Register to stream ATT&CKcon 2.0 October 29-30


SynAck is variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. [1] [2]

ID: S0242
Platforms: Windows
Version: 1.1

Techniques Used

Domain ID Name Use
Enterprise T1486 Data Encrypted for Impact SynAck encrypts the victims machine followed by asking the victim to pay a ransom. [1]
Enterprise T1106 Execution through API SynAck parses the export tables of system DLLs to locate and call various Windows API functions. [1] [2]
Enterprise T1083 File and Directory Discovery SynAck checks its directory location in an attempt to avoid launching in a sandbox. [1] [2]
Enterprise T1070 Indicator Removal on Host SynAck clears event logs. [1]
Enterprise T1112 Modify Registry SynAck can manipulate Registry keys. [1]
Enterprise T1027 Obfuscated Files or Information SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering. [1] [2]
Enterprise T1057 Process Discovery SynAck enumerates all running processes. [1] [2]
Enterprise T1186 Process Doppelgänging SynAck abuses NTFS transactions to launch and conceal malicious processes. [1] [2]
Enterprise T1012 Query Registry SynAck enumerates Registry keys associated with event logs. [1]
Enterprise T1082 System Information Discovery SynAck gathers computer names, OS version info, and also checks installed keyboard layouts to estimate if it has been launched from a certain list of countries. [1]
Enterprise T1033 System Owner/User Discovery SynAck gathers user names from infected hosts. [1]
Enterprise T1007 System Service Discovery SynAck enumerates all running services. [1] [2]
Enterprise T1497 Virtualization/Sandbox Evasion SynAck checks its directory location in an attempt to avoid launching in a sandbox. [1] [2]