Overview

overview

10

Static

static

1

jjsploit_8...US.msi

windows10-ltsc_2021-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    jjsploit_8.12.2_x64_en-US.msi

  • Size

    6.3MB

  • Sample

    250407-fh2mdsyzcz

  • MD5

    d8be6f14b4dd7a85a5b5479e88b940da

  • SHA1

    4c1ed04a00fb4fc31cc4c10172d0e6f310faacef

  • SHA256

    c3daa5b6503c601bf868de990dc5fe055c266a7cba6e269115290c37fb8a4d05

  • SHA512

    77964855eddaf57ebf7810185eacf2bd40bfdd883473ac063223ea496744d81db678c171707d44cfe19077df1fcfb8888a54021fc6af7cb4547dcc464ce717ea

  • SSDEEP

    196608:3dNnRdvjsTOvHK19gO8xbecifaCI1L5N1JTLX4:t1RSavI9sbf8vKf

Score
10/10
dharmafantommimikatzwannacrybootkitcredential_accessdefense_evasiondiscoveryexecutionimpactpersistenceprivilege_escalationransomwarespywarestealerworm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Extracted

Path

C:\f2dc0f58\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>FcgdHYH2iUQJ3jCIUXgLqvmqzTfHZRLVrJ/geS64Wx6fd2NtGO78KEj9OMyKA2A+LDdAlPBWN3mglGt6gR3mDrsPZ2a15RaqzGF/cDHuwlCziQMvC8TFJpB5WAWa6HWas3kB0DM4UiyqZqfy++vLAGC2dHjNEU+rsrG75lqREGDPGdLrEvm3ddSB3uHEbSi0npjngKDQiYYXTYsEHkI3lDYJnM2RJEuzoNZF2sjopwWQXPO5W4f0fCwyxkXQwpOD05LBdU3PqFyAjXUsSj4y+kLlyXBGgn/vuTSbTnK1k/oa/lVEflX5lVgkwgQHnlzE5b+CYUxUTHvBUO6+AUP5gQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Targets

    • Target

      jjsploit_8.12.2_x64_en-US.msi

    • Size

      6.3MB

    • MD5

      d8be6f14b4dd7a85a5b5479e88b940da

    • SHA1

      4c1ed04a00fb4fc31cc4c10172d0e6f310faacef

    • SHA256

      c3daa5b6503c601bf868de990dc5fe055c266a7cba6e269115290c37fb8a4d05

    • SHA512

      77964855eddaf57ebf7810185eacf2bd40bfdd883473ac063223ea496744d81db678c171707d44cfe19077df1fcfb8888a54021fc6af7cb4547dcc464ce717ea

    • SSDEEP

      196608:3dNnRdvjsTOvHK19gO8xbecifaCI1L5N1JTLX4:t1RSavI9sbf8vKf

    Score
    10/10
    dharmafantommimikatzwannacrybootkitcredential_accessdefense_evasiondiscoveryexecutionimpactpersistenceprivilege_escalationransomwarespywarestealerworm

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Dharma family

      dharma

    • Fantom

      Ransomware which hides encryption process behind fake Windows Update screen.

      ransomwarefantom

    • Fantom family

      fantom

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

      mimikatz

    • Mimikatz family

      mimikatz

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Wannacry family

      wannacry

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (719) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • mimikatz is an open source tool to dump credentials on Windows

    • Disables Task Manager via registry modification

      defense_evasion

    • Drops file in Drivers directory

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Downloads MZ/PE file

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Installer Packages

1
T1546.016

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Installer Packages

1
T1546.016

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

2
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

System Binary Proxy Execution

1
T1218

Msiexec

1
T1218.007

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

2
T1490

Tasks

OSZAR »