| ID | C0028 |
|---|---|
| Objective(s) | Cryptography |
| Related ATT&CK Techniques | None |
| Version | 2.0 |
| Created | 13 October 2020 |
| Last Modified | 13 September 2023 |

Encryption Key

Malware may import, generate, or otherwise use an encryption key.

Methods

| Name | ID | Description |
|---|---|---|
| Import Public Key | C0028.001 | Malware imports a public key. |
| RC4 KSA | C0028.002 | Malware uses the RC4 Key Scheduling Algorithm (KSA). |

Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| BlackEnergy | 2007 | -- | BlackEnergy creates a new key via CryptAcquireContext. [1] |
| Kovter | 2016 | -- | Kovter creates a new key via CryptAcquireContext. [1] |
| Locky Bart | 2017 | -- | Locky Bart creates a new key via CryptAcquireContext. [1] |
| Rombertik | 2015 | C0028.002 | Rombertik encrypts data using RC4 KSA. [1] |

Detection

| Tool: capa | Mapping | APIs |
|---|---|---|
| import public key | Encryption Key::Import Public Key (C0028.001) | advapi32.CryptAcquireContext, crypt32.CryptImportPublicKeyInfo, crypt32.CryptStringToBinary, crypt32.CryptDecodeObjectEx |
| create new key via CryptAcquireContext | Encryption Key (C0028) | advapi32.CryptAcquireContext |
| encrypt data using RC4 KSA | Encryption Key::RC4 KSA (C0028.002) | |
| reference public RSA key | Encryption Key (C0028) | |

References

[1] capa v4.0, analyzed at MITRE on 10/12/2022