| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | KOPILUWAK has used HTTP POST requests to send data to C2.[1] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | KOPILUWAK has used JavaScript to perform its core functions.[1] |
| Enterprise | T1005 | Data from Local System | KOPILUWAK can gather information from compromised hosts.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | KOPILUWAK has piped the results from executed C2 commands to %TEMP%\result2.dat on the local machine.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | KOPILUWAK has exfiltrated collected data to its C2 via POST requests.[1] |
| Enterprise | T1680 | Local Storage Discovery | KOPILUWAK can discover logical drive information on compromised hosts.[1] |
| Enterprise | T1135 | Network Share Discovery | KOPILUWAK can use netstat and Net to discover network shares.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | KOPILUWAK has been delivered to victims as a malicious email attachment.[1] |
| Enterprise | T1057 | Process Discovery | KOPILUWAK can enumerate currently running processes on the targeted machine.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | KOPILUWAK can use Arp to discover a target's network configuration settings.[1] |
| Enterprise | T1049 | System Network Connections Discovery | KOPILUWAK can use netstat, Arp, and Net to discover current TCP connections.[1] |
| Enterprise | T1033 | System Owner/User Discovery | KOPILUWAK can conduct basic network reconnaissance on the victim machine with whoami to get user details.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | KOPILUWAK has gained execution through malicious attachments.[1] |