General

  • Target

    Ransomware-master.zip

  • Size

    12.9MB

  • Sample

    240802-t92clawgja

  • MD5

    30da61eabe92b48ce784f7ee31f5ec44

  • SHA1

    4922cfc2c10b5d92b2fb199fc6a2aaed095035e0

  • SHA256

    2e156957ffdc73801662b89b1f6773434c4d13bb4b9bc1670827e399ad64aa7e

  • SHA512

    648a9e6ddce09e5bf5da680f8d031afe3224b236cea9598e64e0d592f64ec0bed61e0ff089a931772d0f758a42a463e7ee6ea7ef117ad1c1453dbc2240b9f209

  • SSDEEP

    393216:67aFd62nfFSrjIkV4mu/GyBSKb+JYSWTmq:67aHnnNmkpbDSWD

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___5AV0M_.txt

Family

cerber

Ransom Note
CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/FF3F-B604-C23A-0446-99CA Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/FF3F-B604-C23A-0446-99CA 2. http://p27dokhpz2n7nvgr.14ewqv.top/FF3F-B604-C23A-0446-99CA 3. http://p27dokhpz2n7nvgr.14vvrc.top/FF3F-B604-C23A-0446-99CA 4. http://p27dokhpz2n7nvgr.129p1t.top/FF3F-B604-C23A-0446-99CA 5. http://p27dokhpz2n7nvgr.1apgrn.top/FF3F-B604-C23A-0446-99CA ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://p27dokhpz2n7nvgr.onion/FF3F-B604-C23A-0446-99CA

http://p27dokhpz2n7nvgr.12hygy.top/FF3F-B604-C23A-0446-99CA

http://p27dokhpz2n7nvgr.14ewqv.top/FF3F-B604-C23A-0446-99CA

http://p27dokhpz2n7nvgr.14vvrc.top/FF3F-B604-C23A-0446-99CA

http://p27dokhpz2n7nvgr.129p1t.top/FF3F-B604-C23A-0446-99CA

http://p27dokhpz2n7nvgr.1apgrn.top/FF3F-B604-C23A-0446-99CA

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___MKQYX_.hta

Family

cerber

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>C&#069;&#82;BE&#82; &#82;ANSOMWA&#82;&#069;: Instructi&#111;ns</title> <HTA:APPLICATION APPLICATIONNAME="R5dCEAPV" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">&#9745; English</a> <h1>C&#069;&#82;BE&#82; &#82;ANSOMWA&#82;&#069;</h1> <small id="title">Instructions</small> </div> <div id="languages"> <p>&#9745; Select your language</p> <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> <p>Can't yo<span class="h">ZmGJhheEX</span>u find the necessary files?<br>Is the c<span class="h">sRUHMfxpo8</span>ontent of your files not readable?</p> <p>It is normal be<span class="h">epoDWyPKs</span>cause the files' names and the data in your files have been encryp<span class="h">zN</span>ted by "Ce<span class="h">2</span>r&#98;er&nbsp;Rans&#111;mware".</p> <p>It me<span class="h">nfs</span>ans your files are NOT damage<span class="h">s6uQ6R</span>d! Your files are modified only. This modification is reversible.<br>F<span class="h">rvsxvsS1</span>rom now it is not poss<span class="h">sn</span>ible to use your files until they will be decrypted.</p> <p>The only way to dec<span class="h">sMl2fN</span>rypt your files safely is to &#98;uy the special decryption software "C<span class="h">oed6QULo</span>er&#98;er&nbsp;Decryptor".</p> <p>Any attempts to rest<span class="h">XIH40</span>ore your files with the thir<span class="h">07AkCLlTs</span>d-party software will be fatal for your files!</p> <hr> <p class="w331208">You can proc<span class="h">OWZ2pFX</span>eed with purchasing of the decryption softw<span class="h">ZPN8cz</span>are at your personal page:</p> <p><span class="info"><span class="updating">Ple<span class="h">yGdscN1T</span>ase wait...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/FF3F-B604-C23A-0446-99CA</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/FF3F-B604-C23A-0446-99CA</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/FF3F-B604-C23A-0446-99CA</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/FF3F-B604-C23A-0446-99CA</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/FF3F-B604-C23A-0446-99CA</a></span></p> <p>If t<span class="h">vG5H6</span>his page cannot be opened &nbsp;<span class="button" onclick="return _url_upd_('en');">cli<span class="h">x</span>ck here</span>&nbsp; to get a new addr<span class="h">Td</span>ess of your personal page.<br><br>If the addre<span class="h">As</span>ss of your personal page is the same as befo<span class="h">fgr5qrdX</span>re after you tried to get a new one,<br>you c<span class="h">O</span>an try to get a new address in one hour.</p> <p>At th<span class="h">5674HIVFgA</span>is p&#097;ge you will receive the complete instr<span class="h">omqR6K</span>uctions how to buy the decrypti<span class="h">i2owzV</span>on software for restoring all your files.</p> <p>Also at this p&#097;ge you will be able to res<span class="h">zOF</span>tore any one file for free to be sure "Cer&#98;e<span class="h">c4rkq7Wpog</span>r&nbsp;Decryptor" will help you.</p> <hr> <p>If your per<span class="h">3Uy874OMI</span>sonal page is not availa<span class="h">eYUCRp</span>ble for a long period there is another way to open your personal page - insta<span class="h">JAP</span>llation and use of Tor&nbsp;Browser:</p> <ol> <li>run your Inte<span class="h">Kz8N7dF8</span>rnet browser (if you do not know wh&#097;t it is run the Internet&nbsp;Explorer);</li> <li>ent<span class="h">MZqmdLq</span>er or copy the &#097;ddress <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/downlo&#097;d/download-easy.html.en</a> into the address bar of your browser &#097;nd press ENTER;</li> <li>wait for the site load<span class="h">mVjrL</span>ing;</li> <li>on the site you will be offered to do<span class="h">GP</span>wnload Tor&nbsp;Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ru<span class="h">vH7</span>n Tor&nbsp;Browser;</li> <li>connect with the butt<span class="h">aMBREVT2wq</span>on "Connect" (if you use the English version);</li> <li>a normal Internet bro<span class="h">plqddlg</span>wser window will be opened &#097;fter the initialization;</li> <li>type or copy the add<span class="h">0</span>ress <br><span class="info">http://p27dokhpz2n7nvgr.onion/FF3F-B604-C23A-0446-99CA</span><br> in this browser address bar;</li> <li>pre<span class="h">Gjbg</span>ss ENTER;</li> <li>the site sho<span class="h">x8</span>uld be loaded; if for some reason the site is not lo<span class="h">XnbHsbsj</span>ading wait for a moment and try again.</li> </ol> <p>If you have any pr<span class="h">buCCuA9</span>oblems during installation or use of Tor&nbsp;Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc<span class="h">xQrj</span>h bar "Install Tor&nbsp;Browser Windows" and you will find a lot of training videos about Tor&nbsp;Browser installation and use.</p> <hr> <p><strong>Addit<span class="h">QiB1puR</span>ional information:</strong></p> <p>You will fi<span class="h">8wNWvQIn3</span>nd the instru<span class="h">TMR7HCXSV</span>cti&#111;ns ("*_READ_THIS_FILE_*.hta") for re<span class="h">BaeQ</span>st&#111;ring y&#111;ur files in &#097;ny f<span class="h">L</span>&#111;lder with your enc<span class="h">WZ2wVLwC</span>rypted files.</p> <p>The instr<span class="h">ljRPD</span>ucti&#111;ns "*_READ_THIS_FILE_*.hta" in the f<span class="h">3L7Fjl</span>&#111;lder<span class="h">qjNrXAf</span>s with your encry<span class="h">D28dUKeaGk</span>pted files are not vir<span class="h">6vBX</span>uses! The instruc<span class="h">pt</span>tions "*_READ_THIS_FILE_*.hta" will he<span class="h">dm95mi7O</span>lp you to dec<span class="h">m</span>rypt your files.</p> <p>Remembe<span class="h">A51CQn7</span>r! The w&#111;rst si<span class="h">tC0sSJwqK</span>tu&#097;tion already happ<span class="h">9clYrr</span>ened and n&#111;w the future of your files de<span class="h">YOpk6HBtYs</span>pends on your determ<span class="h">Sut2HEDd</span>ination and speed of your actions.</p> </div> <div id="ar" style="direction: rtl;"> <p>لا يمكنك العثور على الملفات الضرورية؟<br>هل محتوى الملفات غير قابل للقراءة؟</p> <p>هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cer&#98;er&nbsp;Rans&#111;mware".</p> <p>وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا.<br>ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها.</p> <p>الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cer&#98;er&nbsp;Decryptor".</p> <p>إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك!</p> <hr> <p>يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية:</p> <p><span class="info"><span class="updating">أرجو الإنتظار...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/FF3F-B604-C23A-0446-99CA</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/FF3F-B604-C23A-0446-99CA</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/FF3F-B604-C23A-0446-99CA</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/FF3F-B604-C23A-0446-99CA</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/FF3F-B604-C23A-0446-99CA</a></span></p> <p>في حالة تعذر فتح هذه الصفحة &nbsp;<span class="button" onclick="return _url_upd_('ar');">انقر هنا</span>&nbsp; لإنشاء عنوان جديد لصفحتك الشخصية.</p> <p>في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك.</p> <p>في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cer&#98;er&nbsp;Decryptor" سوف يساعدك.</p> <hr> <p>إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor:</p> <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان <br><span class="info">http://p27dokhpz2n7nvgr.onion/FF3F-B604-C23A-0446-99CA</span><br> في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> <p>إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه.</p> <hr> <p><strong>معلومات إض<span class="h">tm</span>افية:</strong></p> <p>س<span class="h">5r</span>وف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة.</p> <p>الإرش<span class="h">7J4liv</span>ادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك.</p> <p>تذكر أن أسوأ مو<span class="h">JLra</span>قف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك.</p> </div> <div id="zh"> <p>您找不到所需的文件?<br>您文件的内容无法阅读?</p> <p>这是正常的,因为您文件的文件名和数据已经被“Cer&#98;er&nbsp;Rans&#111;mware”加密了。</p> <p>这意味着您的文件并没有损坏!您的文件只是��

Targets

    • Target

      Ransomware-master.zip

    • Size

      12.9MB

    • MD5

      30da61eabe92b48ce784f7ee31f5ec44

    • SHA1

      4922cfc2c10b5d92b2fb199fc6a2aaed095035e0

    • SHA256

      2e156957ffdc73801662b89b1f6773434c4d13bb4b9bc1670827e399ad64aa7e

    • SHA512

      648a9e6ddce09e5bf5da680f8d031afe3224b236cea9598e64e0d592f64ec0bed61e0ff089a931772d0f758a42a463e7ee6ea7ef117ad1c1453dbc2240b9f209

    • SSDEEP

      393216:67aFd62nfFSrjIkV4mu/GyBSKb+JYSWTmq:67aHnnNmkpbDSWD

    Score
    3/10
    • Target

      Ransomware-master/LICENSE

    • Size

      1KB

    • MD5

      a31887cbb9ee63d417035c0c01213070

    • SHA1

      6beb39510e95e12f4f0426999fdb652c7742252b

    • SHA256

      13d93567d2d97b99868b6f263fe00f425aa95007d30297c3c55c685bde51d460

    • SHA512

      77e75fd7038201b602da56e86d2fff9eea22f1e703fee34f35fde0e6e3bb8434bd9b939db6853068d54fdb46182800e7638850a396a409dad83c3ecbc17bfb75

    Score
    1/10
    • Target

      Ransomware-master/README.md

    • Size

      1KB

    • MD5

      ec42c9f687d906db4c64b31e1da2fbb0

    • SHA1

      4e57f51ac2263e7ca317efb759ba145d375d8859

    • SHA256

      78585fb1ce39b3d4df15fb07d59bb276d15c830c6df0b0f780c6f7ae6fa31c8b

    • SHA512

      ea4ba33763a0914d99df7d8888f35bfec8dd0f701a48bb3eae53a9958447e6655f1cece5a4d44cb7aa7af11dfb2e73ce417cc897674902550000d3a515b6e793

    Score
    3/10
    • Target

      Ransomware-master/Ransomware

    • Size

      25KB

    • MD5

      d54b447020c50a74fefeeacd7be46733

    • SHA1

      96f347b8545bde22d52e36d95779dceff0401697

    • SHA256

      d1ebf588dbbcca6b21d20ef37d368d48bf6d7a9cdb6636245010fe87e4533f70

    • SHA512

      415825c912210b5115dab8f2388631120eab7ee98bd7cba04705b700d10e325e1b42b6f8dbe5ff37a3b411a203ae436915d4dd6b655750f354817382d31f0954

    • SSDEEP

      384:7B866666r66666966666EVGWml1VZAs9SX9BO9:7BUGWml1VZAs9Sm9

    Score
    1/10
    • Target

      Ransomware-master/etc/Ransomware.Cerber.zip

    • Size

      215KB

    • MD5

      5c571c69dd75c30f95fe280ca6c624e9

    • SHA1

      b0610fc5d35478c4b95c450b66d2305155776b56

    • SHA256

      416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c

    • SHA512

      8e7b9a4a514506d9b8e0f50cc521f82b5816d4d9c27da65e4245e925ec74ac8f93f8fe006acbab5fcfd4970573b11d7ea049cc79fb14ad12a3ab6383a1c200b2

    • SSDEEP

      3072:EJk9kcytz1Qg4kViSMoq9OsLvz8L5HINY8lYdeIX8woWJQHr6LqK2fU0MwL0b06R:EUkcyVlDq8rIblYomoWnvfp0g

    Score
    1/10
    • Target

      cerber.exe

    • Size

      604KB

    • MD5

      8b6bc16fd137c09a08b02bbe1bb7d670

    • SHA1

      c69a0f6c6f809c01db92ca658fcf1b643391a2b7

    • SHA256

      e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678

    • SHA512

      b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24

    • SSDEEP

      6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    • Contacts a large (1093) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Modifies Windows Firewall

    • Drops startup file

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      Ransomware-master/etc/Ransomware.Cryptowall.zip

    • Size

      100KB

    • MD5

      8710ea46c2db18965a3f13c5fb7c5be8

    • SHA1

      24978c79b5b4b3796adceffe06a3a39b33dda41d

    • SHA256

      60d574055ae164cc32df9e5c9402deefa9d07e5034328d7b41457d35b7312a0e

    • SHA512

      c71de7a60e7edeedbdd7843a868b6f5a95f2718f0f35d274cf85951ee565ef3ba1e087881f12aeede686ce6d016f3fd533b7ef21d878a03d2455acc161abf583

    • SSDEEP

      3072:OCDc19avf1fHqOhdzVD/9Ae7RT5f6IiL+WfXS21o4D:OCD0QvlqGRlAlX+sXjo4D

    Score
    1/10
    • Target

      cryptowall.bin

    • Size

      240KB

    • MD5

      47363b94cee907e2b8926c1be61150c7

    • SHA1

      ca963033b9a285b8cd0044df38146a932c838071

    • SHA256

      45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d

    • SHA512

      93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068

    • SSDEEP

      3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V

    Score
    3/10
    • Target

      Ransomware-master/etc/Ransomware.Jigsaw.zip

    • Size

      239KB

    • MD5

      3ad6374a3558149d09d74e6af72344e3

    • SHA1

      e7be9f22578027fc0b6ddb94c09b245ee8ce1620

    • SHA256

      86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff

    • SHA512

      21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720

    • SSDEEP

      3072:p7ykj3uuY4NsJD7kPdSRQLqas/pkPm9jvkEL60Uf7k2BgS6/aFybrNN5ZAdNstk7:p7ym3VNA7w8R5/rxv7O0yng0UtVw5NJ

    Score
    1/10
    • Target

      jigsaw

    • Size

      283KB

    • MD5

      2773e3dc59472296cb0024ba7715a64e

    • SHA1

      27d99fbca067f478bb91cdbcb92f13a828b00859

    • SHA256

      3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

    • SHA512

      6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

    • SSDEEP

      6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    • Renames multiple (3748) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Target

      Ransomware-master/etc/Ransomware.Locky.zip

    • Size

      125KB

    • MD5

      b265305541dce2a140da7802442fbac4

    • SHA1

      63d0b780954a2bc96b3a77d9a2b3369d865bf1fd

    • SHA256

      0537fa38b88755f39df1cd774b907ec759dacab2388dc0109f4db9f0e9d191a0

    • SHA512

      af65384f814633fe1cde8bf4a3a1a8f083c7f5f0b7f105d47f3324cd2a8c9184ccf13cb3e43b47473d52f39f4151e7a9da1e9a16868da50abb74fcbc47724282

    • SSDEEP

      1536:6mXbzYYlSESr+LdgbfzNTBstcc6yVeHuwuY5pzl5Lypx0DIY6KQOoTFKmN9YMKW8:dbSr+Jg7lB2cV1aQ+WQVTFX9YPGQi1Mf

    Score
    1/10
    • Target

      Locky

    • Size

      180KB

    • MD5

      b06d9dd17c69ed2ae75d9e40b2631b42

    • SHA1

      b606aaa402bfe4a15ef80165e964d384f25564e4

    • SHA256

      bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3

    • SHA512

      8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c

    • SSDEEP

      3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6

    • Locky

      Ransomware strain released in 2016, with advanced features like anti-analysis.

    • Target

      Ransomware-master/etc/Ransomware.Mamba.zip

    • Size

      1.0MB

    • MD5

      f94d1f4e2ce6c7cc81961361aab8a144

    • SHA1

      88189db0691667653fe1522c6b5673bf75aa44aa

    • SHA256

      610a52c340ebaff31093c5ef0d76032ac2acdc81a3431e68b244bf42905fd70a

    • SHA512

      7b7cf9a782549e75f87b8c62d091369b47c1b22c9a10dcf4a5d9f2db9a879ed3969316292d3944f95aeb67f34ae6dc6bbe2ae5ca497be3a25741a2aa204e66ad

    • SSDEEP

      24576:Uy0yC/fh9Dnt24GZrEXdjl3Fha3fXUkWpfnb:CyGf7TtCZrOll1svX0fb

    Score
    1/10
    • Target

      131.exe

    • Size

      2.3MB

    • MD5

      409d80bb94645fbc4a1fa61c07806883

    • SHA1

      4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1

    • SHA256

      2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63

    • SHA512

      a99a2f17d9fbb1da9fb993b976df63afa74317666eca46d1f04e7e6e24149547d1ac7210f673caeae9b23a900528ad6ad0a7b98780eff458d3d505029a06e9ba

    • SSDEEP

      49152:XM16E7qUoM5NWX7DP+1egOhcraQzK6j97V:c16/rM5oW1ZrRz

    Score
    3/10
    • Target

      Ransomware-master/etc/Ransomware.Matsnu.zip

    • Size

      62KB

    • MD5

      0a3487070911228115f3a13e9da2cb89

    • SHA1

      c2d57c288bc9951dee4cc289d15e18158ef3f725

    • SHA256

      f73027dd665772cc94dbe22b15938260be61cbaad753efdccb61c4fa464645e0

    • SHA512

      996f839d347d8983e01e6e94d2feb48f2308ab7410c6743a72b7ecff15b34a30cd12a5764c0470c77138cf8724d5641d03dd81793e28d47fe597f315e116fa77

    • SSDEEP

      1536:Wtmvcv25VrNQnc+6KmmjnFcqbq6eXq8GPHTDAY:WBUNQnc+6Vmmv6e8fP

    Score
    1/10
    • Target

      Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_

    • Size

      102KB

    • MD5

      1b2d2a4b97c7c2727d571bbf9376f54f

    • SHA1

      1fc29938ec5c209ba900247d2919069b320d33b0

    • SHA256

      7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e

    • SHA512

      506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0

    • SSDEEP

      1536:jj+Rj1lGIXKSmE17v97yiqHGMRPtbsLW8/V2k12v1/BDxVyCfCrCAc:jjw6Sf0iqmMnb2W02v3mCf4Nc

    Score
    3/10
    • Target

      Ransomware-master/etc/Ransomware.Petrwrap.zip

    • Size

      1.1MB

    • MD5

      6884a35803f2e795fa4b121f636332b4

    • SHA1

      527bfbf4436f9cce804152200c4808365e6ba8f9

    • SHA256

      cf01329c0463865422caa595de325e5fe3f7fba44aabebaae11a6adfeb78b91c

    • SHA512

      262732a9203e2f3593d45a9b26a1a03cc185a20cf28fad3505e257b960664983d2e4f2b19b9ff743015310bf593810bd049eb03d0fd8912a6d54de739742de60

    • SSDEEP

      24576:XtZfUANeQHLqNZ2rl5zkFGPI/9+4C/BGq/Om00pN5m:XtZc+trnHkxVqQqm

    Score
    1/10
    • Target

      027cc450ef5f8c5f653329641ec1fed9.exe

    • Size

      353KB

    • MD5

      71b6a493388e7d0b40c83ce903bc6b04

    • SHA1

      34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

    • SHA256

      027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

    • SHA512

      072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

    • SSDEEP

      6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • mimikatz is an open source tool to dump credentials on Windows

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      myguy.hta

    • Size

      13KB

    • MD5

      0487382a4daf8eb9660f1c67e30f8b25

    • SHA1

      736752744122a0b5ee4b95ddad634dd225dc0f73

    • SHA256

      ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6

    • SHA512

      e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106

    • SSDEEP

      192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb

    Score
    3/10
    • Target

      Ransomware-master/etc/Ransomware.Petya.zip

    • Size

      538KB

    • MD5

      e8fb95ebb7e0db4c68a32947a74b5ff9

    • SHA1

      6f93f85342aa3ea7dcbe69cfb55d48e5027b296c

    • SHA256

      33ca487a65d38bad82dccfa0d076bad071466e4183562d0b1ad1a2e954667fe9

    • SHA512

      a2dea77b0283f4ed987c4de8860a9822bfd030be9c3096cda54f6159a89d461099e58efbc767bb8c04ae21ddd4289da578f8d938d78f30d40f9bca6567087320

    • SSDEEP

      12288:h62An+lYWejkM9KIIoyoAWPPpxS8yrST5UvF50VHCJvD3DpNu7NwRUDxuJnU:hJA+BncEoyojpxS8yrSV0nvHpNu7eQxH

    Score
    1/10
    • Target

      Ransomware-master/etc/Ransomware.Radamant.zip

    • Size

      59KB

    • MD5

      fce365d60e13df34a6843894ac9be499

    • SHA1

      5211ac4e7d8459f0db9aa19a03c55cb2063fee5f

    • SHA256

      3e1813da2d561157df7667cde0117fdddd883c5b1272f76d1ae85ad889c38220

    • SHA512

      9747c95c1a1314fd0fb462951feafa51a75c0794e56a6bbbd16d192e366907aa764bc9adbc7d8319e5d43a37b10889808ae5d619ae1202200d7dba34afa2bc1b

    • SSDEEP

      1536:cKmaCJ5RF2bf2mwPUv0M47ChtgxyZShQ9FttDUFQ1VkJA/:XmHJAY23iSOxygkFttQFSkJA/

    Score
    1/10
    • Target

      Ransomware-master/etc/Ransomware.Rex.zip

    • Size

      2.7MB

    • MD5

      50188823168525455c273c07d8457b87

    • SHA1

      0d549631690ea297c25b2a4e133cacb8a87b97c6

    • SHA256

      32856e998ff1a8b89e30c9658721595d403ff0eece70dc803a36d1939e429f8d

    • SHA512

      b1a58ebcc48142fa4f79c600ea70921f883f2f23185a3a60059cb2238ed1a06049e701ccdab6e4ea0662d2d98a73f477f791aa1eec1e046b74dc1ce0a9680f70

    • SSDEEP

      49152:vWKde2aWpNtWWKPqd0c1OWfD6vAcxntjWPNeJ5Rf/coFN0LZkyIEsNdd:eKI2FpNtfaqGc1EAczjk41EuN0LZky9y

    Score
    1/10
    • Target

      Ransomware-master/etc/Ransomware.Satana.zip

    • Size

      57KB

    • MD5

      82f621944ee2639817400befabedffcf

    • SHA1

      c183ae5ab43b9b3d3fabdb29859876c507a8d273

    • SHA256

      4785c134b128df624760c02ad23c7e345a234a99828c3fecf58fbd6d5449897f

    • SHA512

      7a2257af32b265596e9f864767f2b86fb439b846f7bffa4b9f477f2e54bc3ff2bb56a39db88b72a0112972959570afc697c3202839a836a6d10409a10985031b

    • SSDEEP

      1536:GBfLHxIOBET2Uvk6w5yD5O92x2HtYli0kR5sJ7LNeeSLK/TJ:GBf9IOXok6DODtY40kDsjiL6F

    Score
    1/10
    • Target

      Ransomware-master/etc/Ransomware.TeslaCrypt.zip

    • Size

      479KB

    • MD5

      f755a44bbb97e9ba70bf38f1bdc67722

    • SHA1

      f70331eb64fd893047f263623ffb1e74e6fe4187

    • SHA256

      3b246faa7e4b2a8550aa619f4da893db83721aacf62b46e5863644a5249aa87e

    • SHA512

      f8ce666ae273e6c5cd57447189a8cf0e53c7704cf269fa120068f21e6faf6c89e2e75f37aee43cac83f4534790c5c6f1827621684034ef3eb7e94d7ee1ac365e

    • SSDEEP

      6144:xQAq0svy/pQhk1NBePvxGNWeOyqYAGfr/H/h60BHtzbprAvNGTG/fi5QCIq3h11Z:LyKoUlWeOP8HXrINZ/2uJUgVu

    Score
    1/10
    • Target

      Ransomware-master/etc/Ransomware.Vipasana.zip

    • Size

      638KB

    • MD5

      8d2c4c192772985776bacfd77f7bc4d9

    • SHA1

      3b923b911d443e321e551f26c9588b16a994d52e

    • SHA256

      1733b199a7063443c167e3caeae7dda2315f590341ea2152a9b132e1ad8e94a8

    • SHA512

      6c24f2fe498cf38e3f3d66b62915e6fbc8c2746a1d4c3c3de270f994b02e1369b9540099c12d150712574ececbe63c8c9f28877d8aa4557fbbb7890d5a0de6c1

    • SSDEEP

      12288:atcWK55CAyTliOve2dCbNF2NJ9lTYG6WxGc7jdw04YPghNxEvREoXIaK:k7KCP5tWiCpYj6/Cm04YPgvivRENL

    Score
    1/10
    • Target

      Ransomware-master/etc/Ransomware.WannaCry.zip

    • Size

      3.3MB

    • MD5

      efe76bf09daba2c594d2bc173d9b5cf0

    • SHA1

      ba5de52939cb809eae10fdbb7fac47095a9599a7

    • SHA256

      707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

    • SHA512

      4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

    • SSDEEP

      98304:vhvb2BVmAw0p9jIVcEj5nnZNRyA30yBSRT:vhvq7Bu6EZnZN5EyBSN

    Score
    1/10
    • Target

      Ransomware-master/etc/Ransomware.Wannacry_Plus.zip

    • Size

      2.3MB

    • MD5

      5641d280a62b66943bf2d05a72a972c7

    • SHA1

      c857f1162c316a25eeff6116e249a97b59538585

    • SHA256

      ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488

    • SHA512

      0633bc32fa6d31b4c6f04171002ad5da6bb83571b9766e5c8d81002037b4bc96e86eb059d35cf5ce17a1a75767461ba5ac0a89267c3d0e5ce165719ca2af1752

    • SSDEEP

      49152:9mqR0GTCRh8C9PYUYwm79evoBD2HSypKLZ5u/KU940CwmWtSQX5ddmL6T:RA8GY3b9ev62yypKLlUVCpSSQX5ddmeT

