General

  • Target

    b1ac46470933de2096f95f35116dc3dd2a52b416150b75dc3d5e3ee4d521a09a

  • Size

    202KB

  • Sample

    241106-sj77savlgr

  • MD5

    5f43ead2fcf68ab420a0b563dd1b23f4

  • SHA1

    15b4dd41a806ce1c23164735f997f4b0b09f3db8

  • SHA256

    b1ac46470933de2096f95f35116dc3dd2a52b416150b75dc3d5e3ee4d521a09a

  • SHA512

    e3511218e4ff9b8db11d1124a5106b5e63d3aa18af1980744552b5b0fa172b9d3c0257b2b34f231addf057d04cbb8a4ec1709d1e1e1b8d3d651822b278863638

  • SSDEEP

    3072:NjnBqm4O2oVkkdIqWaFcdG/GYAuv9vX01FBdvuVOe5/XhVRXf4cVbMTjIlmR:9nBFRqqWe2Z3DisYP1v1Fl

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\how_to_decrypt.hta

Ransom Note
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- Should we release a public CL Builder? :-) --> <html> <title>VXUG Ransomware</title> <hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application> <script language="JavaScript"> var max_discount = 50; var start_date = new Date('November 6 2024 15:10:32'); var discount_date = new Date('November 11 2024 15:10:32'); var end_date = new Date('November 13 2024 15:10:32'); var main_contact = '[email protected]'; var hid = '[35CB212D-DB7B5D9E]'; var second_contact = '@vxunderground'; var sd = end_date; var dn = new Date(); var zoc, ddGlobal; function document.onblur() { alert('Attention! This important information for you!'); } function setContacts() { document.getElementById('main_contact').innerHTML = main_contact; document.getElementById('second_contact').innerHTML = second_contact; document.getElementById('hid').innerHTML = hid; } function countDiscount() { var term_current = new Date().getTime() - start_date.getTime(); var term_full = discount_date.getTime() - start_date.getTime(); var delta = discount_date.getTime() - new Date().getTime(); delta = new Date(delta); var dt = document.getElementById('pwr'); var timer_discount = document.getElementById('timer_discount'); var discount = document.getElementById('discount'); var hours_to_end = Math.floor(term_full / 1000 / 3600); var hours_current = Math.floor(term_current / 1000 / 3600); if (discount_date.getTime() > dn.getTime()) { var disc_per_hour = parseFloat(max_discount / hours_to_end).toFixed(2); var cur_discount = Math.floor(max_discount - (disc_per_hour * hours_current)); if (discount) { discount.innerHTML = cur_discount + '% discount'; } } if (cur_discount <= 25) { dt.style.cssText = 'border: 1px solid #FFC000;'; if (timer_discount) { timer_discount.style.background = '#FFC000'; } } if (sd.getTime() < dn.getTime() || cur_discount < 5) { dt.style.cssText = 'border: 1px solid #F53636; background-color: #F53636; padding: 16px 20px;'; dt.innerHTML = '<div style="font-size: 16px; color: #ffffff; text-align: center; display: block; font-weight: bold;">Decryption key can be bought at standard cost.</div><div style="font-size: 13px; color: #fff; text-align: center; margin-top: 10px">You need to hurry up to decrypt your data because all your files will be destroyed soon.</div>'; } var dd = (delta.getUTCDate()-1) + ((delta.getUTCMonth()) * 31); var hh = delta.getUTCHours(); var mm = delta.getUTCMinutes(); var ss = delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } if (timer_discount) { timer_discount.innerHTML = dd + ' ' + hh+':'+mm+':'+ss; } } function ChangeTime() { var sd = end_date; var dn = new Date(); if (sd.getTime() < dn.getTime()) { var dt = document.getElementById('lctw'); dt.innerHTML = '<b>Soon, you won\'t be able to decrypt your files. Contact us immediately!</b>'; dt.style.cssText = 'background-color: #F53636; color: #ffffff; font-weight: bold; padding: 19px 24px; margin: 17px 0 24px; text-align: center; font-size: 20px;'; zoc = 2; } else { var delta = sd.getTime() - dn.getTime(); delta = new Date(delta); var dd = (delta.getUTCDate()-1) + ((delta.getUTCMonth()) * 31); ddGlobal = parseInt(dd); var hh = delta.getUTCHours(); var mm = delta.getUTCMinutes(); var ss = delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt = document.getElementById('file_lost'); if (dt) { dt.innerHTML= dd+' &nbsp;&nbsp;&nbsp; '+hh+':'+mm+':'+ss; } } } var count = 100, interval = 10, intervalID; function blink() { if (ddGlobal == 0 && zoc != 2) { var dt = document.getElementById('file_lost'); var dt2 = document.getElementById('text_file_lost'); var test = document.getElementById('test'); if (count == 100) { intervalId = setInterval(function () { dt.style.filter = 'alpha(opacity='+count+')'; dt2.style.filter = 'alpha(opacity='+count+')'; count = count - 2; if (count == 20) clearInterval(intervalId); }, interval); } if (count == 20) { intervalId = setInterval(function () { dt.style.filter = 'alpha(opacity='+count+')'; dt2.style.filter = 'alpha(opacity='+count+')'; count = count + 2; if (count == 100) clearInterval(intervalId); }, interval); } } } function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } function Rndom() { var dt=document.getElementById('rc'); var xx=''; var i=0; while (i < 40) { xx=xx+getRandomArbitrary(0,2); i=i+1; } rc.innerHTML= xx; } function Start() { window.resizeTo(850,720); setContacts(); ChangeTime(); setInterval(ChangeTime, 1000); countDiscount(); setInterval(countDiscount, 1000); setInterval(blink, 100); setInterval(Rndom,100); } function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); } function Restart() { alert('Attention! This important information for you!'); } </script> <body style="background: #000; font: 12px 'Arial', sans-serif; padding: 0; margin: 0;" onload="Start();"> <div style="height: 100%; position: absolute; top: 0; left: 0; background-color: #ffffff; box-sizing: border-box; padding: 20px; overflow-x: hidden;overflow-y: hidden;"> <div style="background-color: #000000; width: 100%; height: 55px;" id="header"> <div style="color: #F53636; font-weight: bold; font-size: 40px; text-transform: uppercase; line-height: 54px; padding-left: 8px; float: left;">ENCRYPTED BY VXUG</div> <div style="font-size: 18px; color: #7E7E7E; float: right; line-height: 55px; padding-right: 17px;" id="rc">11100001111011111111100001111011111100</div> </div> <div style="clear: both; float: none; height: 18px; width: 100%;"></div> <div> <div style="float: left; width: 144px; height: 110px; background-color: #000000; color: #ffffff; text-align: center; line-height: 1;"> <b style="display: block; font-size: 43px; margin-top: 24px;">What</b> <b style="display: block; font-size: 20px;">happened?</b> </div> <div style="float: right; width: 630px;"> <b style="font-size: 13px; color: #F53636;">All your documents, databases, backups, and other critical files were encrypted by vx-underground.</b> <div>Our software used the AES cryptographic algorithm (you can find related information in Wikipedia).</div> <br> <div>It happened because of security problems on your server, and you cannot use any of these files anymore. The only way to recover your data is to buy a decryption key from us. </div> <br> <div>To do this, please send your unique ID to the contacts below.</div> </div> <div style="clear: both; float: none; height: 18px; width: 100%;"></div> </div> <div> <div style="float: left; width: 540px;"> <div style="background: #EDEDED; height: 63px; line-height: 63px; margin-bottom: 5px; cursor: pointer;" OnClick="copytext(main_contact)"> <div style="width: 80px; float: left; font-size: 16px; color: #737373; padding-left: 18px;">E-mail:</div> <b style="float: left; font-size: 14px; padding-left: 76px;" id="main_contact"></b> <div href="#" style="float: right; padding-right: 18px; font-size: 16px; color: #828282; font-weight: bold;" >copy</div> <div style="clear: both; float: none;"></div> </div> <div style="background: #EDEDED; height: 63px; line-height: 63px; margin-bottom: 5px; cursor: pointer;" OnClick="copytext(hid)"> <div style="width: 80px; float: left; font-size: 16px; color: #737373; padding-left: 18px;">Unique ID:</div> <b style="float: left; font-size: 14px; padding-left: 76px;" id="hid"></b> <div href="#" style="float: right; padding-right: 18px; font-size: 16px; color: #828282; font-weight: bold;" >copy</div> <div style="clear: both; float: none;"></div> </div> <div style="margin-top: 17px; line-height: 18px;">Right after payment, we will send you a specific decoding software that will decrypt all of your files. If you have not received the response within 24 hours, please contact us on twitter <span style="text-decoration: underline;" OnClick="copytext(second_contact)" id="second_contact"></span>.</div> </div> <div style="float: right; width: 230px;"> <div style="border: 1px solid #2FAB61;" id="pwr"> <div style="padding: 13px 14px 3px 14px; text-align: center; font-size: 14px;">During a short period, you can buy a decryption key with a </div> <div style="font-size: 25px; text-align: center; display: block; font-weight: bold;" id="discount">50% discount</div> <div id="timer_discount" style="margin-top: 10px; background-color: #219653; padding: 5px 0; text-align: center; font-size: 25px; font-weight: bold; color: #ffffff;">--:--:-- left</div> </div> <div style="margin-top: 17px; line-height: 18px;">The price depends on how soon you will contact us.</div> </div> <div style="clear: both; float: none;"></div> </div> <div style="background-color: #F53636; color: #ffffff; font-weight: bold; padding: 19px 24px; margin: 17px 0 24px" id="lctw"> <div style="float: left; font-size: 20px; padding-top: 3px;" id="text_file_lost">All your files will be deleted permanently in:</div> <div style="float: right; font-size: 25px;" id="file_lost"></div> <div style="clear: both; float: none;"></div> </div> <div> <div style="float: left; width: 540px;"> <b style="margin-bottom: 11px; font-size: 14px; display: block;">Attention! <div id="test"></div></b> <ul style="list-style: none; padding: 0; margin: 0;"> <li style="position: relative; padding-left: 20px; font-size: 12px; margin-bottom: 14px;"> <span style="position: absolute; font-size: 27px; left: 0; color: #F53636; top: -1px;">!</span> <span style="color: #F53636;">Do not try to recover files yourself.</span> this process can damage your data and recovery will become impossible.</li> <li style="position: relative; padding-left: 20px; font-size: 12px; margin-bottom: 14px;"> <span style="position: absolute; font-size: 27px; left: 0; color: #F53636; top: -1px;">!</span> <span style="color: #F53636;">Do not waste time trying to find the solution on the Internet.</span> The longer you wait, the higher will become the decryption key price.</li> <li style="position: relative; padding-left: 20px; font-size: 12px margin-bottom: 14px;"> <span style="position: absolute; font-size: 27px; left: 0; color: #F53636; top: -1px;">!</span> <span style="color: #F53636;">Do not contact any intermediaries.</span> They will buy the key from us and sell it to you at a higher price.</li> </ul> </div> <div style="float: right; width: 230px;"> <b style="margin-bottom: 11px; font-size: 14px; display: block;">What guarantees do you have?</b> <div>Before payment, we can decrypt three files for free. The total file size should be less than 5MB (before archiving), and the files should not contain any important information (databases, backups, large tables, etc.)</div> </div> <div style="clear: both; float: none;"></div> </div> </div> </body> </html>

Targets

    • Target

      b1ac46470933de2096f95f35116dc3dd2a52b416150b75dc3d5e3ee4d521a09a

    • Size

      202KB

    • MD5

      5f43ead2fcf68ab420a0b563dd1b23f4

    • SHA1

      15b4dd41a806ce1c23164735f997f4b0b09f3db8

    • SHA256

      b1ac46470933de2096f95f35116dc3dd2a52b416150b75dc3d5e3ee4d521a09a

    • SHA512

      e3511218e4ff9b8db11d1124a5106b5e63d3aa18af1980744552b5b0fa172b9d3c0257b2b34f231addf057d04cbb8a4ec1709d1e1e1b8d3d651822b278863638

    • SSDEEP

      3072:NjnBqm4O2oVkkdIqWaFcdG/GYAuv9vX01FBdvuVOe5/XhVRXf4cVbMTjIlmR:9nBFRqqWe2Z3DisYP1v1Fl

    • Crylock

      Ransomware family, which is a new variant of Cryakl ransomware.

    • Crylock family

    • Renames multiple (8379) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks