cerber

Sharing

General

Target

Ransomware.zip
Size

15.7MB
Sample

240302-y31jyahe32
MD5

db5767904e1067a3ab570f60300e10ef
SHA1

09be1da25133fbf0527b6034b7626cbcc8fc7c69
SHA256

c2bf26d1b3a311be1bec839ca7c26bf2c944fd79333485a271230ec435c318dd
SHA512

fee1c72f97302642d5d57c174e871ed3a55e2cb1d71d6d8304bc5676a4e7d770fe66730d8687d32815a44473b1e9030b09c6ba7d54d77adecba53c27385d4f74
SSDEEP

393216:OQm4g9/2UsB+tKQTdnhxN/+FIUScHbJAB6o1EljZBh2Hjj6eVu98D9:Rg9/uOTfx4aSbJRoOBh2n/

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Ransom Note

All your important files were encrypted on this computer. You can verify this by click on see files an try open them. Encrtyption was produced using unique public key RSA-4096 generated for this computer. To decrypted files, you need to otbtain private key. The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet; The server will destroy the key within 48 hours after encryption completed. To retrieve the private key, you need to pay 7 bitcoins Bitcoins have to be sent to this address: 1Hxq9SJobRG8xZc2h4hN9xaaga2jFBiYqQ After you've sent the payment send us an email to : [email protected] with subject : DECRYPT-ID-63100222 If you are not familiar with bitcoin you can buy it from here : SITE 1 : www.coinbase.com SITE 2 : www.bitstamp.net After we confirm the payment , we send the private key so you can decrypt your system.

Emails

[email protected]

Wallets

1Hxq9SJobRG8xZc2h4hN9xaaga2jFBiYqQ

Extracted

Path

C:\Users\Public\Videos\how_to_back_files.html

Ransom Note

<html> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">Your files are encrypted!</div> <div class="note private"> <div class="title">Your personal ID</div> <pre>81 03 B3 CF 22 2C 10 A1 D3 AC B4 6D 8A 41 F4 B6 B0 49 C7 42 DB B3 E5 18 75 24 82 18 C9 C8 B0 AC EA F0 A8 CA 5A F3 72 4D 01 F9 0F 44 C5 42 41 04 66 47 37 3D 70 A0 04 76 9E 21 72 42 44 87 79 A6 35 61 79 52 82 8E D2 9D 81 F6 96 23 CE D2 FA BD 87 A0 B1 B5 A6 62 B7 A3 78 39 DE F8 21 7A FA C3 49 7B AD B4 BD 89 04 89 B4 DE FE 99 BF 03 8C 17 C2 6E 4A B2 06 F6 6D E3 F0 BA 11 A4 CB 1F 9F 46 </pre> </div> <div class="bold"> <div align="left">All your important data has been encrypted.</div> </div> <div class="bold">To recover data you need decryptor.</div> <div> <h2 align="center">To get the decryptor you should:</h2> <h1 align="left">pay for decrypt:</h1> <div class="note xx"> <div align="left"> <h1>site for buy bitcoin:<br> </h1> </div> <div align="left"> <strong>Buy 1 BTC on one of these sites</strong> </div> <div align="left"> <ol> <li><strong>https://localbitcoins.com</strong></li> <li><strong>https://www.coinbase.com</strong></li> <li><strong>https://xchange.cc</strong></li> </ol> </div> <div align="left"> <h1>bitcoin adress for pay:<br> </h1> </div> <div align="left">1FuCGsCmmGWZnDkzg2aa7y6RvK3KP7TG7K</div> <div align="left"><strong>Send 1 BTC for decrypt</strong></div> </div> <div> <h1>After the payment: </h1> </div> <div><p>Send screenshot of payment to <span class="mark">[email protected]</span>. In the letter include your personal ID (look at the beginning of this document).</p> </div> <div> <h1 align="center">After you will receive a decryptor and instructions</h1> </div> <div class="note alert"> <div class="title">Attention!</div> <ul><li>No Payment = No decryption</li> <li>You really get the decryptor after payment</li> <li>We give you the opportunity to decipher 1 file free of charge!</li> <li>You can make sure that the service really works and after payment for the «Decryptor» program you can actually decrypt the files!</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> </div> </body> </html>

Emails

class="mark">[email protected]</span>

Extracted

Path

C:\Users\Public\Videos\how_to_back_files.html

Ransom Note

<html> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">Your files are encrypted!</div> <div class="note private"> <div class="title">Your personal ID</div> <pre>54 4B 0C 07 FB F1 7B 9E 8F B5 4D 5C 08 CD F8 B2 F2 5E A9 E6 16 02 51 5F DF A4 52 B8 19 2A 7D 1A A0 27 76 C5 DC 42 26 F2 C8 1F B3 FA A5 45 B1 28 AC D9 94 5B 3E 4E 14 21 AE CC 68 BB 88 D9 C4 B5 1C 16 4B 6E 62 DE 7C 77 DE CC F0 43 94 C8 C9 96 DC F7 E4 82 A7 27 A3 D2 BF 2B 40 17 7E C8 60 CD 8F D9 DC 45 D5 ED C7 66 BA 01 CA 80 D4 1B 7F 06 48 23 2B B9 A6 81 BD 12 D5 F1 F7 BC 70 1A DC C3 </pre> </div> <div class="bold"> <div align="left">All your important data has been encrypted.</div> </div> <div class="bold">To recover data you need decryptor.</div> <div> <h2 align="center">To get the decryptor you should:</h2> <h1 align="left">pay for decrypt:</h1> <div class="note xx"> <div align="left"> <h1>site for buy bitcoin:<br> </h1> </div> <div align="left"> <strong>Buy 1 BTC on one of these sites</strong> </div> <div align="left"> <ol> <li><strong>https://localbitcoins.com</strong></li> <li><strong>https://www.coinbase.com</strong></li> <li><strong>https://xchange.cc</strong></li> </ol> </div> <div align="left"> <h1>bitcoin adress for pay:<br> </h1> </div> <div align="left">1FuCGsCmmGWZnDkzg2aa7y6RvK3KP7TG7K</div> <div align="left"><strong>Send 1 BTC for decrypt</strong></div> </div> <div> <h1>After the payment: </h1> </div> <div><p>Send screenshot of payment to <span class="mark">[email protected]</span>. In the letter include your personal ID (look at the beginning of this document).</p> </div> <div> <h1 align="center">After you will receive a decryptor and instructions</h1> </div> <div class="note alert"> <div class="title">Attention!</div> <ul><li>No Payment = No decryption</li> <li>You really get the decryptor after payment</li> <li>We give you the opportunity to decipher 1 file free of charge!</li> <li>You can make sure that the service really works and after payment for the «Decryptor» program you can actually decrypt the files!</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> </div> </body> </html>

Emails

class="mark">[email protected]</span>

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___9LOCG7_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/050A-1F36-E42F-0446-924A Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.14ewqv.top/050A-1F36-E42F-0446-924A 2. http://p27dokhpz2n7nvgr.14vvrc.top/050A-1F36-E42F-0446-924A 3. http://p27dokhpz2n7nvgr.129p1t.top/050A-1F36-E42F-0446-924A 4. http://p27dokhpz2n7nvgr.1apgrn.top/050A-1F36-E42F-0446-924A 5. http://p27dokhpz2n7nvgr.1p5fwl.top/050A-1F36-E42F-0446-924A ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/050A-1F36-E42F-0446-924A

http://p27dokhpz2n7nvgr.14ewqv.top/050A-1F36-E42F-0446-924A

http://p27dokhpz2n7nvgr.14vvrc.top/050A-1F36-E42F-0446-924A

http://p27dokhpz2n7nvgr.129p1t.top/050A-1F36-E42F-0446-924A

http://p27dokhpz2n7nvgr.1apgrn.top/050A-1F36-E42F-0446-924A

http://p27dokhpz2n7nvgr.1p5fwl.top/050A-1F36-E42F-0446-924A

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___W9RV9_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="iBv" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> <small id="title">Instructions</small> </div> <div id="languages"> <p>☑ Select your language</p> <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> <p>Can't yo<span class="h">LYGOS</span>u find the necessary files?<br>Is the c<span class="h">yWSSnP</span>ontent of your files not readable?</p> <p>It is normal be<span class="h">q0</span>cause the files' names and the data in your files have been encryp<span class="h">7NzSDp</span>ted by "Ce<span class="h">Xg</span>rber Ransomware".</p> <p>It me<span class="h">vtbm</span>ans your files are NOT damage<span class="h">W6T</span>d! Your files are modified only. This modification is reversible.<br>F<span class="h">oJeFpz</span>rom now it is not poss<span class="h">k8jgN</span>ible to use your files until they will be decrypted.</p> <p>The only way to dec<span class="h">P</span>rypt your files safely is to buy the special decryption software "C<span class="h">nbr</span>erber Decryptor".</p> <p>Any attempts to rest<span class="h">ny9Gp</span>ore your files with the thir<span class="h">LyJfD</span>d-party software will be fatal for your files!</p> <hr> <p class="w331208">You can proc<span class="h">Mq8ZpR</span>eed with purchasing of the decryption softw<span class="h">LQxUiSRR</span>are at your personal page:</p> <p><span class="info"><span class="updating">Ple<span class="h">XHhiZie8e</span>ase wait...</span><a class="url" href="http://p27dokhpz2n7nvgr.14ewqv.top/7B26-1391-7BB0-0446-9133" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/7B26-1391-7BB0-0446-9133</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/7B26-1391-7BB0-0446-9133" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/7B26-1391-7BB0-0446-9133</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/7B26-1391-7BB0-0446-9133" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/7B26-1391-7BB0-0446-9133</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/7B26-1391-7BB0-0446-9133" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/7B26-1391-7BB0-0446-9133</a><hr><a href="http://p27dokhpz2n7nvgr.1p5fwl.top/7B26-1391-7BB0-0446-9133" target="_blank">http://p27dokhpz2n7nvgr.1p5fwl.top/7B26-1391-7BB0-0446-9133</a></span></p> <p>If t<span class="h">AT</span>his page cannot be opened  <span class="button" onclick="return _url_upd_('en');">cli<span class="h">ynK</span>ck here</span>  to get a new addr<span class="h">C4z7TIO</span>ess of your personal page.<br><br>If the addre<span class="h">5w2Bh</span>ss of your personal page is the same as befo<span class="h">dFN</span>re after you tried to get a new one,<br>you c<span class="h">qx3hZApuqv</span>an try to get a new address in one hour.</p> <p>At th<span class="h">N5</span>is page you will receive the complete instr<span class="h">Xfy</span>uctions how to buy the decrypti<span class="h">2wQeGr</span>on software for restoring all your files.</p> <p>Also at this page you will be able to res<span class="h">bGn</span>tore any one file for free to be sure "Cerbe<span class="h">W90</span>r Decryptor" will help you.</p> <hr> <p>If your per<span class="h">lNd</span>sonal page is not availa<span class="h">ecDwhWO1</span>ble for a long period there is another way to open your personal page - insta<span class="h">GF4QDV0</span>llation and use of Tor Browser:</p> <ol> <li>run your Inte<span class="h">hv</span>rnet browser (if you do not know what it is run the Internet Explorer);</li> <li>ent<span class="h">4fo</span>er or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site load<span class="h">E8</span>ing;</li> <li>on the site you will be offered to do<span class="h">740eZ9r9k</span>wnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ru<span class="h">OSsD</span>n Tor Browser;</li> <li>connect with the butt<span class="h">7obdg</span>on "Connect" (if you use the English version);</li> <li>a normal Internet bro<span class="h">lWP2p</span>wser window will be opened after the initialization;</li> <li>type or copy the add<span class="h">rREDokQR</span>ress <br><span class="info">http://p27dokhpz2n7nvgr.onion/7B26-1391-7BB0-0446-9133</span><br> in this browser address bar;</li> <li>pre<span class="h">MF8P5K</span>ss ENTER;</li> <li>the site sho<span class="h">1</span>uld be loaded; if for some reason the site is not lo<span class="h">bBu</span>ading wait for a moment and try again.</li> </ol> <p>If you have any pr<span class="h">vFOuzGUA2</span>oblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc<span class="h">XwIEY0Rbq</span>h bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use.</p> <hr> <p><strong>Addit<span class="h">zWI5HQ3Jt</span>ional information:</strong></p> <p>You will fi<span class="h">i</span>nd the instru<span class="h">AHxyv</span>ctions ("*_READ_THIS_FILE_*.hta") for re<span class="h">mTN</span>storing your files in any f<span class="h">L</span>older with your enc<span class="h">LQgelR7</span>rypted files.</p> <p>The instr<span class="h">SEvP3FmL</span>uctions "*_READ_THIS_FILE_*.hta" in the f<span class="h">t6f6Rx</span>older<span class="h">3u</span>s with your encry<span class="h">pW</span>pted files are not vir<span class="h">0p</span>uses! The instruc<span class="h">vCoZDWSY</span>tions "*_READ_THIS_FILE_*.hta" will he<span class="h">BbiTaAq</span>lp you to dec<span class="h">jT</span>rypt your files.</p> <p>Remembe<span class="h">7E98t1Nu</span>r! The worst si<span class="h">5Io0lK</span>tuation already happ<span class="h">XIzc</span>ened and now the future of your files de<span class="h">iR8Hshl0V</span>pends on your determ<span class="h">lkNz0rArYS</span>ination and speed of your actions.</p> </div> <div id="ar" style="direction: rtl;"> <p>لا يمكنك العثور على الملفات الضرورية؟<br>هل محتوى الملفات غير قابل للقراءة؟</p> <p>هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware".</p> <p>وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا.<br>ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها.</p> <p>الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor".</p> <p>إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك!</p> <hr> <p>يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية:</p> <p><span class="info"><span class="updating">أرجو الإنتظار...</span><a class="url" href="http://p27dokhpz2n7nvgr.14ewqv.top/7B26-1391-7BB0-0446-9133" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/7B26-1391-7BB0-0446-9133</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/7B26-1391-7BB0-0446-9133" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/7B26-1391-7BB0-0446-9133</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/7B26-1391-7BB0-0446-9133" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/7B26-1391-7BB0-0446-9133</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/7B26-1391-7BB0-0446-9133" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/7B26-1391-7BB0-0446-9133</a><hr><a href="http://p27dokhpz2n7nvgr.1p5fwl.top/7B26-1391-7BB0-0446-9133" target="_blank">http://p27dokhpz2n7nvgr.1p5fwl.top/7B26-1391-7BB0-0446-9133</a></span></p> <p>في حالة تعذر فتح هذه الصفحة  <span class="button" onclick="return _url_upd_('ar');">انقر هنا</span>  لإنشاء عنوان جديد لصفحتك الشخصية.</p> <p>في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك.</p> <p>في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك.</p> <hr> <p>إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor:</p> <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان <br><span class="info">http://p27dokhpz2n7nvgr.onion/7B26-1391-7BB0-0446-9133</span><br> في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> <p>إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه.</p> <hr> <p><strong>معلومات إض<span class="h">JAyf</span>افية:</strong></p> <p>س<span class="h">g</span>وف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة.</p> <p>الإرش<span class="h">IQRQwu5Fp3</span>ادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك.</p> <p>تذكر أن أسوأ مو<span class="h">fE6AIMIu85</span>قف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك.</p> </div> <div id="zh"> <p>您找不到所需的文件？<br>您文件的内容无法阅读？</p> <p>这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。</p> <p>这意味着您的文件并没有损坏！您的文件只是被修改了，这个修改是可逆的，解密�

