From the Front Lines | Slam! Anatomy of a Publicly-Available Ransomware Builder

Publicly available Slam Ransomware Builder lowers the barrier to entry for cybercriminals by offering free tooling, while presenting credible threats to enterprises. The article details Slam’s features, capabilities, and indicators of compromise to help defenders detect and protect against Slam payloads. #SlamRansomwareBuilder #UACMe #MBRBuilder #VSSDeletion #OneDriveExfiltration #ConsoleApp2

Keypoints

  • The Slam Ransomware Builder appeared in late 2021 and led to Slam payloads in the wild; GitHub-hosted versions were removed on Sept 1, 2022.
  • It is described as a full-featured ransomware with AES256 encryption, UAC bypass, shadow backup copy deletion and data exfiltration capabilities.
  • The tool provides extensive configuration options, including ransom notes, custom encryption passphrases, network awareness, persistence, and advanced settings.
  • Defense-evasion features include blocking antivirus sites by modifying the Hosts file to map security domains to 127.0.0.1.
  • The Slam builder includes a very early-stage MBR builder (“Alpha MBR builder”) and an option to configure MBR-based payloads, including reboot behavior.
  • Payloads are written to a user path and registered for persistence, with explicit mention of Run Keys in the registry and direct file paths like %AppData%\Local\discord.exe.
  • Indicators of compromise include specific file names, PDB strings, and numerous SHA1 hashes associated with Slam artifacts.

MITRE Techniques

  • [T1542.003] Pre-OS Boot: Bootkit – Uses an early-stage MBR builder to influence boot behavior; “Payloads from the MBR builder have been observed in the wild with the following PDB string.”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persists by writing the payload to a path and calling it from the registry Run key; “The payload is written to %AppData%\Local\discord.exe, which is called in the registry (Run key), ensuring the ransomware payload is persistent.”
  • [T1112] Modify Registry – Uses registry Run Keys for persistence and other registry modifications as part of setup; “The payload is written to %AppData%\Local\discord.exe, which is called in the registry (Run key)…”
  • [T1548.002] Bypass User Account Control – Deploys a UAC bypass based on UACMe to defeat Windows UAC via the AutoElevate backdoor; “single UAC bypass, based on UACMe, which attempts to defeat Windows User Account Control by abusing the built-in Windows AutoElevate backdoor.”
  • [T1490] Inhibit System Recovery – Includes options to block recovery and destructive actions designed to hinder restoration; “Inhibit recovery (website blocking, self-destruction, backup destruction).”
  • [T1486] Data Encrypted for Impact – Encrypts victim data with AES256 and provides encryption/decryption components; “Slam is a full-featured ransomware with AES256 encryption…”
  • [T0809] Data Destruction – Includes backup destruction and related destructive behaviors as part of the threat model; “backup destruction” is listed as part of the recovery-inhibiting capabilities.
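Two of the behaviours above (mapping security-vendor domains to 127.0.0.1 in the Hosts file, and a Run-key value launching %AppData%\Local\discord.exe) can be checked for directly on a host. The script below is an added defender-side example, not code from SentinelOne or from the Slam builder; the Hosts-file contents and Run-key values it scans are constructed, and the list of vendor domains and the handling of the expanded `AppData\Roaming\Local` form are assumptions.

```python
"""Host checks for two Slam behaviours described on this page (added example).

1. Hosts-file entries that sink security-vendor domains to a loopback/null address.
2. Registry Run-key values that launch the payload path %AppData%\\Local\\discord.exe.
"""
import re
from typing import Dict, List, Tuple

# Assumed watch-list of security-vendor domains (illustrative; the page names no domains).
SECURITY_DOMAINS = {
    "sentinelone.com", "virustotal.com", "malwarebytes.com", "avast.com", "kaspersky.com",
}
# Addresses that make a name unreachable when placed in the Hosts file.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# "<ip> <name> [<name> ...]" with an optional trailing "# comment".
HOSTS_LINE = re.compile(r"^\s*(?P<ip>[0-9a-fA-F.:]+)\s+(?P<hosts>[^#]+)")


def hosts_file_blocks(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs where a security domain or one of its subdomains is sinkholed."""
    findings = []
    for line in hosts_text.splitlines():
        m = HOSTS_LINE.match(line)
        if not m or m.group("ip") not in SINKHOLE_IPS:
            continue
        for name in m.group("hosts").split():
            name = name.lower().rstrip(".")
            if name in SECURITY_DOMAINS or any(name.endswith("." + d) for d in SECURITY_DOMAINS):
                findings.append((m.group("ip"), name))
    return findings


# Matches the path from the page both unexpanded (%AppData%\Local\discord.exe) and, as an
# assumption, in its expanded form (...\AppData\Roaming\Local\discord.exe).
PAYLOAD_PATH = re.compile(r"appdata%?\\(?:roaming\\)?local\\discord\.exe", re.IGNORECASE)


def suspicious_run_values(run_values: Dict[str, str]) -> List[str]:
    """Return the Run-key value names whose command line references the Slam payload path."""
    return [name for name, cmd in run_values.items() if PAYLOAD_PATH.search(cmd)]


# Constructed sample data standing in for C:\Windows\System32\drivers\etc\hosts and
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 www.sentinelone.com sentinelone.com
0.0.0.0 virustotal.com   # blocked by payload
10.0.0.5 intranet.example
"""
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "discord": r"%AppData%\Local\discord.exe",
}

if __name__ == "__main__":
    for ip, host in hosts_file_blocks(SAMPLE_HOSTS):
        print(f"hosts file sinkholes security domain: {host} -> {ip}")
    for value in suspicious_run_values(SAMPLE_RUN_VALUES):
        print(f"Run key value references Slam payload path: {value}")
```

On a live system the Hosts file would be read from `%SystemRoot%\System32\drivers\etc\hosts` and the Run values enumerated from the HKCU and HKLM `...\CurrentVersion\Run` keys; the matching logic is unchanged.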

Indicators of Compromise

  • [File Name] – ConsoleApp2.exe, slam ransomware builder.exe – observed in the Slam artifacts and related build/run contexts.
  • [PDB Strings] – “C:\slam_mbr_builder\MbrOverwriter\mbrcs\obj\Debug\mbrcs.pdb” and “C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\ConsoleApp2.pdb” – found in build/config data.
  • [SHA1 Hashes] – 1ba9043ac164c6c60de4a1ee2ca50b2e7f4ebaf5, 2037d9f2e7cd15930e83f5142c5a48adecd3b617 – associated with Slam payloads and components (and many more hashes).

Read more: https://www.sentinelone.com/blog/from-the-front-lines-slam-anatomy-of-a-publicly-available-ransomware-builder/