General

  • Target

    JaffaCakes118_fbb346ad0acdc9e1926d5326f5738be955818e4ec19217e0de357ba3930731ed

  • Size

    182KB

  • Sample

    241224-dlg12s1jdp

  • MD5

    e1ecd73648bbd289139e6b18e0e5b3a9

  • SHA1

    a580daf892dfe73be5657913b3c51710c4edad86

  • SHA256

    fbb346ad0acdc9e1926d5326f5738be955818e4ec19217e0de357ba3930731ed

  • SHA512

    c99b653a6dbe66de9e44c0b5db963a397a61008ffb676e9a37953699f36c148c132842fce925295ec2532e4015878f3d87d479fd30fa38039d95456f03d22651

  • SSDEEP

    3072:+9/PBOZzEdyhBrq4hsIfjTUdZyADcj8w2PnmAjD1kOiXCbZ350pmeLH3t:C3BOZzEdIBO4JfXUdkr8OAf1kOiyVJed

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'rikzcUO'; $torlink = 'http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion
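
The victim password and .onion portal above are the two values an analyst pulls out of every RyukReadMe note to tie a victim to an operator campaign. Added example, not part of this report and not any sandbox's own extractor: a Python parser that reads the two JavaScript assignments from the note text shown above and sanity-checks the onion address (a v3 onion service name is 56 base32 characters and always ends in 'd', because its last five bits encode the version byte 0x03). The note string embedded in the code is copied from the Malware Config section; the function, class and pattern names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Ransom note content exactly as reported in the Malware Config section
# (extracted from C:\users\Public\RyukReadMe.html). It is data from the
# sample; nothing here contacts the address it contains.
RYUK_NOTE = (
    "contact balance of shadow universe Ryuk $password = 'rikzcUO'; "
    "$torlink = 'http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion'; "
    'function info(){alert("INSTRUCTION:\\r\\n1. Download tor browser.\\r\\n'
    '2. Open link through tor browser: " + $torlink + "\\r\\n3. Fill the form, '
    'your password: "+ $password +"\\r\\nWe will contact you shortly.\\r\\n'
    'Always send files for test decryption.");};'
)

# The note stores its operator-specific values in two JavaScript variables.
# These patterns tolerate either quote style and arbitrary whitespace.
_PASSWORD_RE = re.compile(r"\$password\s*=\s*['\"]([^'\"]+)['\"]")
_TORLINK_RE = re.compile(r"\$torlink\s*=\s*['\"](https?://[a-z2-7]+\.onion[^'\"]*)['\"]")
# v3 onion names are 56 base32 chars, v2 names were 16. Anything else is not
# an onion address and most likely a mis-extracted field.
_ONION_HOST_RE = re.compile(r"^https?://([a-z2-7]{56}|[a-z2-7]{16})\.onion")


@dataclass(frozen=True)
class RyukConfig:  # hypothetical container, named for this example
    password: str
    tor_link: str
    onion_version: int  # 3 for 56-char names, 2 for 16-char names


def extract_ryuk_config(note: str) -> Optional[RyukConfig]:
    """Return the victim password and .onion portal from a RyukReadMe note,
    or None if either field is missing or the link is not a valid onion URL
    (e.g. a truncated note, or a different family's note)."""
    pw = _PASSWORD_RE.search(note)
    link = _TORLINK_RE.search(note)
    if not pw or not link:
        return None
    host = _ONION_HOST_RE.match(link.group(1))
    if not host:
        return None
    name = host.group(1)
    if len(name) == 56:
        if not name.endswith("d"):
            return None  # every v3 onion name ends in 'd'; anything else is corrupt
        version = 3
    else:
        version = 2
    return RyukConfig(password=pw.group(1), tor_link=link.group(1), onion_version=version)


if __name__ == "__main__":
    cfg = extract_ryuk_config(RYUK_NOTE)
    print(cfg)
```

The extracted pair (password, onion host) is what you would pivot on across other samples: the onion host identifies the operator's victim portal, while the password is per-victim and distinguishes one deployment from another.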

Targets

    • Target

      b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6

    • Size

      322KB

    • MD5

      d5793b66a9a31f2ebfea5f9804d77dab

    • SHA1

      4f98055913500597daba98d6fd6321d007a4c271

    • SHA256

      b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6

    • SHA512

      06dd7deaee850fe4fc48bb8e1f5fd7b7f152ec922318953a4ef61b18ba1f5e60785dbb3b6d14d87b4e61613bfdee2d23a6043213411d2b788a6736286db9170a

    • SSDEEP

      6144:o+C8oeP7aBFjcGv0deUkE0vNz1tVCF7OfmoQc:o+FP7k9cGckU/0v1rVoc

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Ryuk family

    • Renames multiple (4778) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and given a new extension.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Drops desktop.ini file(s)
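
The rename count reported above (thousands of files given an added extension by one process) is the behaviour a host-side detection would key on. Added example, not code from this report or from the sandbox that produced it: a Python sliding-window detector over file-rename events that flags a process appending the same extension to many files in a short time, while ignoring ordinary renames such as an Office temp-file save or log rotation. The event records and the trace are constructed; the threshold of 100 renames in 60 seconds, PID 4242 and the `.RYK` extension (the extension commonly reported for Ryuk; the report above does not name the one this sample used) are assumptions for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Deque, Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class RenameEvent:  # constructed record shape standing in for an EDR/sandbox feed
    ts: float   # seconds since start of trace
    pid: int
    src: str
    dst: str


def appended_extension(src: str, dst: str) -> Optional[str]:
    """Return the suffix appended to src to produce dst (e.g. '.RYK'), or None
    if dst is not 'src plus one more suffix' in the same directory."""
    s, d = PureWindowsPath(src), PureWindowsPath(dst)
    if s.parent != d.parent or not d.name.startswith(s.name + "."):
        return None
    return d.name[len(s.name):]


def find_mass_rename(events: Iterable[RenameEvent], threshold: int = 100,
                     window: float = 60.0) -> Dict[Tuple[int, str], int]:
    """Flag (pid, extension) pairs that append the same extension to at least
    `threshold` files within any `window` seconds. Returns a dict mapping the
    pair to the rename count at the moment it first crossed the threshold."""
    buckets: Dict[Tuple[int, str], Deque[float]] = defaultdict(deque)
    hits: Dict[Tuple[int, str], int] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        ext = appended_extension(ev.src, ev.dst)
        if ext is None:
            continue
        key = (ev.pid, ext.lower())
        q = buckets[key]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop renames older than the window
            q.popleft()
        if len(q) >= threshold and key not in hits:
            hits[key] = len(q)
    return hits


def constructed_trace() -> list:
    """Constructed rename events: two kinds of benign activity plus one burst."""
    evs = [
        # Office-style save: temp file renamed to the final name (no appended suffix)
        RenameEvent(0.5, 1180, r"C:\Users\bob\Documents\~WRD0001.tmp",
                    r"C:\Users\bob\Documents\report.docx"),
        # log rotation: appends ".1", but only to a couple of files
        RenameEvent(1.0, 900, r"C:\ProgramData\app\app.log", r"C:\ProgramData\app\app.log.1"),
        RenameEvent(1.1, 900, r"C:\ProgramData\app\audit.log", r"C:\ProgramData\app\audit.log.1"),
    ]
    # encryption burst: one process appends the same extension to 150 files in 3 seconds
    for i in range(150):
        src = rf"C:\Users\bob\Documents\file{i:04d}.xlsx"
        evs.append(RenameEvent(10.0 + i * 0.02, 4242, src, src + ".RYK"))
    return evs


if __name__ == "__main__":
    for (pid, ext), n in find_mass_rename(constructed_trace()).items():
        print(f"pid {pid} appended {ext} to {n} files within the window")
```

Keying the window on (pid, extension) rather than on pid alone keeps a backup agent that appends varying suffixes from tripping the rule, and the per-key deque means memory is bounded by the window rather than by the trace length.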

MITRE ATT&CK Enterprise v15

Tasks