Skip to content

S0113 Prikormka

Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. 1

Item Value
ID S0113
Associated Names
Version 1.3
Created 31 May 2017
Last Modified 19 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1560 Archive Collected Data After collecting documents from removable media, Prikormka compresses the collected files, and encrypts it with Blowfish.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA.1
enterprise T1555 Credentials from Password Stores A module in Prikormka collects passwords stored in applications installed on the victim.1
enterprise T1555.003 Credentials from Web Browsers A module in Prikormka gathers logins and passwords stored in applications on the victims, including Google Chrome, Mozilla Firefox, and several other browsers.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Prikormka encodes C2 traffic with Base64.1
enterprise T1025 Data from Removable Media Prikormka contains a module that collects documents with certain extensions from removable media or fixed drives connected via USB.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Prikormka creates a directory, %USERPROFILE%\AppData\Local\SKC\, which is used to store collected log files.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Prikormka encrypts some C2 traffic with the Blowfish cipher.1
enterprise T1083 File and Directory Discovery A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking Prikormka uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory so it will load before the legitimate ntshrui.dll saved in the System32 subdirectory.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion After encrypting its own log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.1
enterprise T1027 Obfuscated Files or Information Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64.1
enterprise T1120 Peripheral Device Discovery A module in Prikormka collects information on available printers and disk drives.1
enterprise T1113 Screen Capture Prikormka contains a module that captures screenshots of the victim’s desktop.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery A module in Prikormka collects information from the victim about installed anti-virus software.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 Prikormka uses rundll32.exe to load its DLL.1
enterprise T1082 System Information Discovery A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory.1
enterprise T1016 System Network Configuration Discovery A module in Prikormka collects information from the victim about its IP addresses and MAC addresses.1
enterprise T1033 System Owner/User Discovery A module in Prikormka collects information from the victim about the current user name.1


Back to top