Overview

overview

10

Static

static

3

ggpermV3/A...64.exe

windows10-1703-x64

1

ggpermV3/A...64.exe

windows10-2004-x64

1

ggpermV3/T...er.exe

windows10-1703-x64

ggpermV3/T...er.exe

windows10-2004-x64

8

ggpermV3/ggpermV3.exe

windows10-1703-x64

10

ggpermV3/ggpermV3.exe

windows10-2004-x64

1

ggpermV3/s...er.exe

windows10-1703-x64

1

ggpermV3/s...er.exe

windows10-2004-x64

1

ggpermV3/woof.bat

windows10-1703-x64

8

ggpermV3/woof.bat

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ggpermV3.zip

  • Size

    1.2MB

  • Sample

    231229-ber7bsbgfr

  • MD5

    53966312c3041a20dfdfec9b1cad7916

  • SHA1

    ae5deb357969c426cdf9cf831c29eb32f132863d

  • SHA256

    7c89499d85795d6727f8d864733b78870f3ce076ed4aa065c8f8cc44ee126b1f

  • SHA512

    8e2b1103dc5db7d98b408af07114214cf752dfbd20109e4f6d1a8d11afbbad69048c221750dc2dbebb2df3351a8d40a662e8b272dc2af93d368bf65f470086e1

  • SSDEEP

    24576:AOMg2q4I4kVAeVvTov0bdBL//FJztDzViSeYUgNW9O5zcNU:rwfkVjVvzT/FnligUVK3

Score
10/10
cerberevasionransomwarespywarestealer

Malware Config

Targets

    • Target

      ggpermV3/AMIDEWINx64.EXE

    • Size

      453KB

    • MD5

      6a6505b2413d2c7b16c6d059448db9e5

    • SHA1

      dfe6c6b6051c26326a12dc9d0d5701cb4728266c

    • SHA256

      53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

    • SHA512

      1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

    • SSDEEP

      6144:JIeh4+TOKGuTSuXCJ6AtCoZPhGL/TnJ+z5rsxQhsCI9t/tk7MP:jpPTxXihA+zBhsC2Z

    Score
    1/10
    behavioral1behavioral2

    • Target

      ggpermV3/Trinity Cleaner.exe

    • Size

      752KB

    • MD5

      5ff39c44ff3eaf7798bffa670fb4b600

    • SHA1

      cd22cc93964fdeb470460642c44fd4ce31f3bf1e

    • SHA256

      fd5d49ac3a9a4130261f43ef6e6c9c6a4a317e7ba421f88e22e0fbe96fd45429

    • SHA512

      6ec8f1e38d78a773f8b0764f7aa5d8902c8c556a2583bdf62b6485e093c8a193b5965e3d908abe60d80b0fc690e2def7721aa896f14f6e77c80f72aa11fa3878

    • SSDEEP

      12288:FBTyBtZmiNYQtIFc5oiJfJulj1CBMeIFjKuQdGhSaApNrWSvUghmjpoVb3/k2JP:eBtZicIFc5oiJfJulj1CBMeIFjKuQdGP

    Score
    10/10
    evasionransomwarespywarestealer

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

      ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Stops running service(s)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    behavioral3behavioral4

    • Target

      ggpermV3/ggpermV3.exe

    • Size

      62KB

    • MD5

      eac37455baace3357722d2bc5cf40be9

    • SHA1

      bfbb2b0f876a0784e5a0d78b7981b27254c0a766

    • SHA256

      e333b29fa06d2138c9a4c634fde1fe4212bd2a027c0175008001c8af60d34053

    • SHA512

      78065623e0bafa450e49c91b700da3a31536033d005a6d20126cc886bc1075788a4e5d5f7b689b47c4eea01f58f797e696f06038dd967b6143d07204048ad067

    • SSDEEP

      1536:eh4f8xsBb7KAMFYieXfRc/onjx6FXs+ceAP5w:bBbnRJfROqwFcZbP5w

    Score
    10/10
    cerberevasionransomwarespywarestealer

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

      ransomwarecerber

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

      ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Stops running service(s)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    behavioral5behavioral6

    • Target

      ggpermV3/sxghr-driver.exe

    • Size

      137KB

    • MD5

      84c83f1f50bed460d9bd13fa4d83304b

    • SHA1

      e4c17ffcc97654efa537310f81702d922b3101f3

    • SHA256

      a89fcdf02e9d587c2c00cbfa5efada6b308f62d7d8a296f7a1cfc8c4991de375

    • SHA512

      4d19b7c31265507c7962a45c2babd266bd8dceae4e9d3cd3c9359083c066a77028158790f3f14cbb22a46ec90d754efa6fa811774b330f6910b7e5576335c289

    • SSDEEP

      3072:1efQZKfOC31VwyY9egNtfNjJvjmqqF7Hb/LMm5MqDC:1DewyY9egLRePYm5B

    Score
    1/10
    behavioral7behavioral8

    • Target

      ggpermV3/woof.bat

    • Size

      1KB

    • MD5

      9dfe4e730dcc5e0d3951038ad2a095a1

    • SHA1

      e033d9a40234b9544606ec4d603add264cb38841

    • SHA256

      bfffd2faf6710e02912de0eec63b593f35a8bebef114932b4a4bc9c67fad59b8

    • SHA512

      297e9950fd207687af957a94c5fb7d073bb89dcebdd6ee047fa0465f55bb95b42563c7310980bf1e41ca671a1f8c824e86dfe515b844f99f307965d199d8dbfd

    Score
    8/10
    evasion

    • Stops running service(s)

      evasion

    • Drops file in System32 directory

    behavioral10behavioral9

MITRE ATT&CK Enterprise v15

Tasks