General

  • Target

    JaffaCakes118_907503b17094e4849d3f2b17f132c745e4a39c4c1b55c08b3e1d381c70c381d2

  • Size

    140KB

  • Sample

    241222-wdm67svjhy

  • MD5

    872978ff81425a927ef0ca5b76b2eca7

  • SHA1

    80ad8318fbe49953a9650a4138ab85390d572a38

  • SHA256

    907503b17094e4849d3f2b17f132c745e4a39c4c1b55c08b3e1d381c70c381d2

  • SHA512

    c96d7a5c4bd2823808fb52517ac520d70b886626da40c62ca47082da22f57ec9f665289c60900cbb7023710751c9149143575dfb42033bafdd0ceb5069b05488

  • SSDEEP

    1536:+MsdrKPHfJ2mzwLh2vXQsD2f8ALUJ1QdBhJwU6Jaxdq7uoYWxqChtJB6+uRvmCHN:+MssP/N/uf8CjTlq3lXJcvTb9b

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'lRwc4TXe'; $torlink = 'http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion

Targets

    • Target

      7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe

    • Size

      273KB

    • MD5

      0eed6a270c65ab473f149b8b13c46c68

    • SHA1

      bffb380ef3952770464823d55d0f4dfa6ab0b8df

    • SHA256

      7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed

    • SHA512

      1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff

    • SSDEEP

      3072:n/YRw64GUbH9dpWYEFq5hY9e1Z36NS31gs03ApyCb6DnE/PdrfS6sOK5hI+z7XI:Qa6owYEFq5hY9aqNS1y4/PdzS+s64I

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Ryuk family

    • Renames multiple (8041) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks