Kraken
December 21, 2023
| Field | Value |
|---|---|
| ID | X0010 |
| Type | Bot/Botnet |
| Aliases | Bobax |
| Platforms | Windows |
| Year | 2008 |
| Associated ATT&CK Software | None |
A family of bots.
ATT&CK Techniques
| Name | Use |
|---|---|
| Command and Control::Dynamic Resolution::Domain Generation Algorithms (T1568.002) | Kraken uses a domain name generator to provide new domains. [1] |
| Command and Control::Application Layer Protocol::Web Protocols (T1071.001) | The malware uses HTTP to communicate with C2. [1] |
| Execution::Shared Modules (T1129) | Kraken accesses PEB ldr_data. [2] |
Enhanced ATT&CK Techniques
| Name | Use |
|---|---|
| Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | Kraken encodes data using XOR. [2] |
MBC Behaviors
| Name | Use |
|---|---|
| Command and Control::Domain Name Generation (B0031) | Kraken uses a domain name generator to provide new domains. [1] |
| Anti-Behavioral Analysis::Memory Dump Evasion (B0006) | Dumping Kraken's c.dll module from the heap of its own process is tricky because its PE header is erased in memory. [1] |
| Cryptography::Encrypt Data::RC4 (C0027.009) | Kraken encrypts data using RC4 PRGA. [2] |
| Data::Encode Data::XOR (C0026.002) | Kraken encodes data using XOR. [2] |
Indicators of Compromise
SHA256 Hashes
- 466892a38785c1a499140d208a101f908e7c9589f126b87e9e20d8c916555306
References
[1] http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html
[2] capa v4.0, analyzed at MITRE on 10/12/2022