Skip to content

S0640 Avaddon

Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.12

Item Value
ID S0640
Associated Names
Version 1.0
Created 23 August 2021
Last Modified 18 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Avaddon bypasses UAC using the CMSTPLUA COM interface.2
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Avaddon uses registry run keys for persistence.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.007 JavaScript Avaddon has been executed through a malicious JScript downloader.31
enterprise T1486 Data Encrypted for Impact Avaddon encrypts the victim system using a combination of AES256 and RSA encryption schemes.2
enterprise T1140 Deobfuscate/Decode Files or Information Avaddon has decrypted encrypted strings.2
enterprise T1083 File and Directory Discovery Avaddon has searched for specific files prior to encryption.2
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Avaddon looks for and attempts to stop anti-malware solutions.2
enterprise T1490 Inhibit System Recovery Avaddon deletes backups and shadow copies using native system tools.32
enterprise T1112 Modify Registry Avaddon modifies several registry keys for persistence and UAC bypass.2
enterprise T1106 Native API Avaddon has used the Windows Crypto API to generate an AES key.3
enterprise T1135 Network Share Discovery Avaddon has enumerated shared folders and mapped volumes.2
enterprise T1027 Obfuscated Files or Information Avaddon has used encrypted strings.2
enterprise T1057 Process Discovery Avaddon has collected information about running processes.2
enterprise T1489 Service Stop Avaddon looks for and attempts to stop database processes.2
enterprise T1614 System Location Discovery -
enterprise T1614.001 System Language Discovery Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities.2
enterprise T1016 System Network Configuration Discovery Avaddon can collect the external IP address of the victim.1
enterprise T1047 Windows Management Instrumentation Avaddon uses wmic.exe to delete shadow copies.3