ATT&CK v16 has been released! Check out the blog post for more information.

JCry

JCry is ransomware written in Go. It was identified as apart of the #OpJerusalem 2019 campaign.^[1]

ID: S0389

ⓘ

Type: MALWARE

Version: 1.1

Created: 18 June 2019

Last Modified: 30 March 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	JCry has created payloads in the Startup directory to maintain persistence. ^[1]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	JCry has used PowerShell to execute payloads.^[1]
		.003	Command and Scripting Interpreter: Windows Command Shell	JCry has used `cmd.exe` to launch PowerShell.^[1]
		.005	Command and Scripting Interpreter: Visual Basic	JCry has used VBS scripts. ^[1]
Enterprise	T1486		Data Encrypted for Impact	JCry has encrypted files and demanded Bitcoin to decrypt those files. ^[1]
Enterprise	T1490		Inhibit System Recovery	JCry has been observed deleting shadow copies to ensure that data cannot be restored easily.^[1]
Enterprise	T1204	.002	User Execution: Malicious File	JCry has achieved execution by luring users to click on a file that appeared to be an Adobe Flash Player update installer. ^[1]

References

Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.