ryuk | 42115345e6724d8aec1aad5d19ffd8a8aae03c504bee41334fccc3f168ac0662 | Triage

Sharing

General

Target

JaffaCakes118_42115345e6724d8aec1aad5d19ffd8a8aae03c504bee41334fccc3f168ac0662
Size

146KB
Sample

241226-2yrysatpht
MD5

fdb06e9e6c295e910342f70afe720c74
SHA1

5f24316922e2d3e0a0e086ac16b6cafeb929cd56
SHA256

42115345e6724d8aec1aad5d19ffd8a8aae03c504bee41334fccc3f168ac0662
SHA512

8ca8817fb29126d83127a330ff9d03d1e782c93e4e9c0188965f8b0123e152d879324046fee35a7948415ac239d9fa2648c2d007bd30df8d02fe686b82dc455e
SSDEEP

3072:CP2VjEyYPuGEhfUpu9khPzC7nqLUjkRKmEVK+It8U8hfNbysVGJZ:22VjEZuGofUpuX7iUjIC48hUJZ

Score

10^/10

ryuk credential_access defense_evasion discovery execution impact persistence ransomware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  rudZqlH.exe
- Size
  
  254KB
- MD5
  
  4540720d38ed99bceeb97161ca1ff401
- SHA1
  
  5714dfd839db561ebcb3cccfcb6f0e39ef644f7b
- SHA256
  
  4a87552c4238cdcf1b8611da467164e609da339ff897c50ad4d04aa105ec55bb
- SHA512
  
  2be902451da4262ed9899ecd570e12f31516f4d937909ee8e99f2c5dfcdbd7a218cc4eda494357678067ccc58a674944d08150248707a96e7d64ff01b83f0dbf
- SSDEEP
  
  3072:jrfwrgyViUc2LHCGwb4EVI3KwyuREPPg3Ubb5eW9OOH3F7ZHWAAf:vfgVNVbJ64EVKKXuREw33oHzuf
Score

10^/10

ryuk credential_access defense_evasion discovery execution impact persistence ransomware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (5245) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Direct Volume Access

File and Directory Permissions Modification

Indicator Removal

File Deletion

Modify Registry

Credential Access

Credentials from Password Stores

Windows Credential Manager

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

ryukcredential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarestealer

behavioral2

ryukcredential_accessdiscoverypersistenceransomwarestealer