Overview

overview

10

Static

static

3

Samet B_y_k_zk_k.exe

windows7-x64

10

Samet B_y_k_zk_k.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_3ef678ef77ee119b3fe2cf0650f31fb997edd7d15abc508e9738e554cd35e771

  • Size

    60KB

  • Sample

    241230-24j55awkez

  • MD5

    b8a70faa6039ec211f92d90f2c47c287

  • SHA1

    83c54f3d3c4335842a7c33df5625d3522e8bb763

  • SHA256

    3ef678ef77ee119b3fe2cf0650f31fb997edd7d15abc508e9738e554cd35e771

  • SHA512

    74f5b865bbb2c7546023ab9be48f5f5fb0b45e1bf51c3857315ca9b8bfbd1efa66551d7ea00cec0d320a1348b6280e1379098b15c357107a95e34470d3330633

  • SSDEEP

    1536:UuBGiL9vqznUYiiAoo4pmBQkxdueFJvsaz3QWdgY:jAiLxqrUjiA9OmPxdueFJWWdr

Score
10/10
ryukcredential_accessdiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'BVb1qR2'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Targets

    • Target

      Samet B_y_k_zk_k.bin

    • Size

      119KB

    • MD5

      c68395e474088d5339972e2bf5a30f3c

    • SHA1

      502e42240969399c09337ecc7b5ca8fc1ba4baf3

    • SHA256

      9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

    • SHA512

      5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

    • SSDEEP

      1536:j/t3fhrg5rw0lQa2+T37us7RidSkPq9IiJ/EXrAyPca7m94nqHBmQSsWZcdH2kB/:lG55XP0Vq9IiKXrxkKNqHBmEHNVKA

    Score
    10/10
    ryukcredential_accessdiscoveryransomwarestealerspyware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Ryuk family

      ryuk

    • Renames multiple (8062) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks