Daserf
Associated Software Descriptions
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1036 | .005 | 伪装: Match Legitimate Name or Location |
Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.[3] |
| Enterprise | T1573 | .001 | 加密通道: Symmetric Cryptography | |
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell | |
| Enterprise | T1113 | 屏幕捕获 | ||
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols | |
| Enterprise | T1560 | 归档收集数据 |
Daserf hides collected data in password-protected .rar archives.[3] |
|
| .001 | Archive via Utility |
Daserf hides collected data in password-protected .rar archives.[3] |
||
| Enterprise | T1003 | .001 | 操作系统凭证转储: LSASS Memory |
Daserf leverages Mimikatz and Windows Credential Editor to steal credentials.[3] |
| Enterprise | T1001 | .002 | 数据混淆: Steganography |
Daserf can use steganography to hide malicious code downloaded to the victim.[1] |
| Enterprise | T1132 | .001 | 数据编码: Standard Encoding |
Daserf uses custom base64 encoding to obfuscate HTTP traffic.[2] |
| Enterprise | T1027 | 混淆文件或信息 |
Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.[1] |
|
| .002 | Software Packing | |||
| .005 | Indicator Removal from Tools |
Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection.[1] |
||
| Enterprise | T1105 | 输入工具传输 | ||
| Enterprise | T1056 | .001 | 输入捕获: Keylogging | |
| Enterprise | T1553 | .002 | 颠覆信任控制: Code Signing |
Some Daserf samples were signed with a stolen digital certificate.[3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0060 | BRONZE BUTLER |