Software: Matroyshka

ID S0167
Aliases Matroyshka
Type Malware
Platform Windows

Matroyshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences.[1][2]

Alias Descriptions

  • Matroyshka [1]

Techniques Used

  • Scheduled Task - Matroyshka can establish persistence by adding a Scheduled Task named "Microsoft Boost Kernel Optimization".[1][2]
  • Process Injection - Matroyshka uses reflective DLL injection to inject the malicious library and execute the RAT.[2]
  • Rundll32 - Matroyshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.[2]
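An added host check, not part of this ATT&CK entry or the cited reports, that looks on a Windows host for the two persistence artifacts described above: the scheduled task under its reported name, and Run/RunOnce key values that invoke rundll32.exe. The registry paths are the standard autostart locations assumed here; rundll32 hits are triage leads rather than verdicts, since legitimate software also uses it.

```powershell
# Added hunt script (not from ATT&CK or the cited reports). Task name is the one
# reported for Matroyshka; the rundll32.exe Run-key check is generic and will also
# surface legitimate entries, so treat hits as leads to triage, not verdicts.

$taskName = 'Microsoft Boost Kernel Optimization'   # name reported in the Matroyshka analyses
$runKeys = @(                                        # assumed standard autostart locations
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# 1. Scheduled Task persistence: match on the reported task name and record what it runs
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) {
    foreach ($action in $task.Actions) {
        $findings += [pscustomobject]@{
            Source  = "ScheduledTask:$($task.TaskPath)$($task.TaskName)"
            Command = "$($action.Execute) $($action.Arguments)".Trim()
            Reason  = 'Task name matches Matroyshka persistence'
        }
    }
}

# 2. Registry Run key persistence via rundll32.exe: flag any value whose command invokes it
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # skip the provider metadata properties PowerShell adds to every registry object
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        if ("$($p.Value)" -match '(?i)\brundll32(\.exe)?\b') {
            $findings += [pscustomobject]@{
                Source  = "$key\$($p.Name)"
                Command = "$($p.Value)"
                Reason  = 'Run key value invokes rundll32.exe; verify the DLL path and signer'
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Matroyshka-style persistence artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it in an elevated session so the HKLM keys and all task paths are readable; for fleet-wide use, wrap it in Invoke-Command and collect the $findings objects centrally.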