buran

General

Target

de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118
Size

406KB
Sample

241210-1aspqsvlfm
MD5

de904e0d5b71c0c3d99430b61d40aae2
SHA1

5e1add3f70404f2110c389674e481484365eead4
SHA256

43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b
SHA512

25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0
SSDEEP

6144:Zmr7jJUEMBNUNwxJ6m16i6d+W+u7Qn7prLtSacoTccdk+Hy:ZyfJcLUNMu7Qn7prLQQTccrS

Score

10^/10

Malware Config

Extracted

Path

C:\PerfLogs\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 957-AC5-69F Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Targets

- Target
  
  de904e0d5b71c0c3d99430b61d40aae2_JaffaCakes118
- Size
  
  406KB
- MD5
  
  de904e0d5b71c0c3d99430b61d40aae2
- SHA1
  
  5e1add3f70404f2110c389674e481484365eead4
- SHA256
  
  43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b
- SHA512
  
  25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0
- SSDEEP
  
  6144:Zmr7jJUEMBNUNwxJ6m16i6d+W+u7Qn7prLtSacoTccdk+Hy:ZyfJcLUNMu7Qn7prLQQTccrS
Score

10^/10

zeppelin discovery persistence ransomware buran defense_evasion execution impact
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
  ransomware buran
- Buran family
  buran
- Detects Zeppelin payload
- Zeppelin Ransomware
  Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
  ransomware zeppelin
- Zeppelin family
  zeppelin
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (6073) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2