Třída: Trojan-Dropper
Programy Trojan-Dropper jsou navrženy tak, aby tajně nainstalovaly škodlivé programy zabudované do svého kódu do počítačů poškozených.Tento typ škodlivého programu obvykle ukládá řadu souborů do jednotky oběti (obvykle do adresáře systému Windows, adresáře systému Windows, dočasného adresáře atd.) A spouští je bez jakéhokoli oznámení (nebo s falešným upozorněním na chybu archivu, zastaralá verze operačního systému atd.).
Takové programy používají hackeři k:
tajně nainstalujte programy trojských koní a / nebo viry
chránit známé škodlivé programy od antivirových řešení; ne všechny antivirové programy dokáží skenovat všechny součásti tohoto typu trojských koní.
Platfoma: Win32
Win32 je rozhraní API v operačních systémech Windows NT (Windows XP, Windows 7 atd.), Které podporují provádění 32bitových aplikací. Jedna z nejrozšířenějších programovacích platforem na světě.Family: Trojan-Dropper.Win32.Dapato
No family descriptionExamples
D5AAA797E8BE1093173E9A74EE70ECF1A33D0F96E1365F24BAEAE24A034722AE
B6F08AADE874399CDB84C3F646051FE6
4374E515A4D4E1EADA4B4C56EF16D49B
642930EBAA268FD4268DA4F86FD0F071
Tactics and Techniques: Mitre*
TA0007
Discovery
The adversary is trying to figure out your environment.
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
T1012
Query Registry
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
T1614.001
System Location Discovery: System Language Discovery
Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)
There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions.(Citation: CrowdStrike Ryuk January 2019)
For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key
On a macOS or Linux system, adversaries may query
There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions.(Citation: CrowdStrike Ryuk January 2019)
For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelganging May 2018)On a macOS or Linux system, adversaries may query
locale to retrieve the value of the $LANG environment variable. * © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.