General

  • Target

    JaffaCakes118_55168b7e9ea6dfc4ae43b2c51ab94a082720a3164973b21d5396ddaf6b4e69e4

  • Size

    203KB

  • Sample

    241225-t2f2paynek

  • MD5

    b27c745bf042c207af0ca3e6565239db

  • SHA1

    0822839416f3cd39febe833ce57f9ba3ff47027b

  • SHA256

    55168b7e9ea6dfc4ae43b2c51ab94a082720a3164973b21d5396ddaf6b4e69e4

  • SHA512

    8cdd86bc8d3631c01a2aa666f5419e45df5b0dd16f20c104063dc2f0ea94adfff4d06e8893e6aadcb66cddb6af87a284e9caa793825d89243c3d35babbb1ca1f

  • SSDEEP

    3072:M6kogN6PEISFunVWN3kbyg19V3UAOv5Ji:M/2EISFUk6m1Pi

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Targets

    • Target

      sample

    • Size

      203KB

    • MD5

      3771b5d22f16f77407b4a1b1aa17b489

    • SHA1

      0849b2d413a7909f98f63ea293491b47744740bc

    • SHA256

      7a4fd80543cb92d3636bf1f5588b25ffcabe0dc3ec5051600316522c864627a3

    • SHA512

      c1c4c02b96e145db7d735b187c64a500d553dac70905e3ea930831f4f9536a2132ad97487cdb279316b7f858f3e86d288fa796bdbf23a24a49e664ea4372fa75

    • SSDEEP

      3072:l6kogN6PEISFYnVWN3kbyy19V3UoOvhK:l/2EISFWk6m/c

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Ryuk family

    • Renames multiple (2583) files with added filename extension

      This suggests ransomware activity: the sample is encrypting files across the system and appending a new extension to each.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Drops desktop.ini file(s)
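The two signatures above (mass renames that append an extension, and the RyukReadMe.txt drop) are the behaviour a detection engineer would want to reproduce from file-system telemetry. The script below is an added example, not part of the sandbox report or of any vendor's detection logic: it groups rename/create events per process, counts renames where the original name is preserved and an extension is appended (as opposed to an extension being replaced), and correlates that with a ransom-note creation. The event data is constructed, and the ".ryk" extension, the process IDs and the `RENAME_THRESHOLD` value are assumptions for illustration, not values taken from the report.

```python
# Added example (not from the sandbox report): a heuristic that reproduces the
# "renames multiple files with added filename extension" signature over file
# events and correlates it with a ransom-note drop such as RyukReadMe.txt.
# All event data below is constructed; the ".ryk" extension, PIDs and the
# threshold are assumptions for illustration, not values from the report.
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional

# RyukReadMe.txt is the note name from the report; matching is case-insensitive.
RANSOM_NOTE_NAMES = {"ryukreadme.txt"}
# Hypothetical threshold: extension-appending renames by one process before
# we alert even when no ransom note has been observed.
RENAME_THRESHOLD = 50


@dataclass
class FileEvent:
    pid: int
    op: str             # "rename" or "create"
    path: str           # source path (rename) or created path (create)
    new_path: str = ""  # destination path for renames


@dataclass
class ProcState:
    appended: Counter = field(default_factory=Counter)  # extension -> count
    dirs: set = field(default_factory=set)              # directories touched
    notes: list = field(default_factory=list)           # ransom notes created


def appended_extension(old: str, new: str) -> Optional[str]:
    """Return the extension appended to `old` to form `new`, else None.

    "a\\b.docx" -> "a\\b.docx.ryk" counts; "a\\b.tmp" -> "a\\b.exe" does not,
    because the original name is not preserved as a prefix of the new one.
    """
    if len(new) <= len(old) or new[: len(old)].lower() != old.lower():
        return None
    suffix = new[len(old):]
    if re.fullmatch(r"\.[A-Za-z0-9_-]{1,16}", suffix):
        return suffix.lower()
    return None


def analyze(events):
    """Group events per PID and return findings for ransomware-like behaviour."""
    state = defaultdict(ProcState)
    for ev in events:
        st = state[ev.pid]
        if ev.op == "rename":
            ext = appended_extension(ev.path, ev.new_path)
            if ext is not None:
                st.appended[ext] += 1
                st.dirs.add(ev.path.rsplit("\\", 1)[0])
        elif ev.op == "create":
            if ev.path.rsplit("\\", 1)[-1].lower() in RANSOM_NOTE_NAMES:
                st.notes.append(ev.path)

    findings = []
    for pid, st in state.items():
        total = sum(st.appended.values())
        # A ransom note plus any appending rename is enough; otherwise rely on volume.
        if total >= RENAME_THRESHOLD or (total > 0 and st.notes):
            ext, _ = st.appended.most_common(1)[0]
            findings.append({
                "pid": pid,
                "renamed": total,
                "dominant_ext": ext,
                "dirs": len(st.dirs),
                "ransom_notes": list(st.notes),
            })
    return findings


def constructed_events():
    """Constructed sample: PID 4120 mimics the report; PID 800 is benign."""
    events = []
    for i in range(60):
        d = f"C:\\Users\\Admin\\Documents\\proj{i % 5}"
        events.append(FileEvent(4120, "rename", f"{d}\\file{i}.docx", f"{d}\\file{i}.docx.ryk"))
    events.append(FileEvent(4120, "create",
                            "C:\\Users\\Admin\\AppData\\Local\\Adobe\\Acrobat\\9.0\\RyukReadMe.txt"))
    # Benign: an installer replacing extensions rather than appending them.
    for i in range(3):
        events.append(FileEvent(800, "rename", f"C:\\Temp\\dl{i}.tmp", f"C:\\Temp\\dl{i}.exe"))
    return events


if __name__ == "__main__":
    for finding in analyze(constructed_events()):
        print(finding)
```

The prefix check in `appended_extension` is what separates this from a generic "many renames" rule: the signature as reported is specifically about an extension being added, so a build tool rewriting `.tmp` to `.exe` in bulk does not trip it. The ransom-note correlation lowers the volume needed to alert, which matters because the note is often written to a directory before the bulk of the encryption in that directory completes.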

MITRE ATT&CK Enterprise v15

Tasks