Description
Ransomware family also known as ChaCha.
05297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862
General
Target
Size
Sample
05297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862
391KB
220216-27gt6sfdel
Score
10 /10
MD5
SHA1
SHA256
SHA512
e8e9272aace01bb4620601f1fe51e278
21de9ba136a16e1929f7d50ee1b5bb8b30e85406
05297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862
b292539a41236a51fafafcd62edab8f0118d2cccaf3bedd1c1f6faabb85b0257bf8abc04b47911538cb4afd0792d1cc9a25df0d7a3693950beb47edd4e8294bc
Malware Config
Extracted
| Path | C:\DECRYPT-FILES.html |
| Ransom Note |
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000080; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<span class="left" style="font-size: 14px; font-weight: bold">CODE:
<br>------
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
</span>
</td>
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><s>0010 SYSTEM FAILURE 0010</s></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
<br>
</div>
<div style="text-align: center; font-size: 18px;">
<p>The only way to decrypt your files, is to buy the private key from us.</p>
<p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p>
<p>In order to receive the private key contact us via email: <br> <b>yourrealdecrypt@airmail.cc</b> </p>
<p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">2+W1qufLs2UfRfN4H+u8tUglGmjMLx1IXqT5OFzBepsjUWZanmMZtQYmOlYzh6NWuKYQnA1XYrGmOPe5raAIzRWcA7gsKDH5QlJq0R5N0V5cI+oJTMtsQlxp9T6OGoQGaKxbvLLRgI8SjneEhkgLFGWtXgsTmwSjTzkSw4T55RdvN4TMPC9ytE0LM3W2GDM0VdkZRtCSAfLCBuorlsIhldRWtR4wwRQyTPuGijPm7QjyHQpzv2a2clVXkX+dKFA6RYwwAyxkl11F830naC//Rn3jT1KpQYgpx2pJiWDn8pnpfgxzrr2RN1U52JXDu7OSnIeM+CvwsktMMGmK3oPkV6CSIHAuIrieP8yV1Dewox3v85J0o8p7rxGrwF3UrVIvQHNjZid9RjhTLhc+oreKumzCiZU1QaGMt9FuneyS3GIBMVmsuScTHpBfj6Z0rc57WW0+jRNviQ3RZGluupv/rNIZ71l0j3lpLzYQs2QBfqvYblhAljWjUwiefub2WoWl2scOPqnfqx0Q9E4lTnBd7sn4eOWn3gqE4CEzVnhSq6PZjpX2oNrNgFR0wXR2Oi8ZFnQcllFOo+u9igjmj9xVlKHTa7VMwVM0/L0wHOeTko9d5K7RmFWpV/hqwKsSxJL+Pp3u0PcS+C1PZirxt5sINnPrQleglDc70AahjmocGvZLFkrzd00fy9Qhl53FKULLRID8wu57zNhC05OsHQZhv9bsb92RUEc1YtatxATwTzASIAaefYBUZcjQzHT0gwFIcN1Q4AarF2+wIVPMshlKj3YboHakpjszFifADfpSfUvXKtZOzTH4Aw+yvmWkjix2hvlX/iFYq9NPFcGm0gZ31dVsAvWUYtzODO5slAjMwveiSYR1o7CIKsFNE/TZUBt+J64RRrvA0caec4m7RbX9VVDxVNFxK5tZEaKU46b2V2Qe06aA/oivy90KSBpQcSKZNGle0UWlZT2BVGlFI4LpMBErqTM1pnvhXvFMDh6oMLXoAPWjKq9x2s6v002mhjU366qgxVxdb23WKiUCv191FqoAfyu6Q69TdaUn+XhPpebdELnOJg4IOpC1upG8304XsN8BbNQ7FZoF6fk+qYsVJO1NrIR1UoOxqooOXh4cYiZNqabnq6TF8qsuoQ2F3EGnQCH/rZo8qWHJGrCw9F4Ch41DJ2AZjtw+3tFnR59ghQGRWSyb+UjMG3GMrfDFvcvEFNyGrtnAoxqyq96zBVUnVnWkd7bp5fDWJ/FQnbGbcZZLGmGq8ZbN7ryVaN8HJbZjUvhDu9wk5eP2zXMSLe2qREbCO8PUUpdBfLyhnvS63ZPmcAfris1JYVB4Z3R7oNRE3B59q9znaUe5h+4KTYjYYSAq8N5nvAz1ua8dmt2/pb3Kyws9jKrJZPprC1FqHBVC2GDYLmmqZWVFf89Lb0ltRa7j6ktmqStLZcuWYJkNAWtqkI8WpfU+YLd9NXnFc032BCDlfhcVHrTYhBaHp+sr6u7EDKUlcKiGcpgNHevlJSSpX/rBWTXgFRh5xq/NfGwJmyIx8RySxQIlJDQEHD5r6u1ip/661DhtJJNAzKPHH69RsTWJpeGVF7X479CQhP7YdQSPYThGlLgMwn+EE2ZmuDmjE31xa2g8eCR++btSgKG3DaGjzoWOHDsrzFwKrTNRnWROMXcoBgU52583EIN1H4AZeYdmZ4TiVshU6vjH4ZL2Zxr13clSMl4X7/8OKHyUUC1+IUyrM6fXPb8Y+iHS9RB4ib1ie22I0dwkRjQNbZuZoWaiKqyTxNgvDc0v+TxQdY4TTTE64Tpunm6+VEUte2bZo5B+Ii0gNukyvARRSOUrLl0c4RGfY4eFVuMtl7MKWGi95ybsA+NCbZcyALeHpzR+Dvu0A+OPDyUTx9Rf+qM3ezoLjGuFTOXdZ8Lbv0PfQQ62Itb7g0fLiul3SmcFovN5dViyXI2EM2scZD5sni+OisAlyPxh+czkzpqLT8u6JX4LzBDOdkmgsWLXVNF3p/XGzOgXzU2yfKyy8NoM6Zu//6yLWipoF9ChoA7lKrUY4H4jk0IhzZTGRjX/eY7yYNVuwy/CgQ62Y5cYzX1YNW0XdrcBBD0Q9WFSC8PCEWfRDYqhXY3+ORTDCAATa1IE1BcNcCJQsqNM+FsqaipofP87KLY7QMF/cnoiVfSNVx8GxEWHSYundxrI9SRbwEG2NLJf10sKJOfXdQz7oTORfY43xvxsGVtJVgDoOsiwGlNEgFjdEwoiOAA5ADIAZQAwADkAOQBjADgAMgAyAGUAZAAwAGUAMwAAABCAYBoMQQBkAG0AaQBuAAAAIhJWAFEAVgBWAE8AQQBKAEsAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCNnwAQwBfAEYAXwAyADAANAA4ADMALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwko3Ze3gDgAECigEDMS4w<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>
|
| Emails |
<b>yourrealdecrypt@airmail.cc</b> |
Extracted
| Path | C:\DECRYPT-FILES.html |
| Ransom Note |
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000080; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<span class="left" style="font-size: 14px; font-weight: bold">CODE:
<br>------
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
</span>
</td>
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><s>0010 SYSTEM FAILURE 0010</s></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
<br>
</div>
<div style="text-align: center; font-size: 18px;">
<p>The only way to decrypt your files, is to buy the private key from us.</p>
<p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p>
<p>In order to receive the private key contact us via email: <br> <b>yourrealdecrypt@airmail.cc</b> </p>
<p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">cQsKJeNmSJzye0CxQJaG0JOOpi48VqoObbsnvQOIG7dnIp+w2JMcIr9wDtMevXsdiMHGEfuwpNCI83fyBlvYN9Rhs5nkRbPUw6tM1+IvFeoivTA6NK3MtGpAB99XZ5xCRwU49kG87ARm0N6XhKOXTrwGDkImn5as3IxwvvbLYGSULpO/MfvtIErSXCaLTnVMk7k9qTekmuknHLzLkLAJPgcE8beM+9hh500448aEkOsWGmnvRE7QpoUx8IaKZfXvc4wEmouJSHIFAXDkiAiuIaytjmxX8dqUsW1Kw+DHqpyhVh7OIpvmXY8DJfR3IIzfEg18N27fR7gvJsGb6aUk4ItytnIBRafmVvwAudy0Sqn9kFDQixZIfeeT+x8FbpC3nNeEaKy54c6Zrf1Wu04N5WDALogQGsW9i9BFVhtq6w6KGq6C+foqI7BTOv4BvT+a7sr14HMO7/W/NEq8LYw3IqOIs0l2eerbAztHu4hFF51lJUBchgXz0LvUujaP/zqH3fikjQUj+Jd6lQIN7JskkXlem8QM3UUhJs18cPkcmrLv5rLquER1WnUbHtAGgv/R0CfQRfu2SXs3Xezmg2SP4SGEC2BH9u2C4LM7NPPVDDuX0RxEpmBsmp4p38fy5PlhBhB/JCYYyOfbdsWl63TC7InaQtguJOj0koQt9qgs9NNjG8lFpR38yrZQwNCxLowIy2WNruVxFF5Z+YbHB9sAl3GYEHS4nsIrB4+lFUquurGfpA0SigeLTE7jGc+7BdjDBklVvtfihkJQDywKx2MJ10f2GB0I46x28SkPsAF4pMzIk68LvZaKLzLPsfqY0r5Wy2MWttaLRwyGbfSmyPdcZSWwnn1SkWAJ7XuXSRRF19BvCAzdXhIdcZOSmh/aYmqaL2+V6whfytvSfLbK+LOCz70HOv/4zhflb4FqI32F5fd0BX+WPgovtb7AGQ6l1YaWoDyB1GPCXfGhhxsHLhBrSUbUdcB5fC1JmNXUzGYmQi9pfahFTs/f1Vm1rBvRVmbow2ynB0sUMk9tY5TJxIEGK++Fn+K2WoluavWrbj/ycs52TBtX8i6GodfCkeEXOwUQaRs7V8WFoVw8FG7nCeBmBCe6vKTJJtTBF5mKrI9Adl9QLf6XVQvQFuye/sjleu0X0DJ69tNKvkzytRVU23C237ihYI0jWpjagNtMA3M16oCPCDTZ/eB2coXtNc8ktbX5ufEOPB7JGAxrKZW2bnf5p+S7my2LYKVoHkUfqKM4tEp/cPM73N42bnhYRnMSsTLhUhIkXp6X9QVwpGTdbTBlmYXoaQGWUm09dxku1La2LAxMuk6qinHTzhQu6Xhb8LE3ZfI1X8GprJyG7gFWsnVJj6YjjykiTWXgb/wKZkdb5sAQTJHGFXtXr0b2CXh/4G690XeWa7+zfrVDk7vXJjZNcSuwW78X4YxlBE37E+qN/SG2dmi0dIGN6+moDqyNtG2LAQKhZ5/2IgUVEdseFd6qpGUdu7tABpYs2OwIIGE+1xqMlxUtwt2UY08EN2PIcwiT8j+nlEee7zDP1Hex+XIMMqOe8VBzi1orfHgs+sPjYVKT7PLdX5QobZUo3BrQLFZd75DeERBrkAF6OGxw/XvadCB4pVbaSCj4WhFm2zwV35LC6BGEtJguT52rLh74PNiV341kYMs8ywYcFD5F23GEUblkBZ6D0UOCf/K3bsSgw1JxDM8XIUx1XWQaOnyajaRZnXSTJcSTRxL0cd5k+pqvt8SgDLhAfMx23fTshp0jlolWLPw/i2TJ4huFuiM/7QoVIwRTQcNKvcxPfgvrGOC+o1/uRByMq8eGOrH09I+s8Ygvy/VRGq4UfhfUxugBZerUmvDFhONlKEdCsEyuERx5RV/JrHwQRG/Pn8FVZ5cIs+9eQoxr/kBZv4FHQ0oRkDIpwRuXrDpMUD3NQDpN/MT4sBPeUeYx6i2RwAxyBHevMjgf1tZB8AwhNR7kSeoWnKdrf4Jp3qE+o/F6w9DHqESxUaP8R0WjSs5G8tqKqtC3dtuaUl6RwZUTPoop7+f9swTQ2oGyCPPyTGhFyndN7GnX8lWhyju+znA4iNgJsSXNC/IQwbzyQjbgzHJEsIOWU6mugn354um7VXJZJkz7o1olmKoeWFider8SLXHUpmgzoHTpWOh9OAdZZ4si4Ku6b2altFBsFZVzaSgOSVEGVxXddSYZEG1Klc6m8bdy2xVcyvseC7D+lSonlXSsEfWWwHP7gCxZQAoiOAA4ADAAMgAwADkAOQBjADkAOAAyADgAMwAxAGIAMgAAABCAYBoMQQBkAG0AaQBuAAAAIhJKAEQAUQBQAFgATwBQAFIAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADkALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwurG3DngDgAECigEDMS4w<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>
|
| Emails |
<b>yourrealdecrypt@airmail.cc</b> |
Targets
Target
MD5
Filesize
05297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862
e8e9272aace01bb4620601f1fe51e278
391KB
Score
10/10
SHA1
SHA256
SHA512
21de9ba136a16e1929f7d50ee1b5bb8b30e85406
05297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862
b292539a41236a51fafafcd62edab8f0118d2cccaf3bedd1c1f6faabb85b0257bf8abc04b47911538cb4afd0792d1cc9a25df0d7a3693950beb47edd4e8294bc
Tags
Signatures
-
Maze
-
Deletes shadow copies
Description
Ransomware often targets backup files to inhibit system recovery.
Tags
TTPs
-
Modifies extensions of user files
Description
Ransomware generally changes the extension on encrypted files.
Tags
-
Drops startup file
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Sets desktop wallpaper using registry
Tags
TTPs
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Tasks