General

  • Target

    Ransomware-Samples-main.zip

  • Size

    15.1MB

  • Sample

    240226-h5eggsfh39

  • MD5

    e88a0140466c45348c7b482bb3e103df

  • SHA1

    c59741da45f77ed2350c72055c7b3d96afd4bfc1

  • SHA256

    bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7

  • SHA512

    2dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431

  • SSDEEP

    393216:+8HaL/eOo2nfFSrjIMVePFmu/GyBSib+JYSWTmZ:LHayONnnBNmkPbDSWm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___Z1OG_.hta

Family

cerber

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>C&#069;&#82;BE&#82; &#82;ANSOMWA&#82;&#069;: Instructi&#111;ns</title> <HTA:APPLICATION APPLICATIONNAME="l4KH3" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">&#9745; English</a> <h1>C&#069;&#82;BE&#82; &#82;ANSOMWA&#82;&#069;</h1> <small id="title">Instructions</small> </div> <div id="languages"> <p>&#9745; Select your language</p> <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> <p>Can't yo<span class="h">jHELf3v</span>u find the necessary files?<br>Is the c<span class="h">XikaL</span>ontent of your files not readable?</p> <p>It is normal be<span class="h">HevVjbLEd</span>cause the files' names and the data in your files have been encryp<span class="h">Qgt2T06w</span>ted by "Ce<span class="h">zGmZSe5auw</span>r&#98;er&nbsp;Rans&#111;mware".</p> <p>It me<span class="h">cWgd</span>ans your files are NOT damage<span class="h">XEBAA6QBh</span>d! Your files are modified only. This modification is reversible.<br>F<span class="h">FqW</span>rom now it is not poss<span class="h">n584y</span>ible to use your files until they will be decrypted.</p> <p>The only way to dec<span class="h">NjYrFq</span>rypt your files safely is to &#98;uy the special decryption software "C<span class="h">7OL</span>er&#98;er&nbsp;Decryptor".</p> <p>Any attempts to rest<span class="h">ELED</span>ore your files with the thir<span class="h">lwU</span>d-party software will be fatal for your files!</p> <hr> <p class="w331208">You can proc<span class="h">jTmW</span>eed with purchasing of the decryption softw<span class="h">c</span>are at your personal page:</p> <p><span class="info"><span class="updating">Ple<span class="h">0v</span>ase wait...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/F4CE-E26B-DC7A-0446-905C</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/F4CE-E26B-DC7A-0446-905C</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/F4CE-E26B-DC7A-0446-905C</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/F4CE-E26B-DC7A-0446-905C</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/F4CE-E26B-DC7A-0446-905C</a></span></p> <p>If t<span class="h">B3</span>his page cannot be opened &nbsp;<span class="button" onclick="return _url_upd_('en');">cli<span class="h">8Ae8d</span>ck here</span>&nbsp; to get a new addr<span class="h">Fa</span>ess of your personal page.<br><br>If the addre<span class="h">N3</span>ss of your personal page is the same as befo<span class="h">d</span>re after you tried to get a new one,<br>you c<span class="h">Sw9cLcD</span>an try to get a new address in one hour.</p> <p>At th<span class="h">a0Y</span>is p&#097;ge you will receive the complete instr<span class="h">ZF75j</span>uctions how to buy the decrypti<span class="h">Xco</span>on software for restoring all your files.</p> <p>Also at this p&#097;ge you will be able to res<span class="h">BlOKo</span>tore any one file for free to be sure "Cer&#98;e<span class="h">fXFcx</span>r&nbsp;Decryptor" will help you.</p> <hr> <p>If your per<span class="h">O</span>sonal page is not availa<span class="h">lkfvbta</span>ble for a long period there is another way to open your personal page - insta<span class="h">jQ2jTkZKnV</span>llation and use of Tor&nbsp;Browser:</p> <ol> <li>run your Inte<span class="h">l</span>rnet browser (if you do not know wh&#097;t it is run the Internet&nbsp;Explorer);</li> <li>ent<span class="h">vgAYO3cydg</span>er or copy the &#097;ddress <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/downlo&#097;d/download-easy.html.en</a> into the address bar of your browser &#097;nd press ENTER;</li> <li>wait for the site load<span class="h">zc8k8prF</span>ing;</li> <li>on the site you will be offered to do<span class="h">Yi</span>wnload Tor&nbsp;Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ru<span