1. Home
  2. Software
  3. Avaddon

Avaddon

Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.[1][2]

ID: S0640
Type: MALWARE
Platforms: Windows
Contributors: Matt Brenton, Zurich Global Information Security
Version: 1.0
Created: 23 August 2021
Last Modified: 18 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Avaddon bypasses UAC using the CMSTPLUA COM interface.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Avaddon uses registry run keys for persistence.[2]
Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Avaddon has been executed through a malicious JScript downloader.[3][1]
Enterprise T1486 Data Encrypted for Impact

Avaddon encrypts the victim system using a combination of AES256 and RSA encryption schemes.[2]
Enterprise T1140 Deobfuscate/Decode Files or Information

Avaddon has decrypted encrypted strings.[2]
Enterprise T1083 File and Directory Discovery

Avaddon has searched for specific files prior to encryption.[2]
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Avaddon looks for and attempts to stop anti-malware solutions.[2]
Enterprise T1490 Inhibit System Recovery

Avaddon deletes backups and shadow copies using native system tools.[3][2]
Enterprise T1112 Modify Registry

Avaddon modifies several registry keys for persistence and UAC bypass.[2]
Enterprise T1106 Native API

Avaddon has used the Windows Crypto API to generate an AES key.[3]
Enterprise T1135 Network Share Discovery

Avaddon has enumerated shared folders and mapped volumes.[2]
Enterprise T1027 Obfuscated Files or Information

Avaddon has used encrypted strings.[2]
Enterprise T1057 Process Discovery

Avaddon has collected information about running processes.[2]
Enterprise T1489 Service Stop

Avaddon looks for and attempts to stop database processes.[2]
Enterprise T1614 .001 System Location Discovery: System Language Discovery

Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities.[2]
Enterprise T1016 System Network Configuration Discovery

Avaddon can collect the external IP address of the victim.[1]
Enterprise T1047 Windows Management Instrumentation

Avaddon uses wmic.exe to delete shadow copies.[3]

References

  1. Gahlot, A. (n.d.). Threat Hunting for Avaddon Ransomware. Retrieved August 19, 2021.
  2. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  1. Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021.