dharma

General

Target

JaffaCakes118_2b6723dd11216843dcbcd4de7b2e5bbbf93e2dc5fa4f950529f0ae43a5dfefa4
Size

154KB
Sample

241222-z57lpsyres
MD5

a39950692342101bf348b6ef27fcaeeb
SHA1

ae7a19ff3c7dc5a89b2267a798499717e173c0f9
SHA256

2b6723dd11216843dcbcd4de7b2e5bbbf93e2dc5fa4f950529f0ae43a5dfefa4
SHA512

927a5cb65984faae5c9a621b712bd3332e3ccd2a7001b0099f4834a9637ceff830f68e806d1a2231a83ba9fcdcd0c0879279d9792433f0ffb01fb465b8c89a0a
SSDEEP

3072:V727bd70WV6s9Fj2EqodVuLQISMGSG/CuyXA6TCz7KjzMm5n92+zimoj:V7SeIvJdcUISMGSruyX3+6jzMmpo+z/0

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours,Tox - 1123AA3360A5AFB77D928C4CD99E9EF66EF28FCEEE1F840B93456FD9CE562B7F92204B0D8904 please download - https://tox.chat/download.html or http://pexdatax.com/ write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

URLs

https://tox.chat/download.html

http://pexdatax.com/

Targets

- Target
  
  dmx99.exe
- Size
  
  328KB
- MD5
  
  41b19130b8a7ad8fe5b12643301772c2
- SHA1
  
  d77f20dd52ae752f010a541fb41e693435d7fed1
- SHA256
  
  37ccd85431c6ccba425d7c06de22fe00b391847445fe495484c2c68e33daf613
- SHA512
  
  a87e696d38f865d15d4875d107462f8e5d84a47af1893d42510af2a39c7363de09b6f1037e883d4bb91a47985b5bf9238b0a2abd83462177b5f2d3360be1421b
- SSDEEP
  
  3072:a/LWhbmkRhs5+mmImS8Nk8PsjM57FV4KjIbzGfYaVepkrFBVKplOrxhaic7o:aM1dIo8jM5AKjIfO5RfKSzwo
Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (309) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1 behavioral2