# RFI Incoming!

### 1. Introduction

"Hey, CTI, what is this?"

Your stakeholder in the Security Operations Center (SOC) is asking because they have received a suspicious alert on a Microsoft Exchange server.

The stakeholder sends the following RFI:

```
We need to have information about the hash below:
Malicious file name: s1.exe
2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff (sha256)
0e55ead3b8fd305d9a54f78c7b56741a (md5)
* What malware is it? Does the malware have a name?
* What malware family is it?
* What actions does the malicious file do?
* Is there an attribution possible?
* Are there public reports or sandbox runs we can use to further investigate this threat?
```

Answer your stakeholder in a simple email/text report. Answer the questions and document your collection efforts. Keep a copy of all the URLs and posts you found. Validate the data collected and send your stakeholder actionable intelligence. Add your report as the challenge solution.
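The collection step begins with pulling the indicators out of the RFI and validating them before anything is looked up. The following script is an added example written for this page (it is not part of the original write-up or of any tool it cites): it extracts hashes and file names from the RFI text quoted above, checks that each hash is well-formed, and matches them against a constructed, hypothetical EDR-style file inventory and against raw file bytes. The inventory hosts, paths and the second hash value are invented sample data.

```python
import hashlib
import re

# The stakeholder's RFI text as quoted on the page (copied verbatim).
RFI_TEXT = """We need to have information about the hash below:
Malicious file name: s1.exe
2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff (sha256)
0e55ead3b8fd305d9a54f78c7b56741a (md5)
"""

# Hex-digest lengths that map to a hash algorithm we accept as an IoC.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RUN = re.compile(r"\b[0-9a-fA-F]{32,64}\b")
FILENAME_RE = re.compile(r"\b[\w-]+\.(?:exe|dll|ps1|bat|vbs)\b", re.IGNORECASE)


def extract_hashes(text):
    """Return {hash_lowercase: algorithm} for every well-formed hash in text.

    Hex runs whose length matches no known digest (typos, truncated pastes)
    are silently dropped so they never reach a lookup or a block list.
    """
    found = {}
    for match in HEX_RUN.finditer(text):
        digest = match.group(0).lower()
        algo = HASH_LENGTHS.get(len(digest))
        if algo:
            found[digest] = algo
    return found


def extract_filenames(text):
    """Return executable-looking file names mentioned in the RFI."""
    return FILENAME_RE.findall(text)


# Constructed (fake) EDR inventory: (hostname, path, sha256). Only the first
# sha256 is the one from the RFI; the second is a made-up placeholder.
INVENTORY = [
    ("EXCH01", r"C:\Windows\Temp\s1.exe",
     "2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff"),
    ("WS-17", r"C:\Users\alice\Downloads\setup.exe", "aa" * 32),
]


def match_inventory(iocs, inventory):
    """Return (host, path, sha256) rows whose hash is in the IoC set."""
    return [(host, path, sha.lower())
            for host, path, sha in inventory if sha.lower() in iocs]


def file_matches(data, iocs):
    """True if the md5 or sha256 of `data` is one of the extracted IoCs."""
    digests = {hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()}
    return any(d in iocs for d in digests)


if __name__ == "__main__":
    iocs = extract_hashes(RFI_TEXT)
    print("IoCs:", iocs)
    print("File names:", extract_filenames(RFI_TEXT))
    print("Inventory hits:", match_inventory(iocs, INVENTORY))
```

Keeping the extracted hashes in a dictionary keyed by the lowercase digest means the same indicator pasted twice, or in mixed case, is only looked up once and only blocked once.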

### 2. Answers

**Malware name:**

DoejoCrypt (DEARCRY) \[1]

**Category:**

Ransomware

> DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.

**Malware actions:** \[3]

* Modifies Installed Components in the registry (Registry Run Keys / Startup Folder)
* Modifies/encrypts extensions of user files (e.g. 1.jpg is renamed and encrypted to 1.jpg.crypt)
* Reads user/profile data of web browsers (infostealers often target stored browser data, which can include saved credentials)
* Drops desktop.ini file(s)
* Enumerates connected drives
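Two of the behaviours listed above are directly observable in endpoint telemetry: a burst of files being renamed to a `.crypt` extension, and a write to a Run key for persistence. The following detection logic is an added example written for this page (not code from the original write-up, the sandbox reports it cites, or any vendor tool). It runs over a constructed, simplified event format of our own (timestamp, host, pid, image, action, key=value fields), which only loosely resembles real Sysmon or EDR output; host names, PIDs and paths are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified, hypothetical format.
EVENTS = [
    r"2021-03-12T10:00:01Z host=EXCH01 pid=4120 image=s1.exe action=rename src=C:\Users\bob\1.jpg dst=C:\Users\bob\1.jpg.crypt",
    r"2021-03-12T10:00:02Z host=EXCH01 pid=4120 image=s1.exe action=rename src=C:\Users\bob\2.docx dst=C:\Users\bob\2.docx.crypt",
    r"2021-03-12T10:00:02Z host=EXCH01 pid=4120 image=s1.exe action=rename src=C:\Users\bob\3.xlsx dst=C:\Users\bob\3.xlsx.crypt",
    r"2021-03-12T10:00:03Z host=EXCH01 pid=4120 image=s1.exe action=rename src=C:\Users\bob\4.pdf dst=C:\Users\bob\4.pdf.crypt",
    r"2021-03-12T10:00:04Z host=EXCH01 pid=4120 image=s1.exe action=rename src=C:\Users\bob\5.png dst=C:\Users\bob\5.png.crypt",
    r"2021-03-12T10:00:05Z host=EXCH01 pid=4120 image=s1.exe action=regset key=HKLM\Software\Microsoft\Windows\CurrentVersion\Run value=s1",
    r"2021-03-12T10:03:10Z host=EXCH01 pid=900 image=explorer.exe action=rename src=C:\Users\bob\notes.txt dst=C:\Users\bob\notes.txt.bak",
    r"2021-03-12T10:05:00Z host=WS-17 pid=512 image=setup.exe action=regset key=HKCU\Software\Vendor\App value=Installed",
]

EVENT_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
    r"action=(?P<action>\S+)(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
# Both the Run and RunOnce keys are autostart locations.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)


def parse_event(line):
    """Parse one constructed telemetry line into a dict, or None if malformed."""
    match = EVENT_RE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["pid"] = int(event["pid"])
    event.update(dict(KV_RE.findall(event.pop("rest"))))
    return event


def detect_encryption_bursts(events, ext=".crypt", threshold=5,
                             window=timedelta(seconds=60)):
    """Flag (host, pid, image, count) where one process renames at least
    `threshold` files to `ext` inside any `window`-long sliding interval."""
    renames = defaultdict(list)
    images = {}
    for ev in events:
        if ev["action"] == "rename" and ev.get("dst", "").lower().endswith(ext):
            key = (ev["host"], ev["pid"])
            renames[key].append(ev["ts"])
            images[key] = ev["image"]
    alerts = []
    for key, times in renames.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):           # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((key[0], key[1], images[key], best))
    return alerts


def detect_run_key_persistence(events):
    """Return (host, pid, image, key) for registry writes to Run/RunOnce keys."""
    return [(ev["host"], ev["pid"], ev["image"], ev["key"])
            for ev in events
            if ev["action"] == "regset" and RUN_KEY_RE.search(ev.get("key", ""))]


def analyze(lines):
    """Parse raw lines and run both detections; returns a result dict."""
    events = [ev for ev in map(parse_event, lines) if ev]
    return {"bursts": detect_encryption_bursts(events),
            "persistence": detect_run_key_persistence(events)}


if __name__ == "__main__":
    for name, rows in analyze(EVENTS).items():
        print(name, rows)
```

The rename burst rule is deliberately keyed on (host, pid) and a time window rather than on the file name `s1.exe`, so a renamed or repacked sample still trips it; tune `threshold` and `window` against normal backup or archiving tools in your environment before deploying it, since those also rename many files quickly.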

**Attribution:**

It is possibly related to HAFNIUM.

Microsoft itself has attributed development and first uses of the exploits with “high confidence” to Chinese state-sponsored cyberespionage group Hafnium on 2 March. \[4]

**Public Reports:**

{% embed url="<https://analyze.intezer.com/files/2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff>" %}

{% embed url="<https://www.joesandbox.com/analysis/367746/0/html>" %}

{% embed url="<https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-servervulnerabilities/>" %}

{% embed url="<https://unit42.paloaltonetworks.com/dearcry-ransomware/>" %}

{% embed url="<https://tria.ge/210312-3n7ezztylj>" %}

**Resources:**

\[1] <https://bazaar.abuse.ch/sample/2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff/>

\[2,3] <https://tria.ge/210312-3n7ezztylj>

\[4] <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>
