General

  • Target

    2023-08-26_51e3c1e8f1e4bb84098cc6f86092aa51_zeppelin_JC.exe

  • Size

    211KB

  • Sample

    231011-wk1qwafa43

  • MD5

    51e3c1e8f1e4bb84098cc6f86092aa51

  • SHA1

    d0dd5aa280c4db736aa1130d54cb8e8bd4830ccb

  • SHA256

    d7cece314f0c504bdb7f097718c4d66e4e5132016c83d9fbffb82528f440b13c

  • SHA512

    f6f274b7bfb91050f98a5190aac5790dc3d8d46b147f4200a993015442234c630a425b9800e2758aab4de5d554cf793d1ee529de3cafbf052fa29a05efe73080

  • SSDEEP

    6144:yia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+7o+:yIMH06cID84DQFu/U3buRKlemZ9DnGAI

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 1C4-0A6-B75 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Path

C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 1A2-B51-0DD Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      2023-08-26_51e3c1e8f1e4bb84098cc6f86092aa51_zeppelin_JC.exe

    • Size

      211KB

    • MD5

      51e3c1e8f1e4bb84098cc6f86092aa51

    • SHA1

      d0dd5aa280c4db736aa1130d54cb8e8bd4830ccb

    • SHA256

      d7cece314f0c504bdb7f097718c4d66e4e5132016c83d9fbffb82528f440b13c

    • SHA512

      f6f274b7bfb91050f98a5190aac5790dc3d8d46b147f4200a993015442234c630a425b9800e2758aab4de5d554cf793d1ee529de3cafbf052fa29a05efe73080

    • SSDEEP

      6144:yia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+7o+:yIMH06cID84DQFu/U3buRKlemZ9DnGAI

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Detects Zeppelin payload

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    • Renames multiple (2497) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (2933) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks