Synapse RaaS appeared in February 2024 and distributes the SynapseCrypter payload through dark web affiliates, featuring fast encryption, NTFS listing, and privilege escalation. The family borrows elements from Lambda and Babuk, performs Iran-aware checks to skip Iranian targets, and uses a TOR-based channel for ransom negotiations. #SynapseRaaS #SynapseCrypter #BabukRansomware #LambdaRansomware #RAMP #Iran #IranianSystems
Keypoints
- Synapse RaaS emerged in February 2024 and operates via Dark Web/onion affiliates.
- SynapseCrypter spares Iranian-based systems from encryption, implying attribution considerations.
- The ransomware borrows features from Lambda Ransomware (VoidCrypt group) and Babuk Ransomware.
- Pre-encryption steps include privilege escalation, defense-system impairment, and shadow copy deletion.
- Encryption uses NTFS search and CHACHA8 cipher, with whitelists to skip certain files/folders.
- Post-encryption actions include file renaming, wallpaper/icon changes, and data wiping; C2 telemetry occurs via HTTP POST to hardcoded IPs and onion-based ransom chat.
- Affiliates negotiate via onion services; no public data leak site is used.
MITRE Techniques
- [T1047] Windows Management Instrumentation – An instance of class WBEM Locator is created using Windows API call CoCreateInstance with CLSID pointing to wbemprox.dll. “An instance of class WBEM Locator is created using Windows API call CoCreateInstance… wbemprox.dll”
- [T1059.003] Windows Command Shell – The malware supports command line usage such as triggering via a command line argument “-smode”. “command line argument: -smode”
- [T1106] Native API – The sample imports only msvcrt.dll for _ftol2_sse and loads other imports dynamically via LoadLibraryW() and GetProcAddress(). “It has only 1 import [ msvcrt.dll -> _ftol2_sse ], and all other important imports are loaded dynamically using LoadLibraryW() and GetProcAddress()”
- [T1559.001] Component Object Model – Before encryption, the malware utilizes COM objects to enumerate and delete ShadowCopies. “COM Objects to Delete ShadowCopy”
- [T1134] Access Token Manipulation – Access token impersonation used to elevate privileges: “Access token manipulation attacks are widely employed to elevate privileges on a system.”
- [T1027] Obfuscated Files or Information – STR1 uses a 32-byte XOR-based marker for encryption: “STR1 ‘Chuong Dong looks like <REDACTED>!!’ with 32 bytes size – Figure 4 serves as a marker for a customized encryption operation.”
- [T1070.004] File Deletion – Wiper behavior: “The PE drops a Wiper that writes 0x00 bytes until the drive is full and then deletes the file.”
- [T1562.001] Disable or Modify Tools – Kills Defender and associated services: “Kills Windows Defender and associated services.”
- [T1027.009] Embedded Payloads – The malware embeds a secondary payload inside the binary (e.g., the “.rdata” section): “embedded inside ‘.rdata’ section of SynapseCrypter.exe”
- [T1140] Deobfuscate/Decode Files or Information – Decrypted configuration is stored as JSON: “The decrypted configuration is stored as JSON…”
- [T1046] Network Service Discovery – ARP scanning used to discover online hosts on the LAN: “ARP scanning for discovering online hosts in the LAN.”
- [T1057] Process Discovery – The malware identifies specific processes (e.g., lsass.exe) and uses them: “The malware identifies ‘lsass.exe’ process and returns PID.”
- [T1082] System Information Discovery – Telemetry includes OS information in an “os” field: “os”: “Windows 10 Enterprise Evaluation”
- [T1083] File and Directory Discovery – All files on a drive are scanned before encryption: “All files from a drive are scanned before encryption…”
- [T1124] System Time Discovery – Time zone checks via Windows APIs: “GetTimeZoneInformation() to retrieve the host’s time zone.”
- [T1614.001] System Language Discovery – Language checks using UILanguage APIs: “GetSystemDefaultUILanguage() and GetUserDefaultUILanguage()”
- [T1071.001] Web Protocols – Telemetry reports are sent via HTTP POST: “SynapseCrypter sends telemetry reports to cyber criminals via HTTP POST request.”
- [T1573] Encrypted Channel – The POST data is encrypted: “the data is encrypted and sent via an HTTP POST request.”
- [T1486] Data Encrypted for Impact – Files are encrypted: “All your files are encrypted and stolen…”
- [T1489] Service Stop – Defender/services are stopped: “Windows Defender and associated services” are terminated.
- [T1490] Inhibit System Recovery – Shadow copy deletion and space wiping to hinder recovery: “wipe shadowcopy” and related steps.
- [T1491.001] Internal Defacement – Visual changes (wallpaper/icon) on infection: “Sets ICON for .Synapse extension and sets a wallpaper.”
- [T1529] System Shutdown/Reboot – Process shutdown prioritization and finalization: “SetProcessShutdownParameters to ensure it executes with the highest priority and only terminates after completing encryption tasks.”
- [T1561.001] Disk Content Wipe – Wipes disk content/free space as cleanup: “Disk Content Wipe” and “wipe freespace.”
Indicators of Compromise
- [Hash] 32f02e1e6d9104a070f260bca9ccbccb0add32c0a7f7dca0653dec41c35803d6 – SHA256 Hash – SynapseCrypter.exe
- [Hash] aaf01487c83e889aae33f7e8874f1f96eb3ed50b894af513872c10812bff983f – SHA256 Hash – SynapseCrypter.exe Demonstration Variant
- [Hash] 0c072ede214ca59969b580f3863cdbfc8578c7d618940883726a4d1c5c54899b – SHA256 Hash – Free Space Wiper executable embedded in SynapseCrypter.exe
- [IP] 182.51.67.11 – C2 – Sends report about execution and encryption
- [IP] 209.38.216.53 – C2 – Sends report about execution and encryption
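As an added example (not code from the CYFIRMA report or from this summary), a small Python matcher that applies the IoCs above and three of the listed behaviours (the -smode argument, HTTP POST to the two C2 addresses, mass renaming of files to the .Synapse extension) to constructed telemetry events; the flat event-dict schema and the rename threshold are assumptions, not a real product's format.

```python
import re
from collections import Counter
C2_IPS = {"182.51.67.11", "209.38.216.53"}            # from the IoC list above
SHA256_IOCS = {                                        # SynapseCrypter and wiper hashes above
    "32f02e1e6d9104a070f260bca9ccbccb0add32c0a7f7dca0653dec41c35803d6",
    "aaf01487c83e889aae33f7e8874f1f96eb3ed50b894af513872c10812bff983f",
    "0c072ede214ca59969b580f3863cdbfc8578c7d618940883726a4d1c5c54899b",
}
SYNAPSE_EXT = re.compile(r"\.synapse$", re.IGNORECASE)  # extension set by the ransomware

def match_event(ev):
    """Return rule labels firing on one event; event schema is an assumed flat dict."""
    hits, kind = [], ev.get("type")
    if kind == "process":
        if ev.get("sha256", "").lower() in SHA256_IOCS:
            hits.append("ioc_sha256_synapsecrypter")
        if "-smode" in ev.get("cmdline", "").split():     # T1059.003 argument from the page
            hits.append("T1059.003_smode_argument")
    elif kind == "network":
        if ev.get("dst_ip") in C2_IPS and ev.get("method", "").upper() == "POST":
            hits.append("T1071.001_post_to_synapse_c2")   # telemetry report to C2
    elif kind == "file_rename" and SYNAPSE_EXT.search(ev.get("new_name", "")):
        hits.append("T1486_rename_to_synapse")
    return hits

def scan(events, rename_threshold=5):
    """Collect per-event hits and flag any process renaming many files to .Synapse."""
    findings, renames = [], Counter()
    for ev in events:
        for label in match_event(ev):
            findings.append((ev.get("pid"), label))
            if label == "T1486_rename_to_synapse":
                renames[ev.get("pid")] += 1
    for pid, n in renames.items():
        if n >= rename_threshold:                          # threshold is an assumption
            findings.append((pid, f"mass_rename_to_synapse:{n}"))
    return findings

SAMPLE_EVENTS = [  # constructed sample telemetry, not real captured data
    {"type": "process", "pid": 4321, "cmdline": "SynapseCrypter.exe -smode",
     "sha256": "32f02e1e6d9104a070f260bca9ccbccb0add32c0a7f7dca0653dec41c35803d6"},
    {"type": "network", "pid": 4321, "dst_ip": "182.51.67.11", "method": "POST"},
    {"type": "network", "pid": 900, "dst_ip": "10.0.0.5", "method": "GET"},
] + [{"type": "file_rename", "pid": 4321, "new_name": f"report{i}.docx.Synapse"}
     for i in range(6)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The per-event rules are weak on their own (a -smode argument or a single rename is not proof of infection); the aggregate rename count is what turns them into an alert worth paging on.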
Read more: https://www.cyfirma.com/research/synapse-ransomware-technical-analysis/