crypvault

Sharing

General

Target

Batch_7.zip
Size

6.8MB
Sample

241122-d6bprstne1
MD5

77e8eab2073a789150dc3eefb0541f1c
SHA1

e2a21748a32116967087f421e91b1e4afbe38dc5
SHA256

17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd
SHA512

a9e462f5234ac18ef699243383ce3538ae0d1069cf900e5cfae132049a3b13bba783d61ac325348a1aaa2187095896864919916e8daf8c924bd22180974c0f1c
SSDEEP

196608:xu+epCgmrd0rEVf4ZxvoFApfzStfGGaPA:4+0mr+EOYApA

Score

10^/10

Malware Config

Extracted

Family

pony

http://hollandfintech.net/api/gate.php

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\360390_readme.txt

Ransom Note

ATTENTION: All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay 0.5 BTC (bitcoins). To do this: 1. Create Bitcoin wallet here: https://blockchain.info/wallet/new 2. Buy 0.5 BTC with cash, using search here: https://localbitcoins.com/buy_bitcoins 3. Send 0.5 BTC to this Bitcoin address: oJHR97yvh97wrjvwlkrcnqrp79w9rvqnrvj 4. Send any e-mail to: [email protected] After that you will recieve e-mail with detailed instructions how to restore your files. Remember: nobody can help you except us. It is useless to reinstall Windows, rename files, etc. Your files will be decrypted as quick as you make payment.

Emails

[email protected]

Extracted

Path

C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.html

Ransom Note

<html> <head> <meta content="text/html; charset=UTF-8" http-equiv="content-type"> <title>jaff decryptor system</title> </head> <body style="background-color: rgb(102, 204, 204); color: rgb(0, 0, 0);" alink="#ee0000" link="#0000ee" vlink="#551a8b"> <div style="position: absolute; top:0; text-align:center; width:100%" > <h1 style="font-family: System; color: rgb(102, 102, 102);"><big>jaff decryptor system</big></h1> </div> <style> .center { width: 1000px; padding: 10px; margin: auto; background: #fc0; } </style> <div style="position: absolute; top:15%; left: 30%;" > <p style="border: 3px solid rgb(255, 255, 10); padding: 10px; background-color: rgb(223, 213, 209); text-align: left;"><big><big>Files are encrypted!</big></big><br> <br> <big><big>To decrypt flies you need to obtain the private key.<br> The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet<br> <br> </big></big>❶<big><big> You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en<br> <br> </big></big>❷<big><big> After instalation, run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/<br> <br> Follow the instruction on the web-site.</big></big><br> </p> <br> <br> <center><h1><big>Your decrypt ID: 4269048812</big></h1></center> </div> </div> </body> </html>

URLs

http-equiv="content-type">

http://rktazuzi7hbln7sy.onion/<br>

Extracted

Path

C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.txt

Ransom Note

jaff decryptor system Files are encrypted! To decrypt flies you need to obtain the private key. The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en After instalation,run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/ Follow the instruction on the web-site. Your decrypt ID: 4269048812

URLs

http://rktazuzi7hbln7sy.onion/

Targets

- Target
  
  DUMP_00A10000-00A1D000.exe.ViR.exe
- Size
  
  52KB
- MD5
  
  6152709e741c4d5a5d793d35817b4c3d
- SHA1
  
  05ae9c76f8f85ad2247c06d26a88bbbcfff4d62e
- SHA256
  
  2c4c8066a1a7dfdf42c57ff4f9016f1ba05bcb004ff8b0ffc0989165d2ad30e2
- SHA512
  
  1e5ebd53ac942b0f06f759f936efebeeb9a74062647cd978d5112720f772f607b12ee20c02ab838104a7a947fef2fde79b0db944286d8daf2e6e6d16e10b9390
- SSDEEP
  
  768:UR/FcohAQFBY4JzKNkN3QZ0gGINlVOWcm:U1PhAQztJWNeCVOWc
Score

7^/10

discovery persistence upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
- Size
  
  176KB
- MD5
  
  b88fd69b53a6e4587d9e95a0c6061141
- SHA1
  
  728281eb2bde83701f379797f1b2e36765429543
- SHA256
  
  ebea4a46175b0e9c24e74b774f9ecfb036030f916ec5f2fced34fcb6c1f3ba57
- SHA512
  
  5105c000a7d0c2d68feb00e4f7de77b5afe58347b5d0c24f64346ec3bd8f684f1087ef8559c568f19ef47c301c7675cea0bf91d5551aeb38c89e23a114421aba
- SSDEEP
  
  3072:OCHM30xGHntNzuOIPEerSoKx1B2vUNc/H7BJ4gKraLKQ5oGqDQuRGBiY50pOwP:tMntdcKoWn2vzbvWm3ADQNwOo
Score

10^/10

discovery persistence upx
- Modifies WinLogon for persistence
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4
- Target
  
  Dumped_.exe
- Size
  
  72KB
- MD5
  
  afc0e1b3c683fcfb276f8e054d733945
- SHA1
  
  a1ef6e368f78bc147c2ee70449917f3929d669ed
- SHA256
  
  86a4ec02684bfd8a055929b0aa6f687bd54e80da0ed689be4e315adf76edbbcb
- SHA512
  
  68adc819478468c55e85d9cb476b94a363f7d90df1697cd1a1814180ca1dfb47cba4f584d6706330c7d7e2b1e26092c780345cb59bdf736daf4616f06fae7ce7
- SSDEEP
  
  768:0Nt2Lmmi8euodnS53h1O8jFQ3tuL7EAj+WTbibIKFQnjVPoxPaBF77tiU8r:nLZOQRM8Jg12+q7LnjVP0U
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral5 behavioral6
- Target
  
  EntrateSetup.exe
- Size
  
  261KB
- MD5
  
  cd6258b33207e85f20fec5f39d9ba09f
- SHA1
  
  fc132ed8922a767061abfd372dfb6f23bd8c0b62
- SHA256
  
  103bc884dce60ec680dd00bcd2d45721319b526b2f6ae7ebe75c73a5c977dafe
- SHA512
  
  2d0f5c0ee81b050fa99dc40fd5ea1864ae68f4d08a7610ea08f8c99e589d90d917a009ff25286d4351b133cf466a408e442c99a8b8cca99d81a81af8e4c6ab49
- SSDEEP
  
  6144:oxagl7jMOfUsQgatPpi9SQG7q94Al6HnIpOLoG7SYQ5SFZ:oxagRjM+JQ1Pp2y1Al6HesZ7Sl8Z
Score

9^/10

defense_evasion discovery evasion execution impact persistence ransomware trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  ErrorFileRemover.exe
- Size
  
  2.4MB
- MD5
  
  dbfbf254cfb84d991ac3860105d66fc6
- SHA1
  
  893110d8c8451565caa591ddfccf92869f96c242
- SHA256
  
  68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c
- SHA512
  
  5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d
- SSDEEP
  
  49152:6kAG2QGTC5xvMdgpdb1KRHGepUu2cGbqPs9+q2HRPTnFVSLE:6kAjQGTCnvMmpYQqPNRPTnF4Y
Score

10^/10

discovery persistence
- Modifies WinLogon for persistence
  persistence
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral10 behavioral9
- Target
  
  ExtraTools.exe
- Size
  
  280KB
- MD5
  
  0210d88f1a9c5a5a7eff5c44cf4f7fbc
- SHA1
  
  83bff855966cf72a2dd85acae7187caeab556abf
- SHA256
  
  06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f
- SHA512
  
  42445a8d1a3662e16ee1f5129b8792a47c8b17992940e1ba97a96c11d038d0d5088ca00719c6031e204adefbb18672c58113ac5de66b016a63e330b672fde132
- SSDEEP
  
  3072:il+Lkqpd5vh6+RDuUZbEl+Lkqpd5vlpcslRnXfFdRIVLdkVz1ZIGWSt8t81U3Uxu:Ppd5vhrDuUZxpd5vbXfNSLdkryGdY
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral11 behavioral12
- Target
  
  F45F47EDCED7FAC5A99C45AB4B8C2D54.exe
- Size
  
  86KB
- MD5
  
  f45f47edced7fac5a99c45ab4b8c2d54
- SHA1
  
  9060189dd95635c5f75d7f91c9bd345200e83028
- SHA256
  
  0529cdbc893fee664d3ac540b1e41e184797e0770808254058fc21de0a10b6c8
- SHA512
  
  ecf1ae299d0525f86b8c398d06b429164a10d6552caf08710567680ba670bc0c918bfff1807214b33a177202cbe8eeeeffa1396b91e697aed4da91fe81f523d3
- SSDEEP
  
  768:4H5GP9db20gWEF5mx1pOtIWoZzP5N1jydBWGwRYuKlYsVSsVSSVSENVSjYR:Uo760g95mRhZFrWBWvrs1/LNIYR
Score

10^/10

discovery evasion persistence upx
- Modifies WinLogon for persistence
  persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral13 behavioral14
- Target
  
  decrypt_0000000000000020-000A0000.exe
- Size
  
  611KB
- MD5
  
  c81f5b5e057b4a3c7eee9e4d1c4abd53
- SHA1
  
  949af2ac0176ae4bcc4c07a41e26094f8ed301aa
- SHA256
  
  94f36b586379137a58862ca46cd1cd6c01c20ea9f56755f7b193f0c97b7a57bd
- SHA512
  
  541892f2d23a1d3c3324e721764a62aed8191e4ff47ba681684aa251842337b8a8e78d72eee98c73d70bb917e19724ec9671259022b21faad324734fcf462a92
- SSDEEP
  
  12288:LSY9aHA9OWHFzHaqxSjxspvZhsKsh+M7:hiA9OWlz6qmx8hnsh+u
Score

6^/10

discovery persistence
- Adds Run key to start application
  persistence
behavioral15 behavioral16
- Target
  
  dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
- Size
  
  182KB
- MD5
  
  1105f1e5cd13fc30fde877432e27457d
- SHA1
  
  108f03f9c98c63506dd8b9f6581f37ae5c18de23
- SHA256
  
  dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d
- SHA512
  
  49e9e4b02f432b9cc8f36913ce275f1d13672be627119c183713b5d6fb9fe27fd2cea67421560a463aaa16db35feb15df7c45258e2d102b5f70edb02865d9373
- SSDEEP
  
  3072:nO2W3zwMGWxLNjglP4cdkYsxSehTr76bJnhL:O2izwWlFuPP2xSehX6Fx
Score

10^/10

crypvault pony collection credential_access defense_evasion discovery execution impact persistence ransomware rat spyware stealer
- CrypVault
  Ransomware family which makes encrypted files look like they have been quarantined by AV.
  ransomware crypvault
- Crypvault family
  crypvault
- Pony family
  pony
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Adds policy Run key to start application
  persistence
- Deletes itself
- Drops startup file
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  dircrypt.deobf.exe
- Size
  
  321KB
- MD5
  
  d224637a6b6e3001753d9922e749d00d
- SHA1
  
  bacb2313289e00a1933b7984dd1cbef01c8019ee
- SHA256
  
  9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263
- SHA512
  
  08eb7f64f852bbb3403d26a6cbcaa28a5747070b499464bed45b3578fd8ebb31ee97fc15f99a14fab9c01585ba5abeded3bd95aa80c73ce76c5af19bf587c4b0
- SSDEEP
  
  6144:rHpp6ZEmJSr/49JSpIGOGsX5HWY7ydvxHlcaAy0iWYOcG4BDhnxD28ixv7uDphY+:zuYQJUaGsX7/Qwgylf
Score

10^/10

discovery evasion persistence trojan upx
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral19 behavioral20
- Target
  
  dma locker 4.0.exe
- Size
  
  315KB
- MD5
  
  18ef6bc988d99b2ec1e91daec2619f72
- SHA1
  
  ddb7bce5fd44d1b3a1d38dfccb8d5b23ae5ed73b
- SHA256
  
  53a0dc85e447c58cb8d7c7e00381c8548878390c7a1443326625faa2b461ebe8
- SHA512
  
  02d30a6ac6a9fddc9fe542d19284e0398e1b6b329eff0c0d1410a5568cf87fb7b3c2e7d548c111b7e0fb41e4a5aee2d14678b3be11e11bd33c39477840d1ee6a
- SSDEEP
  
  3072:uon0fbxl3q7UWEj8FBqLXtCovWZ9crTb2aa1ppUPZCvW2Zg5JpdNCympz/CpUERj:1wl3eB6XtCMWZerWDvUhCvWl5NF
Score

9^/10

defense_evasion discovery execution impact persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral21 behavioral22
- Target
  
  downloader.js
- Size
  
  8KB
- MD5
  
  2fabecc77b10b39ff03f221f39f50c6c
- SHA1
  
  e66ab4015c360a0f0866ea840dbeb2ef4953c86d
- SHA256
  
  f6e2c1b42ce68165fd2cd8580daf47d594c4960fc8fb5cdbf1ec210e3ffae87f
- SHA512
  
  9c8bcaee59eaa6d9738caf9a61214e098438e5ecc352e8faaa7972625c3bce3f00eece4bd7b43587b09a5ef66c93778b42d0b39a7ef46aeca5d3f7da2a43384a
- SSDEEP
  
  192:E4/wMMuUYDKe5enZr2CU0eC+To2fOO0spxetRut64pB6BS:bMufcnZr2CU0etTaO7GtRut6UMQ
Score

10^/10

execution ransomware spyware stealer
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral23 behavioral24
- Target
  
  dump.mem.exe
- Size
  
  53KB
- MD5
  
  22c7f529c6da6da1d063daeeaea41d71
- SHA1
  
  e24872be78361eb23ab5797aff421a6c7561e235
- SHA256
  
  ea3745e02a69f4123e06115b3abeb8dc6930000ed97d8a55351641b76b4d5e1a
- SHA512
  
  d93e581d158bb7d23d42cca59704ae1c1a1ba3846833dc76bece113360b319381a97d8a50d3d9cf02ac0f710e763057699e95c1843c00a5971dc1feec42386ae
- SSDEEP
  
  384:v3Arp7pMcV+D7xMkycTUFkY7XnxO/hH+mbtv/f5E8mGfF2A/:vSpdkyF57XabtHf5EEdp
Score

6^/10

discovery persistence
- Adds Run key to start application
  persistence
behavioral25 behavioral26
- Target
  
  e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe
- Size
  
  89KB
- MD5
  
  276e5289101e0536abf03736217f9fbd
- SHA1
  
  2631f18ca5631d265c6e4ffc8eb1fcfbcf1c68bd
- SHA256
  
  e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32
- SHA512
  
  fa7f39599f9aa689f7944930704106a6c294715a9d0984cc0624aa666da87cdfc4315b865d07874674ba14cf91df43dd54f15fc4ed2f18c3acb9ed0a5119765a
- SSDEEP
  
  1536:Af/YvFSSZtDgN+DrDkDEFtClfF89lGL+v:m/Yv0SZtDgN+Dr+EcfF89ll
Score

10^/10

persistence discovery
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral27 behavioral28
- Target
  
  e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.exe
- Size
  
  54KB
- MD5
  
  4b24f2c99d93b86bd0d8a1445d976092
- SHA1
  
  6ea9246fd85cf2663ca6fc7e97b7bcd11d25551b
- SHA256
  
  e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad
- SHA512
  
  43c9bc692edbc5151518626008eb33e14b7d6b80ff9b457a0d0702ef2d5b86b33cab0df8a22005182a56aa6a4275458b5a0edb18af4aa759e60be75b88ac792a
- SSDEEP
  
  768:1YQW5/spNck0lUzPrU23Wsq91si1QGb6LNyF2kbWsiPfNa133CiMRKeFyZR:1YQW57kCUzbFqvyyFhl2gpyVcrR
Score

1^/10
behavioral29 behavioral30
- Target
  
  e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
- Size
  
  33KB
- MD5
  
  0d2c400c967b3df9f1c5e193e9ffe482
- SHA1
  
  2b09bd6fb74d067e107727a7494ddd33eba47338
- SHA256
  
  e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a
- SHA512
  
  55366092f2c6d036ac23b7832a59eabb78e31c9dec1a390fadc2173e3cbccf064ec657f0df7303769ed6769437c193c2d589f2760d82dda45b6b274e805f35b4
- SSDEEP
  
  384:XKrBEMQmrwynWHmetF/2zmb/yzU0JBECvQgdxyllliReMGm4hEEZGIG5YBg49YZT:FMpBWH3HdbOygUhobYBraZs2SM6Q
Score

10^/10

defense_evasion discovery ransomware spyware stealer
- Renames multiple (4015) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral31 behavioral32