2024-06-29_14ccb3aa18b39b5f1e430bdbfe408aa3_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-06-29_14ccb3aa18b39b5f1e430bdbfe408aa3_ryuk
Size

1.1MB
MD5

14ccb3aa18b39b5f1e430bdbfe408aa3
SHA1

42ba34d60feaf41b182767b812d99a34227e11d0
SHA256

1b9e54f6b71586e99ce9ae14a17b42b9abc0c130ccceb9d13ddfb2b9665539d4
SHA512

26d8a6a54ddb8a79e75fcce9add099b359e00906c91150b8858c006472abdc1c63744844d93a1e2f929e50ba56ce457acc996e4e1d7e4a92e5bbb0a8899a1c65
SSDEEP

24576:/6LGg3hjO37Tuz5Q1Q+R7ueR4ia1LEHsq:/6ag3hjuuEad

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-06-29_14ccb3aa18b39b5f1e430bdbfe408aa3_ryuk

Files

2024-06-29_14ccb3aa18b39b5f1e430bdbfe408aa3_ryuk
.exe windows:6 windows x64 arch:x64

da14788b669a962a55c27a8a6619c7e6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

c:\jenkins-ued00e\workspace\Outpost-DaaS\addm\daas_ship\code\cxx\sshworker\tw_sshworker.pdb

Imports

kernel32

WaitForSingleObject
OpenProcess
EnterCriticalSection
LeaveCriticalSection
HeapSize
ReadConsoleW
WriteConsoleW
SetStdHandle
CreateThread
OutputDebugStringW
OutputDebugStringA
SetEnvironmentVariableW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
IsValidCodePage
FindNextFileW
FindNextFileA
FindFirstFileExW
FindFirstFileExA
FindClose
GetTimeZoneInformation
SetConsoleCtrlHandler
SetFilePointerEx
ReadFile
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetProcessHeap
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
GetFileType
GetCurrentThread
GetACP
GetCommandLineW
GetCommandLineA
WriteFile
GetStdHandle
GetModuleFileNameW
GetModuleFileNameA
GetModuleHandleExW
ExitProcess
HeapReAlloc
HeapFree
HeapAlloc
InterlockedFlushSList
InterlockedPushEntrySList
LoadLibraryExW
FreeLibrary
GetLastError
RtlUnwindEx
RaiseException
RtlPcToFileHeader
InitializeSListHead
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
TerminateProcess
GetCurrentProcess
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
WaitForSingleObjectEx
ResetEvent
SetEvent
CloseHandle
GetCPInfo
GetStringTypeW
GetLocaleInfoW
LCMapStringW
CompareStringW
GetProcAddress
GetModuleHandleW
GetTickCount
GetSystemTimeAsFileTime
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
Sleep
CreateEventW
InitializeCriticalSectionAndSpinCount
SetLastError
DecodePointer
EncodePointer
MultiByteToWideChar
DeleteCriticalSection
FormatMessageW
WideCharToMultiByte
CreateFileW

ssh

ssh_userauth_gssapi
ssh_userauth_kbdint_setanswer
ssh_userauth_kbdint_getnprompts
ssh_userauth_kbdint
ssh_userauth_password
ssh_userauth_publickey
ssh_userauth_try_publickey
ssh_set_blocking
ssh_pki_export_privkey_to_pubkey
ssh_pki_import_privkey_base64
ssh_key_free
ssh_options_set
ssh_new
ssh_get_fd
ssh_get_error
ssh_free
ssh_disconnect
ssh_connect
ssh_channel_write
ssh_channel_send_eof
ssh_channel_request_shell
ssh_channel_request_pty_size
ssh_channel_read
ssh_channel_poll
ssh_channel_open_session
ssh_channel_new
ssh_channel_free
ssh_channel_close
ssh_threads_get_winlock
ssh_threads_set_callbacks
ssh_init
ssh_get_poll_flags

ws2_32

select
setsockopt

libcrypto-3-x64

BIO_s_mem
BIO_new
EVP_default_properties_enable_fips
BIO_ctrl
BIO_write
ERR_print_errors
BIO_free

omnidynamic431_vc14_rt

??1TypeCode_member@CORBA@@QEAA@XZ
?release@IDLType_Helper@CORBA@@SAXPEAV_objref_IDLType@2@@Z
??1omni_mutex_lock@@QEAA@XZ
??_2Any@CORBA@@QEBAXAEAVcdrStream@@@Z
??_3Any@CORBA@@QEAAXAEAVcdrStream@@@Z
??1Any@CORBA@@QEAA@XZ

omniorb431_vc14_rt

??1SystemException@CORBA@@UEAA@XZ
?_NP_marshal@SystemException@CORBA@@EEBAXAEAVcdrStream@@@Z
??1UNKNOWN@CORBA@@UEAA@XZ
?_raise@UNKNOWN@CORBA@@UEBAXXZ
?_NP_repoId@UNKNOWN@CORBA@@UEBAPEBDPEAH@Z
?NP_minorString@UNKNOWN@CORBA@@UEBAPEBDXZ
?reserveAndMarshalLong@cdrStream@@AEAAXJ@Z
?_NP_typeId@UNKNOWN@CORBA@@EEBAPEBDXZ
??1Object@CORBA@@UEAA@XZ
?_non_existent@Object@CORBA@@UEAA_NXZ
?_NP_incrRefCount@Object@CORBA@@UEAAXXZ
?_NP_decrRefCount@Object@CORBA@@UEAAXXZ
?_ptrToObjRef@Object@CORBA@@UEAAPEAXPEBD@Z
?UNKNOWN@omniExHelper@omni@@SAXPEBDHKW4CompletionStatus@CORBA@@@Z
?initialiseCall@omniCallDescriptor@@UEAAXAEAVcdrStream@@@Z
?marshalArguments@omniCallDescriptor@@UEAAXAEAVcdrStream@@@Z
?unmarshalReturnedValues@omniCallDescriptor@@UEAAXAEAVcdrStream@@@Z
?userException@omniCallDescriptor@@UEAAXAEAVcdrStream@@PEAVIOP_C@omni@@PEBD@Z
?unmarshalArguments@omniCallDescriptor@@UEAAXAEAVcdrStream@@@Z
?marshalReturnedValues@omniCallDescriptor@@UEAAXAEAVcdrStream@@@Z
?upcall@omniCallHandle@@QEAAXPEAVomniServant@@AEAVomniCallDescriptor@@@Z
?registerNilCorbaObject@omni@@YAXPEAVObject@CORBA@@@Z
?omniORB_4_3@omni@@3PEBDEB
?PR_magic@Exception@CORBA@@2KB
?insertToAnyFn@UNKNOWN@CORBA@@2P6AXAEAVAny@2@AEBVException@2@@ZEA
?insertToAnyFnNCP@UNKNOWN@CORBA@@2P6AXAEAVAny@2@PEBVException@2@@ZEA
?_PD_repoId@Object@CORBA@@2PEBDEB
?_PR_magic@Object@CORBA@@2KB
?sd_interceptor_call@omniCallDescriptor@@0P6AXPEAV1@PEAVomniServant@@@ZEA
?_unMarshal@omniObjRef@@SAPEAV1@PEBDAEAVcdrStream@@@Z
?_marshal@omniObjRef@@SAXPEAV1@AEAVcdrStream@@@Z
?_invoke@omniObjRef@@QEAAXAEAVomniCallDescriptor@@_N@Z
?_uncheckedNarrow@omniObjRef@@QEAAPEAXPEBD@Z
?_realNarrow@omniObjRef@@QEAAPEAXPEBD@Z
?fetchAndUnmarshalUShort@cdrStream@@AEAAGXZ
?_localServantTarget@omniObjRef@@UEAAPEBDXZ
?fetchAndUnmarshalShort@cdrStream@@AEAAFXZ
?_NP_is_a@Exception@CORBA@@KAPEAV12@PEBV12@PEBD@Z
?fetchAndUnmarshalOctet@cdrStream@@AEAAEXZ
?reserveAndMarshalOctet@cdrStream@@AEAAXE@Z
?ucheckFail@omni@@YAXPEBDH0@Z
?duplicateObjRef@omni@@YAXPEAVomniObjRef@@@Z
?nilRefLock@omni@@YAAEAVomni_tracedmutex@@XZ
?_CORBA_use_nil_ptr_as_nil_objref@@YA_NXZ
?_CORBA_marshal_sequence_range_check_error@@YAXAEAVcdrStream@@@Z
??1UserException@CORBA@@UEAA@XZ
?_rep_id@Exception@CORBA@@UEBAPEBDXZ
?_name@Exception@CORBA@@UEBAPEBDXZ
??1Exception@CORBA@@UEAA@XZ
?_CORBA_bound_check_error@@YAXXZ
?_CORBA_new_operator_return_null@@YAXXZ
?empty_string@_CORBA_String_helper@@2QEBDEB
?_downcast@ServantBase@PortableServer@@EEAAPEAXXZ
?_do_get_interface@ServantBase@PortableServer@@EEAAPEAVomniObjRef@@XZ
?_do_this@ServantBase@PortableServer@@IEAAPEAXPEBD@Z
?_refcount_value@ServantBase@PortableServer@@UEAAKXZ
?_remove_ref@ServantBase@PortableServer@@UEAAXXZ
?_add_ref@ServantBase@PortableServer@@UEAAXXZ
?_get_interface@ServantBase@PortableServer@@UEAAPEAV_objref_InterfaceDef@CORBA@@XZ
?_default_POA@ServantBase@PortableServer@@UEAAPEAVPOA@2@XZ
??1ServantBase@PortableServer@@UEAA@XZ
?_narrow@POA@PortableServer@@SAPEAV12@PEAVObject@CORBA@@@Z
?ORB_init@CORBA@@YAPEAVORB@1@AEAHPEAPEADPEBDQEAY01PEBD@Z
?_downcast@SystemException@CORBA@@SAPEBV12@PEBVException@2@@Z
?_remove_ref@omniServant@@UEAAXXZ
?_add_ref@omniServant@@UEAAXXZ
?_dispatch@omniServant@@UEAA_NAEAVomniCallHandle@@@Z
?_non_existent@omniServant@@UEAA_NXZ
?_is_a@omniServant@@UEAA_NPEBD@Z
?_mostDerivedRepoId@omniServant@@UEAAPEBDXZ
?_downcast@omniServant@@UEAAPEAXXZ
?_ptrToInterface@omniServant@@UEAAPEAXPEBD@Z
??1omniServant@@UEAA@XZ
?releaseObjRef@omni@@YAXPEAVomniObjRef@@@Z
?_CORBA_bad_param_freebuf@@YAXXZ
??1_omniFinalCleanup@@QEAA@XZ
??0_omniFinalCleanup@@QEAA@XZ
??0proxyObjectFactory@omni@@QEAA@PEBD@Z
??1proxyObjectFactory@omni@@UEAA@XZ
??0omniObjRef@@IEAA@PEBDPEAVomniIOR@@PEAVomniIdentity@@_N@Z
??0omniObjRef@@IEAA@XZ
??1omniObjRef@@MEAA@XZ
?reserveAndMarshalShort@cdrStream@@AEAAXF@Z
?_enableShortcut@omniObjRef@@UEAAXPEAVomniServant@@PEB_N@Z
?fetchAndUnmarshalULongLong@cdrStream@@AEAA_KXZ
?reserveAndMarshalULongLong@cdrStream@@AEAAX_K@Z
?fetchAndUnmarshalULong@cdrStream@@AEAAKXZ
?reserveAndMarshalULong@cdrStream@@AEAAXK@Z
?reserveAndMarshalUShort@cdrStream@@AEAAXG@Z
?fetchAndUnmarshalLong@cdrStream@@AEAAJXZ
?_NP_duplicate@UNKNOWN@CORBA@@EEBAPEAVException@2@XZ

omnithread43_vc14_rt

??1init_t@omni_thread@@QEAA@XZ
??0init_t@omni_thread@@QEAA@XZ
??1omni_mutex@@QEAA@XZ
??0omni_mutex@@QEAA@XZ

Sections

.text
Size: 834KB - Virtual size: 834KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 219KB - Virtual size: 218KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 39KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 1024B - Virtual size: 777B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.00cfg
Size: 512B - Virtual size: 283B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 40KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

da14788b669a962a55c27a8a6619c7e6

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

ssh

ws2_32

libcrypto-3-x64

omnidynamic431_vc14_rt

omniorb431_vc14_rt

omnithread43_vc14_rt

Sections

.text Size: 834KB - Virtual size: 834KB

.rdata Size: 219KB - Virtual size: 218KB

.data Size: 12KB - Virtual size: 23KB

.pdata Size: 39KB - Virtual size: 38KB

.idata Size: 14KB - Virtual size: 14KB

.gfids Size: 3KB - Virtual size: 3KB

.tls Size: 1024B - Virtual size: 777B

.00cfg Size: 512B - Virtual size: 283B

.rsrc Size: 40KB - Virtual size: 39KB

.reloc Size: 9KB - Virtual size: 8KB

.text
Size: 834KB - Virtual size: 834KB

.rdata
Size: 219KB - Virtual size: 218KB

.data
Size: 12KB - Virtual size: 23KB

.pdata
Size: 39KB - Virtual size: 38KB

.idata
Size: 14KB - Virtual size: 14KB

.gfids
Size: 3KB - Virtual size: 3KB

.tls
Size: 1024B - Virtual size: 777B

.00cfg
Size: 512B - Virtual size: 283B

.rsrc
Size: 40KB - Virtual size: 39KB

.reloc
Size: 9KB - Virtual size: 8KB