DJVU: The Ransomware That Seems Strangely Familiar…
Common Information
Type Value
UUID b235797e-aba6-4127-880c-ed159ca0a4e0
Fingerprint ad240d1925bb86c1
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 29, 2022, 1:01 a.m.
Added to db Dec. 15, 2022, 10:44 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline DJVU: The Ransomware That Seems Strangely Familiar…
Title DJVU: The Ransomware That Seems Strangely Familiar…
Detected Hints/Tags/Attributes 93/4/43
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 56 Latest Articles - BlackBerry Blogs https://blogs.blackberry.com/en/feed.rss 2024-08-30 22:08
Attributes (auto-extracted from the article; the list mixes genuine indicators with benign or incidental artefacts — www.apache.org and www.blackberry.com come from the license and contact links, ntuser.dat/ntuser.dat.log are ordinary Windows files, airmail.cc and bestyourmail.ch are the mail providers behind the ransom-note contact addresses, 8069076584.zip is a filename tagged as a domain, and the get.php?pid={mac entry is a truncated URL template rather than a literal URL — triage before adding anything here to a blocklist)
Details Type #Events CTI Value
Details Domain 39
api.2ip.ua
Details Domain 9
acacaca.org
Details Domain 11
rgyui.top
Details Domain 33
www.apache.org
Details Domain 1
8069076584.zip
Details Domain 1
ns1.kriston.ug
Details Domain 1
ns2.chalekin.ug
Details Domain 1
ns3.unalelath.ug
Details Domain 1
ns4.andromath.ug
Details Domain 4
bestyourmail.ch
Details Domain 84
airmail.cc
Details Domain 37
www.blackberry.com
Details Email 3
support@bestyourmail.ch
Details Email 2
datarestorehelp@airmail.cc
Details File 29
geo.json
Details File 67
get.php
Details File 3
bowsakkdestx.txt
Details File 4
c:\systemid\personalid.txt
Details File 8
personalid.txt
Details File 193
ntuser.dat
Details File 100
ntuser.dat.log
Details File 40
_readme.txt
Details File 1
5d2860c89d774.jpg
Details md5 1
53B1E5DA52C0B1B73B57A5129A43BC5D
Details sha256 1
bd5114b7fcb628ba6f8c5c5d1d47fc7bb16214581079b3cc07273618b0c41fd8
Details sha256 1
db41e055496b7eb3dfed7bc50a2afe8636c742a1d0963489569134d9e95aa1fc
Details sha256 1
5fc8f1eddeb98d127899c15663275da4a30b734e0c812ea4ca24fc99023329da
Details IPv4 1
116.202.180.202
Details MITRE ATT&CK Techniques 380
T1547.001
Details MITRE ATT&CK Techniques 472
T1486
Details MITRE ATT&CK Techniques 1006
T1082
Details MITRE ATT&CK Techniques 440
T1055
Details Pdb 2
encrypt_win_api.pdb
Details Pdb 1
c:\renobi11_senuxisecituxa\coxuzef\layesareli\mefuzazokusuf.pdb
Details Url 28
https://api.2ip.ua/geo.json
Details Url 1
https://acacaca.org/d/test1/get.php?pid={mac
Details Url 1
http://acacaca.org/test1/get.php?pid=53b1e5da52c0b1b73b57a5129a43bc5d&first=true
Details Url 6
http://rgyui.top/dl/build2.exe
Details Url 5
http://acacaca.org/files/1/build3.exe
Details Url 20
https://www.apache.org/licenses/license-2.0
Details Url 1
http://116.202.180.202/8069076584.zip
Details Url 17
https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment
Details Yara rule 1
import "pe"

// Detects the DJVU ransomware payload analysed in this article: a PE image
// (MZ header) that carries the encryptor's PDB name, its command-line switches,
// the C2 query parameters seen in the get.php URLs above, and one of three
// GUIDs used as mutex names.
// NOTE(review): the "pe" module imported above this rule is never referenced;
// the header check is done with uint16(0) instead.
rule Mal_Ransomware_Win32_DJVU_Payload {
	meta:
		description = "Detects DJVU Ransomware Payload"
		author = "BlackBerry Threat Research team"
		date = "2022-09-09"
		sha256 = "bd5114b7fcb628ba6f8c5c5d1d47fc7bb16214581079b3cc07273618b0c41fd8"
		license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
	strings:
		// Nameserver-style hostname (cf. ns1.kriston.ug … ns4.andromath.ug above).
		// ASCII, unanchored and very generic: on its own it would match almost any
		// binary embedding a DNS name, so it only carries weight inside "all of".
		$a_nameserver_regex = /ns[0-9]?\.[a-z0-9]+\.[a-z]+/
		// icacls-style deny ACE (UTF-16). S-1-1-0 is the well-known "Everyone" SID;
		// the DE,DC rights correspond to delete / delete-child.
		$a_deny_perm = "/deny *S-1-1-0:(OI)(CI)(DE,DC)" wide
		// Build artefact: PDB file name also listed under the page's Pdb attributes.
		$a_pdb = "encrypt_win_api.pdb"
		// Command-line switches and run-mode markers (UTF-16); the identifiers
		// suggest privilege / autostart / scheduled-task execution paths.
		$a_arg1 = "--Admin" wide
		$a_arg2 = "--AutoStart" wide
		$a_arg3 = "IsAutoStart" wide
		$a_arg4 = "IsNotAutoStart" wide
		$a_arg5 = "IsTask" wide
		// Image name embedded in the sample (also listed under File above).
		$a_jpg = "5d2860c89d774.jpg" wide
		// ASCII JSON key fragment; presumably parsed from the api.2ip.ua/geo.json
		// response listed above (geo-fencing check) — confirm against the analysis.
		$a_country_check = "country_code\":"
		// C2 query parameters matching the get.php URLs above (?pid=...&first=true).
		$a_c2_pid = "?pid=" wide
		$a_c2_first = "&first=" wide
		// Per the identifier, a scheduled-task name used for persistence (UTF-16).
		$a_scheduled_task = "Time Trigger Task" wide
		// Generic User-Agent fragment; weak on its own, meaningful only in combination.
		$a_user_agent = "Microsoft Internet Explorer" wide
		// GUIDs the identifiers mark as mutex names; at least one must be present.
		$mutex1 = "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}"
		$mutex2 = "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}"
		$mutex3 = "{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}"
	condition:
		// MZ header, every $a_* string, and at least one mutex GUID. "all of"
		// keeps false positives low but means a variant that changes any single
		// $a_* string (e.g. the JPG name or task name) will not match.
		uint16(0) == 0x5a4d and all of ($a*) and 1 of ($mutex*)
}