General

  • Target

    9403.js

  • Size

    345KB

  • Sample

    210831-ayvc4rd3e6

  • MD5

    eea189749c6dcf6c8c04205ab60bb53c

  • SHA1

    62ddf57299772f737a0ed6b5cc128e6357eea2c8

  • SHA256

    70ec3d6d6a6978bd21bd40b4e3e3a569d48b05fac0a7a8765753704d4197bfa2

  • SHA512

    f0c4f1e2ab43eb984f84abcf36075976f2f2be8e4e87f24c821ddfa076638a7271bb6278f8857bb18113034a6bb89fcf2a2a1c3e3b6b6a39b9536facee985d4e

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://jolantagraban.pl/log/57843441668980/dll/assistant.php

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

    !!! ALL YOUR FILES ARE ENCRYPTED !!!

    All your files, documents, photos, databases and other important files are encrypted.
    You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
    Only we can give you this key and only we can recover your files.

    To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free.
    But this file should be of not valuable!

    Do you really want to restore your files?
    Write to email: [email protected]
    Reserved email: [email protected]
    Reserved email: [email protected]

    Your personal ID: 49A-B0B-A4F

    Attention!
    * Do not rename encrypted files.
    * Do not try to decrypt your data using third party software, it may cause permanent data loss.
    * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      9403.js

    • Size

      345KB

    • MD5

      eea189749c6dcf6c8c04205ab60bb53c

    • SHA1

      62ddf57299772f737a0ed6b5cc128e6357eea2c8

    • SHA256

      70ec3d6d6a6978bd21bd40b4e3e3a569d48b05fac0a7a8765753704d4197bfa2

    • SHA512

      f0c4f1e2ab43eb984f84abcf36075976f2f2be8e4e87f24c821ddfa076638a7271bb6278f8857bb18113034a6bb89fcf2a2a1c3e3b6b6a39b9536facee985d4e

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks