Overview

overview

10

Static

static

1

a2686bc365...1e5.js

windows7-x64

10

a2686bc365...1e5.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a2686bc365897b29d0246666c89d2e9cc6002d8a604631c21cd8ffbc160d71e5.js

  • Size

    15KB

  • Sample

    241121-jaepfazley

  • MD5

    d6f08791f0df06ddfe6e846d536a887f

  • SHA1

    cde039518a07cb2ea65c4f2e984d19702cf84555

  • SHA256

    a2686bc365897b29d0246666c89d2e9cc6002d8a604631c21cd8ffbc160d71e5

  • SHA512

    66820099e493ebf7974d38cb7d78b1018cf7706ee12c278c1b86bec8bf6321b937cbfc91f35a5a82c5fb85564ce018e74ba00de4f6bb6eb9b2da71e0e0ecfc57

  • SSDEEP

    384:XM49Wq5HlWaDIFieYws+9VgPxo+Kd9Mvv2iN05N5fXmfAvT3Q9FwhagFx2Vv6dUZ:XD9WsH0a8Finws+9VgPxo+Kd9MvvjN0u

Score
10/10
defense_evasionexecutionpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\a.txt

Ransom Note
ATTENTION! All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay 0.44780 BTC (bitcoins). Please follow this manual: 1. Create Bitcoin wallet here: https://blockchain.info/wallet/new 2. Buy 0.44780 BTC with cash, using search here: https://localbitcoins.com/buy_bitcoins 3. Send 0.44780 BTC to this Bitcoin address: 1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN 4. Open one of the following links in your browser to download decryptor: http://xn--80adi0bdhdbmg.xn--p1ai/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN http://jpnovo.ru/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN http://lacampagnetropicana.com/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN http://cestasgabrasil.com.br/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN http://radostdetym.ru/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN 5. Run decryptor to restore your files. PLEASE REMEMBER: - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES. - Nobody can help you except us. - It`s useless to reinstall Windows, update antivirus software, etc. - Your files can be decrypted only after you make payment. - You can find this manual on your desktop (DECRYPT.txt).
Wallets

1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

URLs

http://xn--80adi0bdhdbmg.xn--p1ai/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

http://jpnovo.ru/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

http://lacampagnetropicana.com/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

http://cestasgabrasil.com.br/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

http://radostdetym.ru/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

Targets

    • Target

      a2686bc365897b29d0246666c89d2e9cc6002d8a604631c21cd8ffbc160d71e5.js

    • Size

      15KB

    • MD5

      d6f08791f0df06ddfe6e846d536a887f

    • SHA1

      cde039518a07cb2ea65c4f2e984d19702cf84555

    • SHA256

      a2686bc365897b29d0246666c89d2e9cc6002d8a604631c21cd8ffbc160d71e5

    • SHA512

      66820099e493ebf7974d38cb7d78b1018cf7706ee12c278c1b86bec8bf6321b937cbfc91f35a5a82c5fb85564ce018e74ba00de4f6bb6eb9b2da71e0e0ecfc57

    • SSDEEP

      384:XM49Wq5HlWaDIFieYws+9VgPxo+Kd9Mvv2iN05N5fXmfAvT3Q9FwhagFx2Vv6dUZ:XD9WsH0a8Finws+9VgPxo+Kd9MvvjN0u

    Score
    10/10
    defense_evasionexecutionpersistenceransomware

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks