Update Date
02/10/2024

Class: Trojan-Downloader

Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up. Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page). This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.

Read more

Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.

Family: Trojan-Downloader.Win32.Stantinko.gkkh

No family description

Examples

8CC6115F2563A280BCE7D2D573CC4F6B
0142238344EF3A15325C4BCC9DB44675
3A5CD7B448961899D5E63B9ECE362D48
7935C5C23C3947EFC8A8E1019601FD4F
1952E1F424ADBD6CCD6673FFE6F034FE

Tactics and Techniques: Mitre*

TA0002
Execution

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net.


PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as PsExec and sc.exe can accept remote servers as arguments and may be used to conduct remote execution.


Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation.


T1569.002
System Services: Service Execution

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net.


PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as PsExec and sc.exe can accept remote servers as arguments and may be used to conduct remote execution.


Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation.


* © 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Confirm changes?
Your message has been sent successfully.