General

  • Target

    2024-06-28_6e3f5d381c1d231bbbb5e0b63ae2c2db_ryuk

  • Size

    3.0MB

  • Sample

    240628-hhqw1ayeql

  • MD5

    6e3f5d381c1d231bbbb5e0b63ae2c2db

  • SHA1

    d4c38113e1419f9b0c4601e659230e42be1255f9

  • SHA256

    2359ed53ec94a4418de14aa5401575419a3a64c223c9ef93e420ac2e144826e9

  • SHA512

    6fc6de837021bfa9e5ce76954a54cc5aaa7c662834bc238c8310083d6bc38205deec4d9d315ee845ba7980f14c008237f7bff452fb52781e38b02577dedf51e3

  • SSDEEP

    49152:QE5a9fkBmFJ7EvlY0hbRt2xjSWuqMfejK2iP4GGlNKrEjhEMUfz/HAt:4nmaWaK2iP4GMAEjCMUy

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://106.227.21.176:443/unionpay/index

http://119.167.135.234:443/unionpay/index

http://124.227.25.200:443/unionpay/index

http://119.96.90.226:443/unionpay/index

http://111.132.34.203:443/unionpay/index

http://42.202.211.91:443/unionpay/index

http://61.182.131.227:443/unionpay/index

http://1.190.42.204:443/unionpay/index

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    106.227.21.176,/unionpay/index,119.167.135.234,/unionpay/index,124.227.25.200,/unionpay/index,119.96.90.226,/unionpay/index,111.132.34.203,/unionpay/index,42.202.211.91,/unionpay/index,61.182.131.227,/unionpay/index,1.190.42.204,/unionpay/index

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    7680

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\gpupdate.exe

  • sc_process64

    %windir%\sysnative\gpupdate.exe

  • unknown1

    1.66652032e+09

  • uri

    /unionpay/info

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36

  • watermark

    100000000

Targets

MITRE ATT&CK Matrix

Tasks