Encryption Key
November 18, 2024
| Field | Value |
|---|---|
| ID | C0028 |
| Objective(s) | Cryptography |
| Related ATT&CK Techniques | None |
| Version | 2.1 |
| Created | 13 October 2020 |
| Last Modified | 5 December 2023 |

Malware may import, generate, or otherwise use an encryption key.

Methods
| Name | ID | Description |
|---|---|---|
| Import Public Key | C0028.001 | Malware imports a public key. |
| RC4 KSA | C0028.002 | Malware uses the RC4 Key Scheduling Algorithm (KSA). |

Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| BlackEnergy | 2007 | -- | BlackEnergy creates a new key via CryptAcquireContext. [1] |
| Kovter | 2016 | -- | Kovter creates a new key via CryptAcquireContext. [1] |
| Locky Bart | 2017 | -- | Locky Bart creates a new key via CryptAcquireContext. [1] |
| Rombertik | 2015 | C0028.002 | Rombertik encrypts data using RC4 KSA. [1] |

Detection
| Tool: capa | Mapping | APIs |
|---|---|---|
| import public key | Encryption Key::Import Public Key (C0028.001) | advapi32.CryptAcquireContext, crypt32.CryptImportPublicKeyInfo, crypt32.CryptStringToBinary, crypt32.CryptDecodeObjectEx |
| create new key via CryptAcquireContext | Encryption Key (C0028) | advapi32.CryptAcquireContext |
| encrypt data using RC4 KSA | Encryption Key::RC4 KSA (C0028.002) | -- |
| reference public RSA key | Encryption Key (C0028) | -- |

| Tool: CAPE | Class | Mapping | APIs |
|---|---|---|---|
| mass_data_encryption | MassDataEncryption | Encryption Key (C0028) | CryptEncrypt |
| generates_crypto_key | CryptGenKey | Encryption Key (C0028) | CryptGenKey, CryptExportKey |

References
[1] capa v4.0, analyzed at MITRE on 10/12/2022