LiteDuke
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1140 | 反混淆/解码文件或信息 |
LiteDuke has the ability to decrypt and decode multiple layers of obfuscation.[1] |
|
| Enterprise | T1547 | .001 | 启动或登录自动启动执行: Registry Run Keys / Startup Folder |
LiteDuke can create persistence by adding a shortcut in the |
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols | |
| Enterprise | T1012 | 查询注册表 |
LiteDuke can query the Registry to check for the presence of |
|
| Enterprise | T1027 | .002 | 混淆文件或信息: Software Packing |
LiteDuke has been packed with multiple layers of encryption.[1] |
| .003 | 混淆文件或信息: Steganography |
LiteDuke has used image files to hide its loader component.[1] |
||
| Enterprise | T1070 | .004 | 移除指标: File Deletion |
LiteDuke can securely delete files by first writing random data to the file.[1] |
| Enterprise | T1082 | 系统信息发现 |
LiteDuke can enumerate the CPUID and BIOS version on a compromised system.[1] |
|
| Enterprise | T1033 | 系统所有者/用户发现 |
LiteDuke can enumerate the account name on a targeted system.[1] |
|
| Enterprise | T1016 | 系统网络配置发现 |
LiteDuke has the ability to discover the proxy configuration of Firefox and/or Opera.[1] |
|
| Enterprise | T1497 | .003 | 虚拟化/沙盒规避: Time Based Evasion |
LiteDuke can wait 30 seconds before executing additional code if security software is detected.[1] |
| Enterprise | T1518 | .001 | 软件发现: Security Software Discovery |
LiteDuke has the ability to check for the presence of Kaspersky security software.[1] |
| Enterprise | T1105 | 输入工具传输 | ||