Denis

Denis is a Windows backdoor and Trojan.[1]

ID: S0354
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | Denis can launch a remote shell to execute arbitrary commands on the victim’s machine.[1][2] |
| Enterprise | T1043 | Commonly Used Port | Denis uses port 53 for C2 communications.[1] |
| Enterprise | T1002 | Data Compressed | Denis compressed collected data using zlib.[3] |
| Enterprise | T1132 | Data Encoding | Denis encodes the data sent to the server in Base64.[2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Denis will decrypt important strings used for C&C communication.[2] |
| Enterprise | T1073 | DLL Side-Loading | Denis exploits a security vulnerability to load a fake DLL and execute its code.[1] |
| Enterprise | T1083 | File and Directory Discovery | Denis has several commands to search directories for files.[1][2] |
| Enterprise | T1107 | File Deletion | Denis has a command to delete files from the victim’s machine.[1][2] |
| Enterprise | T1027 | Obfuscated Files or Information | Denis obfuscates its code and encrypts the API names. Denis also encodes its payload in Base64.[3][2] |
| Enterprise | T1055 | Process Injection | Denis injects its payload into Windows host processes.[2] |
| Enterprise | T1012 | Query Registry | Denis queries the Registry for keys and values.[2] |
| Enterprise | T1105 | Remote File Copy | Denis deploys additional backdoors and hacking tools to the system.[2] |
| Enterprise | T1064 | Scripting | Denis executes shellcode on the victim’s machine.[2] |
| Enterprise | T1071 | Standard Application Layer Protocol | Denis has used DNS tunneling for C2 communications.[1][3] |
| Enterprise | T1082 | System Information Discovery | Denis collects OS information and the computer name from the victim’s machine.[3][2] |
| Enterprise | T1016 | System Network Configuration Discovery | Denis uses ipconfig to gather the IP address from the system.[2] |
| Enterprise | T1033 | System Owner/User Discovery | Denis collects the username from the victim’s machine.[3] |

Groups

Groups that use this software:

APT32

References