General
Target: http://
Sample: 240222-wwwlasde8z
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://
Resource: win10v2004-20240221-en
Platform: windows10-2004-x64
Signatures: 23
Analysis duration: 300 seconds
Malware Config
Extracted
Family: metasploit
Version: windows/single_exec
Extracted
Path: C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT
Ransom Note:
You became victim of the GOLDENEYE RANSOMWARE!
The files on your computer have been encrypted with an military grade encryption algorithm. There is no way
to restore your data without a special key. You can purchase this key on the darknet page shown in step 2.
To purchase your key and restore your data, please follow these three easy steps:
1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for
"access onion page".
2. Visit one of the following pages with the Tor Browser:
http://golden5a4eqranh7.onion/p7qNSw4V
http://goldeny4vs3nyoht.onion/p7qNSw4V
3. Enter your personal decryption code there:
p7qNSw4VQKJL4bgshsAKuuraaW5YhXf87Fq7Bf16SY4WMgufBihvh2D4mMbedN1aCsYTsQKe2kRDjJn9PqXmLoSJurteWGfg
URLs
http://golden5a4eqranh7.onion/p7qNSw4V
http://goldeny4vs3nyoht.onion/p7qNSw4V
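The onion URLs and the decryption code in the note above are the indicators an analyst would pull out of this sample. The following script is an added example, not part of this report or of the sandbox, that parses the dropped note into structured IOCs, defangs the URLs for sharing, and checks the one relationship visible in the note: the per-victim path token in each URL (assumed here to be a victim identifier) is the prefix of the decryption code. The note text is embedded as a constructed copy so the script runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed copy of the ransom note extracted above, embedded so the
# script runs offline; on a real case read the dropped .TXT file instead.
RANSOM_NOTE = """You became victim of the GOLDENEYE RANSOMWARE!
The files on your computer have been encrypted with an military grade encryption algorithm. There is no way
to restore your data without a special key. You can purchase this key on the darknet page shown in step 2.
To purchase your key and restore your data, please follow these three easy steps:
1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for
"access onion page".
2. Visit one of the following pages with the Tor Browser:
http://golden5a4eqranh7.onion/p7qNSw4V
http://goldeny4vs3nyoht.onion/p7qNSw4V
3. Enter your personal decryption code there:
p7qNSw4VQKJL4bgshsAKuuraaW5YhXf87Fq7Bf16SY4WMgufBihvh2D4mMbedN1aCsYTsQKe2kRDjJn9PqXmLoSJurteWGfg
"""

# v2 onion names are 16 base32 characters, v3 names are 56; the optional path
# is kept because this note carries a per-victim token there.
ONION_URL_RE = re.compile(
    r"https?://(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion(?:/[A-Za-z0-9_\-./]*)?"
)
FAMILY_RE = re.compile(r"victim of the ([A-Z0-9 ]+?) RANSOMWARE", re.IGNORECASE)
CODE_RE = re.compile(r"decryption code there:\s*([A-Za-z0-9]{32,})", re.IGNORECASE)


@dataclass
class NoteIocs:
    family: Optional[str] = None
    onion_urls: List[str] = field(default_factory=list)
    url_ids: List[str] = field(default_factory=list)  # last path component per URL
    decryption_code: Optional[str] = None

    def defanged(self) -> List[str]:
        """Defang the URLs so they can be pasted into tickets without being clickable."""
        return [u.replace("http", "hxxp", 1).replace(".onion", "[.]onion")
                for u in self.onion_urls]


def extract_iocs(note: str) -> NoteIocs:
    """Pull family name, onion URLs, their path tokens and the decryption code from a note."""
    iocs = NoteIocs()
    m = FAMILY_RE.search(note)
    if m:
        iocs.family = m.group(1).strip().upper()
    seen = set()
    for url in ONION_URL_RE.findall(note):
        if url not in seen:              # keep first occurrence, preserve order
            seen.add(url)
            iocs.onion_urls.append(url)
            iocs.url_ids.append(url.rsplit("/", 1)[-1])
    m = CODE_RE.search(note)
    if m:
        iocs.decryption_code = m.group(1)
    return iocs


def code_matches_url_ids(iocs: NoteIocs) -> bool:
    """Consistency check: every per-victim URL token should prefix the decryption code."""
    if not iocs.decryption_code:
        return False
    return all(iocs.decryption_code.startswith(t) for t in iocs.url_ids)


if __name__ == "__main__":
    found = extract_iocs(RANSOM_NOTE)
    print(found.family, found.defanged(), code_matches_url_ids(found))
```

The regex for onion names deliberately rejects the clearnet torproject.org link in step 1, so only the attacker-controlled addresses end up in the IOC list.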
Targets
Target: http://
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018. Note that the ransom note extracted above names GoldenEye, not Seon; the Seon label comes from a sandbox signature match, so treat the family attribution as tentative and rely on the extracted IOCs rather than the name.
-
Renames multiple (128) files with added filename extension
Mass renaming with an appended extension is consistent with ransomware encrypting files on the system.
-
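The signature above is a count of extension-appending renames, which is also the cheapest telemetry-based detection for an encryptor. The following is an added example, not part of this report, that runs that heuristic over a constructed rename trace: it flags any process that performs 20 or more extension-appending renames inside a 60-second sliding window, while ignoring ordinary renames such as a user renaming a document or a single .bak copy. The trace, the process names and the ".locked" suffix are constructed; the report does not say which extension the sample appends.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RenameEvent:
    ts: float      # seconds since the start of the trace
    pid: int
    image: str     # process image path
    src: str       # path before the rename
    dst: str       # path after the rename


def appends_extension(src: str, dst: str) -> bool:
    """True when dst is src with one more extension tacked on
    (report.docx -> report.docx.locked), the pattern encryptors typically leave."""
    s_dir, s_name = ntpath.split(src)
    d_dir, d_name = ntpath.split(dst)
    if s_dir.lower() != d_dir.lower():
        return False
    return (d_name.lower().startswith(s_name.lower() + ".")
            and len(d_name) > len(s_name) + 1)


def find_rename_bursts(events: List[RenameEvent], threshold: int = 20,
                       window: float = 60.0) -> Dict[int, dict]:
    """Per process, flag `threshold` or more extension-appending renames inside
    any `window`-second sliding window. Returns {pid: summary} for offenders."""
    per_pid: Dict[int, List[RenameEvent]] = defaultdict(list)
    for e in events:
        if appends_extension(e.src, e.dst):
            per_pid[e.pid].append(e)
    hits: Dict[int, dict] = {}
    for pid, evs in per_pid.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[pid] = {
                    "image": evs[end].image,
                    "count": len(evs),
                    "extensions": sorted({ntpath.splitext(x.dst)[1].lower() for x in evs}),
                    "first_ts": evs[0].ts,
                }
                break
    return hits


def make_sample_events() -> List[RenameEvent]:
    """Constructed trace: 128 renames by the sample (the count the sandbox reported)
    plus two benign renames that must not trigger. The ".locked" suffix and all
    paths are assumptions made for this example."""
    events = [
        RenameEvent(ts=5.0, pid=1001, image=r"C:\Windows\explorer.exe",
                    src=r"C:\Users\user\Desktop\report.docx",
                    dst=r"C:\Users\user\Desktop\report_final.docx"),
        RenameEvent(ts=9.0, pid=1002, image=r"C:\Windows\notepad.exe",
                    src=r"C:\Users\user\notes.txt",
                    dst=r"C:\Users\user\notes.txt.bak"),
    ]
    for i in range(128):
        src = rf"C:\Users\user\Documents\file{i:03d}.docx"
        events.append(RenameEvent(ts=10.0 + i * 0.2, pid=4242,
                                  image=r"C:\Users\Public\sample.exe",
                                  src=src, dst=src + ".locked"))
    return events


if __name__ == "__main__":
    for pid, summary in find_rename_bursts(make_sample_events()).items():
        print(pid, summary)
```

Feeding this with Sysmon Event ID 11 plus file-rename telemetry from an EDR gives the same result on a live host; the threshold and window are tuning knobs, and backup agents or archivers are the usual false positives to allow-list by image path.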
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies file permissions
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
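When a sandbox reports an MBR write, the practitioner's follow-up is to diff the first sector against a known-good image and say exactly which region changed. The following is an added example, not part of this report, that parses a 512-byte MBR (boot code, disk signature, partition table, 0x55AA boot signature) and compares a baseline with the current sector. Both sectors are constructed in the script: the "tampered" one replaces only the boot code and leaves the partition table intact, which is what a bootkit-style overwrite looks like, since the machine still boots but through the attacker's loader.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
BOOT_CODE_END = 0x1B8      # boot code occupies offsets 0x000..0x1B7
DISK_SIG_OFF = 0x1B8       # 4-byte disk signature followed by 2 reserved bytes
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE       # 0x55 0xAA


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(buf: bytes) -> Dict:
    """Split a raw MBR sector into the fields that matter for tamper detection."""
    if len(buf) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts: List[Partition] = []
    for i in range(4):
        entry = buf[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, type_id, lba, count = struct.unpack("<B3xB3xII", entry)
        if type_id != 0:                       # type 0 means an empty slot
            parts.append(Partition(status == 0x80, type_id, lba, count))
    return {
        "boot_code_sha256": hashlib.sha256(buf[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": struct.unpack("<I", buf[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": parts,
        "valid_signature": buf[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
    }


def mbr_findings(baseline: bytes, current: bytes) -> List[str]:
    """Compare a known-good MBR image with the current one and name what changed."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code region (0x000-0x1B7) modified")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def _assemble(boot_code: bytes, disk_sig: int, table: bytes) -> bytes:
    assert len(boot_code) == BOOT_CODE_END and len(table) == 64
    return boot_code + struct.pack("<I", disk_sig) + b"\x00\x00" + table + b"\x55\xaa"


# Constructed single NTFS (type 0x07) partition starting at LBA 2048.
_TABLE = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 0x1000000) + b"\x00" * 48


def build_baseline_mbr() -> bytes:
    """Constructed clean sector: placeholder boot code padded with NOPs."""
    boot = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_END - 5)
    return _assemble(boot, 0xDEADBEEF, _TABLE)


def build_tampered_mbr() -> bytes:
    """Constructed overwritten sector: different boot code, same partition table."""
    boot = b"\xeb\x00" + b"\xcc" * (BOOT_CODE_END - 2)
    return _assemble(boot, 0xDEADBEEF, _TABLE)


if __name__ == "__main__":
    print(mbr_findings(build_baseline_mbr(), build_tampered_mbr()))
```

On a live Windows host the current sector comes from reading the first 512 bytes of \\.\PhysicalDrive0 as an administrator (or from the disk image in the lab), and the baseline from a clean snapshot taken before detonation; without a baseline, at least confirm that the partition table still lists the expected system volume and that the boot signature is present.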
Drops file in System32 directory
-