{
  "description": "Enterprise techniques used by Prikormka, ATT&CK software S0113 (v1.4)",
  "name": "Prikormka (S0113)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1560", "comment": "After collecting documents from removable media, [Prikormka](https://attack.mitre.org/software/S0113) compresses the collected files and encrypts them with Blowfish.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Prikormka](https://attack.mitre.org/software/S0113) adds itself to a Registry Run key with the name guidVGA or guidVSA.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555", "comment": "A module in [Prikormka](https://attack.mitre.org/software/S0113) collects passwords stored in applications installed on the victim.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "A module in [Prikormka](https://attack.mitre.org/software/S0113) gathers logins and passwords stored in applications on the victim, including Google Chrome, Mozilla Firefox, and several other browsers.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[Prikormka](https://attack.mitre.org/software/S0113) encodes C2 traffic with Base64.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1025", "comment": "[Prikormka](https://attack.mitre.org/software/S0113) contains a module that collects documents with certain extensions from removable media or fixed drives connected via USB.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[Prikormka](https://attack.mitre.org/software/S0113) creates a directory, %USERPROFILE%\\AppData\\Local\\SKC\\, which is used to store collected log files.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[Prikormka](https://attack.mitre.org/software/S0113) encrypts some C2 traffic with the Blowfish cipher.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1083", "comment": "A module in [Prikormka](https://attack.mitre.org/software/S0113) collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the files.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1574", "showSubtechniques": true},
    {"techniqueID": "T1574.001", "comment": "[Prikormka](https://attack.mitre.org/software/S0113) uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory. Because explorer.exe, which loads this library, resides in the Windows directory, that copy is found before the legitimate ntshrui.dll saved in the System32 subdirectory.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "After encrypting its own log files, the log encryption module in [Prikormka](https://attack.mitre.org/software/S0113) deletes the original, unencrypted files from the host.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "[Prikormka](https://attack.mitre.org/software/S0113) contains a keylogger module that collects keystrokes and the titles of foreground windows.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "Some resources in [Prikormka](https://attack.mitre.org/software/S0113) are encrypted with a simple XOR operation or encoded with Base64.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1120", "comment": "A module in [Prikormka](https://attack.mitre.org/software/S0113) collects information on available printers and disk drives.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1113", "comment": "[Prikormka](https://attack.mitre.org/software/S0113) contains a module that captures screenshots of the victim's desktop.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "A module in [Prikormka](https://attack.mitre.org/software/S0113) collects information from the victim about installed anti-virus software.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "[Prikormka](https://attack.mitre.org/software/S0113) uses rundll32.exe to load its DLL.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "A module in [Prikormka](https://attack.mitre.org/software/S0113) collects information from the victim about Windows OS version, computer name, battery info, and physical memory.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "A module in [Prikormka](https://attack.mitre.org/software/S0113) collects information from the victim about its IP addresses and MAC addresses.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "A module in [Prikormka](https://attack.mitre.org/software/S0113) collects information from the victim about the current user name.(Citation: ESET Operation Groundbait)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Prikormka", "color": "#66b1ff"}]
}
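The T1574.001 entry above says a copy of ntshrui.dll dropped in the Windows directory is loaded instead of the one in System32. The reason is the loader's search order: the application directory is probed first, and explorer.exe, the process that loads ntshrui.dll, lives in %WINDIR%. The Python below is an added example written for this page, not Prikormka's code and not part of the ATT&CK layer or the ESET report. It models the documented search order (SafeDllSearchMode on and off, KnownDLLs bypassing the search) over a constructed file inventory, shows that the planted copy only wins for processes whose image sits in %WINDIR%, and adds a hunt check that lists DLLs shadowing a System32 copy from the Windows root. SAMPLE_FS, the function names and the path C:\Program Files\App\app.exe are assumptions made for the demonstration.

```python
"""Added example: model the Windows DLL search order to show why a planted
C:\\Windows\\ntshrui.dll wins over C:\\Windows\\System32\\ntshrui.dll for
explorer.exe, and list such shadowed DLLs from a host file inventory.

Not Prikormka's code and not part of the ATT&CK layer; the file list below
is constructed for the demonstration.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

WINDIR = r"C:\Windows"


def search_order(process_image: str, cwd: str, path_dirs: Iterable[str],
                 safe_search: bool = True) -> List[str]:
    """Directories probed, in order, for a DLL that is not a KnownDLL.

    With SafeDllSearchMode on (the Windows default) the current directory is
    searched after the Windows directory; with it off, right after the
    application directory. Either way the application directory comes first,
    which is what makes %WINDIR% win for a process such as explorer.exe.
    """
    app_dir = ntpath.dirname(process_image)
    order = [app_dir]
    if not safe_search:
        order.append(cwd)
    order += [ntpath.join(WINDIR, "System32"), ntpath.join(WINDIR, "System"), WINDIR]
    if safe_search:
        order.append(cwd)
    order += list(path_dirs)
    return order


@dataclass
class Resolution:
    dll: str
    resolved: Optional[str]   # path the loader would map, None if absent
    expected: str             # where the legitimate copy lives
    hijacked: bool            # resolved to something other than expected
    reason: str


def resolve_dll(dll: str, process_image: str, filesystem: Set[str],
                cwd: str = r"C:\Users\victim", path_dirs: Iterable[str] = (),
                known_dlls: Iterable[str] = (), safe_search: bool = True) -> Resolution:
    """Walk the search order against a set of existing file paths."""
    expected = ntpath.join(WINDIR, "System32", dll)
    fs = {p.lower() for p in filesystem}
    if dll.lower() in {k.lower() for k in known_dlls}:
        # KnownDLLs are mapped from the \KnownDlls object directory; the
        # on-disk search order is never consulted, so they cannot be shadowed.
        return Resolution(dll, expected, expected, False, "KnownDLL, search order bypassed")
    for directory in search_order(process_image, cwd, path_dirs, safe_search):
        candidate = ntpath.join(directory, dll)
        if candidate.lower() in fs:
            return Resolution(dll, candidate, expected,
                              candidate.lower() != expected.lower(),
                              "first hit in search order at " + directory)
    return Resolution(dll, None, expected, False, "not found")


def windir_shadows(filesystem: Iterable[str]) -> List[str]:
    """Hunt check: DLLs sitting in the %WINDIR% root that also exist in System32.

    Each hit is a candidate hijack of any process whose image lives in
    %WINDIR% (explorer.exe being the usual target); verify publisher
    signatures on both copies before acting on it.
    """
    fs = {p.lower() for p in filesystem}
    hits = []
    for p in fs:
        if ntpath.dirname(p) == WINDIR.lower() and p.endswith(".dll"):
            name = ntpath.basename(p)
            if ntpath.join(WINDIR, "System32", name).lower() in fs:
                hits.append(name)
    return sorted(hits)


# Constructed host inventory: the legitimate library, the planted copy, and
# two processes that might ask for it (app.exe and its path are made up).
SAMPLE_FS = {
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\ntshrui.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\ntshrui.dll",          # planted copy
    r"C:\Program Files\App\app.exe",
}

if __name__ == "__main__":
    for image in (r"C:\Windows\explorer.exe", r"C:\Program Files\App\app.exe"):
        r = resolve_dll("ntshrui.dll", image, SAMPLE_FS)
        print(f"{image}: {r.resolved} (hijacked={r.hijacked}; {r.reason})")
    print("shadowed DLLs in %WINDIR%:", windir_shadows(SAMPLE_FS))
```

On a live host the same check is a directory listing of %WINDIR%\*.dll compared against %WINDIR%\System32; the model above is deliberately free of registry and file-system access so it runs anywhere. It does not cover DLL redirection, manifests or SetDllDirectory, which can change the order for a given process.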