Good Day Ransomware analysis — ShadowStackRE
Tags
Common Information
Type | Value |
---|---|
UUID | 920dd665-ce91-4273-97fb-b8a4b7209f3e |
Fingerprint | a7105652250c8654 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Oct. 12, 2024, midnight |
Added to db | Aug. 31, 2024, 10:57 a.m. |
Last updated | Nov. 17, 2024, 6:56 p.m. |
Headline | Good Day Ransomware |
Title | Good Day Ransomware analysis — ShadowStackRE |
Detected Hints/Tags/Attributes | 68/1/46 |
Source URLs
Details | Redirection | Url |
---|---|---|
Details | Source | https://www.shadowstackre.com/analysis/goodday |
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 434 | ✔ | ShadowStackRE | https://www.shadowstackre.com/analysis?format=rss | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 144 | | cock.li |
Details | Domain | 622 | | en.wikipedia.org |
Details | Domain | 8 | | gdpr-info.eu |
Details | Domain | 59 | | torproject.org |
Details | Domain | 10 | | shadowstackre.com |
Details | Domain | 18 | | opensource.org |
Details | | 2 | | miklymakly555@cock.li |
Details | File | 2125 | | cmd.exe |
Details | File | 1 | | snd.exe |
Details | File | 3 | | s-ice.exe |
Details | File | 11 | | immunitydebugger.exe |
Details | File | 23 | | x64dbg.exe |
Details | File | 28 | | x32dbg.exe |
Details | File | 40 | | ollydbg.exe |
Details | File | 35 | | windbg.exe |
Details | File | 8 | | cdb.exe |
Details | File | 1 | | syserx32.exe |
Details | File | 1 | | pdb2sdsx32.exe |
Details | File | 1 | | unpackx32.exe |
Details | File | 2 | | w32dsm89.exe |
Details | File | 1 | | w32dsm88.exe |
Details | File | 1 | | w32dsm87.exe |
Details | File | 1 | | readme_for_unlocks.txt |
Details | File | 351 | | recycle.bin |
Details | File | 243 | | autorun.inf |
Details | File | 90 | | bootfont.bin |
Details | File | 99 | | bootsect.bak |
Details | File | 100 | | ntuser.dat.log |
Details | File | 143 | | thumbs.db |
Details | File | 101 | | iconcache.db |
Details | File | 193 | | ntuser.dat |
Details | File | 8 | | d3d9caps.dat |
Details | File | 345 | | vssadmin.exe |
Details | File | 5 | | readme_for_unlock.txt |
Details | sha256 | 1 | | 24b1b23b046a0cd196f38ffd6d43b661fbbc2496dc7f67824f1ac16f3e90ccc1 |
Details | MITRE ATT&CK Techniques | 247 | | T1070 |
Details | MITRE ATT&CK Techniques | 52 | | T1622 |
Details | MITRE ATT&CK Techniques | 82 | | T1115 |
Details | MITRE ATT&CK Techniques | 585 | | T1083 |
Details | MITRE ATT&CK Techniques | 472 | | T1486 |
Details | MITRE ATT&CK Techniques | 276 | | T1490 |
Details | Url | 1 | | https://en.wikipedia.org/wiki/general_data_protection_regul |
Details | Url | 4 | | https://gdpr-info.eu |
Details | Url | 27 | | https://torproject.org |
Details | Url | 10 | | https://opensource.org/license/mit |
Details | Yara rule | 1 | | goodday (rule text below) |

```yara
rule goodday {
    meta:
        description = "rule to detect Goodday Ransomware"
        author = "ShadowStackRe.com"
        date = "2023-10-12"
        Rule_Version = "v1"
        malware_type = "ransomware"
        malware_family = "Gooday"
        License = "MIT License, https://opensource.org/license/mit/"
    strings:
        $strFile_A = "crYptA" ascii wide
        $strFile_B = "crYptB" ascii wide
        $strFile_C = "crYptC" ascii wide
        $strFile_D = "crYptD" ascii wide
        $strFile_E = "crYptE" ascii wide
        $strFile_F = "crYptF" ascii wide
        $strTorInfo = "Download & Install TOR browser" ascii wide
        $strReadmeNote = "readme_for_unlock.txt" ascii wide
        $strAttention = "ATTENTION" ascii wide
        $strHacked = "Your network is hacked and files are encrypted." ascii wide
    condition:
        all of them
}
```