Overview

overview

10

Static

static

3

cerber.exe

windows7-x64

10

cerber.exe

windows10-2004-x64

10

cryptowall.exe

windows7-x64

9

cryptowall.exe

windows10-2004-x64

3

jigsaw.exe

windows7-x64

10

jigsaw.exe

windows10-2004-x64

10

Locky.exe

windows7-x64

10

Locky.exe

windows10-2004-x64

10

131.exe

windows7-x64

1

131.exe

windows10-2004-x64

1

Matsnu-MBR...3 .exe

windows7-x64

7

Matsnu-MBR...3 .exe

windows10-2004-x64

3

027cc450ef...d9.dll

windows7-x64

10

027cc450ef...d9.dll

windows10-2004-x64

10

027cc450ef...ju.dll

windows7-x64

10

027cc450ef...ju.dll

windows10-2004-x64

10

myguy.hta

windows7-x64

10

myguy.hta

windows10-2004-x64

10

svchost.exe

windows7-x64

7

svchost.exe

windows10-2004-x64

7

Ransomware...ry.zip

windows7-x64

1

Ransomware...ry.zip

windows10-2004-x64

1

Ransomware...us.zip

windows7-x64

1

Ransomware...us.zip

windows10-2004-x64

1

Resubmissions

01-03-2024 20:38

240301-ze5pesdb79 3

01-03-2024 20:03

240301-ysybtsce5x 3

01-03-2024 18:44

240301-xdmfcabg67 3

01-03-2024 17:56

240301-wjhhxabb92 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Ransomware-Samples-main.zip

  • Size

    15.1MB

  • Sample

    240301-wjhhxabb92

  • MD5

    e88a0140466c45348c7b482bb3e103df

  • SHA1

    c59741da45f77ed2350c72055c7b3d96afd4bfc1

  • SHA256

    bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7

  • SHA512

    2dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431

  • SSDEEP

    393216:+8HaL/eOo2nfFSrjIMVePFmu/GyBSib+JYSWTmZ:LHayONnnBNmkPbDSWm

Score
10/10
cerberjigsawlockymimikatzbootkitdiscoveryevasionpersistenceransomwarespywarestealerupx

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___JCGMJHB6_.txt

Family

cerber

Ransom Note
CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/25EB-1823-0FE9-0446-9C54 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/25EB-1823-0FE9-0446-9C54 2. http://p27dokhpz2n7nvgr.14ewqv.top/25EB-1823-0FE9-0446-9C54 3. http://p27dokhpz2n7nvgr.14vvrc.top/25EB-1823-0FE9-0446-9C54 4. http://p27dokhpz2n7nvgr.129p1t.top/25EB-1823-0FE9-0446-9C54 5. http://p27dokhpz2n7nvgr.1apgrn.top/25EB-1823-0FE9-0446-9C54 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://p27dokhpz2n7nvgr.onion/25EB-1823-0FE9-0446-9C54

http://p27dokhpz2n7nvgr.12hygy.top/25EB-1823-0FE9-0446-9C54

http://p27dokhpz2n7nvgr.14ewqv.top/25EB-1823-0FE9-0446-9C54

http://p27dokhpz2n7nvgr.14vvrc.top/25EB-1823-0FE9-0446-9C54

http://p27dokhpz2n7nvgr.129p1t.top/25EB-1823-0FE9-0446-9C54

http://p27dokhpz2n7nvgr.1apgrn.top/25EB-1823-0FE9-0446-9C54

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://french-cooking.com/myguy.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://french-cooking.com/myguy.exe

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___F51TT_.hta

Family

cerber

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>C&#069;&#82;BE&#82; &#82;ANSOMWA&#82;&#069;: Instructi&#111;ns</title> <HTA:APPLICATION APPLICATIONNAME="Ub" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">&#9745; English</a> <h1>C&#069;&#82;BE&#82; &#82;ANSOMWA&#82;&#069;</h1> <small id="title">Instructions</small> </div> <div id="languages"> <p>&#9745; Select your language</p> <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> <p>Can't yo<span class="h">ZQm7Lif</span>u find the necessary files?<br>Is the c<span class="h">BeCxAr</span>ontent of your files not readable?</p> <p>It is normal be<span class="h">lk5RxaQ</span>cause the files' names and the data in your files have been encryp<span class="h">KqYzCxUdbn</span>ted by "Ce<span class="h">QgXI</span>r&#98;er&nbsp;Rans&#111;mware".</p> <p>It me<span class="h">o2</span>ans your files are NOT damage<span class="h">q</span>d! Your files are modified only. This modification is reversible.<br>F<span class="h">3RT75E7W</span>rom now it is not poss<span class="h">ATSImL</span>ible to use your files until they will be decrypted.</p> <p>The only way to dec<span class="h">p</span>rypt your files safely is to &#98;uy the special decryption software "C<span class="h">DuNIZ</span>er&#98;er&nbsp;Decryptor".</p> <p>Any attempts to rest<span class="h">6214ZdG</span>ore your files with the thir<span class="h">skJ6P3o</span>d-party software will be fatal for your files!</p> <hr> <p class="w331208">You can proc<span class="h">PLtzN</span>eed with purchasing of the decryption softw<span class="h">0CF1V</span>are at your personal page:</p> <p><span class="info"><span class="updating">Ple<span class="h">Z</span>ase wait...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/1EA9-A37A-0C8F-0446-9C29" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/1EA9-A37A-0C8F-0446-9C29</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/1EA9-A37A-0C8F-0446-9C29" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/1EA9-A37A-0C8F-0446-9C29</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/1EA9-A37A-0C8F-0446-9C29" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/1EA9-A37A-0C8F-0446-9C29</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/1EA9-A37A-0C8F-0446-9C29" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/1EA9-A37A-0C8F-0446-9C29</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/1EA9-A37A-0C8F-0446-9C29" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/1EA9-A37A-0C8F-0446-9C29</a></span></p> <p>If t<span class="h">seTs</span>his page cannot be opened &nbsp;<span class="button" onclick="return _url_upd_('en');">cli<span class="h">QfBdDhqUj</span>ck here</span>&nbsp; to get a new addr<span class="h">W</span>ess of your personal page.<br><br>If the addre<span class="h">v5nJUR3</span>ss of your personal page is the same as befo<span class="h">XVi2w9yA</span>re after you tried to get a new one,<br>you c<span class="h">D0Q</span>an try to get a new address in one hour.</p> <p>At th<span class="h">i</span>is p&#097;ge you will receive the complete instr<span class="h">BhL9</span>uctions how to buy the decrypti<span class="h">Qpi8q0B0G</span>on software for restoring all your files.</p> <p>Also at this p&#097;ge you will be able to res<span class="h">i0C6Z9AKe</span>tore any one file for free to be sure "Cer&#98;e<span class="h">DJOYE0</span>r&nbsp;Decryptor" will help you.</p> <hr> <p>If your per<span class="h">qTkLSscZ</span>sonal page is not availa<span class="h">GaauD</span>ble for a long period there is another way to open your personal page - insta<span class="h">frlNO</span>llation and use of Tor&nbsp;Browser:</p> <ol> <li>run your Inte<span class="h">UUo7QINPRd</span>rnet browser (if you do not know wh&#097;t it is run the Internet&nbsp;Explorer);</li> <li>ent<span class="h">rufq2GTuE</span>er or copy the &#097;ddress <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/downlo&#097;d/download-easy.html.en</a> into the address bar of your browser &#097;nd press ENTER;</li> <li>wait for the site load<span class="h">uBUScj</span>ing;</li> <li>on the site you will be offered to do<span class="h">AhgyNKk7</span>wnload Tor&nbsp;Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ru<span class="h">uYL</span>n Tor&nbsp;Browser;</li> <li>connect with the butt<span class="h">ybm</span>on "Connect" (if you use the English version);</li> <li>a normal Internet bro<span class="h">GUtQWDx6</span>wser window will be opened &#097;fter the initialization;</li> <li>type or copy the add<span class="h">21hAeUEO</span>ress <br><span class="info">http://p27dokhpz2n7nvgr.onion/1EA9-A37A-0C8F-0446-9C29</span><br> in this browser address bar;</li> <li>pre<span class="h">ErdI62x</span>ss ENTER;</li> <li>the site sho<span class="h">1otB</span>uld be loaded; if for some reason the site is not lo<span class="h">F</span>ading wait for a moment and try again.</li> </ol> <p>If you have any pr<span class="h">X7bwPmVG</span>oblems during installation or use of Tor&nbsp;Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc<span class="h">Jl2nK8O1</span>h bar "Install Tor&nbsp;Browser Windows" and you will find a lot of training videos about Tor&nbsp;Browser installation and use.</p> <hr> <p><strong>Addit<span class="h">v</span>ional information:</strong></p> <p>You will fi<span class="h">zop7</span>nd the instru<span class="h">BLouueWgm</span>cti&#111;ns ("*_READ_THIS_FILE_*.hta") for re<span class="h">7e02FSaV</span>st&#111;ring y&#111;ur files in &#097;ny f<span class="h">3jagvk3tp</span>&#111;lder with your enc<span class="h">CNim5U</span>rypted files.</p> <p>The instr<span class="h">kr2</span>ucti&#111;ns "*_READ_THIS_FILE_*.hta" in the f<span class="h">LYq1KHlT</span>&#111;lder<span class="h">M8lM2AayKZ</span>s with your encry<span class="h">GEhxgx</span>pted files are not vir<span class="h">xAfMQ0pQ0s</span>uses! The instruc<span class="h">O</span>tions "*_READ_THIS_FILE_*.hta" will he<span class="h">QZ3e2NzGdG</span>lp you to dec<span class="h">kjcZ</span>rypt your files.</p> <p>Remembe<span class="h">6</span>r! The w&#111;rst si<span class="h">3uQxL3exG</span>tu&#097;tion already happ<span class="h">KVYyh7fP</span>ened and n&#111;w the future of your files de<span class="h">G</span>pends on your determ<span class="h">AfJhQ</span>ination and speed of your actions.</p> </div> <div id="ar" style="direction: rtl;"> <p>لا يمكنك العثور على الملفات الضرورية؟<br>هل محتوى الملفات غير قابل للقراءة؟</p> <p>هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cer&#98;er&nbsp;Rans&#111;mware".</p> <p>وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا.<br>ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها.</p> <p>الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cer&#98;er&nbsp;Decryptor".</p> <p>إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك!</p> <hr> <p>يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية:</p> <p><span class="info"><span class="updating">أرجو الإنتظار...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/1EA9-A37A-0C8F-0446-9C29" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/1EA9-A37A-0C8F-0446-9C29</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/1EA9-A37A-0C8F-0446-9C29" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/1EA9-A37A-0C8F-0446-9C29</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/1EA9-A37A-0C8F-0446-9C29" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/1EA9-A37A-0C8F-0446-9C29</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/1EA9-A37A-0C8F-0446-9C29" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/1EA9-A37A-0C8F-0446-9C29</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/1EA9-A37A-0C8F-0446-9C29" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/1EA9-A37A-0C8F-0446-9C29</a></span></p> <p>في حالة تعذر فتح هذه الصفحة &nbsp;<span class="button" onclick="return _url_upd_('ar');">انقر هنا</span>&nbsp; لإنشاء عنوان جديد لصفحتك الشخصية.</p> <p>في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك.</p> <p>في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cer&#98;er&nbsp;Decryptor" سوف يساعدك.</p> <hr> <p>إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor:</p> <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان <br><span class="info">http://p27dokhpz2n7nvgr.onion/1EA9-A37A-0C8F-0446-9C29</span><br> في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> <p>إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه.</p> <hr> <p><strong>معلومات إض<span class="h">iUYXI8ol</span>افية:</strong></p> <p>س<span class="h">Qh5Q</span>وف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة.</p> <p>الإرش<span class="h">G</span>ادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك.</p> <p>تذكر أن أسوأ مو<span class="h">D</span>قف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك.</p> </div> <div id="zh"> <p>您找不到所需的文件?<br>您文件的内容无法阅读?</p> <p>这是正常的,因为您文件的文件名和数据已经被“Cer&#98;er&nbsp;Rans&#111;mware”加密了。</p> <p>这意味着您的文件并没有损坏!您的文件只是被修改��

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___5BSSQ_.txt

Family

cerber

Ransom Note
CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/1EA9-A37A-0C8F-0446-9C29 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/1EA9-A37A-0C8F-0446-9C29 2. http://p27dokhpz2n7nvgr.14ewqv.top/1EA9-A37A-0C8F-0446-9C29 3. http://p27dokhpz2n7nvgr.14vvrc.top/1EA9-A37A-0C8F-0446-9C29 4. http://p27dokhpz2n7nvgr.129p1t.top/1EA9-A37A-0C8F-0446-9C29 5. http://p27dokhpz2n7nvgr.1apgrn.top/1EA9-A37A-0C8F-0446-9C29 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://p27dokhpz2n7nvgr.onion/1EA9-A37A-0C8F-0446-9C29

http://p27dokhpz2n7nvgr.12hygy.top/1EA9-A37A-0C8F-0446-9C29

http://p27dokhpz2n7nvgr.14ewqv.top/1EA9-A37A-0C8F-0446-9C29

http://p27dokhpz2n7nvgr.14vvrc.top/1EA9-A37A-0C8F-0446-9C29

http://p27dokhpz2n7nvgr.129p1t.top/1EA9-A37A-0C8F-0446-9C29

http://p27dokhpz2n7nvgr.1apgrn.top/1EA9-A37A-0C8F-0446-9C29

Targets

    • Target

      cerber.exe

    • Size

      604KB

    • MD5

      8b6bc16fd137c09a08b02bbe1bb7d670

    • SHA1

      c69a0f6c6f809c01db92ca658fcf1b643391a2b7

    • SHA256

      e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678

    • SHA512

      b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24

    • SSDEEP

      6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

    Score
    10/10
    cerberdiscoveryevasionransomware

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

      ransomwarecerber

    • Blocklisted process makes network request

    • Contacts a large (1094) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

    • Target

      cryptowall.bin

    • Size

      240KB

    • MD5

      47363b94cee907e2b8926c1be61150c7

    • SHA1

      ca963033b9a285b8cd0044df38146a932c838071

    • SHA256

      45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d

    • SHA512

      93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068

    • SSDEEP

      3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V

    Score
    9/10
    persistenceransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      jigsaw

    • Size

      283KB

    • MD5

      2773e3dc59472296cb0024ba7715a64e

    • SHA1

      27d99fbca067f478bb91cdbcb92f13a828b00859

    • SHA256

      3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

    • SHA512

      6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

    • SSDEEP

      6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

    Score
    10/10
    jigsawpersistenceransomwarespywarestealer

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

      ransomwarejigsaw

    • Renames multiple (2022) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence
    behavioral5behavioral6

    • Target

      Locky

    • Size

      180KB

    • MD5

      b06d9dd17c69ed2ae75d9e40b2631b42

    • SHA1

      b606aaa402bfe4a15ef80165e964d384f25564e4

    • SHA256

      bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3

    • SHA512

      8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c

    • SSDEEP

      3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6

    Score
    10/10
    lockyransomware

    • Locky

      Ransomware strain released in 2016, with advanced features like anti-analysis.

      ransomwarelocky
    behavioral7behavioral8

    • Target

      131.exe

    • Size

      2.3MB

    • MD5

      409d80bb94645fbc4a1fa61c07806883

    • SHA1

      4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1

    • SHA256

      2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63

    • SHA512

      a99a2f17d9fbb1da9fb993b976df63afa74317666eca46d1f04e7e6e24149547d1ac7210f673caeae9b23a900528ad6ad0a7b98780eff458d3d505029a06e9ba

    • SSDEEP

      49152:XM16E7qUoM5NWX7DP+1egOhcraQzK6j97V:c16/rM5oW1ZrRz

    Score
    1/10
    behavioral10behavioral9

    • Target

      Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_

    • Size

      102KB

    • MD5

      1b2d2a4b97c7c2727d571bbf9376f54f

    • SHA1

      1fc29938ec5c209ba900247d2919069b320d33b0

    • SHA256

      7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e

    • SHA512

      506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0

    • SSDEEP

      1536:jj+Rj1lGIXKSmE17v97yiqHGMRPtbsLW8/V2k12v1/BDxVyCfCrCAc:jjw6Sf0iqmMnb2W02v3mCf4Nc

    Score
    7/10
    persistenceupx

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      027cc450ef5f8c5f653329641ec1fed9.exe

    • Size

      353KB

    • MD5

      71b6a493388e7d0b40c83ce903bc6b04

    • SHA1

      34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

    • SHA256

      027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

    • SHA512

      072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

    • SSDEEP

      6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG

    Score
    10/10
    mimikatzbootkitpersistencespywarestealer

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

      mimikatz

    • mimikatz is an open source tool to dump credentials on Windows

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral13behavioral14

    • Target

      027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.bin

    • Size

      353KB

    • MD5

      71b6a493388e7d0b40c83ce903bc6b04

    • SHA1

      34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

    • SHA256

      027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

    • SHA512

      072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

    • SSDEEP

      6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG

    Score
    10/10
    mimikatzbootkitpersistencespywarestealer

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

      mimikatz

    • mimikatz is an open source tool to dump credentials on Windows

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral15behavioral16

    • Target

      myguy.hta

    • Size

      13KB

    • MD5

      0487382a4daf8eb9660f1c67e30f8b25

    • SHA1

      736752744122a0b5ee4b95ddad634dd225dc0f73

    • SHA256

      ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6

    • SHA512

      e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106

    • SSDEEP

      192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb

    Score
    10/10

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral17behavioral18

    • Target

      svchost.exe

    • Size

      704KB

    • MD5

      d2ec63b63e88ece47fbaab1ca22da1ef

    • SHA1

      dd52fcc042a44a2af9e43c15a8e520b54128cdc8

    • SHA256

      e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5

    • SHA512

      89d9e63d5f3b34be3d25317933031815a42c039fbee30ce8c86f8b1b7c6ca9ccfc8731da99b9246381a2c05a95ada423f4944ff72111eb0451a44e9dcb3e053e

    • SSDEEP

      12288:rue4X2Uz0DsetgxLdsCHvX8XYJWs6XS1bFLDw1P86jZpMV7uikFg:v+2UzSgxLdsCHmQb6XSbFLDs06jZulus

    Score
    7/10

    • Drops startup file

    • Drops desktop.ini file(s)

    behavioral19behavioral20

    • Target

      Ransomware-Samples-main/WannaCry/Ransomware.WannaCry.zip

    • Size

      3.3MB

    • MD5

      efe76bf09daba2c594d2bc173d9b5cf0

    • SHA1

      ba5de52939cb809eae10fdbb7fac47095a9599a7

    • SHA256

      707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

    • SHA512

      4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

    • SSDEEP

      98304:vhvb2BVmAw0p9jIVcEj5nnZNRyA30yBSRT:vhvq7Bu6EZnZN5EyBSN

    Score
    1/10
    behavioral21behavioral22

    • Target

      Ransomware-Samples-main/WannaCry_Plus/Ransomware.WannaCry_Plus.zip

    • Size

      2.3MB

    • MD5

      5641d280a62b66943bf2d05a72a972c7

    • SHA1

      c857f1162c316a25eeff6116e249a97b59538585

    • SHA256

      ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488

    • SHA512

      0633bc32fa6d31b4c6f04171002ad5da6bb83571b9766e5c8d81002037b4bc96e86eb059d35cf5ce17a1a75767461ba5ac0a89267c3d0e5ce165719ca2af1752

    • SSDEEP

      49152:9mqR0GTCRh8C9PYUYwm79evoBD2HSypKLZ5u/KU940CwmWtSQX5ddmL6T:RA8GY3b9ev62yypKLlUVCpSSQX5ddmeT

    Score
    1/10
    behavioral23behavioral24

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

4
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Network Service Discovery

1
T1046

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

2
T1490

Tasks

static1

Score
3/10

behavioral1

cerberdiscoveryevasionransomware
Score
10/10

behavioral2

cerberdiscoveryevasionransomware
Score
10/10

behavioral3

persistenceransomware
Score
9/10

behavioral4

Score
3/10

behavioral5

jigsawpersistenceransomwarespywarestealer
Score
10/10

behavioral6

jigsawpersistenceransomwarespywarestealer
Score
10/10

behavioral7

lockyransomware
Score
10/10

behavioral8

lockyransomware
Score
10/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

persistenceupx
Score
7/10

behavioral12

Score
3/10

behavioral13

mimikatzbootkitpersistencespywarestealer
Score
10/10

behavioral14

mimikatzbootkitpersistencespywarestealer
Score
10/10

behavioral15

mimikatzbootkitpersistencespywarestealer
Score
10/10

behavioral16

mimikatzbootkitpersistencespywarestealer
Score
10/10

behavioral17

Score
10/10

behavioral18

Score
10/10

behavioral19

Score
7/10

behavioral20

Score
7/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10