General
Target: 4085.js
Size: 776 KB
Sample: 210810-bncd46zw42
MD5: b6e9c6f1113c92ad6757266ae75769a2
SHA1: 9190e8d268db4deb7cd97624b17cba6617244699
SHA256: 9fca4b9bb2238dec26fc6b6161dc9d62647883966f1cfd661537fb8c097ff4fe
SHA512: 1684c2350b540da9326159455cb57937a2fefc1b97f1231c12cc66ffa601f71ce52096d5c37737d644c49b1c9ae7b5e33eb86890b1405a79d2aa364afbc1f09b
Static task
static1
Behavioral task
behavioral1: sample 4085.js, resource win7v20210410
Behavioral task
behavioral2: sample 4085.js, resource win10v20210408
Malware Config
Extracted URL: https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php
Extracted ransom note: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Emails: kd8eby0@onionmail.org, kd8eby0@nuke.africa
Targets
Target: 4085.js (size and hashes as listed under General)
Score: 10/10
Buran
Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
Adds Run key to start application
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
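The signatures above are individually weak (a Run key write or an outbound connection alone is routine); what makes this a 10/10 verdict is the chain: a script host fetching a PE, the dropped EXE persisting and then renaming user files in bulk. The following is an added example, not part of the sandbox report or the Buran code, that correlates those behaviours over a constructed, EDR-style event stream (field names loosely modelled on Sysmon). The script host names, the IP-lookup hosts, the drop path, the ".enc" suffix and the event shapes are assumptions for illustration; only erzurum.us and the ransom note path come from the report. The "legitimate hosting services abused" signature is not modelled because the report does not say which service it refers to.

```python
"""Correlate Buran-style behaviours over an EDR-style event stream.
Added example; event shapes, process names, hosts and paths are constructed."""
import re
from collections import Counter, defaultdict
from ntpath import basename, splitext

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # default hosts for a .js dropper (assumption)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com"}  # report does not name the service used
PE_EXTENSIONS = {".exe", ".dll"}  # approximation of the sandbox's MZ-magic check
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DRIVE_ROOT_RE = re.compile(r"^([A-Z]):\\$", re.I)
RENAME_THRESHOLD = 20  # extension-changing renames by one process before calling it mass encryption


def detect_buran_chain(events):
    """Return {signature: sorted pids} for the report's behaviours present in the stream."""
    image_of = {}             # pid -> image path of the process
    dropped = {}              # lowercased path -> pid that created the file
    networked = set()         # pids that have made an outbound connection
    renames = Counter()       # pid -> renames that changed the file extension
    hits = defaultdict(set)

    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process_create":
            image_of[pid] = ev["image"]
            # Executes dropped EXE: the new image is a file some process in the stream wrote
            if ev["image"].lower() in dropped and splitext(ev["image"])[1].lower() == ".exe":
                hits["Executes dropped EXE"].add(ev["ppid"])
        elif kind == "file_create":
            dropped[ev["path"].lower()] = pid
            # Downloads MZ/PE file: a process writes a PE after talking to the network
            if pid in networked and splitext(ev["path"])[1].lower() in PE_EXTENSIONS:
                hits["Downloads MZ/PE file"].add(pid)
        elif kind == "network_connect":
            networked.add(pid)
            if basename(image_of.get(pid, "")).lower() in SCRIPT_HOSTS:
                hits["Blocklisted process makes network request"].add(pid)
            if ev["host"].lower() in IP_LOOKUP_HOSTS:
                hits["Looks up external IP address via web service"].add(pid)
        elif kind == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            hits["Adds Run key to start application"].add(pid)
        elif kind == "file_rename":
            if splitext(ev["old"])[1].lower() != splitext(ev["new"])[1].lower():
                renames[pid] += 1
                if renames[pid] >= RENAME_THRESHOLD:
                    hits["Modifies extensions of user files"].add(pid)
        elif kind == "dir_list":
            # Enumerates connected drives: listing the root of any drive other than C:
            m = DRIVE_ROOT_RE.match(ev["path"])
            if m and m.group(1).upper() != "C":
                hits["Enumerates connected drives"].add(pid)
    return {sig: sorted(pids) for sig, pids in hits.items()}


# Constructed sample stream (not from the report): wscript.exe runs the dropper,
# fetches a PE from the extracted domain, the PE persists, enumerates drives,
# looks up the external IP, renames documents and writes the ransom note.
JS = r"C:\Users\u\Downloads\4085.js"
EXE = r"C:\Users\u\AppData\Local\Temp\assistant.exe"  # drop path is an assumption
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1001, "ppid": 500,
     "image": r"C:\Windows\System32\wscript.exe", "cmd": f'wscript.exe "{JS}"'},
    {"type": "network_connect", "pid": 1001, "host": "erzurum.us", "port": 443},
    {"type": "file_create", "pid": 1001, "path": EXE},
    {"type": "process_create", "pid": 1002, "ppid": 1001, "image": EXE, "cmd": EXE},
    {"type": "registry_set", "pid": 1002, "value": EXE,
     "key": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\assistant"},
    {"type": "dir_list", "pid": 1002, "path": "D:\\"},
    {"type": "network_connect", "pid": 1002, "host": "api.ipify.org", "port": 443},
    {"type": "file_create", "pid": 1002, "path": r"C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"},
] + [
    {"type": "file_rename", "pid": 1002,
     "old": rf"C:\Users\u\Documents\report{i}.docx",
     "new": rf"C:\Users\u\Documents\report{i}.docx.enc"}  # suffix is constructed
    for i in range(25)
]

if __name__ == "__main__":
    for sig, pids in detect_buran_chain(SAMPLE_EVENTS).items():
        print(f"{sig}: pids {pids}")
```

The rename threshold and the extension-based PE check are the two places this deliberately under-approximates the sandbox: a real pipeline would look at the first two bytes of the written file for "MZ" and would key the rename burst on the user profile rather than a flat count.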