Tool: PassKillDisk
Names: PassKillDisk
Description: A wiper.
Category: Malware
Type: Wiper
Information: https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/
Last-card-change: 2020-04-20
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Observed behaviour |
---|---|---|
Execution | T1106 Native API | KillDisk has called the Windows API to retrieve the hard disk handle and shut down the machine. |
Privilege Escalation / Defense Evasion | T1134 Access Token Manipulation | KillDisk has attempted to get the access token of a process by calling OpenProcessToken. If KillDisk gets the access token, it then attempts to modify the token privileges with AdjustTokenPrivileges. |
Defense Evasion | T1070.001 Indicator Removal: Clear Windows Event Logs | KillDisk deletes the Application, Security, Setup, and System Windows event logs. |
Defense Evasion | T1036.004 Masquerading: Masquerade Task or Service | KillDisk registers as a service under the Plug-and-Play Support name. |
Defense Evasion | T1027 Obfuscated Files or Information | KillDisk uses VMProtect to make reverse engineering the malware more difficult. |
Discovery | T1083 File and Directory Discovery | KillDisk has used the FindNextFile command as part of its file deletion process. |
Discovery | T1082 System Information Discovery | KillDisk retrieves the hard disk name by calling the CreateFileA API on \\.\PhysicalDrive0. |
Impact | T1485 Data Destruction | KillDisk deletes system files to make the OS unbootable. KillDisk also targets and deletes files with 35 different file extensions. |
Impact | T1486 Data Encrypted for Impact | KillDisk has a ransomware component that encrypts files with an AES key that is also RSA-1028 encrypted. |
Impact | T1561.002 Disk Wipe: Disk Structure Wipe | KillDisk overwrites the first sector of the Master Boot Record with 0x00. |
Impact | T1489 Service Stop | KillDisk terminates various processes to get the user to reboot the victim machine. |
Impact | T1529 System Shutdown/Reboot | KillDisk attempts to reboot the machine by terminating specific processes. |