nitro | db6ded62d80e29a35b0a3fd6613fea1e65cc3cece41c6e281426d5cf5ff77e51 | Triage

Sharing

General

Target

23e8858a3f412190e31be918bb91c72b_JaffaCakes118
Size

61KB
Sample

241008-xplm7ayfnb
MD5

23e8858a3f412190e31be918bb91c72b
SHA1

355e30d1259d02a805a5a8d00848413321ceadd1
SHA256

db6ded62d80e29a35b0a3fd6613fea1e65cc3cece41c6e281426d5cf5ff77e51
SHA512

16af337585d5fb7d4055fdb1feabc3c1707af33e13c99ccc7c0575f153e821eb556a0a10381a4d087d17811e948d88a8a429b06cd53b149a2f288b6b4665cdb6
SSDEEP

768:9KsMqCXfVcWO/M9ZkiANIU+sYLDwUzc80gmq3oP/oDz:9KseiM9ZkiAPEr/0O8/o/

Score

10^/10

nitro discovery persistence ransomware spyware stealer

Malware Config

Targets

- Target
  
  23e8858a3f412190e31be918bb91c72b_JaffaCakes118
- Size
  
  61KB
- MD5
  
  23e8858a3f412190e31be918bb91c72b
- SHA1
  
  355e30d1259d02a805a5a8d00848413321ceadd1
- SHA256
  
  db6ded62d80e29a35b0a3fd6613fea1e65cc3cece41c6e281426d5cf5ff77e51
- SHA512
  
  16af337585d5fb7d4055fdb1feabc3c1707af33e13c99ccc7c0575f153e821eb556a0a10381a4d087d17811e948d88a8a429b06cd53b149a2f288b6b4665cdb6
- SSDEEP
  
  768:9KsMqCXfVcWO/M9ZkiANIU+sYLDwUzc80gmq3oP/oDz:9KseiM9ZkiAPEr/0O8/o/
Score

10^/10

nitro discovery persistence ransomware spyware stealer
- Nitro
  A ransomware that demands Discord nitro gift codes to decrypt files.
  ransomware nitro
- Renames multiple (76) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

nitrodiscoverypersistenceransomwarespywarestealer

behavioral2

nitrodiscoverypersistenceransomwarespywarestealer