šŸ“˜
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page
  • 1. Introduction
  • 2. Answers

Was this helpful?

  1. Threat Intelligence

RFI Incoming!

1. Introduction

"Hey, CTI, what is this?"

Your stakeholder in the Security Sperations Center (SOC) because they have received a suspicious alert on a Microsoft Exchange server.

The stakeholder sends the following RFI:

We need to have information about the hash below:
Malicious file name: s1.exe
2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff (sha256)
0e55ead3b8fd305d9a54f78c7b56741a (md5)
* What malware is it? Does the malware have a name?
* What malware familiy is it?
* What actions does the malicious file do?
* Is there an attribution possible?
* Are there public reports or sandbox runs we can use to further investigate this threat?

Answer your stakeholder in a simple email/text report. Answer the questions, document your collection efforts. Keep a copy of all the URLs and posts you found. Validate the data collected and send your stakeholder actionable intelligence. Add your report as the challange solution

2. Answers

Malwarename:

DoejoCrypt and DEARCRY[1]

Category:

Ransomware

DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.

Malware actions: [3]

  • Modifies Installed Components in the registry (Registry Run Keys / Startup Folder)

  • Modifies/encrypts extensions of user files (e.g 1.jpg will be renamend and encrypted to 1.jpg.crypt)

  • Reads user/profile data of web browsers --> Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) Enumareate Connected drives

Attribution:

Possibly it stands in relation with HAFNIUM.

Microsoft itself has attributed development and first uses of the exploits with ā€œhigh confidenceā€ to Chinese state-sponsored cyberespionage group Hafnium on 2 March. [4]

Public Reports:

Ressources:

PreviousVirus Total Graph ExerciseNextForensic Exercises

Last updated 3 years ago

Was this helpful?

[1]

[2,3]

[4]

https://bazaar.abuse.ch/sample/2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff/
https://tria.ge/210312-3n7ezztylj
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Malware sandboxing report by Hatching Triage
Automated Malware Analysis Report for s1.exe - Generated by Joe Sandbox
https://unit42.paloaltonetworks.com/dearcry-ransomware/unit42.paloaltonetworks.com
https://analyze.intezer.com/files/2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-servervulnerabilities/news.sophos.com
Logo
Logo