Home
Software
Avaddon

Avaddon

Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.^[1]^[2]

ID: S0640

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Contributors: Matt Brenton, Zurich Global Information Security

Version: 1.0

Created: 23 August 2021

Last Modified: 25 April 2025

Version Permalink

Live Version

Enterprise Layer

download view

Techniques Used

Domain	ID		Name	Use
Enterprise	T1548	.002	Abuse Elevation Control Mechanism:Bypass User Account Control	Avaddon bypasses UAC using the CMSTPLUA COM interface.^[2]
Enterprise	T1547	.001	Boot or Logon Autostart Execution:Registry Run Keys / Startup Folder	Avaddon uses registry run keys for persistence.^[2]
Enterprise	T1059	.007	Command and Scripting Interpreter:JavaScript	Avaddon has been executed through a malicious JScript downloader.^[3]^[1]
Enterprise	T1486		Data Encrypted for Impact	Avaddon encrypts the victim system using a combination of AES256 and RSA encryption schemes.^[2]
Enterprise	T1140		Deobfuscate/Decode Files or Information	Avaddon has decrypted encrypted strings.^[2]
Enterprise	T1083		File and Directory Discovery	Avaddon has searched for specific files prior to encryption.^[2]
Enterprise	T1562	.001	Impair Defenses:Disable or Modify Tools	Avaddon looks for and attempts to stop anti-malware solutions.^[2]
Enterprise	T1490		Inhibit System Recovery	Avaddon deletes backups and shadow copies using native system tools.^[3]^[2]
Enterprise	T1112		Modify Registry	Avaddon modifies several registry keys for persistence and UAC bypass.^[2]
Enterprise	T1106		Native API	Avaddon has used the Windows Crypto API to generate an AES key.^[3]
Enterprise	T1135		Network Share Discovery	Avaddon has enumerated shared folders and mapped volumes.^[2]
Enterprise	T1027		Obfuscated Files or Information	Avaddon has used encrypted strings.^[2]
Enterprise	T1057		Process Discovery	Avaddon has collected information about running processes.^[2]
Enterprise	T1489		Service Stop	Avaddon looks for and attempts to stop database processes.^[2]
Enterprise	T1614	.001	System Location Discovery:System Language Discovery	Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities.^[2]
Enterprise	T1016		System Network Configuration Discovery	Avaddon can collect the external IP address of the victim.^[1]
Enterprise	T1047		Windows Management Instrumentation	Avaddon uses wmic.exe to delete shadow copies.^[3]

References

Gahlot, A. (n.d.). Threat Hunting for Avaddon Ransomware. Retrieved August 19, 2021.
Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.

Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021.

Movatterモバイル変換

Avaddon

Enterprise Layer

Techniques Used

References