Saturday, 30 March 2024

Security Research 101

 

        Research in the cybersecurity industry is paramount as it drives innovation, enabling the development of cutting-edge solutions to combat evolving threats. It fosters a deeper understanding of emerging attack vectors and vulnerabilities, empowering organizations to proactively safeguard their assets. Furthermore, research serves as the cornerstone for the advancement of best practices and standards, ensuring robust defense mechanisms are in place. It cultivates a culture of continuous learning and adaptation, crucial in an ever-changing threat landscape.

Ultimately, research in cybersecurity is indispensable for staying ahead of adversaries and safeguarding digital assets in an increasingly interconnected world. 

Find below my approach to conducting successful research.

 Security research is the art of skillfully pursuing the discovery of previously unidentified threats to technology systems or products. It also involves devising innovative methods to address and mitigate these risks by implementing out-of-the-box ideas. This pursuit leverages deep expertise, advanced technologies, and a passion for problem-solving to enhance overall security measures and deliver significant benefits to the broader community.

1. Subject and Hypothesis:

The genesis of any fruitful security research endeavor lies in selecting a pertinent subject and formulating a clear hypothesis. This initial step is akin to laying the cornerstone of a building – it sets the direction and foundation for the entire project. When choosing a subject, opt for one that not only intrigues you but also harbors the potential for substantial impact.

Example: "The hypothesis that outdated encryption algorithms leave networks vulnerable to cyber-attacks propelled my research into developing more robust encryption methods."

2. Data Study:

Once the subject and hypothesis are delineated, embark upon a thorough exploration of existing data. Analyze past research, case studies, and relevant literature to gain insights into the intricacies of the chosen domain. This phase serves as the bedrock upon which subsequent research activities will be built.

Example: "A comprehensive study of breach reports and vulnerability assessments provided invaluable insights into emerging threats and attack vectors."

3. Simulation / Perform Actual Use Cases:

With a solid understanding of the existing landscape, proceed to simulate scenarios or create real-world use cases to validate your hypothesis. This step involves putting theory into practice, thereby elucidating the practical implications of your research.

Example: "By simulating various cyber-attack scenarios, I was able to assess the efficacy of proposed defense mechanisms and identify potential vulnerabilities."

4. Identifying Data Gaps and Requirements:

During research, it's imperative to identify any gaps in data or resources required to fuel further exploration. Assess the cost and time implications of acquiring necessary data and devise strategies to address these challenges effectively.

Example: "The unavailability of real-time threat intelligence necessitated collaboration with industry partners to access proprietary datasets."

5. Planning for Development:

Armed with comprehensive insights and a validated hypothesis, it's time to chart a course for development. Formulate a strategic plan delineating the steps required to translate research findings into tangible solutions or innovations.

Example: "A phased development approach enabled seamless integration of research outcomes into existing cybersecurity frameworks, minimizing disruption and maximizing impact."

6. Delivering Success:

The culmination of diligent research efforts lies in delivering tangible outcomes that contribute to the advancement of cybersecurity. Whether in the form of new products, services, or pioneering discoveries, success is measured by the transformative impact of your research endeavors.

Example: "The successful implementation of novel intrusion detection algorithms resulted in a significant reduction in cyber threats across enterprise networks."


A journey in security research necessitates a strategic approach and unwavering determination. By adhering to the outlined pathway – from hypothesis formulation to delivering success – aspiring researchers can navigate the complexities of the cybersecurity landscape with confidence and efficacy.

Arthur Conan Doyle said, "It is a capital mistake to theorize before one has data. Insensibly, one begins to twist facts to suit theories, instead of theories to suit facts."

Embrace data-driven research, and let your research pave the way for a safer digital future.




Saturday, 28 January 2023

Detecting AITM Phishing Attacks using the Sentinel SIEM Tool and MSTICPY

In today's corporate world, many organizations are embracing multi-cloud and hybrid cloud environments, a strategic move that allows for flexibility and cost efficiency. However, this shift has also increased cyber-attack risk, whether from broad, industry-wide threats or from targeted attacks by Advanced Persistent Threat (APT) groups.
These attacks have become alarmingly sophisticated, with the ability to bypass security sensors and establish persistent activity within the enterprise environment. To detect and combat such activity, it is essential to employ an advanced SIEM (Security Information and Event Management) tool such as Microsoft Sentinel that is capable of hunting threats across multi-cloud environments.

Multi-cloud threat hunting is the art of uncovering and neutralizing security hazards that traverse multiple cloud infrastructures. One preferable tool for this purpose is the Microsoft Sentinel SIEM. This platform allows organizations to monitor and analyze security events across their entire infrastructure, including on-premises, cloud, and hybrid environments. Allow me to illustrate with an example from Microsoft Sentinel, the most current and emerging SIEM tool from Microsoft.

One of the essential features of Sentinel SIEM is its ability to hunt for and respond to Advanced Persistent Threats (APTs), which are highly sophisticated and targeted attacks designed to evade traditional security measures. One of the most prevalent APT scenarios is the Adversary-in-the-Middle (AITM) phishing attack, a common tactic employed by cybercriminals to gain unauthorized access to sensitive information. In this type of attack, the attacker intercepts communications between two parties and manipulates the data in order to trick one of the parties into providing sensitive information.

Microsoft Sentinel SIEM can detect AITM phishing attacks by analyzing email headers, attachment properties, and other email-related data to identify suspicious patterns and anomalies. Additionally, it can analyze network traffic and endpoint data to detect signs of an AITM attack, such as connections to IP addresses or domains that Threat Intelligence feeds list as malicious.

Another significant aspect of multi-cloud threat hunting is log analytics. Sentinel SIEM provides a robust log analytics engine that allows organizations to search and analyze large volumes of log data from multiple sources, such as firewall logs, intrusion detection systems, and cloud-based services, including data from 3rd-party data connectors. This enables organizations to identify and respond to security threats in real time, as well as to generate detailed reports and charts that can be used to track trends and identify areas of concern in their security posture.


AITM Phishing Attack chain

An example of an AITM phishing attack would be an attacker sending an email to a user that appears to be from a legitimate source, such as a bank or a government agency. The email may contain a link or an attachment that, when clicked, will install malware on the user's device or prompt them to enter sensitive information, such as their login credentials or credit card information.

One way to detect AITM phishing attacks using Sentinel SIEM is to use log analytics to search for suspicious patterns in email-related data. Here one should utilize the best Threat Intelligence feeds for finding trending cyber-attack activity.

For example, a query to detect AITM phishing attacks could include the following elements:

  • Email messages that contain attachments with a file extension commonly associated with malware, such as .exe or .js.
  • Email messages that contain links to known malicious domains or IP addresses.
  • Email messages sent from a domain that differs from the one displayed in the "From" field.
  • Email messages from a campaign that are removed after delivery.
  • Suspicious inbox-manipulation rule creations, or the "Anomalous Token" alert triggering.

Here's an example of a query that could be used to detect AITM phishing attacks in Sentinel SIEM:

//Detect the presence of a suspicious email attachment together with a threat intelligence indicator (sender IP or attachment hash) in email entities.
//Build single-column lists of active indicators so they can be used with the `in` operator.
let tiIPs = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(30d) and Active == true and isnotempty(NetworkIP)
    | distinct NetworkIP;
let tiHashes = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(30d) and Active == true and FileHashType == "SHA256"
    | distinct FileHashValue;
EmailEvents
| join kind=leftouter EmailAttachmentInfo on NetworkMessageId
//Parentheses matter: without them `and` binds tighter than `or` and the extension check is applied to only one branch.
| where (FileName endswith ".exe" or FileName endswith ".js")
    and (SenderIPv4 in (tiIPs) or SenderIPv6 in (tiIPs) or SHA256 in (tiHashes))
| project TimeGenerated, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, SenderIPv4, SenderIPv6, FileName, SHA256

This query looks for email messages that carry an attachment with a .exe or .js file extension and whose sender IP address or attachment hash matches an indicator from the best Threat Intelligence feed.


//Find suspicious sessions tagged by the AAD "Anomalous Token" alert
let suspiciousSessionIds = materialize(
    AlertInfo
    | where TimeGenerated > ago(7d)
    | where Title == "Anomalous Token"
    | join (AlertEvidence | where TimeGenerated > ago(7d) | where EntityType == "CloudLogonSession") on AlertId
    | project sessionId = tostring(todynamic(AdditionalFields).SessionId));
//Skip the expensive part when no suspicious session exists
let hasSuspiciousSessionIds = isnotempty(toscalar(suspiciousSessionIds));
//Find inbox rules created during a session that used the anomalous token
CloudAppEvents
| where hasSuspiciousSessionIds
| where TimeGenerated > ago(21d)
| where ActionType == "New-InboxRule"
| where tostring(RawEventData.SessionId) in (suspiciousSessionIds)

This query takes the cloud authentication sessions flagged by "Anomalous Token" alerts and finds "New-InboxRule" rule-creation activity from a cloud-based Office application performed within those sessions.

It's important to note that these are simple query examples, and organizations should work with their hunters or security team and adjust the queries to match their own specific needs and environment. Also, these queries are just one way to detect AITM phishing attacks; there are other techniques and methods that can be employed to detect and thwart Advanced Persistent Threats. A synergistic blend of various methods is essential for threat hunters in a comprehensive threat-hunting program.
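The same hunting logic as the two KQL queries above, re-implemented offline so the joins and checks can be stepped through without a Sentinel workspace. This is an added example, not code from the original post or from Microsoft. The rows are constructed to mimic the EmailEvents, EmailAttachmentInfo, ThreatIntelligenceIndicator, AlertInfo, AlertEvidence and CloudAppEvents tables (real column names, made-up values); the function names are the example's own. It also applies the "From domain differs from the envelope sender" check from the bullet list, which the KQL above does not include.

```python
"""Offline re-implementation of the AITM hunting logic (added example, constructed data)."""
from datetime import datetime, timedelta

NOW = datetime(2023, 1, 28, 12, 0, 0)   # fixed "now" so the example is deterministic
SUSPICIOUS_EXTENSIONS = (".exe", ".js")

# --- constructed sample rows (column names follow the Sentinel/Defender tables) ---
EMAIL_EVENTS = [
    {"NetworkMessageId": "m1", "SenderFromDomain": "bank.example",
     "SenderMailFromDomain": "bulk-mailer.example", "SenderIPv4": "203.0.113.10"},
    {"NetworkMessageId": "m2", "SenderFromDomain": "corp.example",
     "SenderMailFromDomain": "corp.example", "SenderIPv4": "198.51.100.7"},
    {"NetworkMessageId": "m3", "SenderFromDomain": "corp.example",
     "SenderMailFromDomain": "corp.example", "SenderIPv4": "198.51.100.8"},
]
EMAIL_ATTACHMENTS = [
    {"NetworkMessageId": "m1", "FileName": "invoice.pdf.exe", "SHA256": "aa" * 32},
    {"NetworkMessageId": "m2", "FileName": "policy.docx", "SHA256": "bb" * 32},
    {"NetworkMessageId": "m3", "FileName": "update.js", "SHA256": "cc" * 32},
]
THREAT_INTEL = [  # ThreatIntelligenceIndicator-style rows; the last one is expired
    {"NetworkIP": "203.0.113.10", "FileHashValue": "", "Active": True},
    {"NetworkIP": "", "FileHashValue": "cc" * 32, "Active": True},
    {"NetworkIP": "198.51.100.8", "FileHashValue": "", "Active": False},
]
ALERTS = [
    {"AlertId": "a1", "Title": "Anomalous Token", "TimeGenerated": NOW - timedelta(days=2)},
    {"AlertId": "a2", "Title": "Anomalous Token", "TimeGenerated": NOW - timedelta(days=30)},
]
ALERT_EVIDENCE = [
    {"AlertId": "a1", "EntityType": "CloudLogonSession", "AdditionalFields": {"SessionId": "sess-777"}},
    {"AlertId": "a2", "EntityType": "CloudLogonSession", "AdditionalFields": {"SessionId": "sess-888"}},
]
CLOUD_APP_EVENTS = [
    {"TimeGenerated": NOW - timedelta(days=1), "ActionType": "New-InboxRule",
     "AccountDisplayName": "alice", "RawEventData": {"SessionId": "sess-777"}},
    {"TimeGenerated": NOW - timedelta(days=1), "ActionType": "New-InboxRule",
     "AccountDisplayName": "bob", "RawEventData": {"SessionId": "sess-999"}},
    {"TimeGenerated": NOW - timedelta(days=1), "ActionType": "Set-Mailbox",
     "AccountDisplayName": "alice", "RawEventData": {"SessionId": "sess-777"}},
]


def active_indicators(ti_rows):
    """Split active TI rows into an IP set and a SHA256 set (like the two `let` tables)."""
    ips = {r["NetworkIP"] for r in ti_rows if r["Active"] and r["NetworkIP"]}
    hashes = {r["FileHashValue"].lower() for r in ti_rows if r["Active"] and r["FileHashValue"]}
    return ips, hashes


def hunt_suspicious_emails(events, attachments, ti_rows):
    """Left-join attachments onto messages and apply the email checks.

    Returns {NetworkMessageId: [reasons]} for messages matching at least one check.
    """
    ti_ips, ti_hashes = active_indicators(ti_rows)
    by_msg = {}
    for att in attachments:
        by_msg.setdefault(att["NetworkMessageId"], []).append(att)
    findings = {}
    for ev in events:
        reasons = []
        for att in by_msg.get(ev["NetworkMessageId"], []):   # leftouter: no attachment is fine
            if att["FileName"].lower().endswith(SUSPICIOUS_EXTENSIONS):
                reasons.append(f"suspicious attachment extension: {att['FileName']}")
            if att["SHA256"].lower() in ti_hashes:
                reasons.append(f"attachment hash matches threat intel: {att['SHA256'][:12]}...")
        if ev["SenderIPv4"] in ti_ips:
            reasons.append(f"sender IP matches threat intel: {ev['SenderIPv4']}")
        if ev["SenderFromDomain"].lower() != ev["SenderMailFromDomain"].lower():
            reasons.append(f"From domain {ev['SenderFromDomain']} differs from envelope sender "
                           f"{ev['SenderMailFromDomain']}")
        if reasons:
            findings[ev["NetworkMessageId"]] = reasons
    return findings


def inbox_rules_from_anomalous_sessions(alerts, evidence, cloud_events, now=NOW):
    """Sessions flagged by 'Anomalous Token' (last 7d) joined to New-InboxRule events (last 21d)."""
    recent_alert_ids = {a["AlertId"] for a in alerts
                        if a["Title"] == "Anomalous Token" and a["TimeGenerated"] > now - timedelta(days=7)}
    suspicious_sessions = {e["AdditionalFields"].get("SessionId") for e in evidence
                           if e["AlertId"] in recent_alert_ids and e["EntityType"] == "CloudLogonSession"}
    if not suspicious_sessions:          # mirrors the isnotempty(toscalar(...)) guard
        return []
    return [e for e in cloud_events
            if e["ActionType"] == "New-InboxRule"
            and e["TimeGenerated"] > now - timedelta(days=21)
            and e["RawEventData"].get("SessionId") in suspicious_sessions]


if __name__ == "__main__":
    for msg_id, reasons in hunt_suspicious_emails(EMAIL_EVENTS, EMAIL_ATTACHMENTS, THREAT_INTEL).items():
        print(msg_id, "->", "; ".join(reasons))
    for hit in inbox_rules_from_anomalous_sessions(ALERTS, ALERT_EVIDENCE, CLOUD_APP_EVENTS):
        print("inbox rule created in anomalous session:", hit["AccountDisplayName"],
              hit["RawEventData"]["SessionId"])
```

With the constructed rows, message m1 is flagged for three reasons (executable attachment, sender IP on the TI list, header/envelope domain mismatch), m3 for two (.js attachment and a TI hash hit), and m2 is clean; the expired indicator for 198.51.100.8 is deliberately ignored, which is the same reason the KQL filters on Active == true. The session correlation returns only alice's New-InboxRule event, because the other rule was created in a session no alert flagged and the 30-day-old alert falls outside the 7-day window.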

 

Detecting AITM activity using MSTICPY + Jupyter notebook

All security researchers and threat hunters know MSTICPY, a very useful Python module crafted by the tech-titans at Microsoft, which can be employed for hunting digital threats and undertaking incident response actions within Microsoft Sentinel. One of the key features of MSTICPY is its ability to perform advanced analytics on log data and detect advanced threats, such as AITM phishing attacks.

Here is an example of how MSTICPY can be used to detect AITM phishing attacks in Azure Sentinel:

# Import the necessary modules: QueryProvider runs KQL against a Sentinel workspace,
# TILookup checks observables against the configured threat intelligence providers
from msticpy.nbtools import nbinit
from msticpy.data import QueryProvider
from msticpy.sectools import TILookup

# Initialize the Jupyter notebook environment
nbinit.init_notebook(namespace=globals())

# Create a query provider for Microsoft Sentinel and connect using the workspace
# settings from msticpyconfig.yaml
qry_prov = QueryProvider("MSSentinel")
qry_prov.connect()

# Query Microsoft Sentinel for email messages that contain attachments with a .exe or .js file extension
query = '''
EmailAttachmentInfo
| where TimeGenerated > ago(7d)
| where FileName endswith '.exe' or FileName endswith '.js'
| project TimeGenerated, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, FileName, SHA256
'''

# Execute the query; the results come back as a pandas DataFrame
email_results = qry_prov.exec_query(query)

# Look the attachment hashes up against the threat intelligence providers
ti_lookup = TILookup()
ti_results = ti_lookup.lookup_iocs(data=email_results, obs_col="SHA256")

# Keep only the attachments a provider rated above informational severity
phishing_emails = ti_results[ti_results["Severity"] != "information"]

# Print the results
print(phishing_emails)

This code uses the MSTICPY QueryProvider to query Azure Sentinel for email messages that contain attachments with a .exe or .js file extension. It then looks the attachment hashes up with TILookup to identify potential phishing emails.

It's important to note that MSTICPY provides various other functionalities, such as extracting indicators (domains, IP addresses, URLs, hashes) from email headers, bodies and links with IoCExtract, and checking them against threat intelligence to identify phishing domains, IP addresses and sender reputation. This is just a simple example, and organizations should work with their security team and adjust the code to match their specific needs and environment.

 Please note that in order to effectively utilize the method outlined in this discourse, one must have Microsoft Sentinel configured and in possession of the necessary logs. Additionally, it is of paramount importance to ensure that the appropriate connection strings have been properly established. Be aware that this is but one technique for detecting Adversary-in-the-Middle Phishing attacks, and there are other methods and approaches that may be employed to detect and thwart Advanced Persistent Threats. Indeed, it is always advisable to adopt a multifaceted approach, utilizing a variety of techniques in one's threat-hunting program for maximum efficacy.


I do hope that this post shall prove useful in identifying basic Adversary-in-the-Middle Phishing activity. Your feedback and experiences in the comments section would be greatly appreciated.

Wednesday, 26 December 2018

Thanksgiving XML-Based Doc Emotet Spam Campaign Analysis State


Overview


Thanksgiving is a national holiday in a number of countries. From early October, cyber criminals and spammers take advantage of the festival and start spamming users in those countries. This campaign leverages an improved variant of the malware that implements new features and modules, and it is the first campaign that doesn't use financial themes. According to the research, the Thanksgiving-themed campaign targeted U.S. users and delivers the Emotet banking Trojan.

Delivery and exploitation technique


The cyber criminals use email to deliver the malicious document as an attachment. As per advisories, the criminals send around 27,000 emails per day, targeting customers abroad.

Image 1: Thanksgiving email body


The email carried a malicious document.xls attachment. The file contains a malicious embedded macro whose functions execute a command line; that command line runs PowerShell, which connects to a malicious domain and downloads a malicious executable into the %appdata% directory.

Behavior Analysis of malicious document


This is a typical macro-based Microsoft Word document with an AutoOpen function, which executes the VBA macro code when the document is opened. When we open the document, it asks us to enable macros.


Image 2: Macros disabled warning

As is most common, the malicious Microsoft Word macro contains obfuscated VBA script, which is used to execute malicious code and hide the malicious functions behind unreadable text; this also helps bypass antivirus detection. This macro executes a PowerShell command and tries to make connections to download the Emotet malware from a malicious domain. However, here the domain is not working, so the request does not succeed.

Image 3: Network Activity

In the image, PowerShell launched by the VBA code makes connections to multiple malicious domains; as per analysis, these domains are categorised as malicious and have delivered Emotet in the past.

Debugging of malicious macros


Image 4: Malicious macros execute command line

As is common with macros containing obfuscated VBA code, I started to debug the obfuscated script. On deep analysis we concluded that the VBA macro executes an If-Else loop, and every iteration has different variable declarations. In the image you can see that ltRzxjkitk holds the command-line execution; this value was revealed during macro code analysis and debugging.


Malicious XML based word document file analysis:


The Microsoft Office suite has many functions and file formats. All of these file formats have different file headers and file attributes. In the Thanksgiving campaign, the cyber criminals used the XML-based macro execution functionality.

Image 5: XML based word document file


In the image we have opened the file in Notepad++, where we can perform file format and header analysis. Point 1 in the image shows the Word document file signature, which tells Microsoft Word to open this file as a document. In the XML attributes we can analyse the XML version, encoding type and document settings. After the file package attribute comes the element that specifies that its contents shall be any rich WordprocessingML content, and that this content is the rich contents of a drawing object defined using the Vector Markup Language (VML) syntax. Here we found the same command-line execution as in the macro (highlighted as point 2 in the image).

Here the attacker used the caret sign (^) to avoid antivirus detection and to make the obfuscation more complex. For reverse engineering of the Word document, this command line is the main function that leads us to the final malicious code as output. The full string dump has many caret signs (^) that are used only to strengthen the obfuscation. First, I removed all caret signs (^) from the string dump. Now we have clear strings of the command line and the obfuscated strings. Here we can see that the 2nd pointed string (yellow marked) is the command line, the 3rd pointed string (green marked) assigns a string in unreadable format to the t8vb variable, and the last, 4th pointed string holds a for loop. Let's understand the execution of the obfuscated strings step by step.

First, we execute the command line:

C:/> echo cmd /c %LOCalAPpdaTA:~ -3,-2%M%SysTEmrOoT:~  +6,   +1%;  ; ; ;  /V:o    ; /%appDATa:~-7,  1%

Return value: cMD; ;;; /V:o /R

The code extracts substrings from the values of environment variables and builds a command string from them. For example, the %localappdata% environment variable is equivalent to the path "C:\Users\Username\AppData\Local". Using the substring syntax of the cmd shell, "%localappdata:~-3,-2%" extracts the characters between position 3 from the end of the string and position 2 from the end of the string "C:\Users\Username\AppData\Local".

Image 6: Command line Execution

In the image you can see how the command line gets values from environment variables.
Next, the string sets the value of the t8vb variable, and last comes the for loop:
for /l %m IN (2143, -4, 3) do (SeT yN5H=!yN5H!!t8Vb:~ %m, 1!) if %m==3 ;(call; %yN5H:*yN5H!=%)

In the for loop we can see the start value is 2143, which is the size of the t8vb variable string. The step is -4, which means the loop starts from the end and takes every 4th character, working backwards until position 3 of t8vb.

Image 7: For loop execution and PowerShell string generation


For a better understanding of the for loop, please see image no. 7. I reversed the t8vb variable string and, just like the for loop, picked every 4th character from it. You can see that after the for loop executes, it builds a PowerShell command line (highlighted in the image). The PowerShell has multiple C&C domains, which are split with "@", and executes the malware with the Start-Process function.
This obfuscation is known as the demystify obfuscation technique.
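The three cmd.exe tricks walked through above (caret escaping, %VAR:~start,len% substring expansion, and the `for /l` loop that re-assembles a string from every 4th character of t8vb) emulated in Python so an analyst can reproduce the decoding offline. This is an added example, not code from the original post. The environment values are constructed stand-ins for the real variables, the buffer is built from a benign hidden string so the loop can be demonstrated end to end, and the function names are the example's own.

```python
"""Emulate the cmd.exe obfuscation primitives from the Emotet command line (added example)."""
import re

# Constructed environment, shaped like the variables the sample abuses.
ENV = {
    "LOCALAPPDATA": r"C:\Users\Username\AppData\Local",
    "SYSTEMROOT": r"C:\Windows",
    "APPDATA": r"C:\Users\Username\AppData\Roaming",
}


def strip_carets(cmdline):
    """cmd.exe treats ^ as an escape character: drop it and keep the character after it."""
    return re.sub(r"\^(.)", r"\1", cmdline)


def cmd_substring(value, start, length=None):
    """Semantics of %VAR:~start,length%: a negative start counts from the end, a negative
    length is an end offset from the end, and a missing length means 'to the end'."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    end = max(n + length, 0) if length < 0 else start + length
    return value[start:end]


# %NAME:~ start , length % with optional signs and stray whitespace, as in the sample
_SUBSTR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*):~\s*([+-]?\s*\d+)\s*(?:,\s*([+-]?\s*\d+))?\s*%")


def expand_env_substrings(cmdline, env=ENV):
    """Expand every %VAR:~a,b% token; variable names are case-insensitive like in cmd."""
    def repl(match):
        name, start, length = match.group(1).upper(), match.group(2), match.group(3)
        start = int(start.replace(" ", ""))
        length = int(length.replace(" ", "")) if length is not None else None
        return cmd_substring(env.get(name, ""), start, length)
    return _SUBSTR.sub(repl, cmdline)


def for_l_positions(start, step, end):
    """Index sequence produced by `for /l %m in (start,step,end)`."""
    positions, m = [], start
    while (step > 0 and m <= end) or (step < 0 and m >= end):
        positions.append(m)
        m += step
    return positions


def recover_from_loop(buffer, start, step, end):
    """Rebuild the string the loop assembles from its `!buffer:~%m,1!` picks."""
    return "".join(cmd_substring(buffer, m, 1) for m in for_l_positions(start, step, end))


def build_sample_buffer(hidden, start, step, end, filler="x"):
    """Constructed inverse of the loop: scatter `hidden` into a filler buffer so the
    loop reads it back. Only used to make the example self-contained."""
    positions = for_l_positions(start, step, end)
    if len(positions) != len(hidden):
        raise ValueError("loop bounds must yield exactly len(hidden) picks")
    buf = [filler] * (max(positions) + 1)
    for pos, ch in zip(positions, hidden):
        buf[pos] = ch
    return "".join(buf)


if __name__ == "__main__":
    # The first-stage command line quoted in the post, decoded with the constructed ENV
    raw = "echo cmd /c %LOCalAPpdaTA:~ -3,-2%M%SysTEmrOoT:~  +6,   +1%;  ; ; ;  /V:o    ; /%appDATa:~-7,  1%"
    print(expand_env_substrings(strip_carets(raw)))   # -> "echo cmd /c cMd;  ; ; ;  /V:o    ; /R"
    # A benign 17-character string hidden the same way t8vb hides the PowerShell line
    buf = build_sample_buffer("echo deobfuscated", 67, -4, 3)   # picks 67, 63, ..., 3
    print(recover_from_loop(buf, 67, -4, 3))                    # -> "echo deobfuscated"
```

The loop bounds (2143, -4, 3) in the real sample yield 536 picks, so t8vb hides a 536-character PowerShell line among roughly 1,600 filler characters; feeding the actual t8vb value and those bounds to recover_from_loop gives the same result the manual reversal in image 7 produced.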

The PowerShell attempts to download a binary from a list of URLs:

hxxp:// danzarspiritandtruth[.]com /J7B5TiAIp
hxxp:// littlepeonyphotos[.]ru /jPGDyvIm
hxxp:// iuyouth.hcmiu.edu[.]vn /mVayv0I7S
hxxp:// exploraverde[.]co /mmR4TaGu8
hxxp:// turkaline[.]com /zGiFH0X

Then the script saves the binary to the Windows temporary folder and executes it.
The binary files at the end of the URL are Emotet - a notorious banking trojan that rolls out different behavior such as info-stealing modules for emails and browsers.



Saturday, 18 August 2018

GandCrab Ransomware Analysis State

Overview

GandCrab Ransomware first appeared in the wild early this year and rapidly evolved over the months. Since its initial manifestation, in January 2018, the ransomware has undergone development and there have been 5 versions of the ransomware in 7 months. It is believed that the malware netted its operators over $600,000 in ransom payments. 

Infection Vector and Ransom

Most commodity malware works by enticing a user to click on a link or by sending spam emails to unsuspecting users. GandCrab is no different.
In the case of a GandCrab phishing email, it either contains links to malicious JavaScript or carries a dropper file as an attachment. The malicious attachments (embedded in MS Office documents) contain malicious scripts and can download exploits from exploit kits or payloads. Similarly, compromised websites host malicious SWF advertisements and JS scripts which run on the endpoint and can also host exploits.


The ransomware is also hosted on compromised websites that appear like software download websites for cracked applications. Attackers leverage vulnerabilities in Internet Explorer and Adobe Flash Player using Exploit Kits to drop the payload and execute it. Various exploit kits like Grandsoft, RIG and Magnitude are used by attackers to distribute Gandcrab.

Evolution of the Ransomware

Gandcrab V1

The initial version of GandCrab ransomware was found to be distributed through a malvertising campaign called Seamless that directs victims to a RIG exploit kit. It is also the first ransomware to accept the DASH crypto-currency as ransom payment, demanding 1.54 DASH (approx. 1200$) as the ransom amount. Apart from this, it uses NameCoin's (decentralized domain name system) ".bit" top-level domain for its C&C system. The ransomware encrypts files and appends the ".GDCB" extension. Once a system is infected by this ransomware, it first tries to establish a connection with the ransomware's C2 server, and the server sends a public key to start the encryption process.

Image: Spam email used to distribute GandCrab

GandCrab V2

Some noticeable changes from the previous version include, updated file extension - .CRAB, updated hostnames for Command & Control servers namely, politiaromana[.]bit, malwarehunterteam[.]bit, gdcb[.]bit.  The content of the ransom note was updated with instructions on communicating with the ransomware developers and to obtain decryption keys.

Image: Encrypted Files with .CRAB extension
Source: https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files

GandCrab V3

GandCrab ransomware version 3 was found to be distributed via the Magnitude exploit kit. This version comes with a low-resolution desktop background, which contains a ransom note text. When installed, it will encrypt files with .CRAB extension, sets the background and automatically reboots the computer. The ransomware communicates with the domain “carder.bit”.

Image: GandCrab Distributed via Magnitude Exploit Kit 

GandCrab V4.0

GandCrab ransomware version 4 was released with a few updates to the previous version. Prominent updates include changes to the encryption mechanism, the extension changing to '.KRAB', updates to the ransom note and payment demanded on a new TOR site. The ransomware was distributed via fake software crack sites, which lure users into downloading software for free. When the user downloads and executes the software, GandCrab ransomware gets installed. Further, it scans the computer and network shares, encrypts all the shares on the network, appends the .KRAB extension and drops a ransom note.

GandCrab V4.1

The latest version of the GandCrab ransomware spreads via the NSA’s EternalBlue SMB exploit. It attempts to infect unpatched Windows XP machines and Windows Server 2003 systems along with the latest operating systems. The activity of the ransomware continues to remain constant in all the versions, however, the C2 communication is back in the 4.1 version. The encryption happens on a separate thread than the C&C communication, so the files get encrypted even if it fails to connect to the C&C server.

Technical Analysis 

A GandCrab version 3 executable was obtained from a server hosted in Canada (hxxp://185.199.225.114:12547). This IP hosts the same executable under different names. The analysis of GandCrab version 3 is provided below.

Image: Domain contains GandCrab executable

Domain/ Server Analysis


Hostname: 185.199.225.114
IP:Port: 185.199.225.114:12547
Registrar: RIPE NCC
Registrar e-mail: contact@heymman.com
Created: 2017-02-23T12:48:32Z
Reputation score: Low

Based on the analysis and research, it was found that the domain is being used for hosting malicious files only. Here is an example of one of the files that was hosted on the server.

File Name: 1.exe

File Details:
File source: hxxp://185.199.225.114:12547/1.exe (removed)
File size: 260617 bytes
File type: PE32 executable (.exe)
MD5: ff6745411cc69bee286e17f4fba69b35
SHA256: 747c3e82813bf85e4fdff7e7c1fc277d7ad82526b20224e5c5959e9eebc54225
Detection: 58 / 69

GandCrab Behavioural Analysis

While performing dynamic analysis of the GandCrab sample, the following malicious activities were detected:

Queries for the computer name (1 event)

    Using the GetComputerNameW Windows API, GandCrab obtains the system name.


Checks if the process is being debugged by a debugger (1 event)

    Using the IsDebuggerPresent Windows API, GandCrab checks whether a debugger is attached.


Uses Windows APIs to generate a cryptographic key (3 events)

    Using the CryptGenKey Windows API, GandCrab generates an RSA key (an RSA1 key blob) and keeps the key buffer in process memory.


Checks adapter address, which can be used to detect virtual network interfaces (1 event)

    Using the GetAdaptersAddresses Windows API, GandCrab enumerates the network interfaces and adapter details.


Checks the CPU name from the registry, possibly for anti-virtualization (1 event)

    Using the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString registry value, GandCrab reads the processor details to identify a virtualized environment.

Installs itself for autorun at Windows startup (1 event)

    Using the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cwekmntohtt registry value, GandCrab sets "C:\Users\user\AppData\Roaming\Microsoft\furqev.exe" so that it starts with the Windows system.
    The ransomware copies itself into the "%AppData%\Roaming\Microsoft\" folder and creates this startup registry entry.

Image: System details exfiltration

The following image shows that GandCrab leverages many Windows APIs to obtain the system name, processor details, hard disk details, user information, network details and configuration details. These details feed the ransomware's encryption routine.

Wallpaper changed by Gandcrab ransomware


GandCrab has had many versions released; however, 3 versions have the capability to change the system wallpaper.

Image: GandCrab change system wallpaper


The ransomware encrypts files and it forces the system to reboot. In our tests on Windows 10 and Windows 8.1 systems, the machine was able to start up normally, however, the wallpaper was changed by the malware.

System Information

GandCrab gathers system details such as IP, process details, presence of anti-virus, presence of virtualized environment and usage of any debugging tools using windows API and sends all the collected information to C2 server.

Image: Checks Presence of antivirus

Ransom-note

Once the ransomware has finished encrypting the computer, GandCrab drops ransom note through all directories on the computer. This ransom note is named GDCB-DECRYPT.txt and contains information on list of TOR gateways that can be used to access the payment site.

Image: Ransom-note of GrandCrab V3

TOR gateway of GandCrab: "http://gandcrab2pie73et.onion/".

Network Activity
When GandCrab ransomware is executed, the infected machine connects to the following IPs/domains, and the activities below were detected.

  • ipv4bot.whatismyipaddress.com
    Used for fetching the system's public IP and location details.

  • 66.171.248.178:80 (carder.bit)
    "carder.bit" is the server that the ransomware communicates with.

It was found that the ransomware used the following request and user-agent when contacting carder.bit to report the victim's machine information:
GET / HTTP/1.1
Host: carder.bit
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Cache-Control: no-cache

Response: 200 OK

Impact

The malware collects data from the system and starts encrypting files on the victim's environment. After encryption, the C&C server is notified and the malware removes itself from the system.
New features and constant updates to the source code make GandCrab one of the most prevalent malware families conducting widespread attacks.

Remediation

The following remediations are suggested:
  • Have a strong data storage, backup and restoration policy.
  • Have an Endpoint Detection and Response solution, which can thwart attacks that evade Anti-Virus solutions.
  • Ensure that all IT and security software is up to date.
  • Ensure that IT resources are exposed to the required personnel only, e.g. ports 3389, 445 etc.
  • Create awareness programs for employees on the best practices to follow when working with email and while on the internet.

GandCrab Ransomware Version Metrics 


GandCrab V1
Release: Jan 31st
Affected victims: 50000
Ransom note file: GDCB-DECRYPT.txt
Extension: .GDCB
Drop file: %appdata%\<8hex-chars>.lock
Data encryption: RSA-2048
Decryption tool: available (Europol)
Ransom method: crypto-currency DASH (400 USD)

GandCrab V2
Release: March 5th
Affected victims: N/A
Ransom note file: CRAB-DECRYPT.txt
Extension: .CRAB
Drop file: %appdata%\<8hex-chars>.lock
Data encryption: RSA-2048
Ransom method: crypto-currency DASH (800 USD)

GandCrab V3
Release: April 3rd
Affected victims: N/A
Ransom note file: CRAB-DECRYPT.txt
Extension: .CRAB
Drop file: %appdata%\<8hex-chars>.lock
Data encryption: RSA-2048
Ransom method: crypto-currency DASH (1200 USD)

GandCrab V3.1
Release: May 9th
Affected victims: N/A
Ransom note file: CRAB-DECRYPT.txt
Extension: .CRAB
Drop file: %appdata%\<8hex-chars>.lock
Data encryption: RSA-2048
Ransom method: crypto-currency DASH (1200 USD)

GandCrab V4
Release: July 1st
Affected victims: N/A
Ransom note file: KRAB-DECRYPT.txt
Extension: .KRAB
Drop file: %appdata%\<8hex-chars>.lock
Data encryption: Salsa20
Ransom method: crypto-currency DASH (1,200 USD)

GandCrab V4.1
Release: July 5th
Affected victims: N/A
Ransom note file: KRAB-DECRYPT.txt
Extension: .KRAB
Drop file: %appdata%\<8hex-chars>.lock
Data encryption: Salsa20
Ransom method: crypto-currency DASH (4000 USD)

Attributes recorded across the versions, listed in version order as recovered from the original table:
Exploit: web exploit, PDF exploit; Spam Mail Campaign; Spam Mail Campaign; inject payload svchost; SMB Exploit
Other attributes: (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko); (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko); wallpaper change, (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko), (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0); contains a private and a public key, (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0); (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)
Packer info: hammering; ReflectiveLoader; ReflectiveLoader; ReflectiveLoader
C&C connection: Available (5 versions)
String obfuscation: Available (4 versions)
Info gathering:
  - #KeyboardLayoutCheck #mutex #AntiVirusChecks, #AntiVM #IPAddress, #UserName, #ComputerName #Network #DOMAIN #OperatingSystem #Processor #Architecture, #Network #LocalDrives #C&C
  - #mutex #AutoRun #AntiAnalysis #AntiVirus #AntiVM #C&C #URLGeneration #deleteItSelf #IPAddress, #UserName, #ComputerName #Network #DOMAIN #OperatingSystem #Processor #Architecture, #Network #LocalDrives #C&C
  - #mutex #AutoRun #AntiVirus #AntiVM #C&C #URLGeneration #deleteItSelf #IPAddress, #UserName, #ComputerName #Network #DOMAIN #OperatingSystem #Processor #Architecture, #Network #LocalDrives #C&C #URLGeneration
  - #mutex #AntiVM #C&C #deleteItSelf #UserName, #ComputerName #OperatingSystem #Processor #Architecture
  - #C&C #mutex #AntiVM #C&C #deleteItSelf #IPAddress, #UserName, #ComputerName, #Network #DOMAIN, #OperatingSystem, #Processor #Architecture, #Network #LocalDrives #C&C #URLGeneration
Process load: encryption.dll, ReflectiveLoader(); inject payload svchost; inject payload svchost; inject payload svchost
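A host triage script that checks for the GandCrab artefacts this post documents: the RunOnce value launching an executable from %AppData%\Roaming\Microsoft (behavioural analysis section), the <8hex-chars>.lock drop file, the ransom-note file names and the encrypted-file extensions from the version table. This is an added example, not code from the original post. The .reg export text and the file listing are constructed (the RunOnce value name and furqev.exe path are taken from the analysis above; the second autorun entry and the file paths are made up), and the function names are the example's own.

```python
r"""Triage a host for the GandCrab artefacts described in the post (added example, constructed data)."""
import re

RANSOM_NOTES = {"GDCB-DECRYPT.txt", "CRAB-DECRYPT.txt", "KRAB-DECRYPT.txt"}
ENCRYPTED_EXTENSIONS = {".gdcb", ".crab", ".krab"}
# %appdata%\<8hex-chars>.lock marker from the version table
LOCK_FILE = re.compile(r"\\AppData\\Roaming\\[0-9a-f]{8}\.lock$", re.IGNORECASE)
# executable dropped under %AppData%\Roaming\Microsoft and registered for autorun
APPDATA_MS_EXE = re.compile(r"\\AppData\\Roaming\\Microsoft\\[^\\]+\.exe", re.IGNORECASE)

# Constructed .reg export; the first RunOnce value mirrors the one seen in the analysis.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"cwekmntohtt"="C:\\Users\\user\\AppData\\Roaming\\Microsoft\\furqev.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"
'''

# Constructed file listing from the same host.
SAMPLE_FILES = [
    r"C:\Users\user\AppData\Roaming\3f2a9c1b.lock",
    r"C:\Users\user\Documents\report.docx.CRAB",
    r"C:\Users\user\Documents\CRAB-DECRYPT.txt",
    r"C:\Users\user\Documents\notes.txt",
]


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg export (REG_SZ values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files double every backslash inside REG_SZ data; undo that
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys


def suspicious_autoruns(reg_keys):
    r"""Flag Run/RunOnce values whose command launches an .exe from %AppData%\Roaming\Microsoft."""
    hits = []
    for key, values in reg_keys.items():
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        for name, data in values.items():
            if APPDATA_MS_EXE.search(data):
                hits.append((key, name, data))
    return hits


def gandcrab_file_artefacts(paths):
    """Classify file paths into lock files, ransom notes and encrypted files."""
    found = {"lock_file": [], "ransom_note": [], "encrypted_file": []}
    for path in paths:
        base = path.rsplit("\\", 1)[-1]
        ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
        if LOCK_FILE.search(path):
            found["lock_file"].append(path)
        elif base in RANSOM_NOTES:
            found["ransom_note"].append(path)
        elif ext in ENCRYPTED_EXTENSIONS:
            found["encrypted_file"].append(path)
    return found


def triage(reg_text, paths):
    """Combine both checks into one verdict for the host."""
    autoruns = suspicious_autoruns(parse_reg_export(reg_text))
    files = gandcrab_file_artefacts(paths)
    infected = bool(autoruns) or any(files.values())
    return {"infected": infected, "autoruns": autoruns, "files": files}


if __name__ == "__main__":
    result = triage(SAMPLE_REG_EXPORT, SAMPLE_FILES)
    print("GandCrab indicators present:", result["infected"])
    for key, name, data in result["autoruns"]:
        print(f"autorun {key}\\{name} -> {data}")
    for kind, items in result["files"].items():
        for item in items:
            print(f"{kind}: {item}")
```

On a real host the .reg text would come from `reg export` of the Run and RunOnce keys and the file list from a directory walk; the lock-file and autorun patterns are the cheapest early signals, because both appear before the bulk of the encryption completes, while the .CRAB/.KRAB extensions and the ransom notes confirm a finished run.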