TECHNICAL ANALYSIS OF THE NETWALKER RANSOMWARE
Common Information
| Type | Value |
|---|---|
| UUID | 24cbf5ee-080f-48a0-8b32-ebab58da90c6 |
| Fingerprint | 2d9b5ec19d3adb2d00854da75f4b8b9c8927a4219007749bff720a175284242e |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | None |
| Added to db | April 14, 2024, 9:04 a.m. |
| Last updated | Aug. 31, 2024, 6:58 a.m. |
| Headline | TECHNICAL ANALYSIS OF THE NETWALKER RANSOMWARE |
| Title | TECHNICAL ANALYSIS OF THE NETWALKER RANSOMWARE |
| Detected Hints/Tags/Attributes | 133/2/82 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 3 | rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion |
|
| Details | Domain | 3 | pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion |
|
| Details | Domain | 1 | xor.new |
|
| Details | Domain | 59 | torproject.org |
|
| Details | Domain | 2 | www.seanet.com |
|
| Details | Domain | 1 | chacha.py |
|
| Details | Domain | 1 | atvu7d6xhyn5cs4lt4pdrqqd.onion |
|
| Details | Domain | 1 | ifemawkujj4gp33ejzdq3did.onion |
|
| Details | File | 15 | -readme.txt |
|
| Details | File | 122 | psexec.exe |
|
| Details | File | 3 | fchelper64.exe |
|
| Details | File | 1 | nslsvice.exe |
|
| Details | File | 57 | agntsvc.exe |
|
| Details | File | 193 | ntuser.dat |
|
| Details | File | 90 | bootfont.bin |
|
| Details | File | 1 | hw_profile.doc |
|
| Details | File | 13 | slui.exe |
|
| Details | File | 34 | eventvwr.exe |
|
| Details | File | 12 | c:\windows\system32\vssadmin.exe |
|
| Details | File | 52 | infopath.exe |
|
| Details | File | 1260 | explorer.exe |
|
| Details | File | 1 | ignore.ps |
|
| Details | File | 11 | fmon.exe |
|
| Details | File | 1 | fcaptmon.exe |
|
| Details | File | 533 | ntdll.dll |
|
| Details | File | 1 | eadme.txt |
|
| Details | File | 1 | chacha.py |
|
| Details | File | 8 | decrypt.exe |
|
| Details | File | 1 | nservice.exe |
|
| Details | File | 29 | ntrtscan.exe |
|
| Details | File | 1 | jetty.exe |
|
| Details | File | 20 | wrsa.exe |
|
| Details | File | 5 | store.exe |
|
| Details | File | 55 | sqbcoreservice.exe |
|
| Details | File | 63 | thunderbird.exe |
|
| Details | File | 57 | ocssd.exe |
|
| Details | File | 57 | encsvc.exe |
|
| Details | File | 199 | excel.exe |
|
| Details | File | 57 | synctime.exe |
|
| Details | File | 102 | mspub.exe |
|
| Details | File | 57 | ocautoupds.exe |
|
| Details | File | 58 | thebat.exe |
|
| Details | File | 58 | dbeng50.exe |
|
| Details | File | 60 | mydesktopservice.exe |
|
| Details | File | 74 | onenote.exe |
|
| Details | File | 173 | outlook.exe |
|
| Details | File | 92 | powerpnt.exe |
|
| Details | File | 91 | msaccess.exe |
|
| Details | File | 55 | tbirdconfig.exe |
|
| Details | File | 90 | wordpad.exe |
|
| Details | File | 57 | ocomm.exe |
|
| Details | File | 61 | dbsnmp.exe |
|
| Details | File | 35 | thebat64.exe |
|
| Details | File | 323 | winword.exe |
|
| Details | File | 67 | oracle.exe |
|
| Details | File | 56 | xfssvccon.exe |
|
| Details | File | 41 | firefoxconfig.exe |
|
| Details | File | 86 | visio.exe |
|
| Details | File | 57 | mydesktopqos.exe |
|
| Details | File | 101 | iconcache.db |
|
| Details | File | 66 | ntuser.ini |
|
| Details | File | 28 | usrclass.dat |
|
| Details | File | 120 | boot.ini |
|
| Details | File | 196 | desktop.ini |
|
| Details | File | 243 | autorun.inf |
|
| Details | File | 143 | thumbs.db |
|
| Details | File | 99 | bootsect.bak |
|
| Details | sha1 | 1 | c6d2b35ffc91e09f50dfb214ea58237509329d6b |
|
| Details | MITRE ATT&CK Techniques | 695 | T1059 |
|
| Details | MITRE ATT&CK Techniques | 116 | T1134 |
|
| Details | MITRE ATT&CK Techniques | 29 | T1088 |
|
| Details | MITRE ATT&CK Techniques | 585 | T1083 |
|
| Details | MITRE ATT&CK Techniques | 176 | T1135 |
|
| Details | MITRE ATT&CK Techniques | 472 | T1486 |
|
| Details | Url | 1 | https://github.com/mirror/reactos/blob/c6d2b35ffc91e09f50dfb214ea58237509329d6b/reactos/ntoskrnl/ps/query.c#l793 |
|
| Details | Url | 27 | https://torproject.org |
|
| Details | Url | 1 | https://www.seanet.com/~bugbee/crypto/chacha/chacha.py |
|
| Details | Windows Registry Key | 1 | HKCU\Software\Classes\exefile\shell\command\open |
|
| Details | Windows Registry Key | 1 | HKCU\Software\Classes\mscfile\shell\command\open |
|
| Details | Windows Registry Key | 16 | HKLM\Software |
|
| Details | Windows Registry Key | 36 | HKCU\Software |
|
| Details | Yara rule | 1 | rule CrowdStrike_CSIT_20081_01 : circus_spider netwalker ransomware {
meta:
copyright = "(c) 2020 CrowdStrike Inc."
description = "Detects the NetWalker ransomware"
reports = "CSIT-20081"
version = "202004281747"
last_modified = "2020-04-28"
malware_family = "NetWalker"
strings:
$salsaconst = "expand 32-byte kexpand 16-byte k"
$ins_getapi = { 55 8B EC A1 ?? ?? ?? ?? 5D C3 }
$ins_crc32 = { 25 20 83 B8 ED 33 D0 }
$ins_push1337 = { 68 39 05 00 00 68 69 7A 00 00 }
$ins_rc4 = { 8B 45 ( E? | F? ) 83 C0 01 33 D2 B9 00 01 00 00 F7 F1 89 55 }
$ins_c25519 = { 6A 00 68 41 DB 01 00 }
condition:
3 of them
} |