General

  • Target

    3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe

  • Size

    225KB

  • Sample

    230801-t8c9daag21

  • MD5

    3145cd124db5c8c34e053aea87694baa

  • SHA1

    5645f85669b81b82936a821900425046a511dc8d

  • SHA256

    52e8721e17365eb4281908df3ffbe6920ad0da496ec7b6288812e564002801b7

  • SHA512

    a180166e2cc56ec429e7edfee7fbf8e2cbf3ec64190a0270995340ece4047d525d239b8230759bf2f1f17912b6e357c06608c2414658d3cd03edb28c36b006e1

  • SSDEEP

    6144:3SK1AqRHi/EXtw+apQ3an64DQFu/U3buRKlemZ9DnGAeOhYp+c:3osHiGWRpQb4DQFu/U3buRKlemZ9DnGn

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT

Ransom Note

!!! YOUR FILES HAVE BEEN ENCRYPTED !!!

All your files, including documents, databases, and other crucial data, have been encrypted. I've uploaded some databases and important files from your computers to the cloud. You have 48 hours to get in touch with us and reach an agreement. If you don't contact us by the end of this period, I'll release your data publicly on the dark web. This could damage your company and your partners.

We're the only ones capable of restoring your files. To prove that we have a functional decryption tool, we're offering you the chance to decrypt one file for free.

You can reach out to us through an anonymous chat. Just follow the provided instructions.

1. Visit https://tox.chat/download.html
2. Download and install qTox on your computer.
3. Open it, click "New Profile," and create a new profile.
4. Press the + "Add to friends" button and enter my TOX ID DBA5908245E3067FDA9B0C0D6FEEADC3D3C965A29AC340CA14D539924700DC53948D5F860D7D
5. Click "Send friend request."
6. Keep qTox open and wait. In a few hours, I'll accept your request, and we can begin communicating.

Your personal ID: 1F5-33B-521
URLs

https://tox.chat/download.html

Targets

    • Target

      3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe

    • Detects Zeppelin payload

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (6964) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Renames multiple (7459) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Stops running service(s)

    • Deletes itself

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15