ryuk | f8bc1638ec3b04412f708233e8586e1d91f18f6715d68cba1a491d4a7f457da0 | Triage

Sharing

General

Target

7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118
Size

376KB
Sample

240731-vm6t8svanp
MD5

7d3f19b760cb1958a2c4d9ca7492c406
SHA1

c3fa91438850c88c81c0712204a273e382d8fa7b
SHA256

f8bc1638ec3b04412f708233e8586e1d91f18f6715d68cba1a491d4a7f457da0
SHA512

64d14a7a3866c76d45bea7bee19d40f63241c777d8d259a8a79279cac51396fe9469f28fc68eaa8ab688af13a47c4c5af0d62005d93a4649f81e411b8f2eae91
SSDEEP

6144:jwHqh+1uu3RVmPY55eExdAev5wuSiRqAO1iNgLTBs4LhVJqRcelLQMo8:P+1uu3RVmPYaad5wuSiRqLNeRcZMo8

Score

10^/10

ryuk credential_access dave discovery ransomware stealer

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118
- Size
  
  376KB
- MD5
  
  7d3f19b760cb1958a2c4d9ca7492c406
- SHA1
  
  c3fa91438850c88c81c0712204a273e382d8fa7b
- SHA256
  
  f8bc1638ec3b04412f708233e8586e1d91f18f6715d68cba1a491d4a7f457da0
- SHA512
  
  64d14a7a3866c76d45bea7bee19d40f63241c777d8d259a8a79279cac51396fe9469f28fc68eaa8ab688af13a47c4c5af0d62005d93a4649f81e411b8f2eae91
- SSDEEP
  
  6144:jwHqh+1uu3RVmPY55eExdAev5wuSiRqAO1iNgLTBs4LhVJqRcelLQMo8:P+1uu3RVmPYaad5wuSiRqLNeRcZMo8
Score

10^/10

ryuk credential_access dave discovery ransomware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Renames multiple (1232) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Dave packer
  Detects executable using a packer named 'Dave' by the community, based on a string at the end.
  dave
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Windows Credential Manager

Discovery

Browser Information Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ryukcredential_accessdavediscoveryransomwarestealer

behavioral2