General
Target: 2988.zip
Size: 427KB
Sample: 210810-8tcx1fnns6
MD5: 6a36fca9f379b98c8c762036d066f04b
SHA1: 6bde482cbb536c4b6f6dfce935633eaa8264018f
SHA256: e747eb439e6de1810c84d328c6c015365a0b48d87a6e2b12dd9339665ad6af77
SHA512: cd432f4f4ef3c34a487c40acb6e9bd27ff7749b4694607a593f7849c32465b4a7a11d1b1b540e9908b6f2a4f0448bddb0b849c6fae4d1889d40b4000e2fbabc6
Static task: static1
Behavioral task: behavioral1
Sample: 2988.js
Resource: win7v20210408
Behavioral task: behavioral2
Sample: 2988.js
Resource: win10v20210410
Malware Config
Extracted (C2 URL): https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php
Extracted (ransom note): C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Contact e-mails: kd8eby0@onionmail.org, kd8eby0@nuke.africa
Targets
Target: 2988.js
Size: 702KB
MD5: 5722cc13cc4d2f58cbc35fa38d33a208
SHA1: 431326c4fd9f62457f56aa6e9a0ee86c9fe5b7f7
SHA256: bb96e1541b8ff33e5ff71c2d4298019f815a93a5c5f84d46197212784f5ef804
SHA512: 21febe0557b5ea65bcac19668777ee75e10a96eabc85eb421c4c747c6ea9a10d0ce2a1c7b8f579d832c226216579e498164efd4cf481176479d66a9672866eda
Score: 10/10
Signatures:
Buran: Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.
Adds Run key to start application
Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.