Analysis

  • max time kernel
    1s
  • max time network
    2s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
  • submitted
    30/04/2024, 20:08 UTC

Errors

Reason
Machine shutdown (the run reached only 1s of kernel time and 2s of network time, so the process tree and network traffic below cover the first stage only: no download from the payload_url hosts and no file encryption is recorded)

General

  • Target

    a9d6a59227370ab078d64d84f81f7502f0511cdbd945a94ca9348a10a9c7be07.exe

  • Size

    763KB

  • MD5

    0e2d81150e390967adede63bb8797e8b

  • SHA1

    3a17122d08cb7b3b3b9628fa3d89871a6b0d1e05

  • SHA256

    a9d6a59227370ab078d64d84f81f7502f0511cdbd945a94ca9348a10a9c7be07

  • SHA512

    0e983af8fc72200f7e4a350abe88a4ddd31a99b94b0b11f3b9e81373fcf320685f4089cbcff206ba432a43472e52d1f34ef3794b93726872df97b8dad2d01d5e

  • SSDEEP

    12288:wvrnDlo7dMeseUgi6b/pUqTpSNrdWTvFUwpFj8y6FC1qk7EnocqcbTes1tWvzK:wK7dvseUWJTcu9FjgkKo+bTeIEz

Malware Config

Extracted

Family

djvu

C2

http://cajgtus.com/test1/get.php

Attributes
  • extension

    .bgjs

  • offline_id

    Z6iwSvCoAt8T8K2ROxecuXHPNHv7eDyWrc8Ks7t1

  • payload_url

    http://sdfjhuz.com/dl/build2.exe

    http://cajgtus.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0863PsawqS

rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0Ftq9GtunuzQZHGiqoG
8S4cMO/Bdgsd+jTtFbVs1bX4OXiYKnMXg4LclKMEHJ2gnP2X09BkzA29UJQlagak
uAL7j7iRagKeU4tAB8w9rziBYoa9zROqer7J6pf5B11vAvvRq4b3127kAxnMhpgo
s7MQC7pXIvTkEeGySeG+F5fjSMPUoF1/cAg6GuSWOPXoPvXKRA/mo+xyHVOKZe2+
SCpbMHAyMe7o4w/i/pVjv9g8pRDJtz14qtMuAR38ek+SPJ4PJCxA9e0tOi+p4yNn
vnFKoL5OwzoF+bvVHnTA7tk4fXB3AyaL9llS0kxEWS7x/kNYQyJPh9fimryM03Cy
1wIDAQAB
-----END PUBLIC KEY-----
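The extracted configuration above is what a triage script would normalize before it is filed. The block below is an added example (not tria.ge's extractor and not code from the sample): it loads the values shown in this report, walks the PEM/DER structure of rsa_pubkey.plain with the standard library only to confirm it is a 2048-bit RSA key with e = 65537, and pulls the contact e-mails, prices and personal ID out of the ransom note. The note text in the block is an excerpt of the one above; the CONFIG dictionary, function names and the c2_host consistency check are the example's own. One triage note: the offline_id ends in "t1", the suffix STOP/Djvu uses for its embedded offline key IDs, which is why it is worth recording next to the personal ID from the note.

```python
import base64
import re

# Values below are copied from the "Malware Config" section of this report
# (the ransom note is an excerpt). The parsing code is an added example.
RSA_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0Ftq9GtunuzQZHGiqoG
8S4cMO/Bdgsd+jTtFbVs1bX4OXiYKnMXg4LclKMEHJ2gnP2X09BkzA29UJQlagak
uAL7j7iRagKeU4tAB8w9rziBYoa9zROqer7J6pf5B11vAvvRq4b3127kAxnMhpgo
s7MQC7pXIvTkEeGySeG+F5fjSMPUoF1/cAg6GuSWOPXoPvXKRA/mo+xyHVOKZe2+
SCpbMHAyMe7o4w/i/pVjv9g8pRDJtz14qtMuAR38ek+SPJ4PJCxA9e0tOi+p4yNn
vnFKoL5OwzoF+bvVHnTA7tk4fXB3AyaL9llS0kxEWS7x/kNYQyJPh9fimryM03Cy
1wIDAQAB
-----END PUBLIC KEY-----"""

RANSOM_NOTE_EXCERPT = (
    "Price of private key and decrypt software is $999. Discount 50% available "
    "if you contact us first 72 hours, that's price for you is $499. "
    "To get this software you need write on our e-mail: support@freshingmail.top "
    "Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc "
    "Your personal ID: 0863PsawqS"
)

CONFIG = {
    "family": "djvu",
    "c2": "http://cajgtus.com/test1/get.php",
    "extension": ".bgjs",
    "offline_id": "Z6iwSvCoAt8T8K2ROxecuXHPNHv7eDyWrc8Ks7t1",
    "payload_url": ["http://sdfjhuz.com/dl/build2.exe",
                    "http://cajgtus.com/files/1/build3.exe"],
}

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der_read(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(pem):
    """Walk a SubjectPublicKeyInfo and return (modulus_bits, public_exponent).

    Layout: SEQ { SEQ { OID rsaEncryption, NULL }, BIT STRING { SEQ { INT n, INT e } } }
    """
    b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(b64)
    tag, spki, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg, pos = _der_read(spki, 0)
    oid_tag, oid, _ = _der_read(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_read(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:      # first BIT STRING byte = count of unused bits
        raise ValueError("malformed BIT STRING")
    tag, rsakey, _ = _der_read(bitstr, 1)
    tag_n, n_bytes, pos = _der_read(rsakey, 0)
    tag_e, e_bytes, _ = _der_read(rsakey, pos)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def parse_ransom_note(note):
    """Pull the actor-supplied identifiers out of the note text."""
    pid = re.search(r"Your personal ID:\s*(\S+)", note)
    return {
        "personal_id": pid.group(1) if pid else None,
        "emails": re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", note),
        "prices_usd": [int(p) for p in re.findall(r"\$(\d+)", note)],
    }


def summarize(config=CONFIG, pem=RSA_PUBKEY_PEM, note=RANSOM_NOTE_EXCERPT):
    """Flatten config, key parameters and note identifiers into one record."""
    bits, e = parse_rsa_spki(pem)
    out = dict(config)
    out["rsa_modulus_bits"] = bits
    out["rsa_public_exponent"] = e
    out.update(parse_ransom_note(note))
    # The C2 and the second payload_url share a host; keep it as a pivot value.
    out["c2_host"] = re.match(r"https?://([^/]+)/", config["c2"]).group(1)
    return out


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The DER walk deliberately avoids a third-party library so it can run on an isolated analysis host; swap in `cryptography.hazmat.primitives.serialization.load_pem_public_key` where that is available.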

Signatures

  • Detected Djvu ransomware 5 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Modifies file permissions 1 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9d6a59227370ab078d64d84f81f7502f0511cdbd945a94ca9348a10a9c7be07.exe
    "C:\Users\Admin\AppData\Local\Temp\a9d6a59227370ab078d64d84f81f7502f0511cdbd945a94ca9348a10a9c7be07.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Local\Temp\a9d6a59227370ab078d64d84f81f7502f0511cdbd945a94ca9348a10a9c7be07.exe
      "C:\Users\Admin\AppData\Local\Temp\a9d6a59227370ab078d64d84f81f7502f0511cdbd945a94ca9348a10a9c7be07.exe"
      2⤵
        PID:1528
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Users\Admin\AppData\Local\3c08cbb6-2225-47d3-ba62-f3ade65188df" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          3⤵
          • Modifies file permissions
          PID:2740

    Network

    • flag-us
      DNS
      api.2ip.ua
      a9d6a59227370ab078d64d84f81f7502f0511cdbd945a94ca9348a10a9c7be07.exe
      Remote address:
      8.8.8.8:53
      Request
      api.2ip.ua
      IN A
      Response
      api.2ip.ua
      IN A
      104.21.65.24
      api.2ip.ua
      IN A
      172.67.139.220
    • flag-us
      GET
      https://api.2ip.ua/geo.json
      a9d6a59227370ab078d64d84f81f7502f0511cdbd945a94ca9348a10a9c7be07.exe
      Remote address:
      104.21.65.24:443
      Request
      GET /geo.json HTTP/1.1
      User-Agent: Microsoft Internet Explorer
      Host: api.2ip.ua
      Response
      HTTP/1.1 429 Too Many Requests
      Date: Tue, 30 Apr 2024 20:08:30 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      strict-transport-security: max-age=63072000; preload
      x-frame-options: SAMEORIGIN
      x-content-type-options: nosniff
      x-xss-protection: 1; mode=block; report=...
      access-control-allow-origin: *
      access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
      access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FYYME6yXSKRv%2BV6%2FK0i5Rxvno4tktalCssRCKtw7bXjeg8svf5xGrgG0dzO7rnQIO4uZTgsjXJ6h4NLp3K4Szw4FSEfFTeidcWuQa7Fjz%2FyjYigO1lLlPGUtMW%2BS"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 87ca2a07aa5b639a-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
    • 104.21.65.24:443
      https://api.2ip.ua/geo.json
      tls, http
      a9d6a59227370ab078d64d84f81f7502f0511cdbd945a94ca9348a10a9c7be07.exe
      1.1kB
      7.7kB
      15
      11

      HTTP Request

      GET https://api.2ip.ua/geo.json

      HTTP Response

      429
    • 8.8.8.8:53
      api.2ip.ua
      dns
      a9d6a59227370ab078d64d84f81f7502f0511cdbd945a94ca9348a10a9c7be07.exe
      56 B
      88 B
      1
      1

      DNS Request

      api.2ip.ua

      DNS Response

      104.21.65.24
      172.67.139.220

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      151 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.237
      13.107.21.237
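Two behaviours in the process tree and network sections above are cheap to turn into detection logic: the icacls call that denies Everyone (SID S-1-1-0) delete (DE) and delete-child (DC) rights, inheritable to files and subfolders via (OI)(CI), on a GUID-named folder under AppData\Local; and the GET to api.2ip.ua/geo.json sent with the bare User-Agent "Microsoft Internet Explorer", which is not a string the browser itself produces (real IE sends a "Mozilla/..." style value). The block below is an added example, not a tria.ge signature and not the sample's code: it runs those two rules over constructed Sysmon-like events (the first and third mirror this report; the benign ones are made up for contrast) and checks whether the icacls parent lives under %TEMP%, as it does here. The event field names, rule names and IP_LOOKUP_HOSTS are assumptions of the example.

```python
import re

# Constructed sample events in a Sysmon-like shape. Events 0 and 2 mirror the
# process tree and network sections of this report; 1 and 3 are benign controls
# made up for the example.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2740, "ppid": 1528,
     "image": r"C:\Windows\SysWOW64\icacls.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\a9d6a59227370ab078d64d84f81f7502f0511cdbd945a94ca9348a10a9c7be07.exe",
     "cmdline": r'icacls "C:\Users\Admin\AppData\Local\3c08cbb6-2225-47d3-ba62-f3ade65188df" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "process_create", "pid": 4100, "ppid": 900,
     "image": r"C:\Windows\System32\icacls.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'icacls "C:\inetpub\wwwroot" /grant IIS_IUSRS:(OI)(CI)R'},
    {"type": "http_request", "pid": 1528, "host": "api.2ip.ua", "path": "/geo.json",
     "user_agent": "Microsoft Internet Explorer"},
    {"type": "http_request", "pid": 5000, "host": "www.example.com", "path": "/",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"},
]

# GUID-named directory directly under %LOCALAPPDATA%, as in the icacls target above.
GUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b",
    re.IGNORECASE)
EVERYONE_ACE = re.compile(r"\*S-1-1-0:(\S+)")   # well-known SID S-1-1-0 = Everyone
IP_LOOKUP_HOSTS = {"api.2ip.ua"}  # from this report; add other lookup services as needed (assumption)


def rule_icacls_deny_everyone_delete(ev):
    """icacls /deny against Everyone removing delete rights on a GUID dir in AppData\\Local.

    (OI)(CI) makes the ACE inherit to files and subfolders; DE = delete,
    DC = delete child. Net effect: the user, and cleanup tooling running as the
    user, cannot remove what the sample placed in that folder.
    """
    if ev.get("type") != "process_create" or not ev.get("image", "").lower().endswith("icacls.exe"):
        return False
    cmd = ev.get("cmdline", "")
    if "/deny" not in cmd.lower():
        return False
    ace = EVERYONE_ACE.search(cmd)
    if not ace:
        return False
    rights = ace.group(1).upper()
    return ("DE" in rights or "DC" in rights) and GUID_DIR.search(cmd) is not None


def rule_external_ip_lookup_nonbrowser_ua(ev):
    """GET to an external-IP service with a hard-coded, non-browser User-Agent."""
    return (ev.get("type") == "http_request"
            and ev.get("host", "").lower() in IP_LOOKUP_HOSTS
            and ev.get("user_agent", "").strip() == "Microsoft Internet Explorer")


RULES = {
    "icacls_deny_everyone_delete_guid_dir": rule_icacls_deny_everyone_delete,
    "external_ip_lookup_nonbrowser_ua": rule_external_ip_lookup_nonbrowser_ua,
}


def detect(events):
    """Return (rule_name, pid) for every event that matches a rule, in event order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["pid"]))
    return hits


def parent_from_temp(events, pid):
    """True if the process with this pid was started by an image under %TEMP%."""
    for ev in events:
        if ev.get("type") == "process_create" and ev.get("pid") == pid:
            return "\\appdata\\local\\temp\\" in ev.get("parent_image", "").lower()
    return False


if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name}: pid={pid} parent_in_temp={parent_from_temp(SAMPLE_EVENTS, pid)}")
```

The same predicates map directly onto a process-creation (Sysmon Event ID 1) query for the first rule and a proxy or EDR HTTP log query for the second; the parent-in-%TEMP% check is what lifts the icacls hit from "suspicious" to "investigate now".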


    Downloads

    • memory/1528-3-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/1528-5-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/1528-4-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/1528-6-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/2180-2-0x0000000003790000-0x00000000038AB000-memory.dmp

      Filesize

      1.1MB

    • memory/2180-1-0x0000000001B60000-0x0000000001BFF000-memory.dmp

      Filesize

      636KB
