Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
30-05-2024 04:13
Behavioral task
behavioral1
Sample
2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe
-
Size
672KB
-
MD5
759b003089b555b423b1b2c1c6889b55
-
SHA1
4b5cd46abd9c8ac4d16bd7f358ebfc82b59afd30
-
SHA256
1b90313095227d545c97a68f3e58dac368f58ba314d7a1f945a3a1757415de79
-
SHA512
9b1e817c66e93236a8d3015a460cebfaa667587c9c725266f89c522ffdf4a12b0c3a9b960466676cb307db73f611ec54fefb80316ccd40e4c9e10028cfa09dc7
-
SSDEEP
12288:DjEiyrFmeLmbWAUVAyu2kLV13E4PmKvymcesKxt5Z3y+pIhfJhkiMySTXdv5MiW6:vEbfmbWcymjabesKxt5Z3y+pIhfJhkiK
Malware Config
Extracted
crylock
- emails
-
ransomnote
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <title>CryLock</title> <hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application> <script language="JavaScript"> var ud=0; var op=0xc7bf30; var zoc=0; function document.onkeydown() { var alt=window.event.altKey; if (event.keyCode==116 || event.keyCode==27 || alt && event.keyCode==115) { event.keyCode=0; event.cancelBubble=true; return false; } } function document.onblur() { alert('Attention! This important information for you!'); } function ChangeTime() { var sd = new Date('<%DOUBLE_DATETIME%>'); var dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('pwr'); dt.innerHTML='<font color="red" size="5"><b>Price is raised!</b></font>'; dt.style.height=78; zoc=1; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('dt'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } var sd = new Date('<%UNDECRYPT_DATETIME%>'); dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('lctw'); dt.innerHTML='<font color="red" size="5"><b>Last chance to decrypt your files!</b></font>'; zoc=2; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('et'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } } function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } function Rndom() { document.getElementById("blumid").focus(); var bid=document.getElementById('blumid'); var bem=document.getElementById('blummail'); if (ud==0) { op=op-0x10; } else { op=op+0x10; } if (op<=0xc00000) { ud=1; } if (op>=0xc7bf30) { ud=0; } bid.style.backgroundColor=op; bem.style.backgroundColor=op; var xx=''; var i=0; while (i<19) { xx=xx+getRandomArbitrary(0,2); i=i+1; } if (zoc==0) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="white" size="5"><b>'+xx+'</b></font>'; } else { if (zoc==1) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="5"><b>Price is raised!</b></font>'; } else { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="4"><b>Price is raised!<br>Last chance to decrypt your files!</b></font>'; } } } function Start() { window.resizeTo(800,500) setInterval(ChangeTime,1000); setInterval(Rndom,100); } function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); } function Restart() { alert('Attention! This important information for you!'); } </script> <body style="background-color:#0066CC;" OnLoad="Start()"> <div id="pwr" align="center" style="position:absolute; top:10px; left:10px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Payment will be raised after</b></font> <br> <div id="dt"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div align="center" style="position:absolute; top:10px; left:170px; width:58%;"> <font face="monospace" color="white" size="4"><b>Your files have been encrypted...</b></font> </div> <div align="center" style="position:absolute; top:60px; left:170px; width:58%;"> <div id="rc"> <font face="monospace" color="white" size="5"><b>00000000000000000000</b></font> </div> </div> <div id="lctw" align="center" style="position:absolute; top:10px; left:620px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Your files will be lost after</b></font> <br> <div id="et"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div style="background-color:white;overflow-x:hide; overflow-y:scroll; position:absolute; top:100px; left:10px; width:768px; height:320px"> Decrypt files? Write to this mails: <font face="monospace" OnClick="copytext('<%MAIN_CONTACT%>')"><b><%MAIN_CONTACT%></b></font> or <font face="monospace" OnClick="copytext('<%RESERVE_CONTACT%>')"><b><%RESERVE_CONTACT%></b></font>. Telegram <font face="monospace" OnClick="copytext('https://t.me/assist_decoderr')"><b>https://t.me/assist_decoder</b></font>. <br> You unique ID <font face="monospace" OnClick="copytext('[<%HID%>]')"><b>[<%HID%>] <font size="2">[copy]</font></b></font> </div> <div title="Click to copy" OnClick="copytext('[<%HID%>]')" id="blumid" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:10px; width:380px; height:20px"> <b>Your ID [<%HID%>] <font size="2">[copy]</font></b> </div> <div title="Click to copy" OnClick="copytext('<%MAIN_CONTACT%>')" id="blummail" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:400px; width:380px; height:20px"> <b>Write to <%MAIN_CONTACT%> <font size="2">[copy]</font></b> </div> </body> </html>
Signatures
-
Crylock
Ransomware family, which is a new variant of Cryakl ransomware.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe 2820 2024-05-30_759b003089b555b423b1b2c1c6889b55_cryakl_darkgate.exe