General
- Target: outbyte-camomile-setup.exe
- Size: 14.2MB
- Sample: 250131-2ckycaymbx
- MD5: 319b4e14d098496a5e492441865e9456
- SHA1: 07dcc7e6126652f7c81117ccb185bc007e995afd
- SHA256: caa2fd83835cea62fc886b6d0ad36c8e79cae1f42af11b0d49ca016f63fd5677
- SHA512: 4588e1d97d792b6a1c476d495c87d1ac2f4c1324fe9897d9bc67d403cedda7062bf88c8029273eca2aa629466e2048fc5931308b8ee8eeecc2768bd57089bdd3
- SSDEEP: 393216:KCpFT8Lm8LtMSwjkCJde/adR2WThXxC/Joy:KO8Lm4tMSwgn/uNJxcJoy
Static task: static1
Behavioral task: behavioral1
- Sample: outbyte-camomile-setup.exe
- Resource: win10ltsc2021-20250128-en
Malware Config
Targets
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
- Badrabbit family
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
- Dharma family
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (532) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Blocklisted process makes network request
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
- Drops startup file
- Adds Run key to start application
- Downloads MZ/PE file
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Modifies WinLogon
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
(Per-technique counts from the report are shown in parentheses; sub-techniques are indented under their parent technique.)

Execution
  Scheduled Task/Job (1)
    Scheduled Task (1)
  Windows Management Instrumentation (1)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (7)
  Subvert Trust Controls (1)
    Install Root Certificate (1)

Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Unsecured Credentials (1)
    Credentials In Files (1)