General

  • Target

    JaffaCakes118_2b23e704cfd8d62a359ef0325bfd4aaef5249cf6567ab8eceb88395978e3291a

  • Size

    380KB

  • Sample

    241226-x9klmawpgl

  • MD5

    f1edd6e9079c428701bf1ff2c2a91ecf

  • SHA1

    cd3074ba1cc1ee426b631e2b9dc6ff14a66048d7

  • SHA256

    2b23e704cfd8d62a359ef0325bfd4aaef5249cf6567ab8eceb88395978e3291a

  • SHA512

    98fa7540e165557158497ad1e9e955dd4c026b156eb27d62b82c261d65f924e30b5a691fb9847a5f97550b45a20710a3491ddbeb42084e4fb81dea5a3b4f2dca

  • SSDEEP

    6144:ujI+19QNyNYFgVzTvYte0Mnbpy3DqwE1yM9MiJ+/pTAO4NM1wtsCWDEfW5tG:2P1CsNsgpTkxoqi1yqJiD4NM1lDEfSG

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'DQlMnNo'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Targets

    • Target

      e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

    • Size

      836KB

    • MD5

      c5cd1f0fe551a0ce5678a7c9d86e6450

    • SHA1

      f584c89c1539520f280efd9bcd4cb3da37588979

    • SHA256

      e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

    • SHA512

      40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

    • SSDEEP

      12288:9usRYNsWq1PfXPV/aA5hqOzpT3OKuvE2F8C+lBE7RDb5Xr4Cgi/:fxV/aoEOzpx8ZNXUCgi/

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Ryuk family

    • Renames multiple (7819) files with added filename extension

      This suggests ransomware activity, i.e. encrypting all files on the system and appending an extension to each.

    • Dave packer

      Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks