S0389 JCry
JCry is ransomware written in Go. It was identified as a part of the #OpJerusalem 2019 campaign.[1]
Item | Value |
---|---|
ID | S0389 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 18 June 2019 |
Last Modified | 30 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | JCry has created payloads in the Startup directory to maintain persistence.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | JCry has used PowerShell to execute payloads.[1] |
enterprise | T1059.003 | Windows Command Shell | JCry has used cmd.exe to launch PowerShell.[1] |
enterprise | T1059.005 | Visual Basic | JCry has used VBS scripts.[1] |
enterprise | T1486 | Data Encrypted for Impact | JCry has encrypted files and demanded Bitcoin to decrypt those files.[1] |
enterprise | T1490 | Inhibit System Recovery | JCry has been observed deleting shadow copies to ensure that data cannot be restored easily.[1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | JCry has achieved execution by luring users to click on a file that appeared to be an Adobe Flash Player update installer.[1] |