    Score
    1/10
    • Target

      Ransomware-master/etc/Ransomware.library

    • Size

      33B

    • MD5

      4c3afa1c36b5d93cf231f23567fc0320

    • SHA1

      98682eeb359d3e917c2292128f84f5134427e2c2

    • SHA256

      a62d6f70aa846adb172d15706798faca370eadcc0ba8ad35ce5285232e8a501d

    • SHA512

      5c72bfd0b1d948338a8adf72abae79b4130db30650db2e8a5965f761a3f304ae9f14b2f5a3ef50fe1869e475ef5bf0b5ef4a8d746267cb8a65ab086f00ff7dc1

    Score
    3/10
    • Target

      Ransomware-master/etc/load.sh

    • Size

      4KB

    • MD5

      8f14e34971812277edeb8a31376cb27a

    • SHA1

      5a96858d0d97ca1e229a1270d1a34a09c3c677ea

    • SHA256

      1a275cbf23a5a5620d40cda6bd3f621a48d7b2119b2c8bf97b87a97f83933e85

    • SHA512

      a63a692e0d63944ee9824578b52f7eb41fd9d9f7e3414d22cb3b81f337571f0c8720672866f4f534eb1c7f3c87662b120addff038806363f3ccaf86a69949ca4

    • SSDEEP

      96:v7fGWJIKNsm/kgrkSYpJhc0P+Z6psE8Gkh+mKuc3nWX5neEpT2:vbdp1fY3hlaG1kh+mjcm4EU

    Score
    3/10
    • Target

      Ransomware-master/test.py

    • Size

      186B

    • MD5

      f5c90d7b70869e8de04c7d7e3051dea9

    • SHA1

      93cf6fd3b58cfa7e9ccb7c88bd2cccd65a4d4be7

    • SHA256

      4bfe4b8e987cae3539dddec1fc0732a7b1195768f0c8ff3352dccd4fa76bc249

    • SHA512

      64d5aaaa1bcbb17eff100bc83d1020660b6e4b6734f99bd5017e0d895753b70619bafd63809b72768815ce1ad1cc80fecd41e8414b1498201bd310dfed213d25

    Score
    3/10
    • Target

      Ransomware-master/test2.py

    • Size

      554B

    • MD5

      dc42f74575c40fc6c90d73b747df6803

    • SHA1

      ff5d98b1f959810719299c5fb0042436634b1999

    • SHA256

      d1f9f5e30ac4d8d5771af930b15a51fb040cb1a2b84c7b7feeebb7e4d5fdc1bb

    • SHA512

      d4a311676aa16d11f678eaf32e5ee4c18ba2f3beab0d494e09ae6a8214575d5178b9de7126131ad0d5da909594a4e0dbbb791ebed62550b9080cf2a8fb78bb9e

    Score
    3/10
    • Target

      Ransomware-master/warna.py

    • Size

      650B

    • MD5

      19522678240a7e6d1e5531ed275b6a64

    • SHA1

      01653b2ca19505c7e9a7972df2e7d6784cc627b6

    • SHA256

      6986bfb870797a56611749719d8aabfdfcf272392765692a15c065c42f88c3cf

    • SHA512

      8f2d1efd81a4bafa8d3a50fce740514469a7ccdb2d68f908b9e86d1714ca605525e75a5f0f5ac9dd798299db75810bdf0d06f88e0103609b4d0843ff12d24292

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

discovery
Score
3/10

behavioral2

Score
1/10

behavioral3

Score
3/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

cerberdiscoveryevasionpersistenceprivilege_escalationransomware
Score
10/10

behavioral7

Score
1/10

behavioral8

discovery
Score
3/10

behavioral9

Score
1/10

behavioral10

jigsawpersistenceransomwarespywarestealer
Score
10/10

behavioral11

Score
1/10

behavioral12

lockydiscoveryransomware
Score
10/10

behavioral13

Score
1/10

behavioral14

discovery
Score
3/10

behavioral15

Score
1/10

behavioral16

discovery
Score
3/10

behavioral17

Score
1/10

behavioral18

mimikatzbootkitdiscoverypersistencespywarestealer
Score
10/10

behavioral19

discovery
Score
3/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
3/10

behavioral29

Score
3/10

behavioral30

Score
3/10

behavioral31

Score
3/10

behavioral32

Score
3/10