ryuk | 8ab5e286c2970c225118f01223f4f0017b9b8565059f88b32024554203c771c6 | Triage

Sharing

General

Target

JaffaCakes118_8ab5e286c2970c225118f01223f4f0017b9b8565059f88b32024554203c771c6
Size

64KB
Sample

241226-2fhx6atlcn
MD5

609ec98c481fbb334de9f2f9566ff945
SHA1

fa9afbe6e5492a7fd398ffa6a3a41cc5765f2461
SHA256

8ab5e286c2970c225118f01223f4f0017b9b8565059f88b32024554203c771c6
SHA512

1a821dce36c919e638b2be6aff8cca2bcdfa24505c9c95e65973f5c8fe67e456fd97a04df11e3661487c61d0dee12dcfcadf6fadecdfa94d67fecc88840a2f44
SSDEEP

1536:QKbTJLgYXeTlpysoBBX/x8f8R4EmQS8hO13m/oSiOVfEXVx:xpLgYXepUsoBB/xOBEmMhOwF8P

Score

10^/10

ryuk defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327
- Size
  
  115KB
- MD5
  
  d736f4a3fc844b4a7e970b562fbeac85
- SHA1
  
  fdd13c9b9e6c0e07f1215780c4ab742627e57917
- SHA256
  
  b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327
- SHA512
  
  7ee0ba7a2df6cc294b9955279bbfbfe7f3e167dc208b7d9290ba67bb0c516b228d1b75c7eeebcdb9090b85e8267d239889c3ad12718a281978a1aa00ad8509fe
- SSDEEP
  
  1536:3xmseXNzlgZnb5hRfLkLBPYeP6df854o9At8fLKnYpPuQ0sWtmcd+WEspNmKiSxP:3q52hMWI6df84o6atWH+pImKiSxP
Score

10^/10

ryuk defense_evasion discovery execution impact persistence ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (7368) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Direct Volume Access

File and Directory Permissions Modification

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

ryukdefense_evasiondiscoveryexecutionimpactpersistenceransomware

behavioral2

ryukdefense_evasiondiscoveryexecutionimpactpersistenceransomware