| ID | X0034 |
|---|---|
| Type | Backdoor, Bot/Botnet, Dropper |
| Aliases | None |
| Platforms | Windows |
| Year | 2010 |
| Associated ATT&CK Software | CozyCar |
CozyCar is a modular malware platform; its backdoor component can be instructed to download and execute a variety of modules with different functionality.
See ATT&CK: CozyCar - Techniques Used.
| Name | Use |
|---|---|
| Command and Control::Ingress Tool Transfer (E1105) | CozyCar requests a file using SSL to a C2 domain. [1] |
| Defense Evasion::Self Deletion (F0007) | CozyCar has a DLL file that serves as a cleanup mechanism for its dropped binary. [1] |
| Command and Control::C2 Communication (B0030) | CozyCar communicates with a C2 server. [1] |
| Name | Use |
|---|---|
| Execution::Install Additional Program (B0023) | Upon execution, CozyCar drops a decoy file and a secondary dropper. [1] |
SHA256 Hashes
- c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f
- 08b410d359ec2d6cab73bd6c0be138d9bdc475e3f63fec65794a74e5d5958b3b
IP Addresses
- 103.254.16.168
- 103.226.132.7
- 122.228.193.115
[1] https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/