General
-
Target
JaffaCakes118_cf91382d70dfe360421aa242aff2ac21732e4a55d8aa555cf06be63a0dae2e76
-
Size
204KB
-
Sample
241230-x933zavpdl
-
MD5
21e3d465603c69b3a404bd2457676f54
-
SHA1
86c6adbb027bcb47fc0e422d3df2500a69ac3f80
-
SHA256
cf91382d70dfe360421aa242aff2ac21732e4a55d8aa555cf06be63a0dae2e76
-
SHA512
001173e3202fd77aa16a289dcbaedd5ede1210e9d4bdfc81d00e3c3a2803b0703d4c4073c47f41b356b98ca68c66b12b702ab0ab993f34ed4731fe4f409a21e0
-
SSDEEP
1536:2Nsbl+bkoZ0RsOmISEQ2fj4kS44mVZPke4y7KcGgIbsW9d7B9dlI8P4+rQe/ZB:V+kozOUEQ6euVZx4y7K719VO8A+E4ZB
Static task
static1
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
sample.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\RyukReadMe.txt
ryuk
Targets
-
Target
sample
-
Size
204KB
-
MD5
a3fc648a1677cf64c3a08d6325c916e6
-
SHA1
829a28d636f6c858b7d6100a74f074be6255f417
-
SHA256
6830d45f53d318fbd102fa427fe5c4534d58b8beb50e6ae8e33b6348140f8d94
-
SHA512
cbbacc315eb40d7e93b932bf3690a15583805c9662efd212c09d0116d16b707f32cfd25285e4548d41e914f86fe810a896f6c36bcc0fbb55dd9172a346dadaf6
-
SSDEEP
1536:BNsbl+bkoZ0RsOmISEQ2fj4k844mVZPke4y7KcEgIbsW9d7B9dlI8PQ+rCe/C:o+kozOUEQ6QuVZx4y7K/19VO8o+O4C
Score 10/10
Ryuk family
-
Renames multiple (103) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s)