RFI Incoming!
1. Introduction
"Hey, CTI, what is this?"
Your stakeholder in the Security Operations Center (SOC) contacts you because they have received a suspicious alert on a Microsoft Exchange server.
The stakeholder sends the following RFI:
Answer your stakeholder in a simple email/text report. Answer the questions and document your collection efforts. Keep a copy of all the URLs and posts you found. Validate the data collected and send your stakeholder actionable intelligence. Add your report as the challenge solution.
2. Answers
Malware name:
DoejoCrypt and DEARCRY[1]
Category:
Ransomware
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
Malware actions: [3]
Modifies Installed Components in the registry (Registry Run Keys / Startup Folder)
Modifies/encrypts extensions of user files (e.g. 1.jpg will be renamed and encrypted to 1.jpg.crypt)
Reads user/profile data of web browsers --> infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s)
Enumerates connected drives
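As an added detection example (not part of the original write-up; it uses a constructed, simplified telemetry schema rather than any real EDR format), this script flags the behaviours listed above: mass renames to a .crypt extension, desktop.ini drops by the same process, and Run-key persistence.

```python
"""Added example: score constructed endpoint events against the DearCry
behaviours in the report. Field names are this example's own."""
from collections import defaultdict

CRYPT_EXT = ".crypt"        # extension appended to encrypted files
RENAME_THRESHOLD = 3        # .crypt renames by one process before alerting
RUN_KEY_FRAGMENT = r"\currentversion\run"   # matches Run and RunOnce keys

# Constructed sample telemetry (not real logs); includes benign noise.
SAMPLE_EVENTS = [
    {"type": "file_rename", "proc": "update.exe",
     "old": r"C:\Users\bob\Pictures\1.jpg", "new": r"C:\Users\bob\Pictures\1.jpg.CRYPT"},
    {"type": "file_rename", "proc": "update.exe",
     "old": r"C:\Users\bob\Documents\q1.xlsx", "new": r"C:\Users\bob\Documents\q1.xlsx.CRYPT"},
    {"type": "file_rename", "proc": "update.exe",
     "old": r"C:\Users\bob\Documents\plan.docx", "new": r"C:\Users\bob\Documents\plan.docx.CRYPT"},
    {"type": "file_create", "proc": "update.exe", "path": r"C:\Users\bob\Documents\desktop.ini"},
    {"type": "reg_set", "proc": "update.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "value": r"C:\Windows\update.exe"},
    {"type": "file_rename", "proc": "explorer.exe", "old": r"C:\tmp\a.txt", "new": r"C:\tmp\b.txt"},
    {"type": "reg_set", "proc": "msiexec.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\App", "value": "1"},
]


def detect(events):
    """Return (process, finding) tuples for behaviour matching the report."""
    crypt_renames = defaultdict(int)
    ini_drops = defaultdict(int)
    findings = []
    for ev in events:
        proc = ev["proc"]
        if ev["type"] == "file_rename" and ev["new"].lower().endswith(CRYPT_EXT):
            crypt_renames[proc] += 1
        elif ev["type"] == "file_create" and ev["path"].lower().endswith("\\desktop.ini"):
            ini_drops[proc] += 1
        elif ev["type"] == "reg_set" and RUN_KEY_FRAGMENT in ev["key"].lower():
            findings.append((proc, f"persistence via Run key: {ev['key']} = {ev['value']}"))
    # A single rename is noise; a burst of .crypt renames is the encryption phase.
    for proc, n in crypt_renames.items():
        if n >= RENAME_THRESHOLD:
            extra = f", plus {ini_drops[proc]} desktop.ini drop(s)" if ini_drops[proc] else ""
            findings.append((proc, f"mass rename to {CRYPT_EXT}: {n} files{extra}"))
    return findings


if __name__ == "__main__":
    for proc, finding in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {proc}: {finding}")
```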
Attribution:
It is possibly related to HAFNIUM.
Microsoft itself has attributed the development and first use of the exploits with "high confidence" to the Chinese state-sponsored cyberespionage group Hafnium on 2 March. [4]
Public Reports:
Resources:
[1]https://bazaar.abuse.ch/sample/2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff/
[2,3]https://tria.ge/210312-3n7ezztylj
[4]https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/