Resubmissions

05-10-2021 19:56

211005-yn32hsacd9 10

27-09-2021 13:20

210927-qlaceshagr 10

General

  • Target

    HotCoffeeRansomware.exe

  • Size

    776KB

  • Sample

    210927-qlaceshagr

  • MD5

    c054c0f03277f7f0bdad9350fa3d5c2d

  • SHA1

    752071b548bb3a4c45c91174fcf5cf95ce99638a

  • SHA256

    546f3a70ab029ad78105f1b7cf581038362cfbb3c7120326075552d72656ec98

  • SHA512

    783a02a18f15c80c21cb08b9822ab02c0f62a11340edbbc44a364db9d820bda795db086f843ed3c2597d86c2933dc531ebdaa2ab3fc97e3f5e18aa3c437f6576

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOT_COFFEE_README.hta

Ransom Note
GIVE ME HOT COFFEE You have been bamboozled by the hot coffee ransomware. Your files have been encrypted using military grade encryption and only we have the decryption key. If you want to get your files back you need to pay a ransom of 1 large long black with an extra espresso shot. Email EMAIL@protonmail.com for further instructions. You have 7 days to pay or else.
Emails

EMAIL@protonmail.com

Targets

    • Target

      HotCoffeeRansomware.exe

    • Size

      776KB

    • MD5

      c054c0f03277f7f0bdad9350fa3d5c2d

    • SHA1

      752071b548bb3a4c45c91174fcf5cf95ce99638a

    • SHA256

      546f3a70ab029ad78105f1b7cf581038362cfbb3c7120326075552d72656ec98

    • SHA512

      783a02a18f15c80c21cb08b9822ab02c0f62a11340edbbc44a364db9d820bda795db086f843ed3c2597d86c2933dc531ebdaa2ab3fc97e3f5e18aa3c437f6576

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Tasks