General

  • Target

    8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc

  • Size

    59KB

  • Sample

    210831-ldycz9hdzj

  • MD5

    04fde4340cc79cd9e61340d4c1e8ddfb

  • SHA1

    88fc623483f7ffe57f986ed10789e6723083fcd8

  • SHA256

    8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc

  • SHA512

    105ddfb8bbfedc8460fb1e6d26c6cd02ea81bfdc12a196c1c2f8e52bc73faf03a688339b4c231ab5b5b3885f2ad248115c32c95fc64e84462a16c3e237e6fc9c

Malware Config

Extracted

Path

C:\\README.f2cbf9aa.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/GM0CG8TNZ83ZPUD15TL76BLDCG0ST24TR6NXG1J2AVXSKF8KS4KFIIN2ON5GRWD4 When you open our website, put the following data in the input form: Key: lsJTyyTnzJlGQ1I6sfwV6oVcXaRynwN6mWphA7BKXEDIHJcDlhNNHsrxlkpggRChK2nQ7wP0sknJvl37lbqElTopkUywK3QnfJFmqDBSCmFISeWSudjgwxB4kKSp7h4VySHeu4LmDiZXTAh1dbZHWxTtZ0bA6PhCoDrbGkctY4rucITW4IdYUZJC8d2B7SFnr5EA7EoRkajrZW54brM5Kgwqsz67qzH6Hk0Vr3EDcnGzNjGQBapJczIWkgPtMCJdTkeemQ34XH7wawXu3eOGV3uJlBZNoSuaxtDHMGApS8EWsUXhafMW8WxFLAPLCo6pdm7MLcLsVDp9iBXU1sLv2KkGyUJbO0KOmom9f1JREuidviHRfsndEgMFBAjyq5v4VEIraiioAbtWM7eecYaXPVt3rolsBi8mtjxLOpFj73NPPitoIDxBNfHGzXxvRTXi06Pjx9pRnAtjIqoq5wovnHa8uBel8nq8yDJTk7NWdGdsv3yVwV2TmBin7OvFqHN9lweFNJyuziKCVGEtSaglUNudMmpFnNObGlhfh58jQsrQiQZ2d3AOFsi !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/GM0CG8TNZ83ZPUD15TL76BLDCG0ST24TR6NXG1J2AVXSKF8KS4KFIIN2ON5GRWD4

Targets

    • Target

      8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc

    • Size

      59KB

    • MD5

      04fde4340cc79cd9e61340d4c1e8ddfb

    • SHA1

      88fc623483f7ffe57f986ed10789e6723083fcd8

    • SHA256

      8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc

    • SHA512

      105ddfb8bbfedc8460fb1e6d26c6cd02ea81bfdc12a196c1c2f8e52bc73faf03a688339b4c231ab5b5b3885f2ad248115c32c95fc64e84462a16c3e237e6fc9c

    • DarkSide

      Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Impact

Defacement

1
T1491

Tasks