Overview

overview

10

Static

static

6440.js

windows7_x64

10

6440.js

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6440.js

  • Size

    541KB

  • Sample

    210831-hdfz8htfb6

  • MD5

    268848cb4ff95f5b95a8c619b626eb1e

  • SHA1

    1ba3890f085853d01475ddf9fa3d991dee706be6

  • SHA256

    f827fc739c432960cabffffa30111ac512e019928c22ce6f55efca587bdb75bf

  • SHA512

    07cfd18fa8ec70db0a1c0f061ee5c6951979bada17777dd30cc473ee0cb161882109920a8d46ca961d4626231d94b4bac85a52180c34ae90442d16d70192781c

Score
10/10
buranpersistenceransomware

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://jolantagraban.pl/log/57843441668980/dll/assistant.php

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 752-02C-F46 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      6440.js

    • Size

      541KB

    • MD5

      268848cb4ff95f5b95a8c619b626eb1e

    • SHA1

      1ba3890f085853d01475ddf9fa3d991dee706be6

    • SHA256

      f827fc739c432960cabffffa30111ac512e019928c22ce6f55efca587bdb75bf

    • SHA512

      07cfd18fa8ec70db0a1c0f061ee5c6951979bada17777dd30cc473ee0cb161882109920a8d46ca961d4626231d94b4bac85a52180c34ae90442d16d70192781c

    Score
    10/10
    buranpersistenceransomware

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

      ransomwareburan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks