Exaramel for Windows
Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1560 | Archive Collected Data |
Exaramel for Windows automatically encrypts files before sending them to the C2 server.[1] |
|
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Exaramel for Windows has a command to launch a remote shell and executes commands on the victim’s machine.[1] |
| .005 | Command and Scripting Interpreter: Visual Basic |
Exaramel for Windows has a command to execute VBS scripts on the victim’s machine.[1] |
||
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV."[1] |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Exaramel for Windows specifies a path to store files scheduled for exfiltration.[1] |
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV" in an apparent attempt to masquerade as a legitimate service. |