Skip to content

S0140 Shamoon

Shamoon is wiper malware that was first used by an Iranian group known as the “Cutting Sword of Justice” in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.1234

Item Value
ID S0140
Associated Names Disttrack
Version 2.1
Created 31 May 2017
Last Modified 09 February 2021
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Disttrack 1

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Shamoon attempts to disable UAC remote restrictions by modifying the Registry.1
enterprise T1134 Access Token Manipulation -
enterprise T1134.001 Token Impersonation/Theft Shamoon can impersonate tokens using LogonUser, ImpersonateLoggedOnUser, and ImpersonateNamedPipeClient.5
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Shamoon has used HTTP for C2.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Shamoon creates a new service named “ntssrv” to execute the payload. Newer versions create the “MaintenaceSrv” and “hdv_725x” services.12
enterprise T1485 Data Destruction Shamoon attempts to overwrite operating system files and disk structures with image files.341 In a later variant, randomly generated data was used for data overwrites.25
enterprise T1486 Data Encrypted for Impact Shamoon has an operational mode for encrypting data instead of overwriting it.12
enterprise T1140 Deobfuscate/Decode Files or Information Shamoon decrypts ciphertext using an XOR cipher and a base64-encoded string.2
enterprise T1561 Disk Wipe -
enterprise T1561.002 Disk Structure Wipe Shamoon has been seen overwriting features of disk structure such as the MBR.3412
enterprise T1070 Indicator Removal -
enterprise T1070.006 Timestomp Shamoon can change the modified time for files to evade forensic detection.5
enterprise T1105 Ingress Tool Transfer Shamoon can download an executable to run on the victim.1
enterprise T1570 Lateral Tool Transfer Shamoon attempts to copy itself to remote machines on the network.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Shamoon creates a new service named “ntssrv” that attempts to appear legitimate; the service’s display name is “Microsoft Network Realtime Inspection Service” and its description is “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.” Newer versions create the “MaintenaceSrv” service, which misspells the word “maintenance.”15
enterprise T1112 Modify Registry Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1.415
enterprise T1027 Obfuscated Files or Information Shamoon contains base64-encoded strings.1
enterprise T1012 Query Registry Shamoon queries several Registry keys to identify hard disk partitions to overwrite.1
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task/Job to execute the malware.4
enterprise T1018 Remote System Discovery Shamoon scans the C-class subnet of the IPs on the victim’s interfaces.4
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Shamoon copies an executable payload to the target system by using SMB/Windows Admin Shares and then scheduling an unnamed task to execute the malware.41
enterprise T1082 System Information Discovery Shamoon obtains the victim’s operating system version and keyboard layout and sends the information to the C2 server.12
enterprise T1016 System Network Configuration Discovery Shamoon obtains the target’s IP address and local network segment.15
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Shamoon creates a new service named “ntssrv” to execute the payload. Shamoon can also spread via PsExec.16
enterprise T1529 System Shutdown/Reboot Shamoon will reboot the infected system once the wiping functionality has been completed.25
enterprise T1124 System Time Discovery Shamoon obtains the system time and will only activate if it is greater than a preset date.12
enterprise T1078 Valid Accounts -
enterprise T1078.002 Domain Accounts If Shamoon cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion.42