RFI Incoming!

1. Introduction

„Hey, CTI, what is this?“

Your stakeholder in the Security Operations Center (SOC) contacts you because they have received a suspicious alert on a Microsoft Exchange server.

The stakeholder sends the following RFI:

We need to have information about the hash below.

  • What malware is it? Does the malware have a name?
  • What malware family is it?
  • What actions does the malicious file do?
  • Is there an attribution possible?
  • Are there public reports or sandbox runs we can use to further investigate this threat?

Malicious file name: s1.exe

2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff (SHA256)
0e55ead3b8fd305d9a54f78c7b56741a (MD5)

2. Answers

  1. Malware name: DoejoCrypt and DEARCRY [1]
    Category: Decryptor / Ransomware
  2. Malware family: DearCry [2]

    DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.

  3. Malware actions: [3]
  • Modifies Installed Components in the registry (Registry Run Keys / Startup Folder)
  • Modifies/encrypts extensions of user files (e.g. 1.jpg will be renamed and encrypted to 1.jpg.crypt)
  • Reads user/profile data of web browsers -> infostealers often target stored browser data, which can include saved credentials etc.
  • Drops desktop.ini file(s)
  • Enumerates connected drives
  4. Attribution

    It is possibly related to HAFNIUM.
    Microsoft itself has attributed the development and first use of the exploits with "high confidence" to the Chinese state-sponsored cyberespionage group Hafnium on 2 March. [4]

  5. Public reports / further investigation

    https://analyze.intezer.com
    www.joesandbox.com
    https://news.sophos.com
    unit42.paloaltonetworks.com/
    https://tria.ge
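The behaviours listed under answer 3 (user files renamed to *.crypt, desktop.ini drops, Run-key writes) can be turned into a simple host-level detection. The following is an added example for the SOC, not part of the original RFI answer; the event records are constructed, and the event schema (host, type, src/dst, path, key) is an assumption rather than any particular EDR's format.

```python
"""Flag DearCry-like ransomware behaviour in endpoint file/registry events."""
from collections import Counter, defaultdict

# Constructed sample telemetry (not real data). EXCH01 shows the pattern from
# answer 3; WKS02 only has a benign rename and a normal desktop.ini creation.
SAMPLE_EVENTS = [
    {"host": "EXCH01", "type": "file_rename", "src": r"C:\Users\a\Pictures\1.jpg",
     "dst": r"C:\Users\a\Pictures\1.jpg.CRYPT"},
    {"host": "EXCH01", "type": "file_rename", "src": r"C:\Users\a\Documents\q.docx",
     "dst": r"C:\Users\a\Documents\q.docx.CRYPT"},
    {"host": "EXCH01", "type": "file_rename", "src": r"D:\share\report.pdf",
     "dst": r"D:\share\report.pdf.CRYPT"},
    {"host": "EXCH01", "type": "file_create", "path": r"C:\Users\a\Pictures\desktop.ini"},
    {"host": "EXCH01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"host": "WKS02", "type": "file_rename", "src": r"C:\Users\b\1.jpg",
     "dst": r"C:\Users\b\1.jpeg"},
    {"host": "WKS02", "type": "file_create", "path": r"C:\Users\b\Music\desktop.ini"},
]

CRYPT_SUFFIX = ".crypt"
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def analyse(events):
    """Count the three indicators per host. Case-insensitive path matching."""
    stats = defaultdict(Counter)
    for e in events:
        host = e["host"]
        if e["type"] == "file_rename":
            src, dst = e["src"].lower(), e["dst"].lower()
            # The ransomware appends .crypt and keeps the original extension.
            if dst == src + CRYPT_SUFFIX:
                stats[host]["crypt_renames"] += 1
        elif e["type"] == "file_create" and e["path"].lower().endswith("\\desktop.ini"):
            stats[host]["desktop_ini_drops"] += 1
        elif e["type"] == "registry_set" and any(k in e["key"].lower() for k in RUN_KEYS):
            stats[host]["run_key_writes"] += 1
    return {h: dict(c) for h, c in stats.items()}


def flagged_hosts(events, rename_threshold=3):
    """Flag a host on mass .crypt renames, or on any .crypt rename corroborated
    by a desktop.ini drop or Run-key write (desktop.ini alone is normal Windows)."""
    out = []
    for host, c in analyse(events).items():
        renames = c.get("crypt_renames", 0)
        corroborating = c.get("desktop_ini_drops", 0) + c.get("run_key_writes", 0)
        if renames >= rename_threshold or (renames and corroborating):
            out.append(host)
    return sorted(out)


if __name__ == "__main__":
    print(flagged_hosts(SAMPLE_EVENTS))
```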

3. Resources

[1,2] bazaar.abuse.ch
[3] tria.ge
[4] microsoft.com