SynAck is a variant of Trojan ransomware that has mainly targeted English-speaking users since at least fall 2017. [1] [2]

ID: S0242
Platforms: Windows

Version: 1.0

Techniques Used

Domain     | ID    | Name                              | Use
-----------|-------|-----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------
Enterprise | T1106 | Execution through API             | SynAck parses the export tables of system DLLs to locate and call various Windows API functions. [1] [2]
Enterprise | T1083 | File and Directory Discovery      | SynAck checks its directory location in an attempt to avoid launching in a sandbox. [1] [2]
Enterprise | T1070 | Indicator Removal on Host         | SynAck clears event logs. [1]
Enterprise | T1112 | Modify Registry                   | SynAck can manipulate Registry keys. [1]
Enterprise | T1027 | Obfuscated Files or Information   | SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering. [1] [2]
Enterprise | T1057 | Process Discovery                 | SynAck enumerates all running processes. [1] [2]
Enterprise | T1186 | Process Doppelgänging             | SynAck abuses NTFS transactions to launch and conceal malicious processes. [1] [2]
Enterprise | T1012 | Query Registry                    | SynAck enumerates Registry keys associated with event logs. [1]
Enterprise | T1082 | System Information Discovery      | SynAck gathers computer names and OS version information, and also checks the installed keyboard layouts to estimate whether it has been launched in one of a certain list of countries. [1]
Enterprise | T1033 | System Owner/User Discovery       | SynAck gathers user names from infected hosts. [1]
Enterprise | T1007 | System Service Discovery          | SynAck enumerates all running services. [1] [2]
Enterprise | T1497 | Virtualization/Sandbox Evasion    | SynAck checks its directory location in an attempt to avoid launching in a sandbox. [1] [2]