{"description": "Enterprise techniques used by Ursnif, ATT&CK software S0386 (v1.5)", "name": "Ursnif (S0386)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used HTTPS for C2.(Citation: TrendMicro Ursnif Mar 2015)(Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used Registry Run keys to establish automatic execution at system startup.(Citation: TrendMicro PE_URSNIF.A2)(Citation: TrendMicro BKDR_URSNIF.SM)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1185", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has injected HTML codes into banking sites to steal sensitive online banking information (ex: usernames and passwords).(Citation: TrendMicro BKDR_URSNIF.SM)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) droppers have used PowerShell in download cradles to download and execute the malware's full executable payload.(Citation: Bromium Ursnif Mar 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) droppers have used VBA macros to download and execute the malware's full executable payload.(Citation: Bromium Ursnif Mar 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": 
"[Ursnif](https://attack.mitre.org/software/S0386) has registered itself as a system service in the Registry for automatic execution at system startup.(Citation: TrendMicro PE_URSNIF.A2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used encoded data in HTTP URLs for C2.(Citation: ProofPoint Ursnif Aug 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1005", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has collected files from victim machines, including certificates and cookies.(Citation: TrendMicro BKDR_URSNIF.SM)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used tmp files to stage gathered information.(Citation: TrendMicro Ursnif Mar 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.(Citation: ProofPoint Ursnif Aug 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1568", "showSubtechniques": true}, {"techniqueID": "T1568.002", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used a DGA to generate domain names for C2.(Citation: ProofPoint Ursnif Aug 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used HTTP POSTs to exfil gathered information.(Citation: TrendMicro Ursnif Mar 2015)(Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": 
"T1564.003", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) droppers have used COM properties to execute malware in hidden windows.(Citation: Bromium Ursnif Mar 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has deleted data staged in tmp files after exfiltration.(Citation: TrendMicro Ursnif Mar 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has dropped payload and configuration files to disk. [Ursnif](https://attack.mitre.org/software/S0386) has also been used to download and execute additional payloads.(Citation: TrendMicro PE_URSNIF.A2)(Citation: TrendMicro BKDR_URSNIF.SM)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.004", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers.(Citation: TrendMicro Ursnif Mar 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559", "showSubtechniques": true}, {"techniqueID": "T1559.001", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) droppers have used COM objects to execute the malware's full executable payload.(Citation: Bromium Ursnif Mar 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.(Citation: TrendMicro Ursnif Mar 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", 
"comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used Registry modifications as part of its installation routine.(Citation: TrendMicro BKDR_URSNIF.SM)(Citation: ProofPoint Ursnif Aug 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used CreateProcessW to create child processes.(Citation: FireEye Ursnif Nov 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) droppers execute base64 encoded [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.(Citation: Bromium Ursnif Mar 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used an XOR-based algorithm to encrypt Tor clients dropped to disk.(Citation: ProofPoint Ursnif Aug 2016) [Ursnif](https://attack.mitre.org/software/S0386) droppers have also been delivered as password-protected zip files that execute base64 encoded [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.(Citation: Bromium Ursnif Mar 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has gathered information about running processes.(Citation: TrendMicro Ursnif Mar 2015)(Citation: TrendMicro BKDR_URSNIF.SM)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.005", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has injected code into target processes via thread local storage callbacks.(Citation: TrendMicro Ursnif Mar 2015)(Citation: TrendMicro PE_URSNIF.A2)(Citation: FireEye Ursnif Nov 2017)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used process hollowing to inject into child processes.(Citation: FireEye Ursnif Nov 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used a peer-to-peer (P2P) network for C2.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1090.003", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used [Tor](https://attack.mitre.org/software/S0183) for C2.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used [Reg](https://attack.mitre.org/software/S0075) to query the Registry for installed programs.(Citation: TrendMicro Ursnif Mar 2015)(Citation: TrendMicro BKDR_URSNIF.SM)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1091", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has copied itself to and infected removable drives for propagation.(Citation: TrendMicro Ursnif Mar 2015)(Citation: TrendMicro Ursnif File Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used hooked APIs to take screenshots.(Citation: TrendMicro Ursnif Mar 2015)(Citation: TrendMicro BKDR_URSNIF.SM)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used [Systeminfo](https://attack.mitre.org/software/S0096) to gather system information.(Citation: TrendMicro Ursnif Mar 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, 
{"techniqueID": "T1007", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has gathered information about running services.(Citation: TrendMicro Ursnif Mar 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1080", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has copied itself to and infected files in network drives for propagation.(Citation: TrendMicro Ursnif Mar 2015)(Citation: TrendMicro Ursnif File Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) has used a 30 minute delay after execution to evade sandbox monitoring tools.(Citation: TrendMicro Ursnif File Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[Ursnif](https://attack.mitre.org/software/S0386) droppers have used WMI classes to execute [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.(Citation: Bromium Ursnif Mar 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Ursnif", "color": "#66b1ff"}]}