Extracted

Extracted

Extracted

Extracted

• • Target

    bc41543926dda3762ae39e35aba7a813_JaffaCakes118

  • Size

    13.8MB

  • MD5

    bc41543926dda3762ae39e35aba7a813

  • SHA1

    81bf36d2c8c97901eb88133566838eba26d74138

  • SHA256

    f255227fd45316c4681085f39e6da2f509af851f8cc2d2a84ea99c06b935ffe6

  • SHA512

    29404267b0a85340a4b9e821aca8a37ee716532adb9626acc39941148c2e91f67022125a4db3d65468b6b564134bf9fa496252bd4d2aacda0be0fd54684c0291

  • SSDEEP

    393216:LDZBIw5QnNtQs9HQYsiZfmu/GyBSye+tfLXSDOaC0zjLCrj:vlQnNSA1skfmkzdtfOi0jLA

  Score

  1^/10
  behavioral1

• • Target

    Documents/Ransomware.Cerber/cerber.exe

  • Size

    604KB

  • MD5

    8b6bc16fd137c09a08b02bbe1bb7d670

  • SHA1

    c69a0f6c6f809c01db92ca658fcf1b643391a2b7

  • SHA256

    e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678

  • SHA512

    b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24

  • SSDEEP

    6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

  Score

  10^/10

  cerberdefense_evasiondiscoveryevasionpersistenceprivilege_escalationransomwaretrojan

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber

  • Contacts a large (1110) amount of remote hosts

    This may indicate a network scan to discover remotely running services.

    discovery

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Checks whether UAC is enabled

    evasiontrojan

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral2

• • Target

    Documents/Ransomware.Cryptowall/cryptowall.exe

  • Size

    240KB

  • MD5

    47363b94cee907e2b8926c1be61150c7

  • SHA1

    ca963033b9a285b8cd0044df38146a932c838071

  • SHA256

    45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d

  • SHA512

    93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068

  • SSDEEP

    3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V

  Score

  3^/10

  discovery
  behavioral3

• • Target

    Documents/Ransomware.Jigsaw/jigsaw

  • Size

    283KB

  • MD5

    2773e3dc59472296cb0024ba7715a64e

  • SHA1

    27d99fbca067f478bb91cdbcb92f13a828b00859

  • SHA256

    3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

  • SHA512

    6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

  • SSDEEP

    6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

  Score

  10^/10

  jigsawdiscoverypersistenceransomwarespywarestealer

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    ransomwarejigsaw

  • Renames multiple (3753) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral4

• • Target

    Documents/Ransomware.Locky/Locky

  • Size

    180KB

  • MD5

    b06d9dd17c69ed2ae75d9e40b2631b42

  • SHA1

    b606aaa402bfe4a15ef80165e964d384f25564e4

  • SHA256

    bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3

  • SHA512

    8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c

  • SSDEEP

    3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6

  Score

  10^/10

  lockydiscoveryransomware

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  behavioral5

• • Target

    Documents/Ransomware.Mamba/131.exe

  • Size

    2.3MB

  • MD5

    409d80bb94645fbc4a1fa61c07806883

  • SHA1

    4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1

  • SHA256

    2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63

  • SHA512

    a99a2f17d9fbb1da9fb993b976df63afa74317666eca46d1f04e7e6e24149547d1ac7210f673caeae9b23a900528ad6ad0a7b98780eff458d3d505029a06e9ba

  • SSDEEP

    49152:XM16E7qUoM5NWX7DP+1egOhcraQzK6j97V:c16/rM5oW1ZrRz

  Score

  3^/10

  discovery
  behavioral6

• • Target

    Documents/Ransomware.Matsnu/Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_

  • Size

    102KB

  • MD5

    1b2d2a4b97c7c2727d571bbf9376f54f

  • SHA1

    1fc29938ec5c209ba900247d2919069b320d33b0

  • SHA256

    7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e

  • SHA512

    506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0

  • SSDEEP

    1536:jj+Rj1lGIXKSmE17v97yiqHGMRPtbsLW8/V2k12v1/BDxVyCfCrCAc:jjw6Sf0iqmMnb2W02v3mCf4Nc

