Skip to content

S0389 JCry

JCry is ransomware written in Go. It was identified as apart of the #OpJerusalem 2019 campaign.1

Item Value
ID S0389
Associated Names
Version 1.1
Created 18 June 2019
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder JCry has created payloads in the Startup directory to maintain persistence. 1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell JCry has used PowerShell to execute payloads.1
enterprise T1059.003 Windows Command Shell JCry has used cmd.exe to launch PowerShell.1
enterprise T1059.005 Visual Basic JCry has used VBS scripts. 1
enterprise T1486 Data Encrypted for Impact JCry has encrypted files and demanded Bitcoin to decrypt those files. 1
enterprise T1490 Inhibit System Recovery JCry has been observed deleting shadow copies to ensure that data cannot be restored easily.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File JCry has achieved execution by luring users to click on a file that appeared to be an Adobe Flash Player update installer. 1