targetcompany | 8c4731c1fbf49ef59d696d72db1aa2576e422ff788c4cc65d19a916a307b8581

Resubmissions

29/09/2024, 23:33

240929-3j92gswcpr 10

27/06/2024, 11:48

240627-nyjqhszcne 10

20/05/2024, 02:34

240520-c2m2kagc6x 10

Analysis

max time kernel
108s
max time network
132s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240508-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
20/05/2024, 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f
Size

1.9MB
MD5

121f43dfb68b710165ec47b2e102b50c
SHA1

dffa99b9fe6e7d3e19afba38c9f7ec739581f656
SHA256

8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f
SHA512

6d7d62265b852e7adfcf5903f8b7a6c3cd0329a0d95a5e1a70897775da4e77fd125ba1949c06b2386fbfccbfd713a34c6f014ba92c41d55274f34f767d38945e
SSDEEP

49152:GRooXHbhpWDbkVdmAxURyLAlLcbxY9CE5r9:toXzmSURyCxx

Score

10^/10

targetcompany persistence ransomware

Malware Config

Extracted

Path

/var/spool/cron/atjobs/HOW TO DECRYPT.txt

Family

targetcompany

Ransom Note

Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 69482246DA7E767130883B50 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.

Emails

[email protected]

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
ransomware targetcompany

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/atjobs/HOW TO DECRYPT.txt	8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f
File opened for modification	/var/spool/cron/atjobs/.SEQ	8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/TargetInfo.txt	8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f

/tmp/8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f
/tmp/8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f
1⤵
- Creates/modifies Cron job
- Reads CPU attributes
- Writes file to tmp directory
PID:1382

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/TargetInfo.txt

Filesize
115B

MD5
01936ac91954aea25989b61cbcd31092

SHA1
67f52a6f8fcd7bb63528af9d49ecd5c6ef4913e2

SHA256
9dcb426c3fb616da749f216b541c5ee683c2c637c9edace102ca0c162915a9a1

SHA512
eeb068ac139af3d4546962dcab682e4bde93cb5ddd2ad563ca6eecfca54ece719ef7d445b9229bde816eba7e71e3bbb33ae002ce1df912c83f43c6c6d595cdd0

Download Submit
/var/spool/cron/atjobs/HOW TO DECRYPT.txt

Filesize
1KB

MD5
bb3314fffa5118460f2a18340b4cfeb6

SHA1
888dedc9966f498c7efd4b0c71ae589327d96bfc

SHA256
9169eaaf695d126b128b2d67bec64c63dcc5a5527e93e71b4875b912cebeeb8a

SHA512
110b33b831bdbed608170a53fa1df73aff1b9fe3101fd65a938be05e79f2816661db170658cc1e7c9e1b4847c9bc4700cac7b7b9f515000d533fa3e642b44e54

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads