| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1112 | Modify Registry | Avaddon modifies several registry keys for persistence and UAC bypass.[2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Avaddon has been executed through a malicious JScript downloader.[3][1] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Avaddon looks for and attempts to stop anti-malware solutions.[2] |
| Enterprise | T1486 | Data Encrypted for Impact | Avaddon encrypts the victim system using a combination of AES-256 and RSA encryption schemes.[2] |
| Enterprise | T1083 | File and Directory Discovery | Avaddon has searched for specific files prior to encryption.[2] |
| Enterprise | T1489 | Service Stop | Avaddon looks for and attempts to stop database processes.[2] |
| Enterprise | T1106 | Native API | Avaddon has used the Windows Crypto API to generate an AES key.[3] |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities.[2] |
| Enterprise | T1490 | Inhibit System Recovery | Avaddon deletes backups and shadow copies using native system tools.[3][2] |
| Enterprise | T1016 | System Network Configuration Discovery | Avaddon can collect the external IP address of the victim.[1] |
| Enterprise | T1135 | Network Share Discovery | Avaddon has enumerated shared folders and mapped volumes.[2] |
| Enterprise | T1057 | Process Discovery | Avaddon has collected information about running processes.[2] |
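The Inhibit System Recovery (T1490) row above is the one most worth a detection, because backup and shadow-copy deletion is a high-confidence precursor to encryption and is rarely legitimate when launched from a user-writable path. The following is an added example, not code from the ATT&CK page or from any Avaddon sample: it runs a few command-line rules over constructed Windows process-creation events (Sysmon Event ID 1 field names). The page only says Avaddon uses "native system tools" for this; the specific tools and arguments matched below (vssadmin, wmic, wbadmin, bcdedit, and the PowerShell Win32_ShadowCopy path) are assumptions drawn from the general T1490 technique, not a claim about Avaddon's exact commands. The sample events, paths and the trusted-parent directory list are all constructed for the example.

```python
"""
Added example (not from the original page): detect T1490-style backup and
shadow-copy deletion in process-creation telemetry.

Assumptions (not stated on the page): the command lines below are the common
native-tool invocations for the technique in general; the sample events and
the TRUSTED_PARENT_DIRS allowlist are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Rules are applied to a lowercased, whitespace-collapsed command line.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_storage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("powershell_shadowcopy_remove",
     re.compile(r"win32_shadowcopy.*(remove-wmiobject|remove-ciminstance|\.delete\(\))")),
]

# Triage heuristic (assumption): a parent binary outside these directories is
# a stronger signal, since legitimate backup agents usually live under them.
# Parents inside them are NOT safe, only lower priority.
TRUSTED_PARENT_DIRS = (r"c:\windows\\", r"c:\program files\\", r"c:\program files (x86)\\")


@dataclass
class Finding:
    rule: str
    image: str
    parent_image: str
    command_line: str
    suspicious_parent: bool


def normalise(text: str) -> str:
    """Lowercase and collapse whitespace so spacing or case tricks do not evade matching."""
    return " ".join(text.lower().split())


def parent_is_untrusted(parent_image: str) -> bool:
    """True when the parent process is not under an allowlisted directory."""
    p = parent_image.lower()
    return not any(p.startswith(d.replace("\\\\", "\\")) for d in TRUSTED_PARENT_DIRS)


def scan_events(events):
    """Return one Finding per event whose command line matches a T1490 rule."""
    findings = []
    for ev in events:
        cmd = normalise(ev.get("CommandLine", ""))
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(
                    rule=name,
                    image=ev.get("Image", ""),
                    parent_image=ev.get("ParentImage", ""),
                    command_line=cmd,
                    suspicious_parent=parent_is_untrusted(ev.get("ParentImage", "")),
                ))
                break  # one finding per event is enough
    return findings


# Constructed sample telemetry; the paths and parents are invented for the example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},  # benign enumeration, must not fire
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\bcdedit.exe", "ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},  # benign
    {"Image": r"C:\Windows\System32\wbadmin.exe", "ParentImage": r"C:\Program Files\BackupVendor\agent.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},  # fires, but parent is allowlisted
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"'},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        flag = "HIGH" if f.suspicious_parent else "review"
        print(f"[{flag}] {f.rule}: {f.parent_image} -> {f.command_line}")
```

In a SIEM the same rules map onto Sysmon Event ID 1 or Windows Security 4688 (with command-line auditing enabled); the parent-image check is what separates a ransomware loader from a backup agent running its normal retention job, so alert on the rule but prioritise by parent.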