ID | F0012 |
Objective(s) | Persistence |
Related ATT&CK Techniques | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) |
Version | 2.0 |
Created | 2 August 2022 |
Last Modified | 21 November 2022 |
Malware may add an entry to the Windows Registry run keys or startup folder to enable persistence. [1]
See ATT&CK: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001).
Name | Date | Method | Description |
---|---|---|---|
TrickBot | 2016 | -- | Trojan spyware program that has mainly been used for targeting banking sites. |
Poison-Ivy | 2005 | -- | After the Poison-Ivy server is running on the target machine, the attacker can use a Windows GUI client to control the target computer. [2] |
Hupigon | 2013 | -- | Hupigon drops the file "Systen.dll" and adds the registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS DllName = "%System%\Systen.dll". [3] |
Terminator | May 2013 | -- | The Terminator RAT sets a directory named "2019" as the Windows startup folder by modifying a registry value. [4] |
CryptoLocker | 2013 | -- | The malware creates an "autorun" registry key. [5] |
GoBotKR | 2019 | -- | GoBotKR installs itself under registry run keys to establish persistence. [6] |
Kovter | 2016 | -- | The malware writes an autorun registry entry. [7] |
Rombertik | 2015 | -- | The malware will proceed to install itself in order to ensure persistence across system reboots before continuing on to execute the payload. To install itself, Rombertik first creates a VBS script named “fgf.vbs”, which is used to kick off Rombertik every time the user logs in, and places the script into the user’s Startup folder. [8] |
Ursnif | 2016 | -- | Adds registry entries to ensure automatic execution at every system startup. [9] |
BlackEnergy | 2007 | -- | The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder. [10] |
Conficker | 2008 | -- | To start itself at system boot, the worm saves a copy of its DLL form under a random filename in the Windows system folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service. [11] |
DarkComet | 2008 | -- | Adds several registry entries to enable automatic execution at startup. [12] |
Emotet | 2018 | -- | To start itself at system boot, Emotet adds the downloaded payload to the registry to maintain persistence. [13] |
Bagle | 2004 | -- | Adds registry keys to enable its automatic execution at every system startup. [14] |
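The entries above cover three variants of the same behavior: a value written under a Run/RunOnce key, a file dropped into (or the registry redirected to) the Startup folder, and a Winlogon Notify/Shell/Userinit value. The script below is an added detection example, not code from MBC or from any of the referenced reports. It assumes a simplified pipe-delimited rendering of Sysmon events (`event_id|utc_time|image|target|details`, with event 13 for registry value set and event 11 for file creation); the log records in `SAMPLE_EVENTS` are constructed for this example and the paths and names in them are illustrative.

```python
"""Flag autostart persistence writes in Sysmon-style event records.

Added example (not MBC code). Record format is an assumption:
    event_id|utc_time|image|target|details
event 13 (RegistryEvent, value set): target = registry path incl. value
                                     name, details = data written
event 11 (FileCreate):               target = created file path
"""
import re
from dataclasses import dataclass

# Autostart locations seen in the table above: Run/RunOnce keys, the Startup
# folder (direct drop, or redirected through the Shell Folders keys), and the
# Winlogon Notify / Shell / Userinit values.
REGISTRY_RULES = [
    (re.compile(r"\\CurrentVersion\\Run(?:Once|OnceEx|Services|ServicesOnce)?\\[^\\]+$", re.I),
     "Run key value"),
    (re.compile(r"\\Explorer\\(?:User )?Shell Folders\\(?:Common )?Startup$", re.I),
     "Startup folder redirected"),
    (re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\", re.I),
     "Winlogon Notify package"),
    (re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(?:Shell|Userinit)$", re.I),
     "Winlogon Shell/Userinit"),
]
# Per-user and all-users Startup folders share this path suffix.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)

# Constructed sample log; hostnames, SIDs, file names and paths are made up.
SAMPLE_EVENTS = r"""
13|2022-11-21T10:01:02Z|C:\Users\alice\AppData\Roaming\fgf.exe|HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\Updater|C:\Users\alice\AppData\Roaming\fgf.exe
11|2022-11-21T10:01:03Z|C:\Users\alice\AppData\Roaming\fgf.exe|C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fgf.vbs|
13|2022-11-21T10:02:10Z|C:\Windows\Temp\drop.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS\DllName|C:\Windows\System32\Systen.dll
13|2022-11-21T10:03:00Z|C:\Windows\Temp\drop.exe|HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup|C:\2019
13|2022-11-21T10:04:00Z|C:\Program Files\Vendor\app.exe|HKLM\SOFTWARE\Vendor\App\LastRun|20221121
11|2022-11-21T10:05:00Z|C:\Windows\explorer.exe|C:\Users\alice\Documents\notes.txt|
"""


@dataclass
class Finding:
    reason: str
    image: str    # process that performed the write
    target: str   # registry path or file path
    details: str  # value data (empty for file creation)


def parse_events(text):
    """Parse the pipe-delimited records; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        event_id, when, image, target, details = parts
        events.append({"id": int(event_id), "time": when, "image": image,
                       "target": target, "details": details})
    return events


def classify(event):
    """Return why an event looks like autostart persistence, or None."""
    if event["id"] == 13:
        for rule, reason in REGISTRY_RULES:
            if rule.search(event["target"]):
                return reason
    elif event["id"] == 11 and STARTUP_DIR.search(event["target"]):
        return "File dropped in Startup folder"
    return None


def find_persistence(events):
    """Collect every event that hits one of the autostart rules, in log order."""
    findings = []
    for e in events:
        reason = classify(e)
        if reason:
            findings.append(Finding(reason, e["image"], e["target"], e["details"]))
    return findings


if __name__ == "__main__":
    for f in find_persistence(parse_events(SAMPLE_EVENTS)):
        print(f"{f.reason:30} {f.image} -> {f.target} = {f.details}")
```

Only the four autostart writes are reported; the vendor `LastRun` value and the file in `Documents` are ignored. The rules match on the `TargetObject` path suffix, so they work for both HKLM and per-user hives (where Sysmon reports `HKU\<SID>\...`), and the Startup-folder redirection rule catches the case where nothing is written to the usual `Run` keys at all.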
[1] https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-2-the-run-keys-and-search-order.html
[2] https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy
[3] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON
[4] https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf
[5] https://www.secureworks.com/research/cryptolocker-ransomware
[6] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[7] https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/
[8] https://blogs.cisco.com/security/talos/rombertik
[9] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279
[10] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
[11] https://en.wikipedia.org/wiki/Conficker
[12] https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/
[13] https://cofense.com/recent-geodo-malware-campaigns-feature-heavily-obfuscated-macros/
[14] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/WORM_BAGLE.U/