dharma

General

Target

ea54ac4b573864a58e912bc1296e6b3d_JaffaCakes118
Size

335KB
Sample

240919-brkysatcqe
MD5

ea54ac4b573864a58e912bc1296e6b3d
SHA1

cb0b48ec0e1c0da1b46e35c7fc7e498b6439a9ca
SHA256

82cc54a2d2620e98de7729569627dc794b4d53096f74e5b6fae2fdb227d63d1d
SHA512

712e6c66cd158ba9b112f3f00e612ea921b94c664f07a3124b45517d24a7eb6b75f9d0f4c3bc9f8c38af810f1659cefeec6af4dd4bcd3feba512848ed369e3ab
SSDEEP

6144:TFivQEpm5xeolcek45QUw4wQOe6Xs6TdNnWCrmLTwqYXHNQkAyktjq25B+lr:T8vQEpM/m3Re6c6RJWmmL8XHakAhZY

Score

10^/10

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 6219851C In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 4FC18F34 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Targets

- Target
  
  ea54ac4b573864a58e912bc1296e6b3d_JaffaCakes118
- Size
  
  335KB
- MD5
  
  ea54ac4b573864a58e912bc1296e6b3d
- SHA1
  
  cb0b48ec0e1c0da1b46e35c7fc7e498b6439a9ca
- SHA256
  
  82cc54a2d2620e98de7729569627dc794b4d53096f74e5b6fae2fdb227d63d1d
- SHA512
  
  712e6c66cd158ba9b112f3f00e612ea921b94c664f07a3124b45517d24a7eb6b75f9d0f4c3bc9f8c38af810f1659cefeec6af4dd4bcd3feba512848ed369e3ab
- SSDEEP
  
  6144:TFivQEpm5xeolcek45QUw4wQOe6Xs6TdNnWCrmLTwqYXHNQkAyktjq25B+lr:T8vQEpM/m3Re6c6RJWmmL8XHakAhZY
Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (310) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2