General

  • Target

    JaffaCakes118_6dfef684475fcbf722f88337d630668b6fcb73864daa9a7e65f3642d3766fdfc

  • Size

    1.1MB

  • Sample

    241230-xhyn6swmhw

  • MD5

    4dee5e8c48891cbaa6bff2e447a34780

  • SHA1

    109b56248514eb5a6b27fa9b48ac9cec6fb55d62

  • SHA256

    6dfef684475fcbf722f88337d630668b6fcb73864daa9a7e65f3642d3766fdfc

  • SHA512

    643227614fb34b035494dee42f8285ae1dfd5c15c3b560a018786cae40ae4fcd34a427bc1a30395d238405d76d4b96c6c8797850ef2563b5ed018dfa9804c577

  • SSDEEP

    24576:MCsAf6UELHKSoVBxiR2b/n31ZgvWX7GlEMHsIjOrzSmxvvjGbL:Vs3HKSABEO3vgOX7G9+zFZg

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'JZwuk732'; $torlink = 'http://ylohxrulsdb4ex6hmartra3g63khdb4ku7qkh4qcal2n3nm33vokiiyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://ylohxrulsdb4ex6hmartra3g63khdb4ku7qkh4qcal2n3nm33vokiiyd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '5GqsR1ewcO'; $torlink = 'http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'RCCF8gd'; $torlink = 'http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'nO49CJnf9vO'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'TyorjXA0'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'CRAny5Nq'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'J5U8YdUCr'; $torlink = 'http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion

Targets

    • Target

      0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702

    • Size

      208KB

    • MD5

      aa5abadf25aa3f30c1c83c5d43a7ee8f

    • SHA1

      ff50650068de776d2c0a8962cbccd7ffc431327a

    • SHA256

      0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702

    • SHA512

      033139017097fc0b5f296f9a861ee0ebc2faacb0a9ce172898a5765906010cce4bb30d7436afaeafe131b25ff2c51362825e25c60b2ab9d858672a555b28d7fb

    • SSDEEP

      3072:PKNg7ImkKWV/B6LXWhL7UHwT5aOff+2l7Fpxt9PJ30YoV4MQQbz4kB:SN8WBB6LXWhLLT5tf+2PpZo2m4q

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Ryuk family

    • Renames multiple (2949) files with added filename extension

      This suggests ransomware activity: encrypting all of the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892

    • Size

      124KB

    • MD5

      b16db2ad22dfe39c289f9ebd9ef4c493

    • SHA1

      23ccb60927905eb9be2a9ee4230ebac0836b611c

    • SHA256

      0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892

    • SHA512

      5a95bda6dd3761e1a7967562c8dd1b5bf68ce7ac5e7a0c345465c012f9baa7f668080f9998cb29d8e45ba43adb3fd104ef62380818d2eab5ecf2a1e19e5b95e1

    • SSDEEP

      1536:Oe3QTh4VRf+T+c/7pFqkogzZ+QKfLzP1QLorq3caR09dA77hQHfsWdSLcdc/Zwi6:Q9yjSzZ+QKfLztQLomsktUlcx

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Ryuk family

    • Renames multiple (8020) files with added filename extension

      This suggests ransomware activity: encrypting all of the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

    • Size

      468KB

    • MD5

      9296a9b81bfe119bd786a6f5a8ad43ad

    • SHA1

      581cf7c453358cd94ceed70088470c32a7307c8e

    • SHA256

      0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

    • SHA512

      64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

    • SSDEEP

      6144:TDsDjEwQj9kQGxBOfJWgqimbqMS4oXVqhTA4G2PGYWAl/uSp:cDEj9kQG6JNfmMJqWDIl//p

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Ryuk family

    • Renames multiple (8137) files with added filename extension

      This suggests ransomware activity: encrypting all of the files on the system.

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338

    • Size

      168KB

    • MD5

      f60db4476317c6d130d6102ef7571958

    • SHA1

      d4f41df13bc0f5eec21987f1e412d1d444f86681

    • SHA256

      16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338

    • SHA512

      7bbd954f12915a6867187b96ba62b846627c15a5a3167b72522c4f2bdea95be64782ce1cd65ad89f2edfaba161cb7088866283fddb4c57857cfc2ec795be82ca

    • SSDEEP

      1536:kMF3yMOaDcnicDtJk7TdUPLkjchkyXRT9gCVbIPH3yLMah104EQXsVTsW+t8cd7M:J0icakojNyXRTiCVbIv+pEzMrcjqt

    • Renames multiple (7378) files with added filename extension

      This suggests ransomware activity: encrypting all of the files on the system.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Drops file in System32 directory

    • Target

      180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

    • Size

      635KB

    • MD5

      a563c50c5fa0fd541248acaf72cc4e7d

    • SHA1

      4b8c12b074e20a796071aa50dc82fe2ff755e8f6

    • SHA256

      180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

    • SHA512

      d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

    • SSDEEP

      6144:LA+0uP79QAbIhsU2Hl7A6P+ZT6EnW5TMGRx4S7SM22C4:LACbIhs5He6PtgvS7SM2T4

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Ryuk family

    • Renames multiple (3157) files with added filename extension

      This suggests ransomware activity: encrypting all of the files on the system.

    • Dave packer

      Detects an executable built with the packer the community calls 'Dave', based on a string at the end of the file.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

    • Size

      121KB

    • MD5

      7364f6222ac58896e8920f32e4d30aac

    • SHA1

      915fd6fb4e20909025f876f3bb453ec52e21b7be

    • SHA256

      23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

    • SHA512

      f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

    • SSDEEP

      3072:BXJu7BIjMhO2mKWmHgeBsVEu2w9+RXdd:BX6B7WmHdp

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Ryuk family

    • Renames multiple (7185) files with added filename extension

      This suggests ransomware activity: encrypting all of the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Drops desktop.ini file(s)

    • Target

      3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca

    • Size

      200KB

    • MD5

      ad3a5956dc4e8fd6a62671a6204d11b9

    • SHA1

      aac34bd5c2f8e63dca20034f24384c2ce1d641b5

    • SHA256

      3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca

    • SHA512

      23edec2ddc72277efca922dc7c66fef2220d0ad3709b277c236bd883214e423143a947ff48ec2a8b57b1835b715a06b39b7d1c2a423e62dc4166ad5097742f13

    • SSDEEP

      3072:URQTlkAsGqrezGACPTPr74tOGOq+z3M1EgimoiY6RRerR5GyK231/Bdz:JTlEG9SAWTPr5zgimoiPRRe9HH

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Ryuk family

    • Renames multiple (7839) files with added filename extension

      This suggests ransomware activity: encrypting all of the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

    • Size

      544KB

    • MD5

      526fa2ecb5f8fee6aec4b5d7713d909a

    • SHA1

      51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

    • SHA256

      41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

    • SHA512

      f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

    • SSDEEP

      6144:0foeu9rlMfTOC5TGdQJEMpc35IA0dOYiUeinhn6:0fdsUCiYQJxc3YiUeinhn6

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Ryuk family

    • Renames multiple (2509) files with added filename extension

      This suggests ransomware activity: encrypting all of the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

ryuk, credential_access, discovery, ransomware, stealer
Score
10/10

behavioral2

ryuk, credential_access, discovery, ransomware, spyware, stealer
Score
10/10

behavioral3

ryuk, credential_access, discovery, ransomware, stealer
Score
10/10

behavioral4

ryuk, credential_access, discovery, ransomware, spyware, stealer
Score
10/10

behavioral5

ryuk, credential_access, discovery, ransomware, stealer
Score
10/10

behavioral6

ryuk, credential_access, discovery, ransomware, stealer
Score
10/10

behavioral7

discovery, ransomware
Score
9/10

behavioral8

discovery, ransomware, spyware, stealer
Score
9/10

behavioral9

ryuk, credential_access, dave, discovery, ransomware, stealer
Score
10/10

behavioral10

ryuk, credential_access, dave, discovery, ransomware, stealer
Score
10/10

behavioral11

ryuk, credential_access, discovery, ransomware, stealer
Score
10/10

behavioral12

ryuk, credential_access, discovery, ransomware, spyware, stealer
Score
10/10

behavioral13

ryuk, credential_access, discovery, ransomware, stealer
Score
10/10

behavioral14

ryuk, credential_access, discovery, ransomware, spyware, stealer
Score
10/10

behavioral15

ryuk, credential_access, discovery, ransomware, stealer
Score
10/10

behavioral16

ryuk, credential_access, discovery, ransomware, spyware, stealer
Score
10/10