targetcompany | 8c4731c1fbf49ef59d696d72db1aa2576e422ff788c4cc65d19a916a307b8581

Resubmissions

29-09-2024 23:33

240929-3j92gswcpr 10

27-06-2024 11:48

240627-nyjqhszcne 10

20-05-2024 02:34

240520-c2m2kagc6x 10

Analysis

max time kernel
599s
max time network
384s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
27-06-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f
Size

1.9MB
MD5

121f43dfb68b710165ec47b2e102b50c
SHA1

dffa99b9fe6e7d3e19afba38c9f7ec739581f656
SHA256

8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f
SHA512

6d7d62265b852e7adfcf5903f8b7a6c3cd0329a0d95a5e1a70897775da4e77fd125ba1949c06b2386fbfccbfd713a34c6f014ba92c41d55274f34f767d38945e
SSDEEP

49152:GRooXHbhpWDbkVdmAxURyLAlLcbxY9CE5r9:toXzmSURyCxx

Score

10^/10

targetcompany persistence ransomware

Malware Config

Extracted

Path

/run/initramfs/HOW TO DECRYPT.txt

Family

targetcompany

Ransom Note

Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: E66EC1A7A58C72459ADC9D37 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.

Emails

[email protected]

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
ransomware targetcompany
Renames multiple (320) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org

Modifies systemd 1 TTPs 2 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/run/systemd/system/netplan-ovs-cleanup.service	8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f
File opened for modification	/run/systemd/generator.late/speech-dispatcher.service	8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/TargetInfo.txt	8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f

/tmp/8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f
/tmp/8eb32de1ec33ffaf2add6719d3bbc2576bc468086252c12efd8b5dcc5e44699f
1⤵
- Modifies systemd
- Reads CPU attributes
- Writes file to tmp directory
PID:2469

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/run/initramfs/HOW TO DECRYPT.txt

Filesize
1KB

MD5
6b7c47b9a29ae12e09c9adf90d9389ad

SHA1
891c0438d5c01ffea34b197a2715fcabe35e3240

SHA256
87c1e95683d0e74d6ab5cdd6f4bd5cede327f8fc44dce1a8b7fe6823f4021e3b

SHA512
454a5760a8490e9d5b41053f75b266dfb98c27f2ab35ae717f914ff82f3f9fc6982b4eb72b1b752cb57dbeb5ba326b668080146899a6e2a817a28fe7d06f062c

Download Submit
/tmp/TargetInfo.txt

Filesize
113B

MD5
c02557b57604230adbc7662692900fbe

SHA1
78817a28709303ca95612b25ba0cd48724af98dc

SHA256
86a707f471ceb457a1b3a66545a298bbbcf1f0f39d83b8325b3637614cd6d899

SHA512
553811dd440d9e09bd1c60a3718a1d0bb284474e5c6e6d0187855f11587feb554adbbb2172c5ad4c238146914db25f9663bb7643873b2019ec48708a3d865077

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads