S0640 Avaddon
Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.[1][2]
| Item | Value | 
|---|---|
| ID | S0640 | 
| Associated Names | |
| Type | MALWARE | 
| Version | 1.0 | 
| Created | 23 August 2021 | 
| Last Modified | 18 October 2021 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | Avaddon bypasses UAC using the CMSTPLUA COM interface.[2] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Avaddon uses registry run keys for persistence.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.007 | JavaScript | Avaddon has been executed through a malicious JScript downloader.[3][1] |
| enterprise | T1486 | Data Encrypted for Impact | Avaddon encrypts the victim system using a combination of AES256 and RSA encryption schemes.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Avaddon has decrypted encrypted strings.[2] |
| enterprise | T1083 | File and Directory Discovery | Avaddon has searched for specific files prior to encryption.[2] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Avaddon looks for and attempts to stop anti-malware solutions.[2] |
| enterprise | T1490 | Inhibit System Recovery | Avaddon deletes backups and shadow copies using native system tools.[3][2] |
| enterprise | T1112 | Modify Registry | Avaddon modifies several registry keys for persistence and UAC bypass.[2] |
| enterprise | T1106 | Native API | Avaddon has used the Windows Crypto API to generate an AES key.[3] |
| enterprise | T1135 | Network Share Discovery | Avaddon has enumerated shared folders and mapped volumes.[2] |
| enterprise | T1027 | Obfuscated Files or Information | Avaddon has used encrypted strings.[2] |
| enterprise | T1057 | Process Discovery | Avaddon has collected information about running processes.[2] |
| enterprise | T1489 | Service Stop | Avaddon looks for and attempts to stop database processes.[2] |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities.[2] |
| enterprise | T1016 | System Network Configuration Discovery | Avaddon can collect the external IP address of the victim.[1] |
| enterprise | T1047 | Windows Management Instrumentation | Avaddon uses wmic.exe to delete shadow copies.[3] |
References
1. Gahlot, A. (n.d.). Threat Hunting for Avaddon Ransomware. Retrieved August 19, 2021.
2. Yuste, J., Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
3. Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021.