ID | X0032 |
Type | Remote Access Trojan |
Aliases | None |
Platforms | Windows |
Year | 2018 |
Associated ATT&CK Software | GravityRAT |
GravityRAT evades detection by checking current CPU temperature.
Name | Use |
---|---|
Discovery::Account Discovery (T1087) | GravityRAT gets the session user name. [4] |

See ATT&CK: GravityRAT - Techniques Used.

Name | Use |
---|---|
Defense Evasion::Hijack Execution Flow::Abuse Windows Function Calls (F0015.006) | GravityRAT abuses Microsoft's Dynamic Data Exchange (DDE) protocol. [2] |
Discovery::File and Directory Discovery (E1083) | GravityRAT enumerates files on Windows. [4] |

Name | Use |
---|---|
Anti-Behavioral Analysis::Virtual Machine Detection (B0009) | The malware records thermal readings to check the system temperature and uses the reported heat level to decide whether it is running in a VM. [1] |
Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check - BIOS (B0009.024) | The malware issues a WMI query to identify the BIOS version. [1] |
Cryptography::Encrypt Data::AES (C0027.001) | GravityRAT v3 supports AES file encryption. [2] |
Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check (B0009.023) | The malware checks whether the manufacturer field of the Win32_ComputerSystem entry (in WMI) contains "Virtual", "Vmware", or "Virtualbox". [2] |
Anti-Behavioral Analysis::Virtual Machine Detection::Modern Specs Check - Processor count (B0009.018) | GravityRAT determines the machine to be a VM if the core count is 1. [2] |
Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check - MAC Address (B0009.028) | GravityRAT checks whether the MAC address begins with a well-known hexadecimal prefix used by various VM vendors. [2] |
Command And Control::C2 Communication::Receive Data (B0030.002) | GravityRAT receives data. [4] |
File System::Create Directory (C0046) | GravityRAT creates directories. [4] |
File System::Delete File (C0047) | GravityRAT deletes files. [4] |
File System::Read File (C0051) | GravityRAT reads files on Windows. [4] |
File System::Write File (C0052) | GravityRAT writes files on Windows. [4] |
Process::Suspend Thread (C0055) | GravityRAT suspends threads. [4] |
Process::Terminate Process (C0018) | GravityRAT terminates processes. [4] |
SHA256 Hashes
- c39270febb9097def21777c994d10738ba2a915c88f516fb1e896e5d7240cc0d
- 71264d9c67800d3bedc6facb6915e855f7531c12445af58f47167e81c735c892
- 99dd67915566c0951b78d323bb066eb5b130cc7ebd6355ec0338469876503f90
[1] https://www.hackread.com/gravityrat-malware-evades-detection-targets-india/
[2] https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html
[3] https://securelist.com/gravityrat-the-spy-returns/99097/
[4] capa v4.0, analyzed at MITRE on 10/12/2022