Resubmissions

03/05/2025, 14:08

250503-rfpetstyay 10

03/05/2025, 14:00

250503-rbbceatxay 10

General

  • Target

    CCleaner-Crack.exe

  • Size

    60.2MB

  • Sample

    250503-rdsdpscp2x

  • MD5

    6e982e7b6699097e3106c7dfcd2a25d9

  • SHA1

    d3b988b209d171dffe0a380be2a938302de2bd68

  • SHA256

    ffb8cffd028a5cec524d366602d1513b6e7d43b36a86169547b70f8babf62c21

  • SHA512

    fd34fde72e57c23942b9e8a557cae349394832c2850a04d082182d2bfb91645a37d63d24e6fcb0d15162e6fc1092a3db2dd5a1289806fffd1da39d829c42bafa

  • SSDEEP

    1572864:25ksmc+KRqCd2SwWQEHyi6kMvBIxrcXZ73qe/GFXK:2pIiIWQyn6xBh3qvXK

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RarSFX1\handler.bat

Ransom Note

    @echo off
    taskkill /f /im explorer.exe >nul
    color 0a
    title InjectLocker Ransomware
    echo Your files have been encrypted using a professional encryption.
    echo For decryption solutions, visit https://my.cbox.ws/d3cryption and ask us how to decrypt.
    echo tl;dr: your files were encrypted by InjectLock Team
    echo And also, I don't care if you work at a big company.
    pause >nul
    pause >nul
    pause >nul

URLs

https://my.cbox.ws/d3cryption

Targets

    • Target

      CCleaner-Crack.exe

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Network Share Discovery

      Attempts to gather information on the host network.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks