General
-
Target
19fb1b610cb224e9441f962d04e263f2_JaffaCakes118
-
Size
304KB
-
Sample
240628-ns52kazgln
-
MD5
19fb1b610cb224e9441f962d04e263f2
-
SHA1
afd8e08baeff92d8f473bcfbdbc1c13d89e971ae
-
SHA256
05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f
-
SHA512
6a5a32a0638922fdcea6dc4af508f40bb06a7c4abcf482af1dff94d604c1f4e8df56b16c03574c9b4da9cdb5dcb6365bd1b9cfa6b543805cb5d3a07511b176e8
-
SSDEEP
6144:S2mUkzPrZt+XAJAHg3UiRusOrFxQYj85LLqCAXFYQYwGyhazbCkIGUNv:SFzjZtcAJAHg3RRcrFxtj85LLqclwtIE
Malware Config
Extracted
C:\users\Public\RyukReadMe.html
ryuk
http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion
Targets
-
-
Target
19fb1b610cb224e9441f962d04e263f2_JaffaCakes118
-
Size
304KB
-
MD5
19fb1b610cb224e9441f962d04e263f2
-
SHA1
afd8e08baeff92d8f473bcfbdbc1c13d89e971ae
-
SHA256
05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f
-
SHA512
6a5a32a0638922fdcea6dc4af508f40bb06a7c4abcf482af1dff94d604c1f4e8df56b16c03574c9b4da9cdb5dcb6365bd1b9cfa6b543805cb5d3a07511b176e8
-
SSDEEP
6144:S2mUkzPrZt+XAJAHg3UiRusOrFxQYj85LLqCAXFYQYwGyhazbCkIGUNv:SFzjZtcAJAHg3RRcrFxtj85LLqclwtIE
Score10/10-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Renames multiple (7862) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-