ryuk

General

Target

sample1_BINFILE.zip
Size

71KB
Sample

211027-ks2scsbbd6
MD5

6161c819bcaac48d9c704bfdac95a607
SHA1

4dff5f080d2c1c10382e41843c08c33fd67fc29d
SHA256

2d3b8208e42e72b356add50649a91ffab352498a0cfe4a4c4828e6a331e63a6d
SHA512

8dd1e9e0e29d21fc02a4145090071f2452b663f69768c1138f9e936033e6f4e06eb21a755c8705065ad50f60e351b822f2dd3437ce483ce90eb4e8bfc8e14948

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'TLS7ST8vlU'; $torlink = 'http://htv4omqldafxwhum7ya3m37o3zcbo2d7kidcpgvp6lky62gi6czx6iqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://htv4omqldafxwhum7ya3m37o3zcbo2d7kidcpgvp6lky62gi6czx6iqd.onion

Targets

- Target
  
  781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample
- Size
  
  139KB
- MD5
  
  8555b213260ba5eda4bf37652cecb431
- SHA1
  
  80bd92b996fce311b52aa791a8ace4b20f8fb7ab
- SHA256
  
  781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a
- SHA512
  
  0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136
Score

10^/10

ryuk discovery ransomware persistence
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Sets service image path in registry
  persistence
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops desktop.ini file(s)
behavioral1 behavioral2 behavioral3