Kwampirs is a backdoor Trojan used by Orangeworm. It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. [1]

ID: S0236
Contributors: Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre

Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
--- | --- | --- | ---
Enterprise | T1087 | Account Discovery | Kwampirs collects a list of accounts with the command net users.[1]
Enterprise | T1009 | Binary Padding | Before writing to disk, Kwampirs inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Kwampirs decrypts and extracts a copy of its main DLL payload when executing.[1]
Enterprise | T1008 | Fallback Channels | Kwampirs uses a large list of C2 servers that it cycles through until a successful connection is established.[1]
Enterprise | T1083 | File and Directory Discovery | Kwampirs collects a list of files and directories in C:\ with the command dir /s /a c:\ >> "C:\windows\TEMP\[RANDOM].tmp".[1]
Enterprise | T1036 | Masquerading | Kwampirs establishes persistence by adding a new service with the display name "WMI Performance Adapter Extension" in an attempt to masquerade as a legitimate WMI service.[1]
Enterprise | T1135 | Network Share Discovery | Kwampirs collects a list of network shares with the command net share.[1]
Enterprise | T1050 | New Service | Kwampirs creates a new service named WmiApSrvEx to establish persistence.[1]
Enterprise | T1027 | Obfuscated Files or Information | Kwampirs downloads additional files that are base64-encoded and encrypted with another cipher.[2]
Enterprise | T1201 | Password Policy Discovery | Kwampirs collects password policy information with the command net accounts.[1]
Enterprise | T1069 | Permission Groups Discovery | Kwampirs collects lists of local accounts with administrative access, local group user accounts, and domain local groups with the commands net localgroup administrators, net localgroup users, and net localgroup /domain.[1]
Enterprise | T1057 | Process Discovery | Kwampirs collects a list of running services with the command tasklist /v.[1]
Enterprise | T1105 | Remote File Copy | Kwampirs downloads additional files from C2 servers.[2]
Enterprise | T1018 | Remote System Discovery | Kwampirs collects a list of available servers with the command net view.[1]
Enterprise | T1085 | Rundll32 | Kwampirs uses rundll32.exe in a Registry value added to establish persistence.[1]
Enterprise | T1082 | System Information Discovery | Kwampirs collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands systeminfo, net config workstation, hostname, ver, set, and date /t.[1]
Enterprise | T1016 | System Network Configuration Discovery | Kwampirs collects network adapter and interface information by using the commands ipconfig /all, arp -a and route print. It also collects the system's MAC address with getmac and domain configuration with net config workstation.[1]
Enterprise | T1049 | System Network Connections Discovery | Kwampirs collects a list of active and listening connections by using the command netstat -nao as well as a list of available network mappings with net use.[1]
Enterprise | T1033 | System Owner/User Discovery | Kwampirs collects registered owner details by using the commands systeminfo and net config workstation.[1]
Enterprise | T1007 | System Service Discovery | Kwampirs collects a list of running services with the command tasklist /svc.[1]
Enterprise | T1077 | Windows Admin Shares | Kwampirs copies itself over network shares to move laterally on a victim network.[1]
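The discovery commands and persistence names in the table above translate directly into host-based detection content. The following Python script is an added example, not part of the ATT&CK entry or the cited Symantec reporting: it scores constructed process-creation records (format "timestamp|host|command line", an assumption for this example) for a burst of distinct discovery techniques from one host, and flags service installs that use the documented service name WmiApSrvEx or display name "WMI Performance Adapter Extension". The host names, timestamps and the 10-minute / 5-technique threshold are constructed values.

```python
"""Added detection example for the Kwampirs discovery burst and service names.
Telemetry format, hosts, timestamps and thresholds are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands listed in the ATT&CK entry, mapped to the technique ID(s)
# the entry assigns them. Patterns are anchored against a normalised command line.
DISCOVERY_SIGNATURES = [
    (r"^net\s+users?\b", {"T1087"}),
    (r"^dir\s+/s\s+/a\s+c:\\", {"T1083"}),
    (r"^net\s+share\b", {"T1135"}),
    (r"^net\s+accounts\b", {"T1201"}),
    (r"^net\s+localgroup\b", {"T1069"}),
    (r"^tasklist\s+/v\b", {"T1057"}),
    (r"^tasklist\s+/svc\b", {"T1007"}),
    (r"^net\s+view\b", {"T1018"}),
    (r"^systeminfo\b", {"T1082", "T1033"}),
    (r"^net\s+config\s+workstation\b", {"T1082", "T1016", "T1033"}),
    (r"^(hostname|ver|set|date\s+/t)\s*$", {"T1082"}),
    (r"^(ipconfig\s+/all|arp\s+-a|route\s+print|getmac)\b", {"T1016"}),
    (r"^(netstat\s+-nao|net\s+use)\b", {"T1049"}),
]
COMPILED = [(re.compile(p, re.IGNORECASE), ids) for p, ids in DISCOVERY_SIGNATURES]

# Persistence names from the entry. The legitimate Windows service they imitate
# is wmiApSrv ("WMI Performance Adapter"); the trailing "Ex"/"Extension" is the tell.
SUSPECT_SERVICE_NAME = "wmiapsrvex"
SUSPECT_DISPLAY_NAME = "wmi performance adapter extension"

# Matches an optional leading cmd.exe wrapper such as: cmd.exe /c  or  "C:\...\cmd.exe" /c
CMD_WRAPPER = re.compile(r'^"?(?:\S*\\)?cmd(?:\.exe)?"?\s+/c\s+', re.IGNORECASE)


def normalise(cmdline):
    """Drop a leading 'cmd /c' wrapper and surrounding quotes so patterns can anchor at ^."""
    s = cmdline.strip().strip('"')
    s = CMD_WRAPPER.sub("", s)
    return s.strip().strip('"')


def classify(cmdline):
    """Return the set of technique IDs a single command line matches (empty if none)."""
    s = normalise(cmdline)
    hits = set()
    for rx, ids in COMPILED:
        if rx.search(s):
            hits |= ids
    return hits


def parse_records(text):
    """Parse constructed 'ISO-timestamp|host|command line' lines into tuples."""
    out = []
    for line in text.strip().splitlines():
        ts, host, cmd = line.split("|", 2)
        out.append((datetime.fromisoformat(ts), host, cmd))
    return out


def recon_bursts(records, window=timedelta(minutes=10), min_techniques=5):
    """Hosts that exhibit >= min_techniques distinct discovery techniques within one window.
    Sliding window over each host's matched events; returns {host: sorted technique IDs}."""
    by_host = defaultdict(list)
    for ts, host, cmd in records:
        ids = classify(cmd)
        if ids:
            by_host[host].append((ts, ids))
    alerts = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, ids in events[i:]:
                if ts - start > window:
                    break
                seen |= ids
            if len(seen) >= min_techniques:
                alerts[host] = sorted(seen)
                break
    return alerts


def suspicious_services(service_events):
    """Hosts where a service install used the Kwampirs service or display name."""
    return [e["host"] for e in service_events
            if e["name"].lower() == SUSPECT_SERVICE_NAME
            or e["display"].lower() == SUSPECT_DISPLAY_NAME]


# Constructed sample telemetry: one workstation runs the whole recon script in
# seconds; an admin host runs two routine commands an hour apart (benign).
SAMPLE_PROCESS_LOG = """\
2024-01-15T09:00:01|RADIOLOGY-WS07|cmd.exe /c net users
2024-01-15T09:00:02|RADIOLOGY-WS07|cmd.exe /c dir /s /a c:\\ >> "C:\\windows\\TEMP\\a1b2.tmp"
2024-01-15T09:00:03|RADIOLOGY-WS07|cmd.exe /c net share
2024-01-15T09:00:04|RADIOLOGY-WS07|cmd.exe /c net accounts
2024-01-15T09:00:05|RADIOLOGY-WS07|cmd.exe /c net localgroup administrators
2024-01-15T09:00:06|RADIOLOGY-WS07|cmd.exe /c tasklist /v
2024-01-15T09:00:07|RADIOLOGY-WS07|cmd.exe /c ipconfig /all
2024-01-15T09:00:08|RADIOLOGY-WS07|cmd.exe /c netstat -nao
2024-01-15T09:30:00|ADMIN-PC|"C:\\Windows\\System32\\cmd.exe" /c ipconfig /all
2024-01-15T10:30:00|ADMIN-PC|cmd.exe /c net view
"""

SAMPLE_SERVICE_EVENTS = [  # constructed service-install events
    {"host": "RADIOLOGY-WS07", "name": "WmiApSrvEx", "display": "WMI Performance Adapter Extension"},
    {"host": "ADMIN-PC", "name": "wmiApSrv", "display": "WMI Performance Adapter"},
]

if __name__ == "__main__":
    print(recon_bursts(parse_records(SAMPLE_PROCESS_LOG)))
    print(suspicious_services(SAMPLE_SERVICE_EVENTS))
```

The burst rule counts distinct techniques rather than raw command count, so a single repeated `ipconfig /all` never trips it, while the scripted sequence Kwampirs runs does even with a generous window. The service check is an exact-name match because the entry gives exact names; in production it would sit beside a rule for the rundll32.exe Registry persistence, which the entry mentions without naming the value.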


Groups that use this software: