encryption-key.md

ID	C0028
Objective(s)	Cryptography
Related ATT&CK Techniques	None
Version	2.0
Created	13 October 2020
Last Modified	13 September 2023

Encryption Key

Malware may import, generate, or otherwise use an encryption key.

Methods

Name	ID	Description
Import Public Key	C0028.001	Malware imports a public key.
RC4 KSA	C0028.002	Malware uses the RC4 Key Scheduling Algorithm (KSA).

Use in Malware

Name	Date	Method	Description
BlackEnergy	2007	--	BlackEnergy creates new key via CryptAcquireContext. [1]
Kovter	2016	--	Kovter creates a new key via CryptAcquireContext. [1]
Locky Bart	2017	--	Locky Bart creates a new key via CryptAcquireContext. [1]
Rombertik	2015	C0028.002	Rombertik encrypts data using RC4 KSA. [1]

Detection

Tool: capa	Mapping	APIs
import public key	Encryption Key::Import Public Key (C0028.001)	advapi32.CryptAcquireContext, crypt32.CryptImportPublicKeyInfo, crypt32.CryptStringToBinary, crypt32.CryptDecodeObjectEx
create new key via CryptAcquireContext	Encryption Key (C0028)	advapi32.CryptAcquireContext
encrypt data using RC4 KSA	Encryption Key::RC4 KSA (C0028.002)
reference public RSA key	Encryption Key (C0028)

References

[1] capa v4.0, analyzed at MITRE on 10/12/2022