  Score

  3^/10

  discovery
  behavioral7

• • Target

    Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed9.exe

  • Size

    353KB

  • MD5

    71b6a493388e7d0b40c83ce903bc6b04

  • SHA1

    34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

  • SHA256

    027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

  • SHA512

    072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

  • SSDEEP

    6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG

  Score

  10^/10

  mimikatzbootkitdiscoverypersistencespywarestealer

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz

  • mimikatz is an open source tool to dump credentials on Windows

  • Blocklisted process makes network request

  • Deletes itself

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  behavioral8

• • Target

    Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.bin.gz

  • Size

    306KB

  • MD5

    b2303c3eb127d1ce6906d21d9d2d07a5

  • SHA1

    700620e0f8efc992ac38cf32adc1010fee982217

  • SHA256

    3419e0d470f83569be0927128b3e5f992800ceb8f9019fc44763876ed6d8000c

  • SHA512

    4776400cc7d8107122992dce745dc2fa26c90edde6c0f5ec43272f5a21f9a516430765a225dad2c41a33b8d61f50e525973c6d38ca1189d9b49f068c05e73c04

  • SSDEEP

    6144:9SuBf/w62PIghu6aEZjAetG333VhNqn9CqnOqzoKZ0H3ni91dQYdCdU0y:D462BPNGIYqnOqzoKZQ3CdQYIUz

  Score

  3^/10
  behavioral9

• • Target

    027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.bin

  • Size

    353KB

  • MD5

    71b6a493388e7d0b40c83ce903bc6b04

  • SHA1

    34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

  • SHA256

    027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

  • SHA512

    072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

  • SSDEEP

    6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG

  Score

  10^/10

  mimikatzbootkitdiscoverypersistencespywarestealer

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz

  • mimikatz is an open source tool to dump credentials on Windows

  • Blocklisted process makes network request

  • Deletes itself

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  behavioral10

• • Target

    Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.bin.gz

  • Size

    9KB

  • MD5

    65d9d04ea080e04e9d0aebf55aecd5d0

  • SHA1

    0fb30f6072c72fa5a77c796bfe9dfd164b67eda5

  • SHA256

    4340f4c633a53d45de440293d1f09f839467cc4734f499b466e9c58ee7493020

  • SHA512

    d93150b254cfbab05610d9bef81bacbd1ef418cb36f4057550fa5f79314bdd654878d4b050616f5773c69371a65c15a218ecacaac40b62709b442dce669e3c89

  • SSDEEP

    192:YAZona+6XwSgIta9pXfZRXSQ2X+A6W2K0prxy/SJam3BKBd:MnPSgwaDXSQk6M0JHIm3u

  Score

  3^/10
  behavioral11

• • Target

    ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.bin

  • Size

    13KB

  • MD5

    0487382a4daf8eb9660f1c67e30f8b25

  • SHA1

    736752744122a0b5ee4b95ddad634dd225dc0f73

  • SHA256

    ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6

  • SHA512

    e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106

  • SSDEEP

    192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb

  Score

  3^/10

  execution
  behavioral12

• • Target

    Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.bin.gz

  • Size

    1KB

  • MD5

    51c028cd5f3afe9bf179d81def8d7a8e

  • SHA1

    838499bb7b7e7a9a212536fb9f3024dff29ad769

  • SHA256

    d975bc89371be98a80f9979e4a3c517590029e61ff36605b48b883c723024bde

  • SHA512

    78ea2f6e2fb3fa5deab9ee79adac21b0e1671f0e0a7622abfd6870039588bc4ac8bf068bdf8dd9d364e314074a3adb55fae8532504e0f90786527404f8a8be1e

  Score

  3^/10
  behavioral13

• • Target

    fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.bin

  • Size

    6KB

  • MD5

    415fe69bf32634ca98fa07633f4118e1

  • SHA1

    101cc1cb56c407d5b9149f2c3b8523350d23ba84

  • SHA256

    fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206

  • SHA512

    e40ad6adcbdfc47ebf0745aed10a5c6c64d5759a0164dbd7ffb64439deffe710c26a8fd91e8d205f3b2f0c417d70d4e82d5f91874bc6f8bbc9ff123b72c2e692

  • SSDEEP

    48:3aT4qf+8xWmXLEEPjH3UNTaOOHG0WomFS/bOhkWTl:3w/xWjFazGMrzQ

  Score

  1^/10
  behavioral14

• • Target

    Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/myguy.hta

  • Size

    13KB

  • MD5

    0487382a4daf8eb9660f1c67e30f8b25

  • SHA1

    736752744122a0b5ee4b95ddad634dd225dc0f73

  • SHA256

    ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6

  • SHA512

    e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106

  • SSDEEP

    192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb

  Score

  3^/10

  discovery
  behavioral15

• • Target

    Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/svchost.exe

  • Size

    704KB

  • MD5

    d2ec63b63e88ece47fbaab1ca22da1ef

  • SHA1

    dd52fcc042a44a2af9e43c15a8e520b54128cdc8

  • SHA256

    e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5

  • SHA512

    89d9e63d5f3b34be3d25317933031815a42c039fbee30ce8c86f8b1b7c6ca9ccfc8731da99b9246381a2c05a95ada423f4944ff72111eb0451a44e9dcb3e053e

  • SSDEEP

    12288:rue4X2Uz0DsetgxLdsCHvX8XYJWs6XS1bFLDw1P86jZpMV7uikFg:v+2UzSgxLdsCHmQb6XSbFLDs06jZulus

  Score

  7^/10

  • Drops startup file

  • Drops desktop.ini file(s)

  behavioral16

• • Target

    Documents/Ransomware.Petya/Ransomware.Petya/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe

  • Size

    225KB

  • MD5

    af2379cc4d607a45ac44d62135fb7015

  • SHA1

    39b6d40906c7f7f080e6befa93324dddadcbd9fa

  • SHA256

    26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

  • SHA512

    69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

  • SSDEEP

    6144:DCyjXhd1mialK+qoNr8PxtZE6x5v+k6f:rjXhd8ZlKOrMZE6x5b6f

  Score

  6^/10

  bootkitpersistence

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  behavioral17

• • Target

    Documents/Ransomware.Petya/Ransomware.Petya/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.bin

  • Size

    788KB

  • MD5

    a92f13f3a1b3b39833d3cc336301b713

  • SHA1

    d1c62ac62e68875085b62fa651fb17d4d7313887

  • SHA256

    4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c

  • SHA512

    361a5199b5a6321d88f6e7b66eaad3756b4ea7a706fa9dbbe3ffe29217f673d12dd1200e05f96c2175feffc6fecc7f09fda4dd6bfa0ce7bef3d9372f6a534920

  • SSDEEP

    24576:z0wz1d5bAbWhrc56zQ9T4Ole+5PIuklOjB:Hd5Vhr4IMTbeGPJHjB

  Score

  6^/10

  bootkitdiscoverypersistence

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  behavioral18

• • Target

    Documents/Ransomware.Radamant/Ransomware.Radamant/DUMP_00A10000-00A1D000.exe.ViR

  • Size

    52KB

  • MD5

    6152709e741c4d5a5d793d35817b4c3d

  • SHA1

    05ae9c76f8f85ad2247c06d26a88bbbcfff4d62e

  • SHA256

    2c4c8066a1a7dfdf42c57ff4f9016f1ba05bcb004ff8b0ffc0989165d2ad30e2

  • SHA512

    1e5ebd53ac942b0f06f759f936efebeeb9a74062647cd978d5112720f772f607b12ee20c02ab838104a7a947fef2fde79b0db944286d8daf2e6e6d16e10b9390

  • SSDEEP

    768:UR/FcohAQFBY4JzKNkN3QZ0gGINlVOWcm:U1PhAQztJWNeCVOWc

  Score

  7^/10

  discoverypersistenceupx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral19

• • Target

    out.upx

  • Size

    51KB

  • MD5

    8f681b52fcfe200d14c81d297a323cf7

  • SHA1

    1375d3c3cb1d2ea8d6f80a2cfe11107d80ad9a34

  • SHA256

    a1c1164f6b43a3592a98b29adc045f9ca37ec0624eb2f2c027bfffe24a4915d1

  • SHA512

    88f936cfc95833017fefa7a342cb9b41ae7ea2e7123f7e8bb4192db53b0b48998421176132a4ead98fbb25d31d0f1ee8e0f7995d14e94ab3e094d4dcceb7ad36

  • SSDEEP

    768:uElAvOs4CTfOgGYdlNGCizSHdq12UMx9s6zAKSXwa/2e:ZlafjVsrODKpKSXN

  Score

  3^/10

  discovery
  behavioral20

• • Target

    Documents/Ransomware.Radamant/Ransomware.Radamant/Supplementary Agreement 26_01_2016.zip.ViR

