Nebulae
ID: S0630
ⓘ
Type: MALWARE
ⓘ
Platforms: Windows
Version: 1.0
Created: 30 June 2021
Last Modified: 15 October 2021
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Nebulae can achieve persistence through a Registry Run key.[1] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service | |
| Enterprise | T1005 | Data from Local System |
Nebulae has the capability to upload collected files to C2.[1] |
|
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Nebulae can use RC4 and XOR to encrypt C2 communications.[1] |
| Enterprise | T1083 | File and Directory Discovery |
Nebulae can list files and directories on a compromised host.[1] |
|
| Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading | |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion | |
| Enterprise | T1105 | Ingress Tool Transfer | ||
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
Nebulae has created a service named "Windows Update Agent1" to appear legitimate.[1] |
| .005 | Masquerading: Match Legitimate Name or Location |
Nebulae uses functions named |
||
| Enterprise | T1106 | Native API |
Nebulae has the ability to use |
|
| Enterprise | T1095 | Non-Application Layer Protocol | ||
| Enterprise | T1057 | Process Discovery | ||
| Enterprise | T1082 | System Information Discovery |
Nebulae can discover logical drive information including the drive type, free space, and volume information.[1] |
|