General

  • Target

    __monero_chan_monero_drawn_by_freerun79__sample-c27ac21e4c771729d224f96a865a76e0.jpg

  • Size

    306KB

  • Sample

    240923-sr77razekk

  • MD5

    b4c10bd4dd5d40369ac98bc68f9b3de6

  • SHA1

    1af7ece19cf5a4e769393a12b7a58f8d0e77a465

  • SHA256

    019bcd286332c9c6f6c1591a3199cbb535c941c942d1a41be848264792731f95

  • SHA512

    f667ea52dda31c71853e7fdfde662cc1d5b393ac8ab0a6151405b23c8ed3235af77d9e20dbe8e8a39ce8831a4ff1708b8e98a556d3ac426d016dd5817cf2f04e

  • SSDEEP

    6144:MdR+WYCz+sFopT//HqK/sjOKqXrQwZ3oAG8SsubPBztiNndSOiOf:MdRetXxJ0krpZ3RG8buDBwNnAi

Malware Config

Extracted

Family

blackcat

Attributes

  • enable_network_discovery

    true

  • enable_self_propagation

    true

  • enable_set_wallpaper

    true

  • extension

    cvz8n37

  • note_file_name

    RECOVER-${EXTENSION}-FILES.txt

  • note_full_text

    >> What happened? Important files on your network was ENCRYPTED and now they have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your network was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. - Manufacturing documents including: datagrams, schemas, drawings in solidworks format - And more... >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://gbxbwicx3x35kn7n73opnpp4kkzjcra42iv2akoo2dcjinf6jf6qbuyd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions!

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

    • BlackCat

      A Rust-based ransomware sold as RaaS first seen in late 2021.

    • CryptoLocker

      Ransomware family with multiple variants.

    • Modifies visibility of file extensions in Explorer

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • UAC bypass

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
