Overview

overview

10

Static

static

3

0aaecf7f77...91.exe

windows7-x64

10

0aaecf7f77...91.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_8b94e0c9693aa1bd89eb828a8b61fdf8ca2398b8e92dcf91d509cdb888285223

  • Size

    208KB

  • Sample

    241225-dzqkcawncz

  • MD5

    90d2d2bf064f059e6bfeecd25e5845e0

  • SHA1

    601a57d0955c71cec50a06795e2d50120c8cbcec

  • SHA256

    8b94e0c9693aa1bd89eb828a8b61fdf8ca2398b8e92dcf91d509cdb888285223

  • SHA512

    4e246b31e3d0fd9e0faf44df7c5023099640d11748cbbc8c4760ab16d5a78ec0769fe38bc7ce9845224fb9c10c382909cfcaad2215b8eea23704acfc71441b86

  • SSDEEP

    6144:HOKSoVSTQXuHRnU1BX4OxmxeaJSRtVFOopWNAVqjXNUB:uKSoVSTvqJxGeMogN28OB

Score
10/10
ryukcredential_accessdiscoveryransomwarestealer

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'J5U8YdUCr'; $torlink = 'http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion

Targets

    • Target

      0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

    • Size

      468KB

    • MD5

      9296a9b81bfe119bd786a6f5a8ad43ad

    • SHA1

      581cf7c453358cd94ceed70088470c32a7307c8e

    • SHA256

      0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

    • SHA512

      64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

    • SSDEEP

      6144:TDsDjEwQj9kQGxBOfJWgqimbqMS4oXVqhTA4G2PGYWAl/uSp:cDEj9kQG6JNfmMJqWDIl//p

    Score
    10/10
    ryukcredential_accessdiscoveryransomwarestealer

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Ryuk family

      ryuk

    • Renames multiple (8057) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks