| ID | Aliases | Platforms | Year | Associated ATT&CK Software |
|---|---|---|---|---|
| X0018 | None | Windows | 2012 | Shamoon |

Shamoon

Data wiping malware.

ATT&CK Techniques

See ATT&CK: Shamoon - Techniques Used.

Enhanced ATT&CK Techniques

| Name | Use |
|---|---|
| Impact::Data Destruction (E1485) | A 2018 variant includes a component that erases files and then wipes the master boot record, preventing file recovery [1] |
| Persistence::Modify Existing Service (F0011) | Shamoon enables the RemoteRegistry service to allow remote registry modification [2] |
| Defense Evasion::Modify Registry (E1112) | Disables remote user account control by enabling the registry key LocalAccountTokenFilterPolicy [2] |
| Defense Evasion::Hidden Files and Directories::Timestamp (F0005.004) | Modifies target files' timestamps to August 2012 as an anti-forensic trick [2] |
| Defense Evasion::Hijack Execution Flow::Abuse Windows Function Calls (F0015.006) | Escalates privileges by impersonating a token: first uses LogonUser and ImpersonateLoggedOnUser, then ImpersonateNamedPipeClient [2] |
| Impact::Disk Wipe (F0014) | An overwrite component overwrites the MBR so that the compromised computer can no longer start [4] |
| Execution::Command and Scripting Interpreter (E1059) | The wiper component of Shamoon creates a service to run the driver with the command `sc create hdv_725x type= kernel start= demand binpath= WINDOWS\hdv_725x.sys 2>&1 >nul` and sends an additional reboot command after completion [2] |
| Command and Control::Ingress Tool Transfer (E1105) | Creates a folder on remote computers and then copies its executables (Shamoon and Filerase) into that directory [3] |
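The three host-observable behaviours in the table (a kernel driver service created via `sc` with an image outside the normal drivers directory, the RemoteRegistry service being enabled, and LocalAccountTokenFilterPolicy set to 1) can be matched against process-creation and registry-set telemetry. The following is an added detection example, not code from the catalog or from any referenced report; the event shapes and sample events are constructed and only loosely modelled on Sysmon Event ID 1 and 13 fields.

```python
import re

# Constructed sample events (not from the page), loosely shaped like Sysmon
# Event ID 1 (process create) and Event ID 13 (registry value set).
SAMPLE_EVENTS = [
    {"kind": "process", "cmdline": "sc create hdv_725x type= kernel start= demand "
                                   "binpath= WINDOWS\\hdv_725x.sys 2>&1 >nul"},
    {"kind": "process", "cmdline": "sc create vendordrv type= kernel start= demand "
                                   "binpath= C:\\Windows\\System32\\drivers\\vendordrv.sys"},
    {"kind": "process", "cmdline": "sc config RemoteRegistry start= auto"},
    {"kind": "process", "cmdline": "sc query wuauserv"},
    {"kind": "registry",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
     "details": "DWORD (0x00000001)"},
]

SC_CMD = re.compile(r"\bsc(?:\.exe)?\s+(create|config)\s+(\S+)\s+(.*)", re.IGNORECASE)
SC_OPT = re.compile(r"(\w+)=\s*(\S+)")  # sc syntax puts a space after '=': "type= kernel"
DRIVER_DIR = re.compile(r"\\system32\\drivers\\", re.IGNORECASE)


def sc_options(arg_text):
    """Parse 'key= value' pairs from an sc.exe argument string into a dict."""
    return {k.lower(): v for k, v in SC_OPT.findall(arg_text)}


def detect(events):
    """Return (rule, evidence) hits for the Shamoon behaviours listed above."""
    hits = []
    for ev in events:
        if ev["kind"] == "process":
            m = SC_CMD.search(ev["cmdline"])
            if not m:
                continue
            verb, svc, opts = m.group(1).lower(), m.group(2), sc_options(m.group(3))
            # Kernel driver service whose image is not under System32\drivers
            if verb == "create" and opts.get("type", "").lower() == "kernel" \
                    and not DRIVER_DIR.search(opts.get("binpath", "")):
                hits.append(("kernel_driver_outside_drivers_dir", svc))
            # RemoteRegistry reconfigured to a startable state
            if verb == "config" and svc.lower() == "remoteregistry" \
                    and opts.get("start", "").lower() != "disabled":
                hits.append(("remoteregistry_enabled", svc))
        elif ev["kind"] == "registry":
            # LocalAccountTokenFilterPolicy=1 lifts remote UAC token filtering
            if ev["target"].lower().endswith("\\localaccounttokenfilterpolicy") \
                    and ev["details"].endswith("(0x00000001)"):
                hits.append(("remote_uac_filter_disabled", ev["target"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The second sample event is a benign-looking kernel driver installed from the standard drivers directory and is deliberately not flagged, so the rule keys on the unusual image location rather than on `sc create` alone.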

Indicators of Compromise

SHA256 Hashes

  • c617120895646f73bc880c0aca18990deda3db9be03f6b3564013e26dedfa3f9

References

[1] https://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow

[2] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/

[3] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/

[4] https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=281521ea-2d18-4bf9-9e88-8b1dc41cfdb6&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments