Skip to content

S0167 Matryoshka

Matryoshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. 1 2

Item Value
ID S0167
Associated Names
Version 2.0
Created 16 January 2018
Last Modified 23 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS Matryoshka uses DNS for C2.12
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Matryoshka can establish persistence by adding Registry Run keys.12
enterprise T1059 Command and Scripting Interpreter Matryoshka is capable of providing Meterpreter shell access.1
enterprise T1555 Credentials from Password Stores Matryoshka is capable of stealing Outlook passwords.12
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Matryoshka is capable of keylogging.12
enterprise T1027 Obfuscated Files or Information Matryoshka obfuscates API function names using a substitute cipher combined with Base64 encoding.2
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Matryoshka uses reflective DLL injection to inject the malicious library and execute the RAT.2
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Matryoshka can establish persistence by adding a Scheduled Task named “Microsoft Boost Kernel Optimization”.12
enterprise T1113 Screen Capture Matryoshka is capable of performing screen captures.12
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 Matryoshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.2

Groups That Use This Software

ID Name References
G0052 CopyKittens 1


Back to top