Classe: Trojan-FakeAV
Une classe de programmes malveillants qui simulent l'activité d'un logiciel antivirus ou de parties de modules de sécurité du système d'exploitation. Ces programmes sont conçus pour extorquer de l'argent aux utilisateurs en échange de la détection et de la suppression des menaces, qui sont en fait inexistantes. De manière générale, ce logiciel malveillant affiche de nombreuses fenêtres pop-up répétées dans le but de rendre l'utilisateur soucieux de la sécurité de son système et de payer pour de faux logiciels AV. De plus, les programmes Trojan-FakeAV empêchent l'ordinateur de fonctionner correctement, mais n'inhibent pas complètement le système d'exploitation afin de faire croire à l'utilisateur que la menace est crédible.Plus d'informations
Plateforme: Win32
Win32 est une API sur les systèmes d'exploitation Windows NT (Windows XP, Windows 7, etc.) qui prend en charge l'exécution des applications 32 bits. L'une des plateformes de programmation les plus répandues au monde.Famille: Trojan-FakeAV.Win32.SpySheriff
No family descriptionExamples
A110A25D5B331EBE34D9777EAB40011BA4DC7EAF8651DB6D226CCF1F0F6B632C
C80C3554925FC149740D50FB819ECE85
953A8DAEC0023C8B9EEC665E1A9F3079
58D0B1670E77B7420CBFFEE3F8DDB56C
Tactics and Techniques: Mitre*
TA0007
Discovery
The adversary is trying to figure out your environment.
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
T1518.001
Software Discovery: Security Software Discovery
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are netsh,
Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the
Example commands that can be used to obtain security software information are netsh,
reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the
DescribeSecurityGroups action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud) * © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.