Field | Value |
---|---|
ID | X0018 |
Type | Wiper |
Aliases | None |
Platforms | Windows |
Year | 2012 |
Associated ATT&CK Software | Shamoon |
Shamoon is data-wiping malware.
Name | Use |
---|---|
Discovery::Process Discovery (T1057) | Shamoon enumerates processes. [5] |
Execution::Shared Modules (T1129) | Shamoon links many functions at runtime. [5] |
Execution::System Services::Service Execution (T1569.002) | Shamoon creates services. [5] |
Persistence::Create or Modify System Process::Windows Service (T1543.003) | Shamoon starts services. [5] |
See ATT&CK: Shamoon - Techniques Used.
Name | Use |
---|---|
Impact::Data Destruction (E1485) | A 2018 variant includes a component that erases files and then wipes the Master Boot Record (MBR), preventing file recovery. [1] |
Persistence::Modify Existing Service (F0011) | Shamoon enables the RemoteRegistry service to allow remote registry modification. [2] |
Defense Evasion::Modify Registry (E1112) | Shamoon disables remote user account control by setting the LocalAccountTokenFilterPolicy registry value. [2] |
Defense Evasion::Hidden Files and Directories::Timestamp (F0005.004) | Shamoon sets target files' timestamps to August 2012 as an anti-forensic trick. [2] |
Defense Evasion::Hijack Execution Flow::Abuse Windows Function Calls (F0015.006) | The malware escalates privileges through token impersonation, calling LogonUser and ImpersonateLoggedOnUser, then ImpersonateNamedPipeClient. [2] |
Impact::Disk Wipe (F0014) | An overwrite component will overwrite the MBR so that the compromised computer can no longer start. [4] |
Execution::Command and Scripting Interpreter (E1059) | The wiper component of Shamoon creates a service to run the driver with the command `sc create hdv_725x type= kernel start= demand binpath= WINDOWS\hdv_725x.sys 2>&1 >nul` and sends an additional reboot command after completion. [2] |
Command and Control::Ingress Tool Transfer (E1105) | Shamoon creates a folder on remote computers and then copies its executables (Shamoon and Filerase) into that directory. [3] |
Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | Shamoon encodes data using XOR. [5] |
Discovery::File and Directory Discovery (E1083) | Shamoon gets a common file path. [5] |
Discovery::System Information Discovery (E1082) | Shamoon gets the hostname. [5] |
Execution::Command and Scripting Interpreter (E1059) | Shamoon accepts command line arguments. [5] |
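As an added example (not code from this page, its references, or the MBC project), the following Python scan runs over constructed telemetry records and flags three of the behaviours listed above from a detection standpoint: a kernel-mode driver service registered with `sc create ... type= kernel` from a `.sys` file directly under the Windows directory (E1059 / F0014), the LocalAccountTokenFilterPolicy and RemoteRegistry registry changes (E1112 / F0011), and a file whose modification time was set to August 2012 (F0005.004). The event schema (`type`, `cmdline`, `reg_path`, `reg_value`, `mtime`, `ctime`) and the sample records are assumptions made for the example.

```python
"""Heuristic detections for the Shamoon behaviours catalogued above.

Added example; the event field names and SAMPLE_EVENTS are constructed
to resemble simplified EDR / Windows event records, not real telemetry.
"""
import re
from datetime import datetime

# Constructed sample telemetry (assumed schema): one dict per event.
SAMPLE_EVENTS = [
    {"type": "process",
     "cmdline": "sc create hdv_725x type= kernel start= demand binpath= WINDOWS\\hdv_725x.sys 2>&1 >nul"},
    {"type": "process",
     "cmdline": "sc create MyBackup type= own start= auto binpath= C:\\Program Files\\Backup\\svc.exe"},
    {"type": "registry",
     "reg_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
     "reg_value": 1},
    {"type": "registry",
     "reg_path": r"HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start",
     "reg_value": 2},
    {"type": "file", "path": r"C:\Users\alice\Documents\report.docx",
     "mtime": "2012-08-15T10:00:00", "ctime": "2021-03-02T09:12:44"},
    {"type": "file", "path": r"C:\Users\alice\Documents\notes.txt",
     "mtime": "2021-03-03T11:00:00", "ctime": "2021-03-02T09:12:44"},
]

# "sc create <name> <options...>"; sc.exe accepts "key= value" with a space.
SC_CREATE = re.compile(r"^\s*sc(?:\.exe)?\s+create\s+(?P<name>\S+)\s+(?P<opts>.*)$", re.IGNORECASE)
OPT = re.compile(r"(?P<key>type|start|binpath)=\s*(?P<val>\S+)", re.IGNORECASE)
# A .sys located directly in the Windows directory rather than System32\drivers.
WINDIR_SYS = re.compile(r"^(?:[a-z]:\\)?windows\\[^\\]+\.sys$", re.IGNORECASE)


def parse_sc_create(cmdline):
    """Return {'name', 'type', 'start', 'binpath'} for an sc create line, else None."""
    m = SC_CREATE.match(cmdline)
    if not m:
        return None
    opts = {key.lower(): val for key, val in OPT.findall(m.group("opts"))}
    opts["name"] = m.group("name")
    return opts


def kernel_driver_from_windir(cmdline):
    """Flag a kernel driver service whose image sits directly under WINDOWS\\."""
    opts = parse_sc_create(cmdline)
    if not opts:
        return None
    if opts.get("type", "").lower() == "kernel" and WINDIR_SYS.match(opts.get("binpath", "")):
        return f"kernel driver service {opts['name']} from {opts['binpath']}"
    return None


def registry_weakening(reg_path, reg_value):
    """Flag remote-UAC token filtering being disabled or RemoteRegistry being enabled."""
    path = reg_path.lower()
    if path.endswith("localaccounttokenfilterpolicy") and reg_value == 1:
        return "LocalAccountTokenFilterPolicy=1 (remote UAC token filtering disabled)"
    # Service Start values: 2 = automatic, 3 = manual, 4 = disabled.
    if path.endswith(r"services\remoteregistry\start") and reg_value in (2, 3):
        return f"RemoteRegistry service enabled (Start={reg_value})"
    return None


def timestomp_suspect(mtime, ctime):
    """Heuristic: modification time in August 2012 that predates the creation time.

    Copying a file can legitimately preserve an old mtime, so treat this as a
    triage signal to combine with the other detections, not proof on its own.
    """
    modified = datetime.fromisoformat(mtime)
    created = datetime.fromisoformat(ctime)
    if (modified.year, modified.month) == (2012, 8) and created > modified:
        return f"mtime {mtime} (August 2012) predates creation time {ctime}"
    return None


def scan(events):
    """Run every heuristic over the events; return a list of (behaviour, detail)."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            detail = kernel_driver_from_windir(ev["cmdline"])
            if detail:
                hits.append(("E1059/F0014 driver service", detail))
        elif ev["type"] == "registry":
            detail = registry_weakening(ev["reg_path"], ev["reg_value"])
            if detail:
                hits.append(("E1112/F0011 registry weakening", detail))
        elif ev["type"] == "file":
            detail = timestomp_suspect(ev["mtime"], ev["ctime"])
            if detail:
                hits.append(("F0005.004 timestamp manipulation", detail))
    return hits


if __name__ == "__main__":
    for behaviour, detail in scan(SAMPLE_EVENTS):
        print(f"[{behaviour}] {detail}")
```

The service check keys on two things at once, the `type= kernel` option and a driver image dropped directly in the Windows directory, because either on its own is common in legitimate administration; the registry check likewise only fires on the specific values that weaken remote access controls, not on any write to those keys.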
SHA256 Hashes
- c617120895646f73bc880c0aca18990deda3db9be03f6b3564013e26dedfa3f9
- 4f02a9fcd2deb3936ede8ff009bd08662bdb1f365c0f4a78b3757a98c2f40400
Attack flow for Shamoon based on [2].
[1] https://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow
[2] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/
[3] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/
[4] https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=281521ea-2d18-4bf9-9e88-8b1dc41cfdb6&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
[5] capa v4.0, analyzed at MITRE on 10/12/2022