General
-
Target
http://bing.com
-
Sample
241215-xh3m5asrd1
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML
Ransom Note
<html>
<head>
<style>
body{
background-color: #3366CC;
}
h1 {
background-color: RGB(249, 201, 16);
}
p {
background-color: maroon;
color: white;
}
</style>
</head>
<body>
<center>
<h1><b> Attention ! All your files </b> have been encrypted. </h1></br>
<p>
Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br>
That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br>
Getting a decryption of your files is - SIMPLY task.</br></br>
That all what you need:</br>
1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br>
2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br>
3. Pay our services. </br>
4. GET software with passwords for decrypt you files.</br>
5. Make measures to prevent this type situations again.</br></br>
IMPORTANT(1)</br>
Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br>
IMPORTANT(2) </br>
We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption.
</p>
<p> Your ID_KEY: <br>
</p>
<table width="1024" border="0">
<tbody>
<tr>
<td><p>SDHhXJsfSrQ+MBWGGngKTSyj+naGLCvNQ+kKsJTnquSS9hhBZT0fXAhgZzcKMBra0iWMORZ3wpVbyj890r6LHM/yRUaxIyTLbYmzxuku/nZ+ikcT7RZEZWudxLuSOuzBrhm9lSf6Fs5N29SmtXyTtueUg3QWWv5jb/Vi1TakqID2I00Y9IqscQgYw4H+eI0W431pWhWuQMBuk81nR0lyLXJPty5r+lIzRPW2Cvd6a7169Bh5COCcehno8Ei3QJ1sw4P38K0dveEdBy2XMX/ERUUPZJ8i1A+VdO/+k2bKT+5o77mK53+THdpVVzWp9DldZp521wJVu0Dd30yisVXfjQ==ZW4tVVM=</p></td>
</tr>
</tbody>
</table>
</center></html></body>
Extracted
Path
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML
Ransom Note
<html>
<head>
<style>
body{
background-color: #3366CC;
}
h1 {
background-color: RGB(249, 201, 16);
}
p {
background-color: maroon;
color: white;
}
</style>
</head>
<body>
<center>
<h1><b> Attention ! All your files </b> have been encrypted. </h1></br>
<p>
Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br>
That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br>
Getting a decryption of your files is - SIMPLY task.</br></br>
That all what you need:</br>
1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br>
2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br>
3. Pay our services. </br>
4. GET software with passwords for decrypt you files.</br>
5. Make measures to prevent this type situations again.</br></br>
IMPORTANT(1)</br>
Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br>
IMPORTANT(2) </br>
We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption.
</p>
<p> Your ID_KEY: <br>
</p>
<table width="1024" border="0">
<tbody>
<tr>
<td><p>TuLnvoF+NSh7squL/v6oc3qreVtwb/Rm9yoxhb91QcizV6OLtj0/Cciy6DxwqsAEvEMC3vbhi1Hraggi8/ZCZ0I04xqR0d/nDUf7sjZg1kzXOktw4WxAZ56UgLYLkyTuvLTHQiTVQec5xNvE30HAo0PovdTsPxVqVUa0W4ztLogSZx+6xU+f0OEcbRM4b/wm9Pnw88c/uBOWst62yEEy1e03iANay4mOSGcDQCIPRQ4rh7+AeomZSBvRW6fteW1jKTZvBa8xedC+OPP9Rduo2/4WESmTThtE0A3dMlNhc00OtV8XciwGOHkH1hY9fRgnTWzMvFHkEPqBVi4Rb3bm8g==ZW4tVVM=</p></td>
</tr>
</tbody>
</table>
</center></html></body>
Extracted
Path
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML
Ransom Note
<html>
<head>
<style>
body{
background-color: #3366CC;
}
h1 {
background-color: RGB(249, 201, 16);
}
p {
background-color: maroon;
color: white;
}
</style>
</head>
<body>
<center>
<h1><b> Attention ! All your files </b> have been encrypted. </h1></br>
<p>
Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br>
That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br>
Getting a decryption of your files is - SIMPLY task.</br></br>
That all what you need:</br>
1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br>
2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br>
3. Pay our services. </br>
4. GET software with passwords for decrypt you files.</br>
5. Make measures to prevent this type situations again.</br></br>
IMPORTANT(1)</br>
Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br>
IMPORTANT(2) </br>
We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption.
</p>
<p> Your ID_KEY: <br>
</p>
<table width="1024" border="0">
<tbody>
<tr>
<td><p>gLrKE5IshbZnMIvG5xpVWrWPrKO1nim1Hh+V9pwbFQ1F+SEPaHuk5jvAto+b+JtJkj/hAFqEHyh2KXuCQS7j5qb0tYZO/eLr97sJ4m1GLof4uC7ug8Gyu00dobi34xca1HowcGRPIS89Heo1S5KaVfytT/gvG0a9AdAIs0xkkofwmwL04FFBxgZYIoLdykwJCHIgO/mPFgtIpe5tsZM6hyxkPxk6PJgg5xCsLIHANgnDqL3y3cR3uDmJg1ia/q36bPFiaUCYuA4hpYwpEW42ZbR9fxF5pKyKbSgUAfUz2Qgm90XrcvDfNIFubq4JUJM9Pw1q638cqpb7DqZCfSL4MA==ZW4tVVM=</p></td>
</tr>
</tbody>
</table>
</center></html></body>
Targets
-
-
Target
http://bing.com
Score10/10-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
Floxif family
-
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Detects Floxif payload
-
Renames multiple (152) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
2File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1