class="h">ebd71FZsw</span>n Tor&nbsp;Browser;</li> <li>connect with the butt<span class="h">k</span>on "Connect" (if you use the English version);</li> <li>a normal Internet bro<span class="h">RpR</span>wser window will be opened &#097;fter the initialization;</li> <li>type or copy the add<span class="h">1l</span>ress <br><span class="info">http://p27dokhpz2n7nvgr.onion/F4CE-E26B-DC7A-0446-905C</span><br> in this browser address bar;</li> <li>pre<span class="h">U1SQJHfA</span>ss ENTER;</li> <li>the site sho<span class="h">I</span>uld be loaded; if for some reason the site is not lo<span class="h">Wh</span>ading wait for a moment and try again.</li> </ol> <p>If you have any pr<span class="h">NNlBJPOH</span>oblems during installation or use of Tor&nbsp;Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc<span class="h">S3D</span>h bar "Install Tor&nbsp;Browser Windows" and you will find a lot of training videos about Tor&nbsp;Browser installation and use.</p> <hr> <p><strong>Addit<span class="h">NIyCkRYURn</span>ional information:</strong></p> <p>You will fi<span class="h">7F7a3MgqEr</span>nd the instru<span class="h">qft2LLJnb</span>cti&#111;ns ("*_READ_THIS_FILE_*.hta") for re<span class="h">eINhcsewcB</span>st&#111;ring y&#111;ur files in &#097;ny f<span class="h">D</span>&#111;lder with your enc<span class="h">4o</span>rypted files.</p> <p>The instr<span class="h">5FfR9QP</span>ucti&#111;ns "*_READ_THIS_FILE_*.hta" in the f<span class="h">L96qRDZpw</span>&#111;lder<span class="h">cEACCjrmvr</span>s with your encry<span class="h">05TNP6</span>pted files are not vir<span class="h">LCn</span>uses! The instruc<span class="h">zF4GXHc</span>tions "*_READ_THIS_FILE_*.hta" will he<span class="h">NSaf</span>lp you to dec<span class="h">8em8LkW</span>rypt your files.</p> <p>Remembe<span class="h">Tt2</span>r! The w&#111;rst si<span class="h">GbExCuekc5</span>tu&#097;tion already happ<span class="h">2WPs</span>ened and n&#111;w the future of your files de<span class="h">DjteJo9CU</span>pends on your determ<span class="h">APry</span>ination and speed of your actions.</p> </div> <div id="ar" style="direction: rtl;"> <p>لا يمكنك العثور على الملفات الضرورية؟<br>هل محتوى الملفات غير قابل للقراءة؟</p> <p>هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cer&#98;er&nbsp;Rans&#111;mware".</p> <p>وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا.<br>ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها.</p> <p>الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cer&#98;er&nbsp;Decryptor".</p> <p>إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك!</p> <hr> <p>يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية:</p> <p><span class="info"><span class="updating">أرجو الإنتظار...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/F4CE-E26B-DC7A-0446-905C</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/F4CE-E26B-DC7A-0446-905C</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/F4CE-E26B-DC7A-0446-905C</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/F4CE-E26B-DC7A-0446-905C</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/F4CE-E26B-DC7A-0446-905C</a></span></p> <p>في حالة تعذر فتح هذه الصفحة &nbsp;<span class="button" onclick="return _url_upd_('ar');">انقر هنا</span>&nbsp; لإنشاء عنوان جديد لصفحتك الشخصية.</p> <p>في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك.</p> <p>في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cer&#98;er&nbsp;Decryptor" سوف يساعدك.</p> <hr> <p>إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor:</p> <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان <br><span class="info">http://p27dokhpz2n7nvgr.onion/F4CE-E26B-DC7A-0446-905C</span><br> في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> <p>إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه.</p> <hr> <p><strong>معلومات إض<span class="h">wr28aNs</span>افية:</strong></p> <p>س<span class="h">Q</span>وف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة.</p> <p>الإرش<span class="h">qqt</span>ادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك.</p> <p>تذكر أن أسوأ مو<span class="h">7mU7L</span>قف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك.</p> </div> <div id="zh"> <p>您找不到所需的文件?<br>您文件的内容无法阅读?</p> <p>这是正常的,因为您文件的文件名和数据已经被“Cer&#98;er&nbsp;Rans&#111;mware”加密了。</p> <p>这意味着您的文件并没有损坏!您的文件只是被修改了,这个修改是可逆的

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___AII4_.txt

Family

cerber

Ransom Note
CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/F4CE-E26B-DC7A-0446-905C Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/F4CE-E26B-DC7A-0446-905C 2. http://p27dokhpz2n7nvgr.14ewqv.top/F4CE-E26B-DC7A-0446-905C 3. http://p27dokhpz2n7nvgr.14vvrc.top/F4CE-E26B-DC7A-0446-905C 4. http://p27dokhpz2n7nvgr.129p1t.top/F4CE-E26B-DC7A-0446-905C 5. http://p27dokhpz2n7nvgr.1apgrn.top/F4CE-E26B-DC7A-0446-905C ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://p27dokhpz2n7nvgr.onion/F4CE-E26B-DC7A-0446-905C

http://p27dokhpz2n7nvgr.12hygy.top/F4CE-E26B-DC7A-0446-905C

http://p27dokhpz2n7nvgr.14ewqv.top/F4CE-E26B-DC7A-0446-905C

http://p27dokhpz2n7nvgr.14vvrc.top/F4CE-E26B-DC7A-0446-905C

http://p27dokhpz2n7nvgr.129p1t.top/F4CE-E26B-DC7A-0446-905C

http://p27dokhpz2n7nvgr.1apgrn.top/F4CE-E26B-DC7A-0446-905C

Targets

    • Target

      Ransomware-Samples-main.zip

    • Size

      15.1MB

    • MD5

      e88a0140466c45348c7b482bb3e103df

    • SHA1

      c59741da45f77ed2350c72055c7b3d96afd4bfc1

    • SHA256

      bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7

    • SHA512

      2dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431

    • SSDEEP

      393216:+8HaL/eOo2nfFSrjIMVePFmu/GyBSib+JYSWTmZ:LHayONnnBNmkPbDSWm

    Score
    1/10
    • Target

      Ransomware-Samples-main/Cerber/Ransomware.Cerber.zip

    • Size

      215KB

    • MD5

      5c571c69dd75c30f95fe280ca6c624e9

    • SHA1

      b0610fc5d35478c4b95c450b66d2305155776b56

    • SHA256

      416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c

    • SHA512

      8e7b9a4a514506d9b8e0f50cc521f82b5816d4d9c27da65e4245e925ec74ac8f93f8fe006acbab5fcfd4970573b11d7ea049cc79fb14ad12a3ab6383a1c200b2

    • SSDEEP

      3072:EJk9kcytz1Qg4kViSMoq9OsLvz8L5HINY8lYdeIX8woWJQHr6LqK2fU0MwL0b06R:EUkcyVlDq8rIblYomoWnvfp0g

    Score
    1/10
    • Target

      cerber.exe

    • Size

      604KB

    • MD5

      8b6bc16fd137c09a08b02bbe1bb7d670

    • SHA1

      c69a0f6c6f809c01db92ca658fcf1b643391a2b7

    • SHA256

      e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678

    • SHA512

      b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24

    • SSDEEP

      6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    • Contacts a large (1092) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Modifies Windows Firewall

    • Drops startup file

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      Ransomware-Samples-main/Cryptowall/Ransomware.Cryptowall.zip

    • Size

      100KB

    • MD5

      8710ea46c2db18965a3f13c5fb7c5be8

    • SHA1

      24978c79b5b4b3796adceffe06a3a39b33dda41d

    • SHA256

      60d574055ae164cc32df9e5c9402deefa9d07e5034328d7b41457d35b7312a0e

    • SHA512

      c71de7a60e7edeedbdd7843a868b6f5a95f2718f0f35d274cf85951ee565ef3ba1e087881f12aeede686ce6d016f3fd533b7ef21d878a03d2455acc161abf583

