DNSChanger

DNSChanger is used to change DNS settings to generate fraudulent advertising revenue.

ATT&CK Techniques

Name	Use
Defense Evasion::File and Directory Permissions Modification (T1222)	DNSChanger sets file attributes. [2]
Execution::Shared Modules (T1129)	DNSChanger accesses PE headers. [2]

Name	Use
Impact::Generate Traffic from Victim::Advertisement Replacement Fraud (E1643.m02)	The malware alters DNS server settings to route to a rogue DNS server for the purpose of click hijacking. [1]
Defense Evasion::Disable or Evade Security Tools (F0004)	DNSChanger prevents the infected system from installing anti-virus software updates. [1]
Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02)	DNSChanger encodes data using XOR. [2]
Defense Evasion::Process Injection (E1055)	DNSChanger attaches user process memory. [2]

Name	Use
Cryptography::Encrypt Data::RC4 (C0027.009)	DNSChanger encrypts data using RC4 PRGA. [2]
Data::Encode Data::XOR (C0026.002)	DNSChanger encodes data using XOR. [2]
File System::Get File Attributes (C0049)	DNSChanger gets file attributes. [2]
File System::Read File (C0051)	DNSChanger reads files on Windows. [2]
File System::Set File Attributes (C0050)	DNSChanger sets file attributes. [2]
File System::Write File (C0052)	DNSChanger writes Fileon Windows. [2]
Memory::Allocate Memory (C0007)	DNSChanger allocates RWX memory. [2]
Operating System::Registry::Query Registry Value (C0036.006)	DNSChanger queries or enumerates registry values. [2]
Operating System::Registry::Set Registry Key (C0036.001)	DNSChanger sets registry keys. [2]

SHA256 Hashes

[2] capa v4.0, analyzed at MITRE on 10/12/2022