RFI Incoming!
1. Introduction
"Hey, CTI, what is this?"
Your stakeholder in the Security Sperations Center (SOC) because they have received a suspicious alert on a Microsoft Exchange server.
The stakeholder sends the following RFI:
We need to have information about the hash below:
Malicious file name: s1.exe
2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff (sha256)
0e55ead3b8fd305d9a54f78c7b56741a (md5)
* What malware is it? Does the malware have a name?
* What malware familiy is it?
* What actions does the malicious file do?
* Is there an attribution possible?
* Are there public reports or sandbox runs we can use to further investigate this threat?
Answer your stakeholder in a simple email/text report. Answer the questions, document your collection efforts. Keep a copy of all the URLs and posts you found. Validate the data collected and send your stakeholder actionable intelligence. Add your report as the challange solution
2. Answers
Malwarename:
DoejoCrypt and DEARCRY[1]
Category:
Ransomware
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
Malware actions: [3]
Modifies Installed Components in the registry (Registry Run Keys / Startup Folder)
Modifies/encrypts extensions of user files (e.g 1.jpg will be renamend and encrypted to 1.jpg.crypt)
Reads user/profile data of web browsers --> Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) Enumareate Connected drives
Attribution:
Possibly it stands in relation with HAFNIUM.
Microsoft itself has attributed development and first uses of the exploits with “high confidence” to Chinese state-sponsored cyberespionage group Hafnium on 2 March. [4]
Public Reports:
Ressources:
[1]https://bazaar.abuse.ch/sample/2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff/
[2,3]https://tria.ge/210312-3n7ezztylj
[4]https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Last updated
Was this helpful?