samsam.md

File metadata and controls

86 lines (65 loc) · 3.77 KB
|**ID**|**X0016**|
|---|---|
|**Aliases**|MSIL/Samas.A, Samas, Samsa|
|**Platforms**|Windows|
|**Year**|2015|
|**Associated ATT&CK Software**|SamSam|

SamSam

SamSam is ransomware.

ATT&CK Techniques

See ATT&CK: SamSam - Techniques Used.

Enhanced ATT&CK Techniques

|**Name**|**Use**|
|---|---|
|Impact::Data Encrypted for Impact (E1486)|SamSam encrypts data to hold for ransom. [1]|
|Execution::Exploitation for Client Execution::Remote Desktop Protocols (E1203.m01)|Attackers associated with SamSam exploit vulnerabilities in remote desktop protocol (RDP) services, Java-based web servers, or file transfer protocol (FTP) servers. [5]|
|Anti-Static Analysis::Executable Code Obfuscation (B0032)|SamSam obfuscates functions, class names and strings, including the list of targeted file extensions, the help file contents and environment variables, using DES encryption with a fixed, hard-coded key and IV. [2]|
|Execution::Command and Scripting Interpreter (E1059)|SamSam uses a batch file to execute the malware and delete certain components. [3]|
|Defense Evasion::Obfuscated Files or Information::Encryption of Code (E1027.m07)|SamSam obfuscates functions, class names and strings, including the list of targeted file extensions, the help file contents and environment variables, using DES encryption with a fixed, hard-coded key and IV. [2]|
|Discovery::File and Directory Discovery (E1083)|SamSam enumerates files on Windows. [4]|

MBC Behaviors

|**Name**|**Use**|
|---|---|
|File System::Delete File (C0047)|SamSam deletes files. [4]|
|File System::Read File (C0051)|SamSam reads files on Windows. [4]|

Indicators of Compromise

SHA256 Hashes

BTC Wallet

  • 1MddNhqRCJe825ywjdbjbAQpstWBpKHmFR

Tor Onion Service

  • jcmi5n4c3mvgtyt5.onion

References

[1] https://www.cisa.gov/uscert/ncas/alerts/AA18-337A

[2] https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html

[3] https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf

[4] capa v4.0, analyzed at MITRE on 10/12/2022

[5] https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/