Your stakeholder in the Security Sperations Center (SOC) because they have received a suspicious alert on a Microsoft Exchange server.
The stakeholder sends the following RFI:
We need to have information about the hash below:
Malicious file name: s1.exe
2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff (sha256)
0e55ead3b8fd305d9a54f78c7b56741a (md5)
* What malware is it? Does the malware have a name?
* What malware familiy is it?
* What actions does the malicious file do?
* Is there an attribution possible?
* Are there public reports or sandbox runs we can use to further investigate this threat?
Answer your stakeholder in a simple email/text report. Answer the questions, document your collection efforts. Keep a copy of all the URLs and posts you found. Validate the data collected and send your stakeholder actionable intelligence. Add your report as the challange solution
2. Answers
Malwarename:
DoejoCryptand DEARCRY[1]
Category:
Ransomware
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
Malware actions: [3]
Modifies Installed Components in the registry (Registry Run Keys / Startup Folder)
Modifies/encrypts extensions of user files (e.g 1.jpg will be renamend and encrypted to 1.jpg.crypt)
Reads user/profile data of web browsers --> Infostealers often target stored browser data, which can include saved credentials etc.
Microsoft itself has attributed development and first uses of the exploits with “high confidence” to Chinese state-sponsored cyberespionage group Hafnium on 2 March. [4]
