Analyzing the Mekotio Trojan

Aug. 30, 2024, 8:37 a.m.

Description

This analysis covers the Mekotio Trojan, a sophisticated piece of malware that uses a PowerShell dropper to deliver its payload. The dropper relies on obfuscation, including a custom XOR decryption routine, to hide what it does. It collects system information, contacts a command-and-control server to fetch additional payloads, and establishes persistence by modifying the system. The main payload consists of executable and script files used to carry out the malicious activity.

Date

Published: Aug. 30, 2024, 8:14 a.m.
Created: Aug. 30, 2024, 8:14 a.m.
Modified: Aug. 30, 2024, 8:37 a.m.

Indicators

65025475c24f4647b6140cbeced6899f8958f1c72ec17ee24816aa35d1a5639e

50.62.182.1

Attack Patterns

Mekotio Trojan

T1064 - Scripting

T1059.001 - Command and Scripting Interpreter: PowerShell

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1005 - Data from Local System

T1082 - System Information Discovery

T1083 - File and Directory Discovery

T1071 - Application Layer Protocol

T1041 - Exfiltration Over C2 Channel