General
-
Target
2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin
-
Size
211KB
-
Sample
240103-sfclpsfdcq
-
MD5
bab201c1a2c8e0f99e683591945e7e3d
-
SHA1
90e57172d463dcd6df22d2bf96a6b265a7fdec65
-
SHA256
88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4
-
SHA512
d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a
-
SSDEEP
6144:jia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+zY+:jIMH06cID84DQFu/U3buRKlemZ9DnGAs
Behavioral task
behavioral1
Sample
2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Resource
win10v2004-20231222-en
Malware Config
Extracted
C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Targets
-
-
Target
2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin
-
Size
211KB
-
MD5
bab201c1a2c8e0f99e683591945e7e3d
-
SHA1
90e57172d463dcd6df22d2bf96a6b265a7fdec65
-
SHA256
88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4
-
SHA512
d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a
-
SSDEEP
6144:jia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+zY+:jIMH06cID84DQFu/U3buRKlemZ9DnGAs
Score10/10-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Detects Zeppelin payload
-
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
-
Renames multiple (7423) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-