Resubmissions

11-01-2022 18:27

220111-w33m7agfg9 10

20-12-2021 20:51

211220-zm6xfsbge6 10

General

  • Target

    rook1.exe

  • Size

    5.4MB

  • Sample

    220111-w33m7agfg9

  • MD5

    4f7adc32ec67c1a55853ef828fe58707

  • SHA1

    36de7997949ac3b9b456023fb072b9a8cd84ade8

  • SHA256

    96f7df1c984c1753289600f7f373f3a98a4f09f82acc1be8ecfd5790763a355b

  • SHA512

    a45e4a20133c842037789157c3ed845afdefbb0d2fe3958d75f0cb3cdfeee106262f9de0e0aca92ac84a0211432cd19773e0f769b970ddb8a80e5f7855676f74

Malware Config

Extracted

Path

C:\HowToRestoreYourFiles.txt

Family

rook

Ransom Note
-----------Welcome. Again. -------------------- [+]Whats Happen?[+] Your files are encrypted,and currently unavailable. You can check it: all files on you computer has expansion robet. By the way,everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees?[+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the file capacity, please send 3 files not larger than 1M to us, and we will prove that we are capable of restoring. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data,cause just we have the private key. In practise - time is much more valuable than money. If we find that a security vendor or law enforcement agency pretends to be you to negotiate with us, we will directly destroy the private key and no longer provide you with decryption services. You have 3 days to contact us for negotiation. Within 3 days, we will provide a 50% discount. If the discount service is not provided for more than 3 days, the files will be leaked to our onion network. Every more than 3 days will increase the number of leaked files. Please use the company email to contact us, otherwise we will not reply. [+] How to get access on website?[+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site:https://torproject.org/ b) Open our website:gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion 2) Our mail box: a)rook@onionmail.org b)securityRook@onionmail.org c)If the mailbox fails or is taken over, please open Onion Network to check the new mailbox ------------------------------------------------------------------------------------------------ !!!DANGER!!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!!!!!! AGAIN: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, please should not interfere. !!!!!!! ONE MORE TIME: Security vendors and law enforcement agencies, please be aware that attacks on us will make us even stronger. !!!!!!!
Emails

a)rook@onionmail.org

b)securityRook@onionmail.org

Targets

    • Target

      rook1.exe

    • Size

      5.4MB

    • MD5

      4f7adc32ec67c1a55853ef828fe58707

    • SHA1

      36de7997949ac3b9b456023fb072b9a8cd84ade8

    • SHA256

      96f7df1c984c1753289600f7f373f3a98a4f09f82acc1be8ecfd5790763a355b

    • SHA512

      a45e4a20133c842037789157c3ed845afdefbb0d2fe3958d75f0cb3cdfeee106262f9de0e0aca92ac84a0211432cd19773e0f769b970ddb8a80e5f7855676f74

    • Rook

      Rook is a ransomware which copies from NightSky ransomware.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

File Deletion

2
T1107

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Impact

Inhibit System Recovery

2
T1490

Tasks