    • SSDEEP

      3072:OCDc19avf1fHqOhdzVD/9Ae7RT5f6IiL+WfXS21o4D:OCD0QvlqGRlAlX+sXjo4D

    Score
    1/10
    • Target

      cryptowall.bin

    • Size

      240KB

    • MD5

      47363b94cee907e2b8926c1be61150c7

    • SHA1

      ca963033b9a285b8cd0044df38146a932c838071

    • SHA256

      45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d

    • SHA512

      93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068

    • SSDEEP

      3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V

    Score
    3/10
    • Target

      Ransomware-Samples-main/Jigsaw/Ransomware.Jigsaw.zip

    • Size

      239KB

    • MD5

      3ad6374a3558149d09d74e6af72344e3

    • SHA1

      e7be9f22578027fc0b6ddb94c09b245ee8ce1620

    • SHA256

      86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff

    • SHA512

      21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720

    • SSDEEP

      3072:p7ykj3uuY4NsJD7kPdSRQLqas/pkPm9jvkEL60Uf7k2BgS6/aFybrNN5ZAdNstk7:p7ym3VNA7w8R5/rxv7O0yng0UtVw5NJ

    Score
    1/10
    • Target

      jigsaw

    • Size

      283KB

    • MD5

      2773e3dc59472296cb0024ba7715a64e

    • SHA1

      27d99fbca067f478bb91cdbcb92f13a828b00859

    • SHA256

      3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

    • SHA512

      6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

    • SSDEEP

      6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    • Renames multiple (3772) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Target

      Ransomware-Samples-main/LICENSE

    • Size

      34KB

    • MD5

      1ebbd3e34237af26da5dc08a4e440464

    • SHA1

      31a3d460bb3c7d98845187c716a30db81c44b615

    • SHA256

      3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986

    • SHA512

      d361e5e8201481c6346ee6a886592c51265112be550d5224f1a7a6e116255c2f1ab8788df579d9b8372ed7bfd19bac4b6e70e00b472642966ab5b319b99a2686

    • SSDEEP

      768:Fo1acy3LTB2VsrHG/OfvMmnBCtLmJ9A7J:Fhcycsrfrnoum

    Score
    1/10
    • Target

      Ransomware-Samples-main/Locky/Ransomware.Locky.zip

    • Size

      125KB

    • MD5

      b265305541dce2a140da7802442fbac4

    • SHA1

      63d0b780954a2bc96b3a77d9a2b3369d865bf1fd

    • SHA256

      0537fa38b88755f39df1cd774b907ec759dacab2388dc0109f4db9f0e9d191a0

    • SHA512

      af65384f814633fe1cde8bf4a3a1a8f083c7f5f0b7f105d47f3324cd2a8c9184ccf13cb3e43b47473d52f39f4151e7a9da1e9a16868da50abb74fcbc47724282

    • SSDEEP

      1536:6mXbzYYlSESr+LdgbfzNTBstcc6yVeHuwuY5pzl5Lypx0DIY6KQOoTFKmN9YMKW8:dbSr+Jg7lB2cV1aQ+WQVTFX9YPGQi1Mf

    Score
    1/10
    • Target

      Locky

    • Size

      180KB

    • MD5

      b06d9dd17c69ed2ae75d9e40b2631b42

    • SHA1

      b606aaa402bfe4a15ef80165e964d384f25564e4

    • SHA256

      bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3

    • SHA512

      8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c

    • SSDEEP

      3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6

    Score
    10/10
    • Locky

      Ransomware strain released in 2016, with advanced features like anti-analysis.

    • Target

      Ransomware-Samples-main/Mamba/Ransomware.Mamba.zip

    • Size

      1.0MB

    • MD5

      f94d1f4e2ce6c7cc81961361aab8a144

    • SHA1

      88189db0691667653fe1522c6b5673bf75aa44aa

    • SHA256

      610a52c340ebaff31093c5ef0d76032ac2acdc81a3431e68b244bf42905fd70a

    • SHA512

      7b7cf9a782549e75f87b8c62d091369b47c1b22c9a10dcf4a5d9f2db9a879ed3969316292d3944f95aeb67f34ae6dc6bbe2ae5ca497be3a25741a2aa204e66ad

