Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021.

SynAck

SynAck is a variant of Trojan ransomware that has targeted mainly English-speaking users since at least fall 2017. [1] [2]

ID: S0242
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 17 October 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1486 Data Encrypted for Impact

SynAck encrypts the victim's machine and then asks the victim to pay a ransom. [1]

Enterprise T1083 File and Directory Discovery

SynAck checks its directory location in an attempt to avoid launching in a sandbox.[1][2]

Enterprise T1070.001 Indicator Removal on Host: Clear Windows Event Logs

SynAck clears event logs.[1]

Enterprise T1112 Modify Registry

SynAck can manipulate Registry keys.[1]

Enterprise T1106 Native API

SynAck parses the export tables of system DLLs to locate and call various Windows API functions.[1][2]

Enterprise T1027 Obfuscated Files or Information

SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering.[1][2]

Enterprise T1057 Process Discovery

SynAck enumerates all running processes.[1][2]

Enterprise T1055.013 Process Injection: Process Doppelgänging

SynAck abuses NTFS transactions to launch and conceal malicious processes.[1][2]

Enterprise T1012 Query Registry

SynAck enumerates Registry keys associated with event logs.[1]

Enterprise T1082 System Information Discovery

SynAck gathers computer names and OS version information, and checks installed keyboard layouts to estimate whether it has been launched from a certain list of countries.[1]

Enterprise T1033 System Owner/User Discovery

SynAck gathers user names from infected hosts.[1]

Enterprise T1007 System Service Discovery

SynAck enumerates all running services.[1][2]

Enterprise T1497.001 Virtualization/Sandbox Evasion: System Checks

SynAck checks its directory location in an attempt to avoid launching in a sandbox.[1][2]

References