Resubmissions

22-08-2024 18:43

240822-xc563asamh 10

21-08-2024 17:16

240821-vtjnaathnq 10

30-06-2024 00:59

240630-bcjr6svbkk 10

20-06-2024 02:02

240620-cf43ysxbnk 10

20-06-2024 01:44

240620-b5v1xawemk 10

19-06-2024 01:10

240619-bjmseavfmp 10

18-06-2024 20:40

240618-zfwsxawdpa 10

18-06-2024 13:45

240618-q2vcjawdle 10

General

  • Target

    bc41543926dda3762ae39e35aba7a813_JaffaCakes118

  • Size

    13.8MB

  • Sample

    240618-zfwsxawdpa

  • MD5

    bc41543926dda3762ae39e35aba7a813

  • SHA1

    81bf36d2c8c97901eb88133566838eba26d74138

  • SHA256

    f255227fd45316c4681085f39e6da2f509af851f8cc2d2a84ea99c06b935ffe6

  • SHA512

    29404267b0a85340a4b9e821aca8a37ee716532adb9626acc39941148c2e91f67022125a4db3d65468b6b564134bf9fa496252bd4d2aacda0be0fd54684c0291

  • SSDEEP

    393216:LDZBIw5QnNtQs9HQYsiZfmu/GyBSye+tfLXSDOaC0zjLCrj:vlQnNSA1skfmkzdtfOi0jLA

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://french-cooking.com/myguy.exe

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___O22521N_.txt

Family

cerber

Ransom Note
CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/C331-BA36-42DC-0446-97E7 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/C331-BA36-42DC-0446-97E7 2. http://p27dokhpz2n7nvgr.14ewqv.top/C331-BA36-42DC-0446-97E7 3. http://p27dokhpz2n7nvgr.14vvrc.top/C331-BA36-42DC-0446-97E7 4. http://p27dokhpz2n7nvgr.129p1t.top/C331-BA36-42DC-0446-97E7 5. http://p27dokhpz2n7nvgr.1apgrn.top/C331-BA36-42DC-0446-97E7 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://p27dokhpz2n7nvgr.onion/C331-BA36-42DC-0446-97E7

http://p27dokhpz2n7nvgr.12hygy.top/C331-BA36-42DC-0446-97E7

http://p27dokhpz2n7nvgr.14ewqv.top/C331-BA36-42DC-0446-97E7

http://p27dokhpz2n7nvgr.14vvrc.top/C331-BA36-42DC-0446-97E7

http://p27dokhpz2n7nvgr.129p1t.top/C331-BA36-42DC-0446-97E7

http://p27dokhpz2n7nvgr.1apgrn.top/C331-BA36-42DC-0446-97E7

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: XpVh1a3MqRPea2e1GJEvAYeVkpvF98sqhS total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: XpVh1a3MqRPea2e1GJEvAYeVkpvF98sqhS here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: XsHmuuiWcMgjitqGaxdaafnBGCnP13zcy6 total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: XsHmuuiWcMgjitqGaxdaafnBGCnP13zcy6 here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt

Ransom Note
All your documents, photos, databases and other important files have been encrypted with strongest encryption RSA-2048 key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main encryptor red window, examine it and follow the instructions. Otherwise, it seems that you or your antivirus deleted the encryptor program. Now you have the last chance to decrypt your files. Open http://3kxwjihmkgibht2s.wh47f2as19.com or http://34r6hq26q2h4jkzj.7hwr34n18.com , https://3kxwjihmkgibht2s.s5.tor-gateways.de/ in your browser. They are public gates to the secret server. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 15WTmHwHg2SfSiBweYXVWtFvqf224Wtzay Follow the instructions on the server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://34r6hq26q2h4jkzj.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 15WTmHwHg2SfSiBweYXVWtFvqf224Wtzay Follow the instructions on the server.
Wallets

15WTmHwHg2SfSiBweYXVWtFvqf224Wtzay

URLs

http://3kxwjihmkgibht2s.wh47f2as19.com

http://34r6hq26q2h4jkzj.7hwr34n18.com

https://3kxwjihmkgibht2s.s5.tor-gateways.de/

http://34r6hq26q2h4jkzj.onion/

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt

Ransom Note
All your documents, photos, databases and other important files have been encrypted with strongest encryption RSA-2048 key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main encryptor red window, examine it and follow the instructions. Otherwise, it seems that you or your antivirus deleted the encryptor program. Now you have the last chance to decrypt your files. Open http://3kxwjihmkgibht2s.wh47f2as19.com or http://34r6hq26q2h4jkzj.7hwr34n18.com , https://3kxwjihmkgibht2s.s5.tor-gateways.de/ in your browser. They are public gates to the secret server. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 1EJDnpvVn8EYET3S9AFgvtEZPHwi9zh17c Follow the instructions on the server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://34r6hq26q2h4jkzj.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 1EJDnpvVn8EYET3S9AFgvtEZPHwi9zh17c Follow the instructions on the server.
Wallets

1EJDnpvVn8EYET3S9AFgvtEZPHwi9zh17c

URLs

http://3kxwjihmkgibht2s.wh47f2as19.com

http://34r6hq26q2h4jkzj.7hwr34n18.com

https://3kxwjihmkgibht2s.s5.tor-gateways.de/

http://34r6hq26q2h4jkzj.onion/

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

    • Target

      bc41543926dda3762ae39e35aba7a813_JaffaCakes118

    • Size

      13.8MB

    • MD5

      bc41543926dda3762ae39e35aba7a813

    • SHA1

      81bf36d2c8c97901eb88133566838eba26d74138

    • SHA256

      f255227fd45316c4681085f39e6da2f509af851f8cc2d2a84ea99c06b935ffe6

    • SHA512

      29404267b0a85340a4b9e821aca8a37ee716532adb9626acc39941148c2e91f67022125a4db3d65468b6b564134bf9fa496252bd4d2aacda0be0fd54684c0291

    • SSDEEP

      393216:LDZBIw5QnNtQs9HQYsiZfmu/GyBSye+tfLXSDOaC0zjLCrj:vlQnNSA1skfmkzdtfOi0jLA

    Score
    1/10
    • Target

      Documents/Ransomware.Cerber/cerber.exe

    • Size

      604KB

    • MD5

      8b6bc16fd137c09a08b02bbe1bb7d670

    • SHA1

      c69a0f6c6f809c01db92ca658fcf1b643391a2b7

    • SHA256

      e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678

    • SHA512

      b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24

    • SSDEEP

      6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    • Blocklisted process makes network request

    • Contacts a large (1096) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Modifies Windows Firewall

    • Deletes itself

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      Documents/Ransomware.Cryptowall/cryptowall.exe

    • Size

      240KB

    • MD5

      47363b94cee907e2b8926c1be61150c7

    • SHA1

      ca963033b9a285b8cd0044df38146a932c838071

    • SHA256

      45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d

    • SHA512

      93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068

    • SSDEEP

      3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      Documents/Ransomware.Jigsaw/jigsaw

    • Size

      283KB

    • MD5

      2773e3dc59472296cb0024ba7715a64e

    • SHA1

      27d99fbca067f478bb91cdbcb92f13a828b00859

    • SHA256

      3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

    • SHA512

      6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

    • SSDEEP

      6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    • Renames multiple (2001) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Target

      Documents/Ransomware.Locky/Locky

    • Size

      180KB

    • MD5

      b06d9dd17c69ed2ae75d9e40b2631b42

    • SHA1

      b606aaa402bfe4a15ef80165e964d384f25564e4

    • SHA256

      bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3

    • SHA512

      8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c

    • SSDEEP

      3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6

    Score
    10/10
    • Locky

      Ransomware strain released in 2016, with advanced features like anti-analysis.

    • Target

      Documents/Ransomware.Mamba/131.exe

    • Size

      2.3MB

    • MD5

      409d80bb94645fbc4a1fa61c07806883

    • SHA1

      4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1

    • SHA256

      2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63

    • SHA512

      a99a2f17d9fbb1da9fb993b976df63afa74317666eca46d1f04e7e6e24149547d1ac7210f673caeae9b23a900528ad6ad0a7b98780eff458d3d505029a06e9ba

    • SSDEEP

      49152:XM16E7qUoM5NWX7DP+1egOhcraQzK6j97V:c16/rM5oW1ZrRz

    Score
    1/10
    • Target

      Documents/Ransomware.Matsnu/Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_

    • Size

      102KB

    • MD5

      1b2d2a4b97c7c2727d571bbf9376f54f

    • SHA1

      1fc29938ec5c209ba900247d2919069b320d33b0

    • SHA256

      7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e

    • SHA512

      506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0

    • SSDEEP

      1536:jj+Rj1lGIXKSmE17v97yiqHGMRPtbsLW8/V2k12v1/BDxVyCfCrCAc:jjw6Sf0iqmMnb2W02v3mCf4Nc

    Score
    7/10
    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed9.exe

    • Size

      353KB

    • MD5

      71b6a493388e7d0b40c83ce903bc6b04

    • SHA1

      34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

    • SHA256

      027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

    • SHA512

      072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

    • SSDEEP

      6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • mimikatz is an open source tool to dump credentials on Windows

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.bin.gz

    • Size

      306KB

    • MD5

      b2303c3eb127d1ce6906d21d9d2d07a5

    • SHA1

      700620e0f8efc992ac38cf32adc1010fee982217

    • SHA256

      3419e0d470f83569be0927128b3e5f992800ceb8f9019fc44763876ed6d8000c

    • SHA512

      4776400cc7d8107122992dce745dc2fa26c90edde6c0f5ec43272f5a21f9a516430765a225dad2c41a33b8d61f50e525973c6d38ca1189d9b49f068c05e73c04

    • SSDEEP

      6144:9SuBf/w62PIghu6aEZjAetG333VhNqn9CqnOqzoKZ0H3ni91dQYdCdU0y:D462BPNGIYqnOqzoKZQ3CdQYIUz

    Score
    3/10
    • Target

      Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.bin.gz

    • Size

      9KB

    • MD5

      65d9d04ea080e04e9d0aebf55aecd5d0

    • SHA1

      0fb30f6072c72fa5a77c796bfe9dfd164b67eda5

    • SHA256

      4340f4c633a53d45de440293d1f09f839467cc4734f499b466e9c58ee7493020

    • SHA512

      d93150b254cfbab05610d9bef81bacbd1ef418cb36f4057550fa5f79314bdd654878d4b050616f5773c69371a65c15a218ecacaac40b62709b442dce669e3c89

    • SSDEEP

      192:YAZona+6XwSgIta9pXfZRXSQ2X+A6W2K0prxy/SJam3BKBd:MnPSgwaDXSQk6M0JHIm3u

    Score
    3/10
    • Target

      Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.bin.gz

    • Size

      1KB

    • MD5

      51c028cd5f3afe9bf179d81def8d7a8e

    • SHA1

      838499bb7b7e7a9a212536fb9f3024dff29ad769

    • SHA256

      d975bc89371be98a80f9979e4a3c517590029e61ff36605b48b883c723024bde

    • SHA512

      78ea2f6e2fb3fa5deab9ee79adac21b0e1671f0e0a7622abfd6870039588bc4ac8bf068bdf8dd9d364e314074a3adb55fae8532504e0f90786527404f8a8be1e

    Score
    3/10
    • Target

      fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.bin

    • Size

      6KB

    • MD5

      415fe69bf32634ca98fa07633f4118e1

    • SHA1

      101cc1cb56c407d5b9149f2c3b8523350d23ba84

    • SHA256

      fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206

    • SHA512

      e40ad6adcbdfc47ebf0745aed10a5c6c64d5759a0164dbd7ffb64439deffe710c26a8fd91e8d205f3b2f0c417d70d4e82d5f91874bc6f8bbc9ff123b72c2e692

    • SSDEEP

      48:3aT4qf+8xWmXLEEPjH3UNTaOOHG0WomFS/bOhkWTl:3w/xWjFazGMrzQ

    Score
    4/10
    • Target

      Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/myguy.hta

    • Size

      13KB

    • MD5

      0487382a4daf8eb9660f1c67e30f8b25

    • SHA1

      736752744122a0b5ee4b95ddad634dd225dc0f73

    • SHA256

      ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6

    • SHA512

      e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106

    • SSDEEP

      192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb

    Score
    10/10
    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Target

      Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/svchost.exe

    • Size

      704KB

    • MD5

      d2ec63b63e88ece47fbaab1ca22da1ef

    • SHA1

      dd52fcc042a44a2af9e43c15a8e520b54128cdc8

    • SHA256

      e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5

    • SHA512

      89d9e63d5f3b34be3d25317933031815a42c039fbee30ce8c86f8b1b7c6ca9ccfc8731da99b9246381a2c05a95ada423f4944ff72111eb0451a44e9dcb3e053e

    • SSDEEP

      12288:rue4X2Uz0DsetgxLdsCHvX8XYJWs6XS1bFLDw1P86jZpMV7uikFg:v+2UzSgxLdsCHmQb6XSbFLDs06jZulus

    Score
    7/10
    • Drops startup file

    • Target

      Documents/Ransomware.Petya/Ransomware.Petya/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe

    • Size

      225KB

    • MD5

      af2379cc4d607a45ac44d62135fb7015

    • SHA1

      39b6d40906c7f7f080e6befa93324dddadcbd9fa

    • SHA256

      26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

    • SHA512

      69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

    • SSDEEP

      6144:DCyjXhd1mialK+qoNr8PxtZE6x5v+k6f:rjXhd8ZlKOrMZE6x5b6f

    Score
    6/10
    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Documents/Ransomware.Petya/Ransomware.Petya/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.bin

    • Size

      788KB

    • MD5

      a92f13f3a1b3b39833d3cc336301b713

    • SHA1

      d1c62ac62e68875085b62fa651fb17d4d7313887

    • SHA256

      4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c

    • SHA512

      361a5199b5a6321d88f6e7b66eaad3756b4ea7a706fa9dbbe3ffe29217f673d12dd1200e05f96c2175feffc6fecc7f09fda4dd6bfa0ce7bef3d9372f6a534920

    • SSDEEP

      24576:z0wz1d5bAbWhrc56zQ9T4Ole+5PIuklOjB:Hd5Vhr4IMTbeGPJHjB

    Score
    6/10
    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Documents/Ransomware.Radamant/Ransomware.Radamant/DUMP_00A10000-00A1D000.exe.ViR

    • Size

      52KB

    • MD5

      6152709e741c4d5a5d793d35817b4c3d

    • SHA1

      05ae9c76f8f85ad2247c06d26a88bbbcfff4d62e

    • SHA256

      2c4c8066a1a7dfdf42c57ff4f9016f1ba05bcb004ff8b0ffc0989165d2ad30e2

    • SHA512

      1e5ebd53ac942b0f06f759f936efebeeb9a74062647cd978d5112720f772f607b12ee20c02ab838104a7a947fef2fde79b0db944286d8daf2e6e6d16e10b9390

    • SSDEEP

      768:UR/FcohAQFBY4JzKNkN3QZ0gGINlVOWcm:U1PhAQztJWNeCVOWc

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      out.upx

    • Size

      51KB

    • MD5

      8f681b52fcfe200d14c81d297a323cf7

    • SHA1

      1375d3c3cb1d2ea8d6f80a2cfe11107d80ad9a34

    • SHA256

      a1c1164f6b43a3592a98b29adc045f9ca37ec0624eb2f2c027bfffe24a4915d1

    • SHA512

      88f936cfc95833017fefa7a342cb9b41ae7ea2e7123f7e8bb4192db53b0b48998421176132a4ead98fbb25d31d0f1ee8e0f7995d14e94ab3e094d4dcceb7ad36

    • SSDEEP

      768:uElAvOs4CTfOgGYdlNGCizSHdq12UMx9s6zAKSXwa/2e:ZlafjVsrODKpKSXN

    Score
    3/10
    • Target

      Documents/Ransomware.Radamant/Ransomware.Radamant/Supplementary Agreement 26_01_2016.zip.ViR

    • Size

      37KB

    • MD5

      892626ba70f22a5c7593116b8d2defcf

    • SHA1

      ab41a0bc0e3dbcc7d48b674ec079f55eac6dea13

    • SHA256

      7a436727bac86927ec9d51db86899ffc0b0f92feb1d426c5f2141d94f7d29e13

    • SHA512

      f48e8248f68c2a8d9d3f567850ecbc88ed79e7f75dc5e9295615e5355b853e555abf904735e27d38e34120ef3a0cf2f1cad780142ef8a330b148e0bfc69805de

    • SSDEEP

      768:3XLJmx0iPed1zpMZ87vvQkVq4Y994iM1OLsPRyeqZeK6KK/0XM:3XLExSd1zpV7vYkYy1OgPRyeo6K40XM

    Score
    1/10
    • Target

      Supplementary Agreement 26_01_2016.scr

    • Size

      91KB

    • MD5

      b0625408735468e40f4af9472afcb35a

    • SHA1

      ae8afddc982abc163147fc47bfd30f2340c56086

    • SHA256

      9842ac7705c39546d9e153b5e014c16df061f306fd2b1904368cf8f503f4204c

    • SHA512

      49e96828e92f142fb55fd301f9855a3965c2dc9e933e50eed0d7d9634771f3201a34704ceba419b5b941dd089306fa91aec36a841665ccc7abe649b95dd1e6ec

    • SSDEEP

      1536:Rr346DHQyoOhwRY35OSmoKM+bBcql/UxyQKs1OiYI/3lHEKIp0+cNFyV:R86LaGccOSLK9qqli1aKKHcNe

    Score
    3/10
    • Target

      Documents/Ransomware.Rex/WTEpZSFwgb

    • Size

      7.3MB

    • MD5

      5bd44a35094fe6f7794d895122ddfa62

    • SHA1

      98172e49c3d5d70ffdcefd071f9762c58430a393

    • SHA256

      762a4f2bf5ea4ff72fce674da1adf29f0b9357be18de4cd992d79198c56bb514

    • SHA512

      4033c7335a44a7536a3980aad8cf18ff6336186d71dd7b7f02c3d5c93001ed974285fe9fbbf783bc0abac3e3b3581993ad6d2ac285249aa24b0aafa261f74de8

    • SSDEEP

      49152:mNLLdMtTbVDtCsN5laK2BfCDvI7ZR9kAs5dkPjU2NhYCWpdLJaDSfUGZnh7X3cM9:mNlMt1tCsN5LGfCL7ATfscS8QhXP

    Score
    1/10
    • Target

      Documents/Ransomware.Satana/Ransomware.Satana/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin

    • Size

      49KB

    • MD5

      46bfd4f1d581d7c0121d2b19a005d3df

    • SHA1

      5b063298bbd1670b4d39e1baef67f854b8dcba9d

    • SHA256

      683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

    • SHA512

      b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

    • SSDEEP

      768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtDj:Apw10vnAOIUaJh4IXdWXLXTWLfuFj

    • Satana

      Ransomware family which also encrypts the system's Master Boot Record (MBR).

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

    • Target

      Documents/Ransomware.Satana/Ransomware.Satana/unpacked.mem

    • Size

      72KB

    • MD5

      108756f41d114eb93e136ba2feb838d0

    • SHA1

      8c6b51923ee7da2f4642c7717db95fbb77d96164

    • SHA256

      b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c

    • SHA512

      d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa

    • SSDEEP

      768:F9NJK3qZRhxXHIQBsLL16BKc+bBQZ/UMc2:rXzXol6cc+lQZMMc2

    • Satana

      Ransomware family which also encrypts the system's Master Boot Record (MBR).

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370

    • Size

      284KB

    • MD5

      209a288c68207d57e0ce6e60ebf60729

    • SHA1

      e654d39cd13414b5151e8cf0d8f5b166dddd45cb

    • SHA256

      3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370

    • SHA512

      ce4a7e42738154183fc53702f0841dfd4ad1eb0567b13cc1ff0909f1d330e9cd2fb994375efc6f02e7eddaaae1f465ff93458412143266afdaff1c6bf6477fc3

    • SSDEEP

      3072:rYXT8PUsMNL8V4tD2My/JAAbQoM29wlV58lbNnolY7VgsYiVTPtiTu/q:rowUsML8g2j0o9wb0bNoaKsYImui

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (754) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops file in Drivers directory

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/51B4EF5DC9D26B7A26E214CEE90598631E2EAA67

    • Size

      257KB

    • MD5

      6e080aa085293bb9fbdcc9015337d309

    • SHA1

      51b4ef5dc9d26b7a26e214cee90598631e2eaa67

    • SHA256

      9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122

    • SHA512

      4e173fb5287c7ea8ff116099ec1a0599b37f743f8b798368319b5960af38e742124223dfd209457665b701e9efc6e76071fa2513322b232ac50ddad21fcebe77

    • SSDEEP

      6144:xy+als+0nIycigV5cbEo6dZbBODPIsjQ/UFsYW:xy+aCFnIycigVSbObBODTMUd

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (361) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

    • Target

      Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/E906FA3D51E86A61741B3499145A114E9BFB7C56

    • Size

      261KB

    • MD5

      6d3d62a4cff19b4f2cc7ce9027c33be8

    • SHA1

      e906fa3d51e86a61741b3499145a114e9bfb7c56

    • SHA256

      afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18

    • SHA512

      973643639cb02491b86d5b264ee8118a67d8a83453307aea95de2f4c6aa55819d37730c41dc3338116ebe86f9a4f2bba7d9537ea744ae08b9755f05c15153fad

    • SSDEEP

      6144:93g0BQG+aZiycigV5bbEo6dZbBODPIsjQ/UFsYWo:93g0OGjZiycigVRbObBODTMUdj

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (381) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

    • Target

      Documents/Ransomware.Vipasana/Ransomware.Vipasana/0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab

    • Size

      370KB

    • MD5

      2aea3b217e6a3d08ef684594192cafc8

    • SHA1

      3a0b855dd052b2cdc6453f6cbdb858c7b55762b0

    • SHA256

      0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab

    • SHA512

      ea83fcb7465e48445f2213028713c4048ac575b9c2f7458a014c495bddb280be553a22b1056284efad7dd55c2a7837096755206581c67bb0183e4ac42160011a

    • SSDEEP

      6144:oRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYlG8+rNfNQFoQGt485VY:uDRbXFHW1+K2UWBGIymY/+rheFOv

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      Documents/Ransomware.Vipasana/Ransomware.Vipasana/c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a

    • Size

      370KB

    • MD5

      a890e2f924dea3cb3e46a95431ffae39

    • SHA1

      35719ee58a5771156bc956bcf1b5c54ac3391593

    • SHA256

      c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a

    • SHA512

      664fb8075712912be30185d17d912dae148e778627e852affe1b1080bb9c8d5917e7b3c1d194e62ac6919c16235754f776523ba7ce95af38be86b61cc3e3d162

    • SSDEEP

      6144:KRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYN8+G5l9PAzJdVeO2Ui:sDRbXFHW1+K2UWBGIymYG+i9A+ONi

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      Documents/Ransomware.Vipasana/Ransomware.Vipasana/e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573

    • Size

      329KB

    • MD5

      adb5c262ca4f95fee36ae4b9b5d41d45

    • SHA1

      cdbe420609fec04ddf3d74297fc2320b6a8a898e

    • SHA256

      e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573

    • SHA512

      dad3541217a7f1fde669441a3f987794ee58ae44e7899d7ed5ebdf59e8174e2924441ea8474701908071df74479a4f928b673c2d9086c67078a2a861b61ba754

    • SSDEEP

      6144:TRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYN8+N6MSiF0Q5XNN:pDRbXFHW1+K2UWBGIymYG+zn

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      Documents/Ransomware.WannaCry/Ransomware.WannaCry.zip

    • Size

      3.3MB

    • MD5

      efe76bf09daba2c594d2bc173d9b5cf0

    • SHA1

      ba5de52939cb809eae10fdbb7fac47095a9599a7

    • SHA256

      707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

    • SHA512

      4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

    • SSDEEP

      98304:vhvb2BVmAw0p9jIVcEj5nnZNRyA30yBSRT:vhvq7Bu6EZnZN5EyBSN

    Score
    1/10
    • Target

      ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

    • Size

      3.4MB

    • MD5

      84c82835a5d21bbcf75a61706d8ab549

    • SHA1

      5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

    • SHA256

      ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

    • SHA512

      90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

    • SSDEEP

      98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Sets desktop wallpaper using registry

    • Target

      Documents/Ransomware.WannaCry/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

    • Size

      3.4MB

    • MD5

      84c82835a5d21bbcf75a61706d8ab549

    • SHA1

      5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

    • SHA256

      ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

    • SHA512

      90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

    • SSDEEP

      98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks

static1

upx
Score
7/10

behavioral1

Score
1/10

behavioral2

cerberdiscoveryevasionpersistenceprivilege_escalationransomware
Score
10/10

behavioral3

defense_evasionexecutionimpactpersistenceransomware
Score
9/10

behavioral4

jigsawpersistenceransomwarespywarestealer
Score
10/10

behavioral5

lockyransomware
Score
10/10

behavioral6

Score
1/10

behavioral7

persistenceupx
Score
7/10

behavioral8

mimikatzbootkitpersistencespywarestealer
Score
10/10

behavioral9

Score
3/10

behavioral10

Score
3/10

behavioral11

Score
3/10

behavioral12

Score
4/10

behavioral13

execution
Score
10/10

behavioral14

Score
7/10

behavioral15

bootkitpersistence
Score
6/10

behavioral16

bootkitpersistence
Score
6/10

behavioral17

persistenceupx
Score
7/10

behavioral18

Score
3/10

behavioral19

Score
1/10

behavioral20

Score
3/10

behavioral21

Score
1/10

behavioral22

satanabootkitdefense_evasionexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral23

satanabootkitdefense_evasionexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral24

defense_evasionexecutionimpactpersistenceransomwarespywarestealer
Score
9/10

behavioral25

defense_evasionexecutionimpactpersistenceransomware
Score
10/10

behavioral26

defense_evasionexecutionimpactpersistenceransomware
Score
10/10

behavioral27

persistenceransomwarespywarestealer
Score
8/10

behavioral28

persistenceransomwarespywarestealer
Score
8/10

behavioral29

persistenceransomwarespywarestealer
Score
8/10

behavioral30

Score
1/10

behavioral31

wannacrydefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealerworm
Score
10/10

behavioral32

wannacrydefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealerworm
Score
10/10