{
  "name": "Analyzing the Mekotio Trojan",
  "slug": "analyzing-the-mekotio-trojan",
  "description": "This analysis examines the Mekotio Trojan, which uses a PowerShell dropper to stage and execute its payload. The dropper conceals its logic with obfuscation, including a custom XOR decryption routine, so the script has to be deobfuscated before its behaviour can be read. Once running, it collects system information, contacts a command-and-control server to retrieve additional payloads, and establishes persistence through system modifications (mapped here to T1547.001, registry run keys / startup folder). The main payload consists of executable and script files used for the malicious activity. The attached observables are an IP address and a SHA-256 file hash tied to the analysed sample; treat them as point-in-time indicators rather than a complete signature for the family.",
  "published": "2024-08-30T06:14:11+00:00",
  "created_at": "2024-08-30T06:14:11+00:00",
  "modified_at": "2024-08-30T06:37:11+00:00",
  "created_at_opencti": "2024-08-30T06:14:11+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-08-30",
    "malware",
    "mekotio trojan",
    "obfuscation",
    "persistence",
    "powershell",
    "trojan"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "50.62.182.1"
      },
      {
        "id": "",
        "name": "65025475c24f4647b6140cbeced6899f8958f1c72ec17ee24816aa35d1a5639e"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:3d6054b26e687b36",
        "name": "Mekotio Trojan",
        "slug": "mekotio-trojan"
      }
    ],
    "attack_patterns": [
      {
        "id": "4d36ebe8-4925-419a-bdd5-73f6427a975d",
        "name": "T1064"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ]
  },
  "external_refs": [
    "https://www.cyfirma.com/research/analyzing-the-mekotio-trojan/",
    "https://otx.alienvault.com/pulse/66d17f53d59771b7c9c4c94b"
  ]
}