DNSChanger

DNSChanger is used to change DNS settings to generate fraudulent advertising revenue.

ATT&CK Techniques

Name	Use
Defense Evasion::File and Directory Permissions Modification (T1222)	DNSChanger sets file attributes. [3]
Execution::Shared Modules (T1129)	DNSChanger accesses PE headers. [3]

Name	Use
Defense Evasion::File and Directory Permissions Modification (T1222)	Set file attributes (This capa rule had 1 match) [3]
Execution::Shared Modules (T1129)	Access PE header (This capa rule had 3 matches) [3]

Name	Use
Impact::Generate Traffic from Victim::Advertisement Replacement Fraud (E1643.m02)	The malware alters DNS server settings to route to a rogue DNS server for the purpose of click hijacking. [1]
Defense Evasion::Disable or Evade Security Tools (F0004)	DNSChanger prevents the infected system from installing anti-virus software updates. [1]
Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02)	DNSChanger encodes data using XOR. [3]
Defense Evasion::Process Injection (E1055)	DNSChanger attaches user process memory. [3]

Name	Use
Cryptography::Encrypt Data::RC4 (C0027.009)	DNSChanger encrypts data using RC4 PRGA. [3]
Data::Encode Data::XOR (C0026.002)	DNSChanger encodes data using XOR. [3]
File System::Get File Attributes (C0049)	DNSChanger gets file attributes. [3]
File System::Read File (C0051)	DNSChanger reads files on Windows. [3]
File System::Set File Attributes (C0050)	DNSChanger sets file attributes. [3]
File System::Write File (C0052)	DNSChanger writes Fileon Windows. [3]
Memory::Allocate Memory (C0007)	DNSChanger allocates RWX memory. [3]
Operating System::Registry::Query Registry Value (C0036.006)	DNSChanger queries or enumerates registry values. [3]
Operating System::Registry::Set Registry Key (C0036.001)	DNSChanger sets registry keys. [3]

SHA256 Hashes

[3] capa v4.0, analyzed at MITRE on 10/12/2022