Matryoshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. [1] [2]

ID: S0167
Platforms: Windows
Version: 2.0
Created: 16 January 2018
Last Modified: 23 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .004 Application Layer Protocol: DNS

Matryoshka uses DNS for C2.[1][2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Matryoshka can establish persistence by adding Registry Run keys.[1][2]

Enterprise T1059 Command and Scripting Interpreter

Matryoshka is capable of providing Meterpreter shell access.[1]

Enterprise T1555 Credentials from Password Stores

Matryoshka is capable of stealing Outlook passwords.[1][2]

Enterprise T1056 .001 Input Capture: Keylogging

Matryoshka is capable of keylogging.[1][2]

Enterprise T1027 Obfuscated Files or Information

Matryoshka obfuscates API function names using a substitute cipher combined with Base64 encoding.[2]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Matryoshka uses reflective DLL injection to inject the malicious library and execute the RAT.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Matryoshka can establish persistence by adding a Scheduled Task named "Microsoft Boost Kernel Optimization".[1][2]

Enterprise T1113 Screen Capture

Matryoshka is capable of performing screen captures.[1][2]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Matryoshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.[2]

Groups That Use This Software

ID Name References
G0052 CopyKittens