{"description": "Enterprise techniques used by Zebrocy, ATT&CK software S0251 (v3.0)", "name": "Zebrocy (S0251)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) uses HTTP for C2.(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.003", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) uses SMTP and POP3 for C2.(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) has used a method similar to RC4 as well as AES for encryption and hexadecimal for encoding data before exfiltration. (Citation: Securelist Sofacy Feb 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: CISA Zebrocy Oct 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1119", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) scans the system and automatically collects files with the following extensions: .doc, .docx, .xls, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .jpeg, .bmp, .tiff, .kum, .tlg, .sbx, .cr, .hse, .hsf, and .lhz.(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) creates an entry in a Registry Run key for the malware to execute on startup.(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1037", "showSubtechniques": true}, {"techniqueID": "T1037.001", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) performs persistence with a logon script via adding to the Registry key HKCU\\Environment\\UserInitMprLogonScript.(Citation: ESET Zebrocy Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) uses cmd.exe to execute commands on the system.(Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) has the capability to upload dumper tools that extract credentials from web browsers and store them in database files.(Citation: ESET Zebrocy May 2019)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) has used URL/Percent Encoding on data exfiltrated via HTTP POST requests.(Citation: Accenture SNAKEMACKEREL Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) stores all collected information in a single file before exfiltration.(Citation: ESET Zebrocy Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) decodes its secondary payload and writes it to the victim\u2019s machine. [Zebrocy](https://attack.mitre.org/software/S0251) also uses AES and XOR to decrypt strings and payloads.(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) uses SSL and AES ECB for encrypting C2 communications.(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) has exfiltrated data to the designated C2 server using HTTP POST requests.(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: CISA Zebrocy Oct 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) searches for files that are 60mb and less and contain the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. [Zebrocy](https://attack.mitre.org/software/S0251) also runs the echo %APPDATA% command to list the contents of the directory.(Citation: Securelist Sofacy Feb 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019) [Zebrocy](https://attack.mitre.org/software/S0251) can obtain the current execution path as well as perform drive enumeration.(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: CISA Zebrocy Oct 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) has a command to delete files and directories.(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) obtains additional code to execute on the victim's machine, including the downloading of a secondary payload.(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.004", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) installs an application-defined Windows hook to get notified when a network drive has been attached, so it can then use the hook to call its RecordToFile file stealing method.(Citation: Securelist Sofacy Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1135", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) identifies network drives when they are added to victim systems.(Citation: Securelist Sofacy Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, 
{"techniqueID": "T1027.002", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251)'s Delphi variant was packed with UPX.(Citation: Unit42 Sofacy Dec 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1120", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) enumerates information about connected storage devices.(Citation: Unit42 Cannon Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) uses the tasklist and wmic process get Capture, ExecutablePath commands to gather the processes running on the system.(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) executes the reg query command to obtain information in the Registry.(Citation: ESET Zebrocy May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) has a command to create a scheduled task for persistence.(Citation: CISA Zebrocy Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "A variant of [Zebrocy](https://attack.mitre.org/software/S0251) captures screenshots of the victim\u2019s machine in JPEG and BMP format.(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: CISA Zebrocy Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": 
"[Zebrocy](https://attack.mitre.org/software/S0251) collects the OS version, computer name and serial number for the storage volume C:\\. [Zebrocy](https://attack.mitre.org/software/S0251) also runs the systeminfo command to gather system information. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: CISA Zebrocy Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) runs the ipconfig /all command.(Citation: ESET Zebrocy May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) uses netstat -aon to gather network connection information.(Citation: ESET Zebrocy May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) gets the username from the system.(Citation: ESET Zebrocy Nov 2018)(Citation: CISA Zebrocy Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[Zebrocy](https://attack.mitre.org/software/S0251) gathers the current time zone and date information from the system.(Citation: ESET Zebrocy Nov 2018)(Citation: CISA Zebrocy Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "One variant of [Zebrocy](https://attack.mitre.org/software/S0251) uses WMI queries to gather information.(Citation: Unit42 Sofacy Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Zebrocy", "color": "#66b1ff"}]}