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___AQS7ZWR2_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/7B26-1391-7BB0-0446-9133 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.14ewqv.top/7B26-1391-7BB0-0446-9133 2. http://p27dokhpz2n7nvgr.14vvrc.top/7B26-1391-7BB0-0446-9133 3. http://p27dokhpz2n7nvgr.129p1t.top/7B26-1391-7BB0-0446-9133 4. http://p27dokhpz2n7nvgr.1apgrn.top/7B26-1391-7BB0-0446-9133 5. http://p27dokhpz2n7nvgr.1p5fwl.top/7B26-1391-7BB0-0446-9133 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/7B26-1391-7BB0-0446-9133

http://p27dokhpz2n7nvgr.14ewqv.top/7B26-1391-7BB0-0446-9133

http://p27dokhpz2n7nvgr.14vvrc.top/7B26-1391-7BB0-0446-9133

http://p27dokhpz2n7nvgr.129p1t.top/7B26-1391-7BB0-0446-9133

http://p27dokhpz2n7nvgr.1apgrn.top/7B26-1391-7BB0-0446-9133

http://p27dokhpz2n7nvgr.1p5fwl.top/7B26-1391-7BB0-0446-9133

Targets

- Target
  
  3da65a0e613fadcff41992bd4f74b7dc1e71f9cb542339679185f79de6503f0e.bin
- Size
  
  72KB
- MD5
  
  c12a9eae7b63f5bdd90deb3969079492
- SHA1
  
  f0700457e66091be7222748c7170881608d3a0cd
- SHA256
  
  3da65a0e613fadcff41992bd4f74b7dc1e71f9cb542339679185f79de6503f0e
- SHA512
  
  44270af6f6fed42dcb190f0761714bdc1a4888197f3d19f1c6c1d694138e54b17ec9403ff24658ee6a9e7379fceaae1e727ccefe512b26818e2310669fbeabc9
- SSDEEP
  
  1536:1ODavnxrn1hV6tXqHa0Fyp7Sz4C4OKqlmAC+YyWd4AEZswQUI5GLy:AoV6puaMypmMTOK/41krQ+
Score

10^/10

persistence ransomware spyware stealer
- Renames multiple (6123) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Modifies Installed Components in the registry
  persistence
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2
- Target
  
  Ransomware/Alphabet.bin
- Size
  
  168KB
- MD5
  
  dbe78231174b03239eb262cc2d2d0900
- SHA1
  
  fc472223cd9aee3cf912fc401bd47774569d07ac
- SHA256
  
  4e60f3c8eaa0441d4ffdced18aa04153bb91b5470bc5441ba5878f7760ca9b5b
- SHA512
  
  27561377d217c449e4730a0eab69cd1edd68480ea22e6b3c8fee0e76603acc36cbc420c204b3ecf98f0dde4cf731cad6937751c780c796c7192a84ad1823d2ba
- SSDEEP
  
  1536:rBUzOE+2x+/m2x+kDgJF+2x+/m2x+kDgWGekNsGekNFuJGekNsGekNcl:wOE1+l+kcJF1+l+kctphpG
Score

8^/10

persistence
- Modifies Installed Components in the registry
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4
- Target
  
  Ransomware/Atom Payload Builder.exe
- Size
  
  513KB
- MD5
  
  224db51b372a5a26f3e09d2a64af50b2
- SHA1
  
  bca07e1a05bc30bbf51ccfdc34676fc574b790d7
- SHA256
  
  5ab04878b630d1e0598fb6f74570f653a6bd0753dad9ef55ecf467bee7e618e1
- SHA512
  
  f031ee3a4307bddffcf9809f3e4d778a5f8ebe1d53ba8fde13bd1c6248e93e8e479ddb21dca9a201aaa261c4111eee2c21a241fbe3087f9eb777bccc542163de
- SSDEEP
  
  12288:amhp5zFkcxdQ8r0R3gYR3nxdJYEm5ATgulc/:3BZoR3gYR3nFmBulc
Score

1^/10
behavioral5 behavioral6
- Target
  
  Ransomware/Cerber
- Size
  
  492KB
- MD5
  
  8b3d0bc69064a0155a205a4202417330
- SHA1
  
  0aa06a222900a2d3042e73fc21b52004d7856aeb
- SHA256
  
  9ef7fe10bbbb58899859d82ba7a698cbfdd546c6e9e4d3b55193e4180682036c
- SHA512
  
  e54140bdf79b5498cb7f4a519a4d9ed54e3a4845ae822a2f25c3f1d97b616b9f1374ece7ff788e0e667e5ac5824f81aa1a1861b8d212e832533590ac1f96633a
- SSDEEP
  
  12288:ww+dKNr2YH7WQx3IjKoa+888888888888W888888888888:wVKMYbWzuBf
Score

10^/10

cerber discovery evasion ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Blocklisted process makes network request
- Contacts a large (1094) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral7 behavioral8
- Target
  
  Ransomware/EternalRocks
- Size
  
  5.0MB
- MD5
  
  53f23e72664dc9efd4251ba1b120d932
- SHA1
  
  5e033b70775429fb6a5c2f40435984526f3a4ca1
- SHA256
  
  3b4497c7f8c89bf22c984854ac7603573a53b95ed147e80c0f19e549e2b65693
- SHA512
  
  fad16aeff2bc7ff24eba061167769d40ef228fc986c3a6ca3cabb5e42625bd22a7a9745cabe551b089d8361305f92bc1786b40e2f00d185a9e524e0935f867f5
- SSDEEP
  
  98304:SX/pvSmTsOmMpu5l/sB0seyAp/QszFjXEKZFbr0vKPMKznq:EBvpsOmX5ly0sbAtVXEKZF+sVq
Score

1^/10
behavioral10 behavioral9
- Target
  
  Ransomware/GLOBEIMPOSTER
- Size
  
  232KB
- MD5
  
  1bbd2dc9746292c60121865663b287f2
- SHA1
  
  04644335ef7523274146a4f39ab30621c2a2a9a1
- SHA256
  
  2815c8cdb02003298f7959fd1cf6eed893de6652f3861a6a2e3e5744b8ac9234
- SHA512
  
  da557f37abac2300ee03e4167d1dbf9d06d7f6faa6af887fb0966de4c3c7d35117f8ca0cee6e5d68d9ba091ab9464eb1a4b601a759c3b860b141afc346a0da66
- SSDEEP
  
  6144:6pSie0JHvaS7MTqp4Re4jjMXn3lNv8en:6pUSPaSkqp4RtMlhh
Score

10^/10

ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (8643) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  Ransomware/GhostCrypter.bin
- Size
  
  87KB
- MD5
  
  d60b0083605a9fb10b4d21005f1febd0
- SHA1
  
  ed538f9dc4a7b58649d55b892e4a32cfb25b98a1
- SHA256
  
  eae568e1a06b6dd762c92a8e0be5349c0c474ff429785fdad7d58083a10485de
- SHA512
  
  4c8b4e93685852cc4634f2cc2bd66ff86b2e133b9f6899441488b630569c26832eab07b08ced87b62031749969bb9c0d2e1fd229071213ed71eeaa9f27fb87cb
- SSDEEP
  
  1536:NcMqI3TJ38pY5GuncfTpgg5qKB3gg5bwFlG3zg4llJLmA+pVStv:Nck3TJ38pY5OfTpTpggSHGblzL8S
Score

9^/10

persistence ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral13 behavioral14
- Target
  
  Ransomware/Golden Eyes - via unikey.exe
- Size
  
  1.3MB
- MD5
  
  3f6bfaa577b7be13705f41cc5b6cb1eb
- SHA1
  
  0a9cd77276ac62848eeb1c428cf9f05c0e0ec69c
- SHA256
  
  21780731ba0394eaa38254960f445321f2ca10450623855d8e2f1d6e30481022
- SHA512
  
  9f02e7fc31f7fe3ebebebc4b38f49cd885f91b5bc3ee0b7c0cb2f19f2e8f983aebf671197471b61f624dbc13183bac66f8c19d50fb3a501c269ea3d1a9029ce1
- SSDEEP
  
  24576:/7blFG2wAhxKw0cDJ/ztH6NtCsL96AEwZIOd++kD4mRkdqbhm:/75o2FfKwT1/x2btFtsTD4mRkdqbhm
Score

10^/10

metasploit neshta backdoor bootkit discovery persistence spyware stealer trojan
- Detect Neshta payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral15 behavioral16
- Target
  
  Ransomware/Locky
- Size
  
  180KB
- MD5
  
  b06d9dd17c69ed2ae75d9e40b2631b42
- SHA1
  
  b606aaa402bfe4a15ef80165e964d384f25564e4
- SHA256
  
  bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
- SHA512
  
  8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c
- SSDEEP
  
  3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6
Score

10^/10

locky ransomware
- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
  ransomware locky
behavioral17 behavioral18
- Target
  
  Ransomware/Matsnu.com_
- Size
  
  102KB
- MD5
  
  1b2d2a4b97c7c2727d571bbf9376f54f
- SHA1
  
  1fc29938ec5c209ba900247d2919069b320d33b0
- SHA256
  
  7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e
- SHA512
  
  506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0
- SSDEEP
  
  1536:jj+Rj1lGIXKSmE17v97yiqHGMRPtbsLW8/V2k12v1/BDxVyCfCrCAc:jjw6Sf0iqmMnb2W02v3mCf4Nc
Score

7^/10

persistence upx
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  Ransomware/Rex
- Size
  
  7.3MB
- MD5
  
  5bd44a35094fe6f7794d895122ddfa62
- SHA1
  
  98172e49c3d5d70ffdcefd071f9762c58430a393
- SHA256
  
  762a4f2bf5ea4ff72fce674da1adf29f0b9357be18de4cd992d79198c56bb514
- SHA512
  
  4033c7335a44a7536a3980aad8cf18ff6336186d71dd7b7f02c3d5c93001ed974285fe9fbbf783bc0abac3e3b3581993ad6d2ac285249aa24b0aafa261f74de8
- SSDEEP
  
  49152:mNLLdMtTbVDtCsN5laK2BfCDvI7ZR9kAs5dkPjU2NhYCWpdLJaDSfUGZnh7X3cM9:mNlMt1tCsN5LGfCL7ATfscS8QhXP
Score

9^/10

discovery
- Contacts a large (11706) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral21
- Target
  
  Ransomware/ShellLocker.exe
- Size
  
  679KB
- MD5
  
  5f3a3ee275a03ac1c2fa5482649b6471
- SHA1
  
  9673a5a87428e3b38e65f2cd922946d47c4a329b
- SHA256
  
  c9661b2f5274b1835d64e6d58ea5a8ff58ffa8d9d19a9a31bd43f074c6e2eb69
- SHA512
  
  405139d37c3ec224f96316a59b2764d159d750d480acbbbc77c7bb8f46d9709dbcbea60cfe6d6f500d72e4b23b88ac52951bf13fb34ad81ffde9d5c32b0fb46a
- SSDEEP
  
  12288:/W3FwqcxVUmAb35S9DLF4YMQ9WhueDFEkSstBZfMUpqv:/W3FwqcxKmgBkW8dstXEUpqv
Score

1^/10
behavioral22 behavioral23
- Target
  
  Ransomware/Unlock92.bin
- Size
  
  24KB
- MD5
  
  afe4fa37dbbe91319f0684bc9524e557
- SHA1
  
  db412ecb113e8f40781105af0d3dbc67760a9461
- SHA256
  
  639f0ebcb2349caf7ab5f34e0d7c156db660f54f621fa9c2151c9f5795528670
- SHA512
  
  83d7730a0213c98c4c9d5e8d195eab9c73362824d541df6e68e0106b409be756db4db2317f9ed2796de2e5bb86bdbf9195c0b8c6d91b8986df9ebe58c3603da7
- SSDEEP
  
  384:TPDGsgnqFmaPJB4hWMhX5fLhMYQJtz0F92nudaTfrnnnwKPjDKcsujYcV6SUwJF9:DDGbQ/8WMN5frVF9qnnfPfZYcV6lw9b
Score

9^/10

ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (661) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
behavioral24 behavioral25
- Target
  
  Ransomware/cryptowall.bin
- Size
  
  240KB
- MD5
  
  47363b94cee907e2b8926c1be61150c7
- SHA1
  
  ca963033b9a285b8cd0044df38146a932c838071
- SHA256
  
  45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
- SHA512
  
  93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
- SSDEEP
  
  3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
Score

9^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral26 behavioral27
- Target
  
  Ransomware/eda2.exe
- Size
  
  208KB
- MD5
  
  9ed4b9ace2563ce02973e94999e5081e
- SHA1
  
  7c69fd4f8650370ce07d18436ee4a44185f4f529
- SHA256
  
  fa2a9561a0cfc535908b8b39168391d4f87c685e8d95f52a51d194cc7264ba37
- SHA512
  
  6d48b956cbfc2d1a27a89e082bd7f914b5aeac8e00339a961cd1a18bab860185a64bb471f71e69e4bd1cacb801f57df140dffe7fd6b5b007eb2ec4b5540f8031
- SSDEEP
  
  3072:etRM+lmsolAIrRuw+mqv9j1MWLQ5MTmmsolNIrRuw+mqv9j1MWLQ5:1+lDAArTmDAN
Score

1^/10
behavioral28 behavioral29
- Target
  
  Ransomware/jigsaw
- Size
  
  283KB
- MD5
  
  2773e3dc59472296cb0024ba7715a64e
- SHA1
  
  27d99fbca067f478bb91cdbcb92f13a828b00859
- SHA256
  
  3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
- SHA512
  
  6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
- SSDEEP
  
  6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX
Score

10^/10

jigsaw persistence ransomware spyware stealer
- Jigsaw Ransomware
  Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
  ransomware jigsaw
- Renames multiple (1997) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral30 behavioral31
- Target
  
  Ransomware/mamba.exe
- Size
  
  2.3MB
- MD5
  
  409d80bb94645fbc4a1fa61c07806883
- SHA1
  
  4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1
- SHA256
  
  2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63
- SHA512
  
  a99a2f17d9fbb1da9fb993b976df63afa74317666eca46d1f04e7e6e24149547d1ac7210f673caeae9b23a900528ad6ad0a7b98780eff458d3d505029a06e9ba
- SSDEEP
  
  49152:XM16E7qUoM5NWX7DP+1egOhcraQzK6j97V:c16/rM5oW1ZrRz
Score

1^/10
behavioral32