ryuk

General

Target

0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87
Size

728KB
Sample

221125-ljfn7sgc52
MD5

b160ba8945e6d1d8612da6f1a7409621
SHA1

5e59d635511f9f3e9abadf2d8040f7383af41716
SHA256

0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87
SHA512

c144895fb0c4a4b4de0459bf0669ddbfdaf4cd38a66b5aa8653c8daaca90e7ffeac242b417521a023b091fb6f39f4ea128f23a1afefedc5246a465ad09c2898a
SSDEEP

6144:GatRxLfCE2kkkxk69R0hfyGydNoo7ogryWbF3M6oXCHF9+kktHSefL4s:Ga5DCjGk6whfaoo7HyWyCHF9XktSe0s

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'HrP7O1qDZDw'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Targets

- Target
  
  0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87
- Size
  
  728KB
- MD5
  
  b160ba8945e6d1d8612da6f1a7409621
- SHA1
  
  5e59d635511f9f3e9abadf2d8040f7383af41716
- SHA256
  
  0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87
- SHA512
  
  c144895fb0c4a4b4de0459bf0669ddbfdaf4cd38a66b5aa8653c8daaca90e7ffeac242b417521a023b091fb6f39f4ea128f23a1afefedc5246a465ad09c2898a
- SSDEEP
  
  6144:GatRxLfCE2kkkxk69R0hfyGydNoo7ogryWbF3M6oXCHF9+kktHSefL4s:Ga5DCjGk6whfaoo7HyWyCHF9XktSe0s
Score

10^/10

ryuk dave discovery ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Dave packer
  Detects executable using a packer named 'Dave' by the community, based on a string at the end.
  dave
- Modifies file permissions
  discovery
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Dave packer

Modifies file permissions

Drops desktop.ini file(s)

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2