| ID | X0016 |
| Type | Ransomware |
| Aliases | MSIL/Samas.A, Samas, Samsa |
| Platforms | Windows |
| Year | 2015 |
| Associated ATT&CK Software | SamSam |
SamSam is ransomware.
See ATT&CK: SamSam - Techniques Used.
| Name | Use |
|---|---|
| Impact::Data Encrypted for Impact (E1486) | SamSam encrypts data to hold for ransom. [1] |
| Execution::Exploitation for Client Execution::Remote Desktop Protocols (E1203.m01) | Attackers associated with SamSam exploit vulnerabilities in remote desktop protocols (RDP), Java-based web servers, or file transfer protocol (FTP) servers. [5] |
| Anti-Static Analysis::Executable Code Obfuscation (B0032) | SamSam obfuscates functions, class names and strings, including the list of targeted file extensions, the help file contents and environment variables using DES encryption with a fixed hard-coded key and the IV. [2] |
| Execution::Command and Scripting Interpreter (E1059) | SamSam uses a batch file for executing the malware and deleting certain components. [3] |
| Defense Evasion::Obfuscated Files or Information::Encryption of Code (E1027.m07) | SamSam obfuscates functions, class names and strings, including the list of targeted file extensions, the help file contents and environment variables using DES encryption with a fixed hard-coded key and the IV. [2] |
| Discovery::File and Directory Discovery (E1083) | SamSam enumerates files on Windows. [4] |
| Name | Use |
|---|---|
| File System::Delete File (C0047) | SamSam deletes files. [4] |
| File System::Read File (C0051) | SamSam reads files on Windows. [4] |
SHA256 Hashes
- 0785bb93fdb219ea8cb1673de1166bea839da8ba6d7312284d2a08bd41e38cb9
- 338fdf3626aa4a48a5972f291aacf3d6172dd920fe16ac4da4dd6c5b999d2f13
- 3531bb1077c64840b9c95c45d382448abffa4f386ad88e125c96a38166832252
- 4856f898cd27fd2fed1ea33b4d463a6ae89a9ccee49b134ea8b5492cb447fb75
- 516fb821ee6c19cf2873e637c21be7603e7a39720c7d6d71a8c19d8d717a2495
- 72832db9b951663b8f322778440b8720ea95cde0349a1d26477edd95b3915479
- 754fab056e0319408227ad07670b77dde2414597ff5e154856ecae5e14415e1a
- 88d24b497cfeb47ec6719752f2af00c802c38e7d4b5d526311d552c6d5f4ad34
- 88e344977bf6451e15fe202d65471a5f75d22370050fe6ba4dfa2c2d0fae7828
- 8eabfa74d88e439cfca9ccabd0ee34422892d8e58331a63bea94a7c4140cf7ab
- 8f803b66f6c6bc4da9211a2c4c4c5b46a113201ecaf056d35cad325ec4054656
- dabc0f171b55f4aff88f32871374bf09da83668e1db2d2c18b0cd58ed04f0707
- e7bebd1b1419f42293732c70095f35c8310fa3afee55f1df68d4fe6bbee5397e BTC Wallet
- 1MddNhqRCJe825ywjdbjbAQpstWBpKHmFR Tor Onion Service
- jcmi5n4c3mvgtyt5.onion
[1] https://www.cisa.gov/uscert/ncas/alerts/AA18-337A
[2] https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html
[3] https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf
[4] capa v4.0, analyzed at MITRE on 10/12/2022
[5] https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/