dharma

General

Target

JaffaCakes118_553cddc453d29d25725907c77345e745208156f12fe544685cec2b8d0cbb4fe2
Size

69KB
Sample

241230-v4as5a1mem
MD5

febfe3f02ef2f6f032ed770c86a1fc16
SHA1

395d947aee780e1f8e1a5916ca8496ead738db41
SHA256

553cddc453d29d25725907c77345e745208156f12fe544685cec2b8d0cbb4fe2
SHA512

e354f8ca4bc8b5287c0f6013733497ccb83b14549606ca031eb7ebc6937c2468c77cf793cbed30beb00896424745adcaccbd588920ff1c3dbc1452048e553a9c
SSDEEP

1536:fzDai+ghUHUDjyb3ZAp7lENdUogtY965AtPnToY9GFr6psM7pYBWUHyZ8TQYO:/x+ghU0Xi32JlMvgt06aBs4GFr6h7iWL

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Targets

- Target
  
  1eca4383fb0c1d2e92b9a0ef1e939643a0fefdb37b4519e731030197c7091ff1
- Size
  
  92KB
- MD5
  
  627c54e435c997f228937d70fa4efabe
- SHA1
  
  de983ae81197370c1c0db019e47367ef0521163d
- SHA256
  
  1eca4383fb0c1d2e92b9a0ef1e939643a0fefdb37b4519e731030197c7091ff1
- SHA512
  
  c827d16c316ba46e5ed73018a73dc99c2e62a0c809aeb986027444a1d5d53e4c3fcb955152debc30bc69c82621eeb6ec454d6add17e5b2875cf3d25e325f0466
- SSDEEP
  
  1536:mBwl+KXpsqN5vlwWYyhY9S4AYCKkjEvPSFd3tsEodcSDR:Qw+asqN5aW/hLKFPUJc
Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (316) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1 behavioral2