    • SSDEEP

      24576:Uy0yC/fh9Dnt24GZrEXdjl3Fha3fXUkWpfnb:CyGf7TtCZrOll1svX0fb

    Score
    1/10
    • Target

      Ransomware-Samples-main/Matsnu/Ransomware.Matsnu.zip

    • Size

      62KB

    • MD5

      0a3487070911228115f3a13e9da2cb89

    • SHA1

      c2d57c288bc9951dee4cc289d15e18158ef3f725

    • SHA256

      f73027dd665772cc94dbe22b15938260be61cbaad753efdccb61c4fa464645e0

    • SHA512

      996f839d347d8983e01e6e94d2feb48f2308ab7410c6743a72b7ecff15b34a30cd12a5764c0470c77138cf8724d5641d03dd81793e28d47fe597f315e116fa77

    • SSDEEP

      1536:Wtmvcv25VrNQnc+6KmmjnFcqbq6eXq8GPHTDAY:WBUNQnc+6Vmmv6e8fP

    Score
    1/10
    • Target

      Ransomware-Samples-main/Petrwrap/Ransomware.Petrwrap.zip

    • Size

      1.1MB

    • MD5

      6884a35803f2e795fa4b121f636332b4

    • SHA1

      527bfbf4436f9cce804152200c4808365e6ba8f9

    • SHA256

      cf01329c0463865422caa595de325e5fe3f7fba44aabebaae11a6adfeb78b91c

    • SHA512

      262732a9203e2f3593d45a9b26a1a03cc185a20cf28fad3505e257b960664983d2e4f2b19b9ff743015310bf593810bd049eb03d0fd8912a6d54de739742de60

    • SSDEEP

      24576:XtZfUANeQHLqNZ2rl5zkFGPI/9+4C/BGq/Om00pN5m:XtZc+trnHkxVqQqm

    Score
    1/10
    • Target

      Ransomware-Samples-main/Petya/Ransomware.Petya.zip

    • Size

      538KB

    • MD5

      e8fb95ebb7e0db4c68a32947a74b5ff9

    • SHA1

      6f93f85342aa3ea7dcbe69cfb55d48e5027b296c

    • SHA256

      33ca487a65d38bad82dccfa0d076bad071466e4183562d0b1ad1a2e954667fe9

    • SHA512

      a2dea77b0283f4ed987c4de8860a9822bfd030be9c3096cda54f6159a89d461099e58efbc767bb8c04ae21ddd4289da578f8d938d78f30d40f9bca6567087320

    • SSDEEP

      12288:h62An+lYWejkM9KIIoyoAWPPpxS8yrST5UvF50VHCJvD3DpNu7NwRUDxuJnU:hJA+BncEoyojpxS8yrSV0nvHpNu7eQxH

    Score
    1/10
    • Target

      Ransomware-Samples-main/README.md

    • Size

      549B

    • MD5

      ec3725f86203d73125aa3070816bb4a3

    • SHA1

      4ebfd463e20656581f328d21ca7226d46c46da88

    • SHA256

      1e54544721a7c12cdc7e79e4212fc116f6f7b71cdc7a2b51ae142ab69e8784bc

    • SHA512

      fee577aec39892858d13e26f862354755467d54137a289cf353f8a47512066a1a0be2dd575e2608422745c2a52812d5d80ce145dc41c900eabb46b154f5a96d5

    Score
    3/10
    • Target

      Ransomware-Samples-main/Radamant/Ransomware.Radamant.zip

    • Size

      59KB

    • MD5

      fce365d60e13df34a6843894ac9be499

    • SHA1

      5211ac4e7d8459f0db9aa19a03c55cb2063fee5f

    • SHA256

      3e1813da2d561157df7667cde0117fdddd883c5b1272f76d1ae85ad889c38220

    • SHA512

      9747c95c1a1314fd0fb462951feafa51a75c0794e56a6bbbd16d192e366907aa764bc9adbc7d8319e5d43a37b10889808ae5d619ae1202200d7dba34afa2bc1b

    • SSDEEP

      1536:cKmaCJ5RF2bf2mwPUv0M47ChtgxyZShQ9FttDUFQ1VkJA/:XmHJAY23iSOxygkFttQFSkJA/

    Score
    1/10
    • Target

      Ransomware-Samples-main/RedBoot/Ransomware.RedBoot.zip

    • Size

      1.2MB

    • MD5

      51250dabf7df7832640e4a680676cb46

    • SHA1

      74ba41bb17af6e5638171f7a6d9d49e978d8d3b3

    • SHA256

      7fa2bf61405ac573a21334e34bf713dcb5d1fc0c72674e6cebc48d33a4a14d44

    • SHA512

      43f898d7e5752312a79138dcce94c117a20fb6efd9e522fc1ed3cc2d407d13cacf5b6f810c7c1966c4c03217aeb51fce641feb31b26620ff239756132b17f57a

    • SSDEEP

      24576:X55snqlV0L1X93CIhhFrJK/Hw75gIiaC+4llRCIPY7tdyPHno51SCUR:J53lV0LX5hFrswyVFlMEYSnCw

    Score
    1/10
    • Target

      Ransomware-Samples-main/Rex/Ransomware.Rex.zip

    • Size

      2.7MB

    • MD5

      50188823168525455c273c07d8457b87

    • SHA1

      0d549631690ea297c25b2a4e133cacb8a87b97c6

    • SHA256

      32856e998ff1a8b89e30c9658721595d403ff0eece70dc803a36d1939e429f8d

    • SHA512

      b1a58ebcc48142fa4f79c600ea70921f883f2f23185a3a60059cb2238ed1a06049e701ccdab6e4ea0662d2d98a73f477f791aa1eec1e046b74dc1ce0a9680f70

    • SSDEEP

      49152:vWKde2aWpNtWWKPqd0c1OWfD6vAcxntjWPNeJ5Rf/coFN0LZkyIEsNdd:eKI2FpNtfaqGc1EAczjk41EuN0LZky9y

    Score
    1/10
    • Target

      Ransomware-Samples-main/Satana/Ransomware.Satana.zip

    • Size

      57KB

    • MD5

      82f621944ee2639817400befabedffcf

    • SHA1

      c183ae5ab43b9b3d3fabdb29859876c507a8d273

    • SHA256

      4785c134b128df624760c02ad23c7e345a234a99828c3fecf58fbd6d5449897f

    • SHA512

      7a2257af32b265596e9f864767f2b86fb439b846f7bffa4b9f477f2e54bc3ff2bb56a39db88b72a0112972959570afc697c3202839a836a6d10409a10985031b

    • SSDEEP

      1536:GBfLHxIOBET2Uvk6w5yD5O92x2HtYli0kR5sJ7LNeeSLK/TJ:GBf9IOXok6DODtY40kDsjiL6F

    Score
    1/10
    • Target

      Ransomware-Samples-main/TeslaCrypt/Ransomware.TeslaCrypt.zip

    • Size

      479KB

    • MD5

      f755a44bbb97e9ba70bf38f1bdc67722

    • SHA1

      f70331eb64fd893047f263623ffb1e74e6fe4187

    • SHA256

      3b246faa7e4b2a8550aa619f4da893db83721aacf62b46e5863644a5249aa87e

    • SHA512

      f8ce666ae273e6c5cd57447189a8cf0e53c7704cf269fa120068f21e6faf6c89e2e75f37aee43cac83f4534790c5c6f1827621684034ef3eb7e94d7ee1ac365e

    • SSDEEP

      6144:xQAq0svy/pQhk1NBePvxGNWeOyqYAGfr/H/h60BHtzbprAvNGTG/fi5QCIq3h11Z:LyKoUlWeOP8HXrINZ/2uJUgVu

    Score
    1/10
    • Target

      Ransomware-Samples-main/Thanos/Ransomware.Thanos.zip

    • Size

      145KB

    • MD5

      00184463f3b071369d60353c692be6f0

    • SHA1

      d3c1e90f39da2997ef4888b54d706b1a1fde642a

    • SHA256

      cd0f55dd00111251cd580c7e7cc1d17448faf27e4ef39818d75ce330628c7787

    • SHA512

      baa931a23ecbcb15dda6a1dc46d65fd74b46ccea8891c48f0822a8a10092b7d4f7ea1dc971946a161ac861f0aa8b99362d5bea960b47b10f8c91e33d1b018006

