| Domain | ID | | Name | Use |
|---|---|---|---|---|
| Enterprise | T1005 | | Data from Local System | |
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service | TinyTurla has mimicked an existing Windows service by being installed as |
| | | .005 | Masquerading: Match Legitimate Name or Location | TinyTurla has been deployed as |
| Enterprise | T1112 | | Modify Registry | TinyTurla can set its configuration parameters in the Registry.[1] |
| Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography | TinyTurla has the ability to encrypt C2 traffic with SSL/TLS.[1] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1008 | | Fallback Channels | TinyTurla can go through a list of C2 server IPs and will try to register with each until one responds.[1] |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1106 | | Native API | TinyTurla has used |
| Enterprise | T1012 | | Query Registry | TinyTurla can query the Registry for its configuration information.[1] |
| Enterprise | T1027 | .011 | Obfuscated Files or Information: Fileless Storage | TinyTurla can save its configuration parameters in the Registry.[1] |
| Enterprise | T1569 | .002 | System Services: Service Execution | TinyTurla can install itself as a service on compromised machines.[1] |
| Enterprise | T1105 | | Ingress Tool Transfer | TinyTurla has the ability to act as a second-stage dropper used to infect the system with additional malware.[1] |
| Enterprise | T1029 | | Scheduled Transfer | TinyTurla contacts its C2 based on a scheduled timing set in its configuration.[1] |