ID | X0009 |
Aliases | None |
Platforms | Windows |
Year | 2016 |
Associated ATT&CK Software | None |

A trojan that performs click-fraud.

Name | Use |
---|---|
Initial Access::Phishing::Spearphishing Attachment (T1566.001) | The malware is sent out to victims via an attachment [2] |
Execution::User Execution::Malicious File (T1204.002) | The malware relies on a victim to execute itself [2] |
Defense Evasion::System Binary Proxy Execution::Mshta (T1218.005) | The malware uses mshta.exe to run JavaScript [1] |

Name | Use |
---|---|
Impact::Generate Traffic from Victim (E1643) | Performs click-fraud. [1] |
Persistence::Registry Run Keys / Startup Folder (F0012) | The malware writes an autorun registry entry [2] |
Execution::Command and Scripting Interpreter (E1059) | The malware executes malicious JavaScript and PowerShell [1] |
Defense Evasion::Modify Registry (E1112) | The malware modifies the registry during execution [2] |
Defense Evasion::Obfuscated Files or Information (E1027) | The malware uses a key to decrypt text retrieved from a URL, producing more malicious code [1] |
Anti-Static Analysis::Software Packing (F0001) | The malware comes packed by a crypter/FUD [1] |

Name | Use |
---|---|
Defense Evasion::Alternative Installation Location::Registry Install (B0027.002) | Stores malware files in the Registry instead of the hard drive [2] |

SHA256 Hashes

- 15c237f6b74af2588b07912bf18e2734594251787871c9638104e4bf5de46589
- bffe7ccbcf69e7c787ff10d1dc7dbf6044bffcb13b95d851f4a735917b3a6fdf

[1] https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/

[2] https://labs.vipre.com/analysis-of-kovter-a-very-clever-piece-of-malware/#:~:text=Kovter%20copies%20the%20fileless%20persistence,written%20on%20to%20the%20filesystem.