ryuk

General

Target

JaffaCakes118_8ab6ffe813edc1e7e54486294ecdeeeadd2bf4ac3114eaae17e5c8a02eb0ee9d
Size

66KB
Sample

241222-d4f7gaskdp
MD5

3a1b20ddfe25786b7d184422df213d22
SHA1

4159d0d10773820f864e51269196f4696543812b
SHA256

8ab6ffe813edc1e7e54486294ecdeeeadd2bf4ac3114eaae17e5c8a02eb0ee9d
SHA512

16c9a8825773d2f587d78ee49264356aa4a4538d6b5f7222bef0c820231af851cb256efde6af42605d1e32b5fbc50a79f884920d63b2f8700f346356b8e91993
SSDEEP

1536:ZiFQbal+2Ce+qZboDrrQVI34FSaGk4xKGqSEThNH4c82cYZ:ZlbalWdrU8QpGk43ETMI

Score

10^/10

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'kfXg4XYqb'; $torlink = 'http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion

Targets

- Target
  
  a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2
- Size
  
  124KB
- MD5
  
  45e3bef94fdefd78f8e6bcedd5f43715
- SHA1
  
  b875676f6eaf9fd3d9105303015b6d60e7c919a8
- SHA256
  
  a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2
- SHA512
  
  15f90b3be77324ca0e7cd1d487fc5b971782facb528c88e55bb63c30d76106fd941a30bbedd07755089b6d55a2852e82c896ff0f7c0a188b59b20c4ee6543e17
- SSDEEP
  
  1536:m9p0vgrhngEP67ZbY5aTKDveKCBMcVjNKHwsmUXXUAzbcaBXU4fqhBmQSsWZcdHB:siEP+HckDKHwsvnUIAwrqhBmEHX/pM
Score

10^/10

ryuk credential_access discovery ransomware stealer spyware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Renames multiple (5074) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral1 behavioral2