General
-
Target
https://github.com/NTFS123/MalwareDatabase
-
Sample
240621-3srw9szfmk
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML
Ransom Note
<html>
<head>
<style>
body{
background-color: #3366CC;
}
h1 {
background-color: RGB(249, 201, 16);
}
p {
background-color: maroon;
color: white;
}
</style>
</head>
<body>
<center>
<h1><b> Attention ! All your files </b> have been encrypted. </h1></br>
<p>
Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br>
That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br>
Getting a decryption of your files is - SIMPLY task.</br></br>
That all what you need:</br>
1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br>
2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br>
3. Pay our services. </br>
4. GET software with passwords for decrypt you files.</br>
5. Make measures to prevent this type situations again.</br></br>
IMPORTANT(1)</br>
Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br>
IMPORTANT(2) </br>
We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption.
</p>
<p> Your ID_KEY: <br>
</p>
<table width="1024" border="0">
<tbody>
<tr>
<td><p>MB0Grm6P/jVMxw4WoULGTPSKhySEsaMvvQy207EeTzljVewsgxgNpwrpqgk8Foo4sG4sn9rG5NzuDL4ia0vEvrLTU1hTUZ35a6ybkP38uSqrvPkk1vgVo/qPigZxRraRqe+mkDhhHGDnhWYZiP7wLDQJLatxnD7/RUkeNCxzIpW9k8IStBbjsASzV56SS5IIxIqUPruvaJe7H44sYIuP+KkKuYQqQ2uXrKn8Eu/23GcvbrZMB9aVdCbz9/RKjYwDskc2MeKM23YjqWLUH1vQnIwf1+n0ofM1OMoSOe+Jz5Ndlk0/og0A1h66kZtPzW68+GXSS95qqCPQEtCjNAUZ1A==ZW4tVVM=</p></td>
</tr>
</tbody>
</table>
</center></html></body>
Extracted
Path
C:\Program Files\Common Files\microsoft shared\ClickToRun\DECRYPT_YOUR_FILES.HTML
Ransom Note
Attention ! All your files have been encrypted.
Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets. That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us. Getting a decryption of your files is - SIMPLY task. That all what you need: 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] 2. For test, decrypt 2 small files, to be sure that we can decrypt you files. 3. Pay our services. 4. GET software with passwords for decrypt you files. 5. Make measures to prevent this type situations again. IMPORTANT(1) Do not try restore files without our help, this is useless, and can destroy you data permanetly. IMPORTANT(2) We Cant hold you decryption passwords forever. ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption.
Your ID_KEY:
SqiNV/R4RsQKbcEoXzRDBNVMxFATm50MnY9fbm/Qnkq2Boa81mGFe5I9sdQEZBQoRGqYrPi1D3ovkPfW2PttVPZGS/7DY3FiVF0RcPBAlU/cCMw8an0kF87CJ5RAwgaUu9pNG6elAR54SbFjdAWaYCfpBqVlNgPoyPs0ZQilMC8NjOnM/qMj+AZ1E9mZrvwP5OFlSkOHOj0d9cqMlHt+e4dtGql9QxoCI0gB794BKeEnEt/evnr43UyHxsfg3J8nbAn7Nm3ZCv0NpIexicqYmP+GtLhBJuMH+4dqdhagdfWBOH3+aAx0oK/iHm9pCvJcOFSJ4oODgoi8Sdob46tAmQ==ZW4tVVM=
Extracted
Path
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML
Ransom Note
<html>
<head>
<style>
body{
background-color: #3366CC;
}
h1 {
background-color: RGB(249, 201, 16);
}
p {
background-color: maroon;
color: white;
}
</style>
</head>
<body>
<center>
<h1><b> Attention ! All your files </b> have been encrypted. </h1></br>
<p>
Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br>
That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br>
Getting a decryption of your files is - SIMPLY task.</br></br>
That all what you need:</br>
1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br>
2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br>
3. Pay our services. </br>
4. GET software with passwords for decrypt you files.</br>
5. Make measures to prevent this type situations again.</br></br>
IMPORTANT(1)</br>
Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br>
IMPORTANT(2) </br>
We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption.
</p>
<p> Your ID_KEY: <br>
</p>
<table width="1024" border="0">
<tbody>
<tr>
<td><p>NZt2wfqVW5fhMuWcUIwNAMCTVmHXZIAttRj6nBVTs8C5VK8mzbqk+YCpmvsMBNRNM1F/Z/+8WlPIVZMX0tKprJHHH2H6hmtX250kaYsaNNOzEdxPYUbJjnu9pdPRloGFDe2BmFxjA6L7yzc0k/FoQTfAfTSuSOEtIO11OM4IhLq3402NXLrfNaYqnSKFi92dGeYFuPPQUX/UPjeHG9SC3aim43xHYNdZMReWEWazKrNqYVGGCvFo/rr2wFJdpkdDYZpCmGhnW82oaOYJF2r7pTDdfeW8CA1qZBGxoPtJh30EUbqzPvCkkQ7kfw5RtjHXJXevaumbzksF7sscbQdtMw==ZW4tVVM=</p></td>
</tr>
</tbody>
</table>
</center></html></body>
Targets
-
-
Target
https://github.com/NTFS123/MalwareDatabase
Score10/10-
Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
-
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Renames multiple (1483) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Event Triggered Execution: AppInit DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Possible privilege escalation attempt
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1AppInit DLLs
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1AppInit DLLs
1