S0242 SynAck
SynAck is a variant of Trojan ransomware that has targeted mainly English-speaking users since at least fall 2017.[1][2]
Item | Value |
---|---|
ID | S0242 |
Associated Names | |
Type | MALWARE |
Version | 1.3 |
Created | 17 October 2018 |
Last Modified | 08 September 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1486 | Data Encrypted for Impact | SynAck encrypts the victim's machine and then asks the victim to pay a ransom.[1] |
enterprise | T1083 | File and Directory Discovery | SynAck checks its directory location in an attempt to avoid launching in a sandbox.[1][2] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.001 | Clear Windows Event Logs | SynAck clears event logs.[1] |
enterprise | T1112 | Modify Registry | SynAck can manipulate Registry keys.[1] |
enterprise | T1106 | Native API | SynAck parses the export tables of system DLLs to locate and call various Windows API functions.[1][2] |
enterprise | T1027 | Obfuscated Files or Information | SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering.[1][2] |
enterprise | T1057 | Process Discovery | SynAck enumerates all running processes.[1][2] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.013 | Process Doppelgänging | SynAck abuses NTFS transactions to launch and conceal malicious processes.[1][2] |
enterprise | T1012 | Query Registry | SynAck enumerates Registry keys associated with event logs.[1] |
enterprise | T1082 | System Information Discovery | SynAck gathers computer names and OS version information, and also checks the installed keyboard layouts to estimate whether it has been launched from one of a certain list of countries.[1] |
enterprise | T1614 | System Location Discovery | - |
enterprise | T1614.001 | System Language Discovery | SynAck lists all the keyboard layouts installed on the victim's system using the GetKeyboardLayoutList API and checks them against a hardcoded language code list. If a match is found, SynAck sleeps for 300 seconds and then exits without encrypting files.[1] |
enterprise | T1033 | System Owner/User Discovery | SynAck gathers user names from infected hosts.[1] |
enterprise | T1007 | System Service Discovery | SynAck enumerates all running services.[1][2] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | SynAck checks its directory location in an attempt to avoid launching in a sandbox.[1][2] |