| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1112 | Modify Registry | |
| Enterprise | T1486 | Data Encrypted for Impact | SynAck encrypts the victim's machine and then asks the victim to pay a ransom.[1] |
| Enterprise | T1083 | File and Directory Discovery | SynAck checks its directory location in an attempt to avoid launching in a sandbox.[1][2] |
| Enterprise | T1106 | Native API | SynAck parses the export tables of system DLLs to locate and call various Windows API functions.[1][2] |
| Enterprise | T1012 | Query Registry | SynAck enumerates Registry keys associated with event logs.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering.[1][2] |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | SynAck lists all the keyboard layouts installed on the victim's system using |
| Enterprise | T1082 | System Information Discovery | SynAck gathers computer names and OS version info, and also checks installed keyboard layouts to estimate whether it has been launched from a certain list of countries.[1] |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | SynAck checks its directory location in an attempt to avoid launching in a sandbox.[1][2] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1055.013 | Process Injection: Process Doppelgänging | SynAck abuses NTFS transactions to launch and conceal malicious processes.[1][2] |