Update Date
02/09/2024

Class: Trojan

A malicious program designed to electronically spy on the user’s activities (intercept keyboard input, take screenshots, capture a list of active applications, etc.). The collected information is sent to the cybercriminal by various means, including email, FTP, and HTTP (by sending data in a request).

Read more

Platform: MSIL

The Common Intermediate Language (formerly known as Microsoft Intermediate Language, or MSIL) is an intermediate language developed by Microsoft for the .NET Framework. CIL code is generated by all Microsoft .NET compilers in Microsoft Visual Studio (Visual Basic .NET, Visual C++, Visual C#, and others).

Family: Virus.Win32.Donut

No family description

Examples

18A4D609B2046ED0CD5977209F870EA6
4046CFED2A9A13CF791611043663E82E
A1F19B8A16DC7C6E2716DFA4375722E1
B89844DFDD9DA90594454CA8DA7712E3
5CA0C169FA8A07F896949656F0AF3FFF

Tactics and Techniques: Mitre*

TA0007
Discovery

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.


The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.


T1012
Query Registry

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.


The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.


T1120
Peripheral Device Discovery

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.


T1614.001
System Location Discovery: System Language Discovery

Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)


There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions.(Citation: CrowdStrike Ryuk January 2019)


For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlNlsLanguage or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelganging May 2018)


On a macOS or Linux system, adversaries may query locale to retrieve the value of the $LANG environment variable.


* © 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Confirm changes?
Your message has been sent successfully.