A module in Prikormka collects information on available printers and disk drives. |
| enterprise | T1113 | Screen Capture | Prikormka contains a module that captures screenshots of the victim's desktop. |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | A module in Prikormka collects information from the victim about installed anti-virus software. |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | Prikormka uses rundll32.exe to load its DLL. |
| enterprise | T1082 | System Information Discovery | A module in Prikormka collects information from the victim about the Windows OS version, computer name, battery info, and physical memory. |
| enterprise | T1016 | System Network Configuration Discovery | A module in Prikormka collects information from the victim about its IP addresses and MAC addresses. |
| enterprise | T1033 | System Owner/User Discovery | A module in Prikormka collects information from the victim about the current user name. |