chaos

General

Target

Yashma-Ransomware-main.zip
Size

155KB
Sample

241204-bkz45ayrhl
MD5

e8403a7184c407130f2a1cd05c32919c
SHA1

0be3aeca29120efadbc37c4e9ce074fd530c06e5
SHA256

4cea74d80b0fed024d554aec6391dd7a4cc41abc44584b7b4617785d4842a1b0
SHA512

0f6b96ecc2318df177b9a4335f718261a48cf577574cb80b217ba2dff300b5a61da75f40264f4f95f4432c0eda8da5e0cdb68c2c22bbf7eaede58af923bd8776
SSDEEP

3072:IfUjZjB+4cQl18ClRkpf8b4yZWox0fbYgJVlSlcDZwngAgBVKu76LIw2/RbLpwLe:IKjBx1exoGbYOFBW+xLpaC7D8YRseByO

Score

10^/10

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\read_it.txt

Ransom Note

Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt it for free. You must follow these steps To decrypt your files : 1) Write on our e-mail :[email protected] ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: [email protected]) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Emails

[email protected]

Targets

- Target
  
  Yashma-Ransomware-main.zip
- Size
  
  155KB
- MD5
  
  e8403a7184c407130f2a1cd05c32919c
- SHA1
  
  0be3aeca29120efadbc37c4e9ce074fd530c06e5
- SHA256
  
  4cea74d80b0fed024d554aec6391dd7a4cc41abc44584b7b4617785d4842a1b0
- SHA512
  
  0f6b96ecc2318df177b9a4335f718261a48cf577574cb80b217ba2dff300b5a61da75f40264f4f95f4432c0eda8da5e0cdb68c2c22bbf7eaede58af923bd8776
- SSDEEP
  
  3072:IfUjZjB+4cQl18ClRkpf8b4yZWox0fbYgJVlSlcDZwngAgBVKu76LIw2/RbLpwLe:IKjBx1exoGbYOFBW+xLpaC7D8YRseByO
Score

10^/10

chaos adware defense_evasion discovery evasion execution persistence privilege_escalation ransomware spyware stealer trojan
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Chaos family
  chaos
- Renames multiple (250) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral1