Skip to content

Hide Navigation Hide TOC

Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3)

Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. Analysis has linked Shamoon with Kwampirs based on multiple shared artifacts and coding patterns.(Citation: Cylera Kwampirs 2022) The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)

Cluster A Galaxy A Cluster B Galaxy B Level
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
System Shutdown/Reboot - T1529 (ff73aa03-0090-4464-83ac-f89e233c02bc) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Shamoon (776b1849-8d5b-4762-8ba1-cbbaddb4ce3a) Tool Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern Shamoon - S0140 (8901ac23-6b50-410c-b0dd-d8174a86f9b3) Malware 1
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9) Attack Pattern Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2