General
-
Target
2023-08-26_51e3c1e8f1e4bb84098cc6f86092aa51_zeppelin_JC.exe
-
Size
211KB
-
Sample
231011-wk1qwafa43
-
MD5
51e3c1e8f1e4bb84098cc6f86092aa51
-
SHA1
d0dd5aa280c4db736aa1130d54cb8e8bd4830ccb
-
SHA256
d7cece314f0c504bdb7f097718c4d66e4e5132016c83d9fbffb82528f440b13c
-
SHA512
f6f274b7bfb91050f98a5190aac5790dc3d8d46b147f4200a993015442234c630a425b9800e2758aab4de5d554cf793d1ee529de3cafbf052fa29a05efe73080
-
SSDEEP
6144:yia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+7o+:yIMH06cID84DQFu/U3buRKlemZ9DnGAI
Behavioral task
behavioral1
Sample
2023-08-26_51e3c1e8f1e4bb84098cc6f86092aa51_zeppelin_JC.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
2023-08-26_51e3c1e8f1e4bb84098cc6f86092aa51_zeppelin_JC.exe
Resource
win10v2004-20230915-en
Malware Config
Extracted
C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Extracted
C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Targets
-
-
Target
2023-08-26_51e3c1e8f1e4bb84098cc6f86092aa51_zeppelin_JC.exe
-
Size
211KB
-
MD5
51e3c1e8f1e4bb84098cc6f86092aa51
-
SHA1
d0dd5aa280c4db736aa1130d54cb8e8bd4830ccb
-
SHA256
d7cece314f0c504bdb7f097718c4d66e4e5132016c83d9fbffb82528f440b13c
-
SHA512
f6f274b7bfb91050f98a5190aac5790dc3d8d46b147f4200a993015442234c630a425b9800e2758aab4de5d554cf793d1ee529de3cafbf052fa29a05efe73080
-
SSDEEP
6144:yia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+7o+:yIMH06cID84DQFu/U3buRKlemZ9DnGAI
Score10/10-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Detects Zeppelin payload
-
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
-
Renames multiple (2497) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Renames multiple (2933) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-