General

  • Target

    RNSM00464.7z

  • Size

    24.7MB

  • Sample

    241008-x8vefa1hpc

  • MD5

    654a8d9ad78eae28285ebbe220a66d40

  • SHA1

    568769a38792f94bb52014952ffa12b987bfbad9

  • SHA256

    3cbc2e715a7f27f27bfc07e4fed45251608833ae05020fde0d06e8f1187dbe11

  • SHA512

    41414ad0f340c83ff61b218670dc66cbc4bb2d8726d0d32e3c6a3da09901b69e49f0361e97054fc9189a726007f04e1f2d6c43debd963653101d0094fbf0eb27

  • SSDEEP

    393216:iZ79twuT+C2ZeYslhGR8d3za68YmQd3RZnVDOn3CcSwlT/g2zR0bM8E8:8UZeYslcSd5mmLE3zttD0pL

Malware Config

Extracted

Family

gandcrab

C2

http://gdcbghvjyqy7jclk.onion.top/

Extracted

Family

djvu

C2

http://astdg.top/fhsgtsspen6/get.php

Attributes
  • extension

    .hoop

  • offline_id

    922IaqlBU1I6IKX6eTDABuH3amHHwoa5qUSb8vt1

  • payload_url

    http://securebiz.org/dl/build2.exe

    http://astdg.top/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-I6qIbIYiz9 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0326gDrgo

rsa_pubkey.plain
rsa_pubkey.plain

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

remote

C2

127.0.0.1:5555

haso.ddns.net:5555

Mutex

F8GIE4GJ812773

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Driver

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Install Flash Player

  • message_box_title

    Error

  • password

    crocro35

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

112.175.88.207

112.175.88.208

Extracted

Path

\Device\HarddiskVolume1\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>E4AFD8D1-2700</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ TO UN-HACK

Ransom Note
WARNING! WARINING! Your Computer Has Been Compromised! If You Wish To Gain Back Access To Your Computer And Prevent Further Spread Of Encryption Across Your Newtork - UGRENTLY FOLLOW THE INSTRUCTIONS BELOW.... You MUST send 1.5 BTC To The Below Bitcoin Address bc1q8f3a4s546jm7dnw7gmv72k39wjs36cj0gfsf6f You Have 3 hours to get payment across before we begin to spread malware across your network. Getting Your Files Back Is in our best interest so please confirm payment to below email And all files will be un-encrypted and back to there original state once payment confirmation is received. Email: [email protected] Thank You - Razor Squad

Extracted

Path

F:\HowToRestoreMyFiles.txt

Ransom Note
All data in your machine turned to useless binary code. Your databases and important files have been downloaded and will be published after 12 days if not paid. To return files and prevent publishing email us at: [email protected], [email protected] (send copy to both). Tips: *No one else can help you , don't waste your business time. *You ask for proof that we have your data , and you can see our old target that their data have been published. *If not paid after 12 days Google your company name and you will see your private data in there, happy will legal and business challenges of data leak after. *For decryption anyone/any company offering help will get extra fee(some times even more than ours!)added to ours or simplly will scam you (dont pay us after getting test file, lie and scam you) so if you wanna intermediary chose a trusted one to avoid scams, and get your data. *For decryption you send a few sample files for test before any payment. We won't be available for long. Dont play with encrypted files that will corrupt them and make unrecoverable. Use google translate (if you don't know english) Your key: LQ2+Tkig+7Fb350+B8uhiOhVgYZIwYNf68UtIPzon3cnjwBFbWwSgtRxKOdTkIzObpnMINr//cilOP0JdaINvWDjnwXv0aEGE0lpU0GPo4r6o8dmdI06JyAGXLhB8G5PJNNGrE3IqxAPjjoSF14QXnGe4ceZyf5IO49ay6fSB6Y=

Targets

    • Target

      RNSM00464.7z

    • Size

      24.7MB

    • MD5

      654a8d9ad78eae28285ebbe220a66d40

    • SHA1

      568769a38792f94bb52014952ffa12b987bfbad9

    • SHA256

      3cbc2e715a7f27f27bfc07e4fed45251608833ae05020fde0d06e8f1187dbe11

    • SHA512

      41414ad0f340c83ff61b218670dc66cbc4bb2d8726d0d32e3c6a3da09901b69e49f0361e97054fc9189a726007f04e1f2d6c43debd963653101d0094fbf0eb27

    • SSDEEP

      393216:iZ79twuT+C2ZeYslhGR8d3za68YmQd3RZnVDOn3CcSwlT/g2zR0bM8E8:8UZeYslcSd5mmLE3zttD0pL

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Detected Djvu ransomware

    • Disables service(s)

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Urelas

      Urelas is a trojan targeting card games.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks