General

Target: 7114.js
Size: 924KB
Sample: 210810-89dl5weby2
MD5: 07f090249cbb74e99d45ef1b7736fb4d
SHA1: 17a7c3ccdf04a6cbc08b514e818ba26a150dbea9
SHA256: ce60311f972334032b25221385076f68474c28b6249e292b6925af9f16acb07e
SHA512: 4a54a6824ab0e99ca656100e230f348289f9a56c6f69298f83e08b81c08267d47d2518175ae68d1d7729ed7252b8b08815926e0b0f8da6f56737bb2d7b817440
Tasks

Static task: static1
Behavioral task: behavioral1 (sample 7114.js, resource win7v20210410)
Behavioral task: behavioral2 (sample 7114.js, resource win10v20210408)
Malware Config

Extracted URL: https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php

Extracted ransom note
Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Emails: kd8eby0@onionmail.org, kd8eby0@nuke.africa
Targets

Target: 7114.js (924KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Score: 10/10

Buran
Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.

Signatures
- Blocklisted process makes network request
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
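As an added example, not part of the Triage report, the Python below turns the indicators in the Malware Config section and the behaviour signatures above into checks a responder could run over endpoint telemetry. Only the hashes, the extracted URL, the ransom-note path, the family name and the two e-mail addresses come from the report; everything else is an assumption made for the demo: the `<TYPE> <detail>` log format, the file name `payload.exe`, the list of IP-lookup hosts (the report does not name the service that was queried), and the ransom-note text are constructed.

```python
import hashlib
import re
from collections import Counter

# Indicators copied from the report above.
KNOWN_HASHES = {
    "md5": "07f090249cbb74e99d45ef1b7736fb4d",
    "sha1": "17a7c3ccdf04a6cbc08b514e818ba26a150dbea9",
    "sha256": "ce60311f972334032b25221385076f68474c28b6249e292b6925af9f16acb07e",
}
C2_HOST = "erzurum.us"  # host of the extracted URL
RANSOM_NOTE = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
CONTACT_EMAILS = {"kd8eby0@onionmail.org", "kd8eby0@nuke.africa"}

# ASSUMPTION: the report says a legitimate IP-lookup service is queried but does
# not name it, so this host list is a guess for the demo, not taken from the page.
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ifconfig.me", "ipinfo.io"}

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
ROOT_DRIVE_RE = re.compile(r"^([A-Z]):\\$", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a byte string, the algorithms the report header lists."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in KNOWN_HASHES}


def is_known_sample(data: bytes) -> bool:
    """True only when every digest matches the report (the JS itself is not on the page)."""
    return file_hashes(data) == KNOWN_HASHES


def host_of(url_or_host: str) -> str:
    """Reduce 'https://erzurum.us/x/y.php' or 'erzurum.us' to the bare host name."""
    return url_or_host.split("://", 1)[-1].split("/", 1)[0].lower()


def classify(line: str) -> list:
    """Map one constructed '<TYPE> <detail>' log line to the report's signature names."""
    kind, _, detail = line.strip().partition(" ")
    detail = detail.strip()
    hits = []
    if kind == "NET":
        host = host_of(detail)
        if host == C2_HOST or host.endswith("." + C2_HOST):
            hits.append("Blocklisted process makes network request")
        if host in IP_LOOKUP_HOSTS:
            hits.append("Looks up external IP address via web service")
    elif kind == "REG" and RUN_KEY_RE.search(detail):
        hits.append("Adds Run key to start application")
    elif kind == "FILE":
        m = ROOT_DRIVE_RE.match(detail)
        if m and m.group(1).upper() != "C":  # root of a drive other than C:
            hits.append("Enumerates connected drives")
        if detail.upper().endswith(RANSOM_NOTE.upper()):
            hits.append("Drops ransom note")
    return hits


def analyze(lines) -> Counter:
    """Count signature hits over a log; 'Executes dropped EXE' needs correlation,
    so a PROC start is flagged only if the same .exe path was written earlier."""
    written = set()
    hits = Counter()
    for line in lines:
        kind, _, detail = line.strip().partition(" ")
        detail = detail.strip()
        if kind == "FILE" and detail.lower().endswith(".exe"):
            written.add(detail.lower())
        if kind == "PROC" and detail.lower() in written:
            hits["Executes dropped EXE"] += 1
        for sig in classify(line):
            hits[sig] += 1
    return hits


def note_contacts(note_text: str) -> set:
    """Pull contact addresses out of ransom-note text for comparison with the report."""
    return set(EMAIL_RE.findall(note_text))


# CONSTRUCTED sample telemetry; payload.exe is a hypothetical name, not from the report.
SAMPLE_LOG = [
    "NET https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php",
    "FILE C:\\Users\\user\\AppData\\Local\\Temp\\payload.exe",
    "PROC C:\\Users\\user\\AppData\\Local\\Temp\\payload.exe",
    "REG HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\payload",
    "FILE D:\\",
    "FILE E:\\",
    "FILE C:\\",
    "NET api.ipify.org",
    "FILE C:\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
]

# CONSTRUCTED note text: only the family name and addresses come from the report.
SAMPLE_NOTE = "buran: contact kd8eby0@onionmail.org or kd8eby0@nuke.africa."

if __name__ == "__main__":
    for sig, n in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{n}x {sig}")
    print("known contacts:", note_contacts(SAMPLE_NOTE) & CONTACT_EMAILS)
```

The host comparison is done on the bare host rather than the full URL because the path segment of the extracted URL is sample-specific and unlikely to recur, while the domain is the durable indicator; the drive check deliberately ignores C:\ so that ordinary reads of the system drive do not count as enumeration.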