buran

General

Target

2023-08-26_ca53c7bacfb8c147bee538b348707cf1_zeppelin_JC.exe
Size

211KB
Sample

230929-xzpslafd44
MD5

ca53c7bacfb8c147bee538b348707cf1
SHA1

94075d331d4e649e38abb7930616834abecc58af
SHA256

035231fd1c1ed6e0619688a83b43082deee66bff69913aa73421b675f601172a
SHA512

0825ce9e8c741d1a65d33f7de0164e7ce122904ed69c44613d4c5c5ae3b6c40656ad8b44ced7deb9522714fc2d727d57d4340bbbe97c7a268f8957343a40e0a3
SSDEEP

6144:Lia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+d+:LIMH06cID84DQFu/U3buRKlemZ9DnGAI

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: E6C-6FA-E61 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 8A2-89D-08C Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Targets

- Target
  
  2023-08-26_ca53c7bacfb8c147bee538b348707cf1_zeppelin_JC.exe
- Size
  
  211KB
- MD5
  
  ca53c7bacfb8c147bee538b348707cf1
- SHA1
  
  94075d331d4e649e38abb7930616834abecc58af
- SHA256
  
  035231fd1c1ed6e0619688a83b43082deee66bff69913aa73421b675f601172a
- SHA512
  
  0825ce9e8c741d1a65d33f7de0164e7ce122904ed69c44613d4c5c5ae3b6c40656ad8b44ced7deb9522714fc2d727d57d4340bbbe97c7a268f8957343a40e0a3
- SSDEEP
  
  6144:Lia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+d+:LIMH06cID84DQFu/U3buRKlemZ9DnGAI
Score

10^/10

buran zeppelin persistence ransomware
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
  ransomware buran
- Detects Zeppelin payload
- Zeppelin Ransomware
  Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
  ransomware zeppelin
- Renames multiple (3567) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (7424) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2