General

  • Target

    2023-08-26_ca53c7bacfb8c147bee538b348707cf1_zeppelin_JC.exe

  • Size

    211KB

  • Sample

    231011-f6vtraeb47

  • MD5

    ca53c7bacfb8c147bee538b348707cf1

  • SHA1

    94075d331d4e649e38abb7930616834abecc58af

  • SHA256

    035231fd1c1ed6e0619688a83b43082deee66bff69913aa73421b675f601172a

  • SHA512

    0825ce9e8c741d1a65d33f7de0164e7ce122904ed69c44613d4c5c5ae3b6c40656ad8b44ced7deb9522714fc2d727d57d4340bbbe97c7a268f8957343a40e0a3

  • SSDEEP

    6144:Lia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+d+:LIMH06cID84DQFu/U3buRKlemZ9DnGAI

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 2C2-4A4-4B0 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      2023-08-26_ca53c7bacfb8c147bee538b348707cf1_zeppelin_JC.exe

    • Size

      211KB

    • MD5

      ca53c7bacfb8c147bee538b348707cf1

    • SHA1

      94075d331d4e649e38abb7930616834abecc58af

    • SHA256

      035231fd1c1ed6e0619688a83b43082deee66bff69913aa73421b675f601172a

    • SHA512

      0825ce9e8c741d1a65d33f7de0164e7ce122904ed69c44613d4c5c5ae3b6c40656ad8b44ced7deb9522714fc2d727d57d4340bbbe97c7a268f8957343a40e0a3

    • SSDEEP

      6144:Lia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+d+:LIMH06cID84DQFu/U3buRKlemZ9DnGAI

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Detects Zeppelin payload

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    • Renames multiple (950) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks