| Technique | Description |
|---|---|
| Abuse Elevation Control Mechanism: Bypass User Account Control | Gelsemium can bypass UAC to elevate process privileges on a compromised host. |
| Access Token Manipulation | Gelsemium can use token manipulation to bypass UAC on Windows 7 systems. |
| Application Layer Protocol | Gelsemium can use HTTP/S in C2 communications. |
| | Gelsemium has the ability to use DNS in communication with C2. |
| Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Gelsemium can set persistence with a Registry run key. |
| | Gelsemium can drop itself in `C:\Windows\System32\spool\prtprocs\x64\winprint.dll` to be loaded automatically by the spoolsv Windows service. |
| Command and Scripting Interpreter: Windows Command Shell | Gelsemium can use a batch script to delete itself. |
| Create or Modify System Process | Gelsemium can drop itself in `C:\Windows\System32\spool\prtprocs\x64\winprint.dll` as an alternative Print Processor to be loaded automatically when the spoolsv Windows service starts. |
| Data from Local System | Gelsemium can collect data from a compromised host. |
| Deobfuscate/Decode Files or Information | Gelsemium can decompress and decrypt DLLs and shellcode. |
| | Gelsemium can use dynamic DNS domain names in C2. |
| | Gelsemium can use multiple domains and protocols in C2. |
| File and Directory Discovery | Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization/Sandbox Evasion. |
| | Gelsemium can delete its dropper component from the targeted system. |
| | Gelsemium has the ability to perform timestomping of files on targeted systems. |
| Ingress Tool Transfer | Gelsemium can download additional plug-ins to a compromised host. |
| Component Object Model | Gelsemium can use the `IARPUinstallerStringLauncher` COM interface as part of its UAC bypass process. |
| Invalid Code Signature | Gelsemium has used unverified signatures on malicious DLLs. |
| Match Legitimate Name or Location | Gelsemium has named malicious binaries `chrome_elf.dll` and has set its persistence in the Registry with the key value `Chrome Update` to appear legitimate. |
| | Gelsemium can modify the Registry to store its components. |
| | Gelsemium has the ability to use various Windows API functions to perform tasks. |
| Non-Application Layer Protocol | Gelsemium has the ability to use TCP and UDP in C2 communications. |
| Obfuscated Files or Information | Gelsemium has the ability to compress its components. |
| | Gelsemium can use junk code to hide functions and evade detection. |
| | Gelsemium can store its components in the Registry. |
| | Gelsemium can enumerate running processes. |
| Dynamic-link Library Injection | Gelsemium has the ability to inject DLLs into specific processes. |
| | Gelsemium can open random files and Registry keys to obscure malware behavior from sandbox analysis. |
| Reflective Code Loading | Gelsemium can use custom shellcode to map embedded DLLs into memory. |
| Security Software Discovery | Gelsemium can check for the presence of specific security products. |
| System Information Discovery | Gelsemium can determine the operating system and whether a targeted machine has a 32- or 64-bit architecture. |
| System Owner/User Discovery | Gelsemium has the ability to distinguish between a standard user and an administrator on a compromised host. |
| | Gelsemium can use junk code to generate random activity to obscure malware behavior. |