Register to stream ATT&CKcon 2.0 October 29-30


NOKKI is a modular remote access tool. The earliest observed attack using NOKKI was in January 2018. NOKKI has significant code overlap with the KONNI malware family. There is some evidence potentially linking NOKKI to APT37.[1][2]

ID: S0353
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1074 Data Staged NOKKI can collect data from the victim and stage it in LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp. [1]
Enterprise T1140 Deobfuscate/Decode Files or Information NOKKI uses a unique, custom de-obfuscation technique. [1]
Enterprise T1107 File Deletion NOKKI can delete files to cover tracks. [1]
Enterprise T1179 Hooking NOKKI uses the Windows call SetWindowsHookEx and begins injecting it into every GUI process running on the victim's machine. [1]
Enterprise T1036 Masquerading NOKKI is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior being executed in a new process in an apparent attempt to masquerade as a legitimate folder and file. [1]
Enterprise T1027 Obfuscated Files or Information NOKKI uses Base64 encoding for strings. [1]
Enterprise T1060 Registry Run Keys / Startup Folder NOKKI has established persistence by writing the payload to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. [1]
Enterprise T1105 Remote File Copy NOKKI has downloaded a remote module for execution. [1]
Enterprise T1085 Rundll32 NOKKI has used rundll32 for execution. [1]
Enterprise T1071 Standard Application Layer Protocol NOKKI has used FTP and HTTP for C2 communications. [1]
Enterprise T1082 System Information Discovery NOKKI can gather information on drives and the operating system on the victim’s machine. [1]
Enterprise T1016 System Network Configuration Discovery NOKKI can gather information on the victim IP address. [1]
Enterprise T1033 System Owner/User Discovery NOKKI can collect the username from the victim’s machine. [1]
Enterprise T1124 System Time Discovery NOKKI can collect the current timestamp of the victim's machine. [1]