  • Size

    37KB

  • MD5

    892626ba70f22a5c7593116b8d2defcf

  • SHA1

    ab41a0bc0e3dbcc7d48b674ec079f55eac6dea13

  • SHA256

    7a436727bac86927ec9d51db86899ffc0b0f92feb1d426c5f2141d94f7d29e13

  • SHA512

    f48e8248f68c2a8d9d3f567850ecbc88ed79e7f75dc5e9295615e5355b853e555abf904735e27d38e34120ef3a0cf2f1cad780142ef8a330b148e0bfc69805de

  • SSDEEP

    768:3XLJmx0iPed1zpMZ87vvQkVq4Y994iM1OLsPRyeqZeK6KK/0XM:3XLExSd1zpV7vYkYy1OgPRyeo6K40XM

  Score

  1^/10
  behavioral21

• • Target

    Documents/Ransomware.Rex/WTEpZSFwgb

  • Size

    7.3MB

  • MD5

    5bd44a35094fe6f7794d895122ddfa62

  • SHA1

    98172e49c3d5d70ffdcefd071f9762c58430a393

  • SHA256

    762a4f2bf5ea4ff72fce674da1adf29f0b9357be18de4cd992d79198c56bb514

  • SHA512

    4033c7335a44a7536a3980aad8cf18ff6336186d71dd7b7f02c3d5c93001ed974285fe9fbbf783bc0abac3e3b3581993ad6d2ac285249aa24b0aafa261f74de8

  • SSDEEP

    49152:mNLLdMtTbVDtCsN5laK2BfCDvI7ZR9kAs5dkPjU2NhYCWpdLJaDSfUGZnh7X3cM9:mNlMt1tCsN5LGfCL7ATfscS8QhXP

  Score

  1^/10
  behavioral22

• • Target

    Documents/Ransomware.Satana/Ransomware.Satana/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin

  • Size

    49KB

  • MD5

    46bfd4f1d581d7c0121d2b19a005d3df

  • SHA1

    5b063298bbd1670b4d39e1baef67f854b8dcba9d

  • SHA256

    683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

  • SHA512

    b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

  • SSDEEP

    768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtDj:Apw10vnAOIUaJh4IXdWXLXTWLfuFj

  Score

  5^/10

  discovery

  • Suspicious use of SetThreadContext

  behavioral23

• • Target

    Documents/Ransomware.Satana/Ransomware.Satana/unpacked.mem

  • Size

    72KB

  • MD5

    108756f41d114eb93e136ba2feb838d0

  • SHA1

    8c6b51923ee7da2f4642c7717db95fbb77d96164

  • SHA256

    b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c

  • SHA512

    d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa

  • SSDEEP

    768:F9NJK3qZRhxXHIQBsLL16BKc+bBQZ/UMc2:rXzXol6cc+lQZMMc2

  Score

  10^/10

  satanabootkitdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

  • Satana

    Ransomware family which also encrypts the system's Master Boot Record (MBR).

    ransomwaresatana

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Deletes itself

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  behavioral24

• • Target

    Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370

  • Size

    284KB

  • MD5

    209a288c68207d57e0ce6e60ebf60729

  • SHA1

    e654d39cd13414b5151e8cf0d8f5b166dddd45cb

  • SHA256

    3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370

  • SHA512

    ce4a7e42738154183fc53702f0841dfd4ad1eb0567b13cc1ff0909f1d330e9cd2fb994375efc6f02e7eddaaae1f465ff93458412143266afdaff1c6bf6477fc3

  • SSDEEP

    3072:rYXT8PUsMNL8V4tD2My/JAAbQoM29wlV58lbNnolY7VgsYiVTPtiTu/q:rowUsML8g2j0o9wb0bNoaKsYImui

  Score

  9^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (3242) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral25

• • Target

    Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/51B4EF5DC9D26B7A26E214CEE90598631E2EAA67

  • Size

    257KB

  • MD5

    6e080aa085293bb9fbdcc9015337d309

  • SHA1

    51b4ef5dc9d26b7a26e214cee90598631e2eaa67

  • SHA256

    9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122

  • SHA512

    4e173fb5287c7ea8ff116099ec1a0599b37f743f8b798368319b5960af38e742124223dfd209457665b701e9efc6e76071fa2513322b232ac50ddad21fcebe77

  • SSDEEP

    6144:xy+als+0nIycigV5cbEo6dZbBODPIsjQ/UFsYW:xy+aCFnIycigVSbObBODTMUd

  Score

  3^/10

  discovery
  behavioral26

• • Target

    Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/E906FA3D51E86A61741B3499145A114E9BFB7C56

  • Size

    261KB

  • MD5

    6d3d62a4cff19b4f2cc7ce9027c33be8

  • SHA1

    e906fa3d51e86a61741b3499145a114e9bfb7c56

  • SHA256

    afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18

  • SHA512

    973643639cb02491b86d5b264ee8118a67d8a83453307aea95de2f4c6aa55819d37730c41dc3338116ebe86f9a4f2bba7d9537ea744ae08b9755f05c15153fad

  • SSDEEP

    6144:93g0BQG+aZiycigV5bbEo6dZbBODPIsjQ/UFsYWo:93g0OGjZiycigVRbObBODTMUdj

  Score

  3^/10

  discovery
  behavioral27

• • Target

    Documents/Ransomware.Vipasana/Ransomware.Vipasana/0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab

  • Size

    370KB

  • MD5

    2aea3b217e6a3d08ef684594192cafc8

  • SHA1

    3a0b855dd052b2cdc6453f6cbdb858c7b55762b0

  • SHA256

    0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab

  • SHA512

    ea83fcb7465e48445f2213028713c4048ac575b9c2f7458a014c495bddb280be553a22b1056284efad7dd55c2a7837096755206581c67bb0183e4ac42160011a

  • SSDEEP

    6144:oRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYlG8+rNfNQFoQGt485VY:uDRbXFHW1+K2UWBGIymY/+rheFOv

  Score

  8^/10

  discoverypersistenceransomwarespywarestealer

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral28

• • Target

    Documents/Ransomware.Vipasana/Ransomware.Vipasana/c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a

  • Size

    370KB

  • MD5

    a890e2f924dea3cb3e46a95431ffae39

  • SHA1

    35719ee58a5771156bc956bcf1b5c54ac3391593

  • SHA256

    c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a

  • SHA512

    664fb8075712912be30185d17d912dae148e778627e852affe1b1080bb9c8d5917e7b3c1d194e62ac6919c16235754f776523ba7ce95af38be86b61cc3e3d162

  • SSDEEP

    6144:KRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYN8+G5l9PAzJdVeO2Ui:sDRbXFHW1+K2UWBGIymYG+i9A+ONi

  Score

  8^/10

  discoverypersistenceransomwarespywarestealer

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral29

• • Target

    Documents/Ransomware.Vipasana/Ransomware.Vipasana/e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573

  • Size

    329KB

  • MD5

    adb5c262ca4f95fee36ae4b9b5d41d45

  • SHA1

    cdbe420609fec04ddf3d74297fc2320b6a8a898e

  • SHA256

    e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573

  • SHA512

    dad3541217a7f1fde669441a3f987794ee58ae44e7899d7ed5ebdf59e8174e2924441ea8474701908071df74479a4f928b673c2d9086c67078a2a861b61ba754

  • SSDEEP

    6144:TRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYN8+N6MSiF0Q5XNN:pDRbXFHW1+K2UWBGIymYG+zn

  Score

  8^/10

  discoverypersistenceransomwarespywarestealer

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral30

• • Target

    Documents/Ransomware.WannaCry/Ransomware.WannaCry.zip

  • Size

    3.3MB

  • MD5

    efe76bf09daba2c594d2bc173d9b5cf0

  • SHA1

    ba5de52939cb809eae10fdbb7fac47095a9599a7

  • SHA256

    707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

  • SHA512

    4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

  • SSDEEP

    98304:vhvb2BVmAw0p9jIVcEj5nnZNRyA30yBSRT:vhvq7Bu6EZnZN5EyBSN

  Score

  1^/10
  behavioral31

• • Target

    Documents/Ransomware.WannaCry/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

  • Size

    3.4MB

  • MD5

    84c82835a5d21bbcf75a61706d8ab549

  • SHA1

    5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

  • SHA256

    ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

  • SHA512

    90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

  • SSDEEP

    98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

  Score

  10^/10

  wannacrydefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealerworm

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    defense_evasion

  • Sets desktop wallpaper using registry

    ransomware
  behavioral32