# RFI Incoming!

### 1. Introduction

"Hey, CTI, what is this?"

Your stakeholder in the Security Operations Center (SOC) contacts you because they have received a suspicious alert on a Microsoft Exchange server.

The stakeholder sends the following RFI:

```
We need to have information about the hash below:
Malicious file name: s1.exe
2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff (sha256)
0e55ead3b8fd305d9a54f78c7b56741a (md5)
* What malware is it? Does the malware have a name?
* What malware family is it?
* What actions does the malicious file do?
* Is there an attribution possible?
* Are there public reports or sandbox runs we can use to further investigate this threat?
```

Answer your stakeholder in a simple email/text report. Answer the questions and document your collection efforts. Keep a copy of all the URLs and posts you found. Validate the data collected and send your stakeholder actionable intelligence. Add your report as the challenge solution.
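As an added example (not part of the original write-up), a small Python triage helper for this RFI: it pulls the hashes out of the request text, identifies each one by its format, builds the collection log of lookup URLs for the public sources cited further down, and verifies a retrieved sample against the RFI hashes before anything is reported. The URL templates are assumed from the sources referenced on this page, and no network calls are made.

```python
"""Hash-RFI triage helper: extract indicators, identify hash types,
record lookup URLs as collection effort, and verify a sample offline."""
import hashlib
import re

# The RFI text as received from the SOC (copied from the request above).
RFI_TEXT = """We need to have information about the hash below:
Malicious file name: s1.exe
2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff (sha256)
0e55ead3b8fd305d9a54f78c7b56741a (md5)"""

# Hex-digest lengths identify the algorithm; anything else is ignored.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,64}\b")

# Assumed URL templates, derived from the sources cited in this write-up.
# tria.ge is omitted because its report URLs use an analysis id, not a hash.
SOURCES = {
    "sha256": [
        "https://bazaar.abuse.ch/sample/{h}/",
        "https://analyze.intezer.com/files/{h}",
    ],
}


def extract_hashes(text):
    """Return {algorithm: lowercase hash} for every hash-shaped token."""
    found = {}
    for token in HEX_RE.findall(text):
        algo = HASH_LENGTHS.get(len(token))
        if algo:
            found[algo] = token.lower()
    return found


def collection_log(hashes):
    """URLs to record as collection effort for the hashes found."""
    return [tmpl.format(h=h) for algo, h in hashes.items()
            for tmpl in SOURCES.get(algo, [])]


def verify_sample(data, expected):
    """Validate a retrieved sample: does each RFI hash match the bytes?"""
    computed = {"md5": hashlib.md5(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest()}
    return {algo: computed.get(algo) == h for algo, h in expected.items()}


if __name__ == "__main__":
    hashes = extract_hashes(RFI_TEXT)
    for url in collection_log(hashes):
        print(url)
```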

### 2. Answers

**Malware name:**

DoejoCrypt and DEARCRY \[1]

**Category:**

Ransomware

> DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.

**Malware actions:** \[3]

* Modifies Installed Components in the registry (Registry Run Keys / Startup Folder)
* Modifies/encrypts extensions of user files (e.g. 1.jpg will be renamed and encrypted to 1.jpg.crypt)
* Reads user/profile data of web browsers (infostealers often target stored browser data, which can include saved credentials etc.)
* Drops desktop.ini file(s)
* Enumerates connected drives

**Attribution:**

It is possibly related to HAFNIUM.

Microsoft itself has attributed the development and first use of the exploits “with high confidence” to the Chinese state-sponsored cyberespionage group Hafnium on 2 March. \[4]

**Public Reports:**

{% embed url="<https://analyze.intezer.com/files/2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff>" %}

{% embed url="<https://www.joesandbox.com/analysis/367746/0/html>" %}

{% embed url="<https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-servervulnerabilities/>" %}

{% embed url="<https://unit42.paloaltonetworks.com/dearcry-ransomware/>" %}

{% embed url="<https://tria.ge/210312-3n7ezztylj>" %}

**Resources:**

\[1] <https://bazaar.abuse.ch/sample/2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff/>

\[2, 3] <https://tria.ge/210312-3n7ezztylj>

\[4] <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>
