| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact | SynAck encrypts the victim's machine and then asks the victim to pay a ransom.[1] |
| Enterprise | T1083 | File and Directory Discovery | SynAck checks its directory location in an attempt to avoid launching in a sandbox.[1][2] |
| Enterprise | T1070.001 | Indicator Removal on Host: Clear Windows Event Logs | |
| Enterprise | T1112 | Modify Registry | |
| Enterprise | T1106 | Native API | SynAck parses the export tables of system DLLs to locate and call various Windows API functions.[1][2] |
| Enterprise | T1027 | Obfuscated Files or Information | SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering.[1][2] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1055.013 | Process Injection: Process Doppelgänging | SynAck abuses NTFS transactions to launch and conceal malicious processes.[1][2] |
| Enterprise | T1012 | Query Registry | SynAck enumerates Registry keys associated with event logs.[1] |
| Enterprise | T1082 | System Information Discovery | SynAck gathers computer names and OS version information, and also checks the installed keyboard layouts to estimate whether it has been launched in one of a certain list of countries.[1] |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | SynAck lists all the keyboard layouts installed on the victim's system using |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | SynAck checks its directory location in an attempt to avoid launching in a sandbox.[1][2] |