CUBA Ransomware Malware Analysis — Elastic Security Labs
Tags
Common Information
| Type | Value |
|---|---|
| UUID | 56db8264-d4cf-4c0b-bdd9-4607b94bee6f |
| Fingerprint | af042071e6bfa693 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Feb. 14, 2023, midnight |
| Added to db | Nov. 20, 2023, 12:58 a.m. |
| Last updated | Nov. 17, 2024, 6:54 p.m. |
| Headline | CUBA Ransomware Malware Analysis |
| Title | CUBA Ransomware Malware Analysis — Elastic Security Labs |
| Detected Hints/Tags/Attributes | 62/3/37 |
Source URLs
| Redirection | Url |
|---|---|
| Source | https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis |
URL Provider
RSS Feed
| Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|
| 306 | ✔ | Elastic Security Labs | https://www.elastic.co/security-labs/rss/feed.xml | 2024-08-30 22:08 |
Attributes
| Type | #Events | CTI | Value |
|---|---|---|---|
| Domain | 144 | | cock.li |
| Domain | 4 | | encryption-support.com |
| Domain | 34 | | exploit.im |
| Domain | 2 | | cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion |
| Domain | 4 | | fidel.ca |
| Domain | 5 | | microsoft.exchange.store |
| | 1 | | waterstatus@cock.li |
| | 4 | | admin@encryption-support.com |
| | 7 | | cuba_support@exploit.im |
| File | 1 | | c:\system32\cmd.exe |
| File | 1 | | block.pub |
| File | 58 | | sqlagent.exe |
| File | 119 | | sqlservr.exe |
| File | 66 | | sqlwriter.exe |
| File | 12 | | sqlceip.exe |
| File | 55 | | msdtc.exe |
| File | 62 | | sqlbrowser.exe |
| File | 15 | | vmwp.exe |
| File | 7 | | vmsp.exe |
| File | 173 | | outlook.exe |
| File | 10 | | worker.exe |
| File | 351 | | recycle.bin |
| File | 2 | | ransomware.cub |
| Url | 1 | | http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion |
| Yara rule | 2 | | Windows_Ransomware_Cuba (rule text below) |

```yara
rule Windows_Ransomware_Cuba {
    meta:
        os = "Windows"
        arch = "x86"
        category_type = "Ransomware"
        family = "Cuba"
        threat_name = "Windows.Ransomware.Cuba"
        Reference_sample = "33352a38454cfc247bc7465bf177f5f97d7fd0bd220103d4422c8ec45b4d3d0e"
    strings:
        $a1 = { 45 EC 8B F9 8B 45 14 89 45 F0 8D 45 E4 50 8D 45 F8 66 0F 13 }
        $a2 = { 8B 06 81 38 46 49 44 45 75 ?? 81 78 04 4C 2E 43 41 74 }
        $b1 = "We also inform that your databases, ftp server and file server were downloaded by us to our servers." ascii fullword
        $b2 = "Good day. All your files are encrypted. For decryption contact us." ascii fullword
        $b3 = ".cuba" wide fullword
    condition:
        any of ($a*) or all of ($b*)
}
```