General

  • Target

    2024-08-27_e6c1ecb5c8e5780ab000dabff162dee7_chaos_destroyer_wannacry

  • Size

    27KB

  • Sample

    240828-amfylaxgrh

  • MD5

    e6c1ecb5c8e5780ab000dabff162dee7

  • SHA1

    7487be31436fc53343755af2dffa8cb784b79075

  • SHA256

    c5a4a99a53040e54a4be54daa8c4922c0a412c03ee393479eb0dc40494749ca3

  • SHA512

    2f23dd73536945d5170a89466990b1e3bec70890997cfa8fc6594b90571f35df47db94b99aa2015775c8cc93f48258848e5943cc54e86dcf75f71b8d95e092ca

  • SSDEEP

    384:DYenjLLA4/rBvkhpmGl1DRZdi+vYSul6OVp91r/rITb1BLBgxDGiz:qir2mGXNZ9c9tcTyxDvz

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\read_it.txt

Ransom Note
Your network has been breached by 8base ransomware group. We have extracted valuable or sensitive data from your network and encrypted the data on your systems. Decryption is only possible with a private key that only we posses. Our group's only aim is to financially benefit from our brief acquaintance,this is a guarantee that we will do what we promise. Scamming is just bad for business in this line of work. All your files are encrypted using AES-256 military grade algorithm. So, 1. Don't try to recover data, because the encrypted files are unrecoverable unless you have the key. Any try for recovering data without the key (using third-party applications/companies) causes PERMANENT damage. Take it serious. 2. You have to trust us. This is our business (after firing from high-tech companies) and the reputation is all we have. 3. All you need to do is following up the payment procedure and then you will receive decrypting key using for returning all of your files and VMs. Contact us to negotiate the terms of reversing the damage we have done and deleting the data we have downloaded. We advise you not to use any data recovery tools without leaving copies of the initial encrypted file. You are risking irreversibly damaging the file by doing this. ID:C2DMS57OET5K2ZN11F How to contact us: [email protected] [email protected] Contact us and tell us your ID why trust us? If you pay the ransom, we will provide the decryption key software and send it to your mailbox. Provide an encrypted file (no larger than 1MB) that we will restore to prove our good faith.

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (183) files with added filename extension

      This suggests ransomware activity: encrypting all of the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15