    • SSDEEP

      3072:fn8L7y+NJQpRhkU0kbH2PNo/1GjTqOncYIOSsk:f8L7xNJQFzCo/ojTqOnYD

    Score
    1/10
    • Target

      Ransomware-Samples-main/Unnamed_0/Ransomware.Unnamed_0.zip

    • Size

      835KB

    • MD5

      abc651b27b067fb13cb11e00d33e5226

    • SHA1

      1869459025fcf845b90912236af43a5d8d0f14dd

    • SHA256

      690339e6d19da0b5c63406d68484a4984736f6c7159235afd9eeb2ae00cafc36

    • SHA512

      4b85ae9001b9d1f11d57b6b2565ab0d468c3b8be469cad231e1203c4f6858af98d8e739b03fb849c2f3ec7b493781e88d32e7b7567c4b61cc1189daeea285bbf

    • SSDEEP

      12288:9nmNxspjOW6b5EVZTf2qDByG/WNGeWnwnpiVdnBQzXwBdn+TMLCAZn23dr+/TaNT:MNO1OnbElqCnwni7cXo+ECYnq2Jd4l

    Score
    1/10
    • Target

      Ransomware-Samples-main/Vipasana/Ransomware.Vipasana.zip

    • Size

      638KB

    • MD5

      8d2c4c192772985776bacfd77f7bc4d9

    • SHA1

      3b923b911d443e321e551f26c9588b16a994d52e

    • SHA256

      1733b199a7063443c167e3caeae7dda2315f590341ea2152a9b132e1ad8e94a8

    • SHA512

      6c24f2fe498cf38e3f3d66b62915e6fbc8c2746a1d4c3c3de270f994b02e1369b9540099c12d150712574ececbe63c8c9f28877d8aa4557fbbb7890d5a0de6c1

    • SSDEEP

      12288:atcWK55CAyTliOve2dCbNF2NJ9lTYG6WxGc7jdw04YPghNxEvREoXIaK:k7KCP5tWiCpYj6/Cm04YPgvivRENL

    Score
    1/10
    • Target

      Ransomware-Samples-main/WannaCry/Ransomware.WannaCry.zip

    • Size

      3.3MB

    • MD5

      efe76bf09daba2c594d2bc173d9b5cf0

    • SHA1

      ba5de52939cb809eae10fdbb7fac47095a9599a7

    • SHA256

      707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

    • SHA512

      4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

    • SSDEEP

      98304:vhvb2BVmAw0p9jIVcEj5nnZNRyA30yBSRT:vhvq7Bu6EZnZN5EyBSN

    Score
    1/10
    • Target

      Ransomware-Samples-main/WannaCry_Plus/Ransomware.WannaCry_Plus.zip

    • Size

      2.3MB

    • MD5

      5641d280a62b66943bf2d05a72a972c7

    • SHA1

      c857f1162c316a25eeff6116e249a97b59538585

    • SHA256

      ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488

    • SHA512

      0633bc32fa6d31b4c6f04171002ad5da6bb83571b9766e5c8d81002037b4bc96e86eb059d35cf5ce17a1a75767461ba5ac0a89267c3d0e5ce165719ca2af1752

    • SSDEEP

      49152:9mqR0GTCRh8C9PYUYwm79evoBD2HSypKLZ5u/KU940CwmWtSQX5ddmL6T:RA8GY3b9ev62yypKLlUVCpSSQX5ddmeT

    Score
    1/10
    • Target

      Ransomware-Samples-main/ransomware.png

    • Size

      36KB

    • MD5

      01369d5062d49b270c8dd6ab535bc403

    • SHA1

      39c654df64cd7386081da8108f23573f331debab

    • SHA256

      ed672ed37bfdadddb835de8c346655a17b653094197a2d6080e6777fa59785ea

    • SHA512

      de704934135717cb62e4d15ef1666e78b3d43c17ff5d50b279c21a5318ac2ce0cea88ebeb17b66f4668e1ca1a8801bdd6bab0194b157b1da6bd90c71b29da08e

    • SSDEEP

      768:cfWDt10l7IWSENqPZxdv8aNdYjie60vLP2N4fUtbpSErCB3X:WI10loxxh8aNdWie6wb26f8m3X

    Score
    3/10

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Network Service Discovery

1
T1046

System Information Discovery

4
T1082

Remote System Discovery

1
T1018

Collection

Data from Local System

1
T1005

Impact

Defacement

1
T1491

Tasks