CUBA Ransomware Campaign Analysis — Elastic Security Labs
Tags
Common Information
Type | Value |
---|---|
UUID | 87c1f3a4-8b8e-4d1f-90fa-15977d7d2fc8 |
Fingerprint | b72694933ba5964f |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Sept. 8, 2022, midnight |
Added to db | Nov. 20, 2023, 12:58 a.m. |
Last updated | Nov. 17, 2024, 10:40 p.m. |
Headline | CUBA Ransomware Campaign Analysis |
Title | CUBA Ransomware Campaign Analysis — Elastic Security Labs |
Detected Hints/Tags/Attributes | 134/4/85 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis |
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 306 | ✔ | Elastic Security Labs | https://www.elastic.co/security-labs/rss/feed.xml | 2024-08-30 22:08 |
Attributes (automatically extracted; a high #Events count — e.g. cmd.exe, svchost.exe, powershell.exe, 8.8.8.8 — means the value recurs across many reports and is not by itself a campaign-specific indicator)
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 1 | scams.in |
|
Details | Domain | 1 | mvnetworking.com |
|
Details | Domain | 1 | bluetechsupply.com |
|
Details | Domain | 911 | any.run |
|
Details | File | 8 | c:\windows\system32\inetsrv\w3wp.exe |
|
Details | File | 1 | c:\program files\microsoft\exchange server\v15\bin\genericapppoolconfigwithgcserverenabledfalse.config |
|
Details | File | 1 | c:\inetpub\temp\apppools\msexchangeowaapppool\msexchangeowaapppool.config |
|
Details | File | 128 | w3wp.exe |
|
Details | File | 1018 | rundll32.exe |
|
Details | File | 2 | add2.exe |
|
Details | File | 7 | ad.exe |
|
Details | File | 2 | add.dll |
|
Details | File | 3 | ra.exe |
|
Details | File | 1 | artifacts.sys |
|
Details | File | 1122 | svchost.exe |
|
Details | File | 1 | c:\users\mysql\downloads\94-79.dll |
|
Details | File | 1 | dhl.jpg |
|
Details | File | 1 | temp.png |
|
Details | File | 1 | c:\users\mysql\downloads\14931s.dll |
|
Details | File | 4 | agent32.bin |
|
Details | File | 1 | agsyst82.ps1 |
|
Details | File | 2 | komar.ps1 |
|
Details | File | 1 | cps.exe |
|
Details | File | 2 | komar2.ps1 |
|
Details | File | 1 | c:\windows\sysnative\svchost.exe |
|
Details | File | 1 | gotoassistunattendedui.exe |
|
Details | File | 11 | zero.exe |
|
Details | File | 2126 | cmd.exe |
|
Details | File | 1 | d478.dll |
|
Details | File | 1 | d478.bat |
|
Details | File | 4 | defendercontrol.exe |
|
Details | File | 1208 | powershell.exe |
|
Details | File | 2 | temp%u.ps1 |
|
Details | File | 2 | ransomware.cub |
|
Details | File | 1 | 94-79.dll |
|
Details | File | 1 | 14931s.dll |
|
Details | File | 16 | defender.exe |
|
Details | File | 50 | a.exe |
|
Details | File | 4 | anet.exe |
|
Details | sha256 | 2 | b495456a2239f3ba48e43ef295d6c00066473d6a7991051e1705a48746e8051f |
|
Details | sha256 | 3 | 33352a38454cfc247bc7465bf177f5f97d7fd0bd220103d4422c8ec45b4d3d0e |
|
Details | sha256 | 1 | 43f7d739f00c2fdc67f7ab6b976565a323a181fb6570ac3d261dff197f820165 |
|
Details | sha256 | 1 | 728994be6b928de3d1c7b49ca1c79db8656c1cf4b95a1e508a6be48c6ab407da |
|
Details | sha256 | 1 | c24d7a93d6a5c33e673e6b0fd171701c4646e67cf2328f41739ef9b50302a02e |
|
Details | sha256 | 1 | 62f1fbb6f151bcc67fe68e06031af00bc87ae7e4d9d0a6a60a31d140def09365 |
|
Details | sha256 | 1 | 5669f6a48dac80717fa5770fa3be6c18022a7633b996ccf0df6b468994085378 |
|
Details | sha256 | 1 | 9c71b67411b1432931b4b135dc945f6f7f9da3c295a7449f3ab8dcb56681fa70 |
|
Details | sha256 | 1 | e35632770a23d8e006e149b038c2ccf576c2da0998d830bbc7d7614dc5c22db5 |
|
Details | sha256 | 1 | 17edf458f7b8baae5ddef725e255d3a7bb6c960830503556f157655308895128 |
|
Details | sha256 | 1 | 2e6fffad384cd6ce93cc1cde97911063e640c1953dac0507cd5f5b4b3d21bb69 |
|
Details | sha256 | 5 | 3a8b7c1fe9bd9451c0a51e4122605efc98e7e4e13ed117139a13e4749e211ed0 |
|
Details | sha256 | 1 | cdf2b3fbff2649a119051c63904476e70262bde2f6a9a7da8b7db13cbf257851 |
|
Details | sha256 | 1 | ce3a6224dae98fdaa712cfa6495cb72349f333133dbfb339c9e90699cbe4e8e4 |
|
Details | sha256 | 4 | 0f385cc69a93abeaf84994e7887cb173e889d309a515b55b2205805bdfe468a3 |
|
Details | sha256 | 1 | b16e0d27e6fa24d3fe7c9ed9167474fbc1cde13ce047878bbd16548cfdf45be3 |
|
Details | IPv4 | 295 | 8.8.8.8 |
|
Details | IPv4 | 2 | 159.203.70.39 |
|
Details | IPv4 | 1 | 208.76.253.84 |
|
Details | IPv4 | 2 | 108.170.31.115 |
|
Details | IPv4 | 2 | 104.217.8.100 |
|
Details | IPv4 | 18 | 193.23.244.244 |
|
Details | IPv4 | 11 | 86.59.21.38 |
|
Details | IPv4 | 6 | 199.58.81.140 |
|
Details | IPv4 | 3 | 204.13.164.118 |
|
Details | IPv4 | 9 | 194.109.206.212 |
|
Details | IPv4 | 6 | 131.188.40.189 |
|
Details | IPv4 | 5 | 154.35.175.225 |
|
Details | IPv4 | 11 | 171.25.193.9 |
|
Details | IPv4 | 3 | 128.31.0.34 |
|
Details | IPv4 | 14 | 128.31.0.39 |
|
Details | IPv4 | 4 | 64.235.39.82 |
|
Details | IPv4 | 2 | 38.108.119.121 |
|
Details | IPv4 | 6 | 144.172.83.13 |
|
Details | IPv4 | 2 | 217.79.243.148 |
|
Details | IPv4 | 6 | 149.255.35.131 |
|
Details | Mandiant Temporary Group Assumption | 1 | TEMP.PNG (likely a misclassification of the file name temp.png listed above, not a Mandiant TEMP group) |
|
Details | Mandiant Uncategorized Groups | 28 | UNC2596 |
|
Details | Pdb | 1 | adduser.pdb |
|
Details | Pdb | 1 | cmddll.pdb |
|
Details | Pdb | 1 | f:\source\mosquito\agent\x64\release\agent.pdb |
|
Details | Url | 1 | http://208.76.253.84 |
|
Details | Url | 1 | http://108.170.31.115/add.dll |
|
Details | Url | 1 | http://64.235.39.82/agent32.bin |
|
Details | Yara rule | 1 | rule Windows_Trojan_Bughatch { meta: author = "Elastic Security" creation_date = "2022-05-09" last_modified = "2022-05-09" os = "Windows" arch = "x86" category_type = "Trojan" family = "Bughatch" threat_name = "Windows.Trojan.Bughatch" reference_sample = "b495456a2239f3ba48e43ef295d6c00066473d6a7991051e1705a48746e8051f" strings: $a1 = { 8B 45 ?? 33 D2 B9 A7 00 00 00 F7 F1 85 D2 75 ?? B8 01 00 00 00 EB 33 C0 } $a2 = { 8B 45 ?? 0F B7 48 04 81 F9 64 86 00 00 75 3B 8B 55 ?? 0F B7 42 16 25 00 20 00 00 ?? ?? B8 06 00 00 00 EB ?? } $b1 = { 69 4D 10 FD 43 03 00 81 C1 C3 9E 26 00 89 4D 10 8B 55 FC 8B 45 F8 0F B7 0C 50 8B 55 10 C1 EA 10 81 E2 FF FF 00 00 33 CA 8B 45 FC 8B 55 F8 66 89 0C 42 } $c1 = "-windowstyle hidden -executionpolicy bypass -file" $c2 = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShell.exe" $c3 = "ReflectiveLoader" $c4 = "\\Sysnative\\" $c5 = "TEMP%u.CMD" $c6 = "TEMP%u.PS1" $c7 = "\\TEMP%d.%s" $c8 = "NtSetContextThread" $c9 = "NtResumeThread" condition: ($a1 or $a2 or $b1) or 6 of ($c*) } |
|
Details | Yara rule | 2 | rule Windows_Ransomware_Cuba { meta: os = "Windows" arch = "x86" category_type = "Ransomware" family = "Cuba" threat_name = "Windows.Ransomware.Cuba" Reference_sample = "33352a38454cfc247bc7465bf177f5f97d7fd0bd220103d4422c8ec45b4d3d0e" strings: $a1 = { 45 EC 8B F9 8B 45 14 89 45 F0 8D 45 E4 50 8D 45 F8 66 0F 13 } $a2 = { 8B 06 81 38 46 49 44 45 75 ?? 81 78 04 4C 2E 43 41 74 } $b1 = "We also inform that your databases, ftp server and file server were downloaded by us to our servers." ascii fullword $b2 = "Good day. All your files are encrypted. For decryption contact us." ascii fullword $b3 = ".cuba" wide fullword condition: any of ($a*) or all of ($b*) } |