Overview

overview

10

Static

static

6

My Talking...36.exe

windows10-2004-x64

6

My Talking...11.apk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    My Talking Angela.zip

  • Size

    118.3MB

  • Sample

    240305-ssl1xahh4w

  • MD5

    06bfaa4efd9c05519e712fc2ad40e381

  • SHA1

    9c5cac8f936a9c937e7d7014f08ba540d97fd842

  • SHA256

    147695a93ca690a62967e982d9fb3ee52b36693f594806b14e10e09a9dd60e10

  • SHA512

    da85c72fb5ba1404cd091a59500ef8ec35bfcb644622a7c9a453d09ec8c08645892ba7fbc955d707c6e6d90976fb76b3a621954b16a1db40b4aef6aca3ad5759

  • SSDEEP

    3145728:xptW554ufrNSiu6myuRTD1vRkqdfJB2LG98P2U2op:tWDLLoyAvRksfXeD2Y

Score
10/10
fantomevasionransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>ktheJDyWNBai66oBsAwbHKlehkWKLojk3mLrVgXc9FuOOH95QsHOMrxzwtsNTwUX3PrHVzyj+fZhMW7orLlOl75K8nueF2TZNqPj6CiEdsnv4yKen4wa+dtcwJUMC9lBd7oTDsb32b6dhDiymgXbPZZ14TJnw2hcBhbTx54Kt1oYDjX+cHC1ftMvCiUVbkPxIx6B2jtlUFKv+35QTFZvZrhEznrdNuXL7vMhnWHOjiMRHNr7ObblsbHU+phWIlz7PPNiMDs0AXDrF6/07u7kJSkpCrrKYpDiZGHs3YgYvqdQsd3ijoZdU99tpkVGBl+/LUlFpS5f1yEyZYewYvddsw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Targets

    • Target

      My Talking Angela/BlueStacksInstaller_5.8.100.1036.exe

    • Size

      783KB

    • MD5

      0781512d75a512b443d6f75437902aff

    • SHA1

      d9395ad80f1eca1627eec368d25f53901d94df42

    • SHA256

      ea851b062c25c36ec7d7988bae56fb385be244bf26c44e43cfe0069887b55a6d

    • SHA512

      fb2d8b82b2481b7a9232ff40c191a3ec5ac04bb5c2f75db9cef5c16cfd35a7ad15bcbbe70880a625c9adeb877d8cc252b8de42f6eeddbd006e8ab253a46d8715

    • SSDEEP

      12288:NivtCXQd0RYK1mv6qQdeRPHKhuV9c1klspixcogZAhcZr0CXWYJ:NivtCXF1mv6qQOqWcyOJBAhc104

    Score
    6/10

    • Legitimate hosting services abused for malware hosting/C2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1

    • Target

      My Talking Angela/com.outfit7.mytalkingangelafree_6.0.2.3411.apk

    • Size

      121.1MB

    • MD5

      3f81742d6b3508d633a99923f42c68c0

    • SHA1

      ea016865afbcf08a7364b88b663f2f73ef7bd414

    • SHA256

      8db0754525a449a70aa9043b3bcb112453764a45788cba1cfa64fab25dea1c70

    • SHA512

      76338f27b39796e5daa092fa266084be6316e8a6d53cf71abe0603d9d1115a9e897e61ffb275b6b988143253dbb34b7567d73418523f9fa4f6b44a279c7dc4fa

    • SSDEEP

      3145728:xMbXVoTTg2qSkBO9KmQz506b3prDroVr+vnTQlBZpTJE:iVGTg2kD950O3prDrj7Ql1u

    Score
    10/10
    fantomevasionransomware

    • Fantom

      Ransomware which hides encryption process behind fake Windows Update screen.

      ransomwarefantom

    • Renames multiple (4852) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Drops file in Drivers directory

    • Drops startup file

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral2

MITRE ATT&CK Enterprise v15

Tasks