General

  • Target

    Mixed In Key 8.dmg

  • Size

    10.4MB

  • Sample

    240602-abvbvabf4s

  • MD5

    58680abd58baca826c2029f32e5b78b3

  • SHA1

    98040c4d358a6fb9fed970df283a9b25f0ab393b

  • SHA256

    b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a

  • SHA512

    be852ea2a0ce7a119392f6f28033dfcec27ac897f3479767287da8e5b2babd2cff95b94c399e64d5f219fbef3508a3a2f2b2f4346e057ddce416353825994d28

  • SSDEEP

    196608:1kBu2wBiw00Bsqbxxf15AS2710A8O2RgXuHueFrs/7M+49/jhHh/:ig2whsQr5ASEcO28enS/7J4tT/

Malware Config

Extracted

Path

/Users/run/Desktop/READ_ME_NOW.txt

Ransom Note
YOUR IMPORTANT FILES ARE ENCRYPTED Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your file without our decryption service. We use 256-bit AES algorithm so it will take you more than a billion years to break this encryption without knowing the key (you can read Wikipedia about AES if you don't believe this statement). Anyways, we guarantee that you can recover your files safely and easily. This will require us to use some processing power, electricity and storage on our side, so there's a fixed processing fee of 50 USD. This is a one-time payment, no additional fees included. In order to accept this offer, you have to deposit payment within 72 hours (3 days) after receiving this message, otherwise this offer will expire and you will lose your files forever. Payment has to be deposited in Bitcoin based on Bitcoin/USD exchange rate at the moment of payment. The address you have to make payment is: 13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7 Decryption will start automatically within 2 hours after the payment has been processed and will take from 2 to 5 hours depending on the processing power of your computer. After that all of your files will be restored. THIS OFFER IS VALID FOR 72 HOURS AFTER RECEIVING THIS MESSAGE
Wallets

13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7

Targets

    • Target

      Mixed In Key 8.dmg

    • Size

      10.4MB

    • MD5

      58680abd58baca826c2029f32e5b78b3

    • SHA1

      98040c4d358a6fb9fed970df283a9b25f0ab393b

    • SHA256

      b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a

    • SHA512

      be852ea2a0ce7a119392f6f28033dfcec27ac897f3479767287da8e5b2babd2cff95b94c399e64d5f219fbef3508a3a2f2b2f4346e057ddce416353825994d28

    • SSDEEP

      196608:1kBu2wBiw00Bsqbxxf15AS2710A8O2RgXuHueFrs/7M+49/jhHh/:ig2whsQr5ASEcO28enS/7J4tT/

    • EvilQuest

      EvilQuest family.

    • EvilQuest payload

    • Compromise Client Software Binary

      Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server.

    • File Permission

      Adversaries may modify file permissions/attributes to evade access control lists (ACLs) and access protected files.

    • Installer Packages

      Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system.

    • Launch Daemon

      Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.

    • Target

      Mixed In Key 8.pkg

    • Size

      10.0MB

    • MD5

      66405f4bb6db1136037fde9f43830119

    • SHA1

      0898cd7a55b55853ce9da0f0f360ec31ecec4974

    • SHA256

      9e8c30955ccb5797efaab676ffdf36fe08ce32d4aab4d18e1a9ed2be43d5db0f

    • SHA512

      3c176a83742d35b10645b70db4ed2ff00b888073d0daa73c7a4ce11c88b5b2cda818b9ab1844b35192bbd2436567e186ca200432fe4ef8a377ecf4be49da3da1

    • SSDEEP

      196608:NkBu2wBiw00Bsqbxxf19Hhx7r0A8JAi2RgXuHueFrs/7M+XvEYBu:Kg2whsQrndWJAi28enS/7JXtBu

    • EvilQuest

      EvilQuest family.

    • EvilQuest payload

    • Compromise Client Software Binary

      Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server.

    • File Permission

      Adversaries may modify file permissions/attributes to evade access control lists (ACLs) and access protected files.

    • Installer Packages

      Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system.

    • Launch Daemon

      Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.

MITRE ATT&CK Enterprise v15

Tasks