JCry is ransomware written in Go. It was identified as apart of the #OpJerusalem 2019 campaign.[1]

ID: S0389
Version: 1.1
Created: 18 June 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

JCry has created payloads in the Startup directory to maintain persistence. [1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

JCry has used PowerShell to execute payloads.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

JCry has used cmd.exe to launch PowerShell.[1]

.005 Command and Scripting Interpreter: Visual Basic

JCry has used VBS scripts. [1]

Enterprise T1486 Data Encrypted for Impact

JCry has encrypted files and demanded Bitcoin to decrypt those files. [1]

Enterprise T1490 Inhibit System Recovery

JCry has been observed deleting shadow copies to ensure that data cannot be restored easily.[1]

Enterprise T1204 .002 User Execution: Malicious File

JCry has achieved execution by luring users to click on a file that appeared to be an Adobe Flash Player update installer. [1]