General

  • Target

    RNSM00480.7z

  • Size

    26.3MB

  • Sample

    240917-rf92jawhqe

  • MD5

    eddd0c8d8f9919c8a2d18a25047d1b8c

  • SHA1

    06c72f0c222805e448a3a5f15c204ddca9b65492

  • SHA256

    3a6cee5509bb09d4e479d91dbf1ba292e76686c14c6a1049de7c0e0ddbdf7a2b

  • SHA512

    68c7cb44dfc9c2b184844825e94a7f6ab122ad0eae8a1bd6eaf1132357c209976563eea702b5f6123a23c682f9aff23095f5307954809fa3e93ff0ea14eb3f6b

  • SSDEEP

    393216:pSaU4WVWKWzPcGR3Rh5+bNAyie1ZEkkR7jxxacZ+HrMBnmHcLN0uYXKY3CBB0Ddl:dXTbR35S3PPe7j1sYg8LoXvSB4CTNA

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\+REcovER+kwixt+.txt

Ransom Note
{}_~_~+ -$.-_+$|~~_|| =|_$.**+-~| $+|=*.-=| !!! IMPORTANT INFORMATION !!!! All of your files are encrypted with RSA-4096. More information about the RSA algorythm can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server. To receive your private key follow one of the links: 1. http://88fga.ketteaero.com/C87BFBF0377562DB 2. http://2bdfb.spinakrosa.at/C87BFBF0377562DB 3. http://uj5nj.onanwhit.com/C87BFBF0377562DB If all of the addresses are not available, follow these steps: 1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: k7tlx3ghr3m4n2tu.onion/C87BFBF0377562DB 4. Follow the instructions on the site. !!! Your personal identification ID: C87BFBF0377562DB !!! )(*=~_$~+$==-$*~=$$ __$-=-+*
URLs

http://88fga.ketteaero.com/C87BFBF0377562DB

http://2bdfb.spinakrosa.at/C87BFBF0377562DB

http://uj5nj.onanwhit.com/C87BFBF0377562DB

http://k7tlx3ghr3m4n2tu.onion/C87BFBF0377562DB

Extracted

Family

blackmatter

Version

2.0

Botnet

207aab0afc614ac68359fc63f9665961

C2

https://fluentzip.org

http://fluentzip.org

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64

34WGP/yGynGizPJpgmg5CvCFh1PeGt/gRzzq5FRXlXqQtl/YZFi9bsedrfoKMBRJJ857UZu2s7+vQvFl1LD1aW2pNhELtXYqb7Fgcn+zlSXM0zpE67GPEtUsOBfywEOSfqlurpfCd/hz0HFO2XLxJx9ngHbAzTC9Ei9J9QTa4Xs=

aes.base64

t4R5NVaR520hYIWAkZ6mFg==

Extracted

Path

F:\WzEgyMggM.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen sensitive data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2 >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

112.175.88.207

112.175.88.208

218.54.30.235

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Office\_R_E_A_D___T_H_I_S___JQ6X30OI_.txt

Ransom Note
Hi, I'am CERBER RANSOMWARE ;) ----- YOUR DOCUMENTS, PH0T0S, DATABASES AND 0THER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/30C0-25AF-6105-0006-4DCA Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.tor2web.org/30C0-25AF-6105-0006-4DCA 2. http://xpcx6erilkjced3j.onion.link/30C0-25AF-6105-0006-4DCA 3. http://xpcx6erilkjced3j.onion.nu/30C0-25AF-6105-0006-4DCA 4. http://xpcx6erilkjced3j.onion.cab/30C0-25AF-6105-0006-4DCA 5. http://xpcx6erilkjced3j.onion.to/30C0-25AF-6105-0006-4DCA ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://xpcx6erilkjced3j.onion/30C0-25AF-6105-0006-4DCA

http://xpcx6erilkjced3j.tor2web.org/30C0-25AF-6105-0006-4DCA

http://xpcx6erilkjced3j.onion.link/30C0-25AF-6105-0006-4DCA

http://xpcx6erilkjced3j.onion.nu/30C0-25AF-6105-0006-4DCA

http://xpcx6erilkjced3j.onion.cab/30C0-25AF-6105-0006-4DCA

http://xpcx6erilkjced3j.onion.to/30C0-25AF-6105-0006-4DCA

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Office\_R_E_A_D___T_H_I_S___ZX0XEV_.hta

Family

cerber

Ransom Note

Extracted

Path

C:\Program Files\Common Files\DESIGNER\!! READ ME !!.txt

Ransom Note
Good day. All your files are encrypted. For decryption contact us. Write here belingmor@cock.li reserve admin@cuba-supp.com jabber cuba_support@exploit.im We also inform that your databases, ftp server and file server were downloaded by us to our servers. If we do not receive a message from you within three days, we regard this as a refusal to negotiate. Check our platform: http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion/ * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Do not stop process of encryption, because partial encryption cannot be decrypted.
Emails

belingmor@cock.li

admin@cuba-supp.com

cuba_support@exploit.im

URLs

http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion/

Targets

    • Target

      RNSM00480.7z

    • AtomSilo

      Ransomware family first seen in September 2021.

    • AtomSilo Ransomware

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be the successor of Darkside and REvil.

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Urelas

      Urelas is a trojan targeting card games.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (132) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Contacts a large (1126) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Modifies Windows Firewall

    • Patched UPX-packed file

      Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
