
S0242 SynAck

SynAck is a variant of Trojan ransomware that has targeted mainly English-speaking users since at least fall 2017. [1][2]

| Item | Value |
|---|---|
| ID | S0242 |
| Associated Names | |
| Version | 1.3 |
| Created | 17 October 2018 |
| Last Modified | 08 September 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1486 | Data Encrypted for Impact | SynAck encrypts the victim's machine and then asks the victim to pay a ransom. [1] |
| enterprise | T1083 | File and Directory Discovery | SynAck checks its directory location in an attempt to avoid launching in a sandbox. [1][2] |
| enterprise | T1070 | Indicator Removal on Host | - |
| enterprise | T1070.001 | Clear Windows Event Logs | SynAck clears event logs. [1] |
| enterprise | T1112 | Modify Registry | SynAck can manipulate Registry keys. [1] |
| enterprise | T1106 | Native API | SynAck parses the export tables of system DLLs to locate and call various Windows API functions. [1][2] |
| enterprise | T1027 | Obfuscated Files or Information | SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering. [1][2] |
| enterprise | T1057 | Process Discovery | SynAck enumerates all running processes. [1][2] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.013 | Process Doppelgänging | SynAck abuses NTFS transactions to launch and conceal malicious processes. [1][2] |
| enterprise | T1012 | Query Registry | SynAck enumerates Registry keys associated with event logs. [1] |
| enterprise | T1082 | System Information Discovery | SynAck gathers computer names and OS version info, and also checks installed keyboard layouts to estimate whether it has been launched from a certain list of countries. [1] |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | SynAck lists all the keyboard layouts installed on the victim's system using the GetKeyboardLayoutList API and checks them against a hardcoded language code list. If a match is found, SynAck sleeps for 300 seconds and then exits without encrypting files. [1] |
| enterprise | T1033 | System Owner/User Discovery | SynAck gathers user names from infected hosts. [1] |
| enterprise | T1007 | System Service Discovery | SynAck enumerates all running services. [1][2] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | SynAck checks its directory location in an attempt to avoid launching in a sandbox. [1][2] |

