TAU Threat Intelligence Notification: Djvuu Ransomware


Summary

Djvuu ransomware is believed to be a newer variant of the “Stop” ransomware strain, which was seen circulating in early 2018. There are also similarities to the Goren-B trojan originally reported by Sophos in 2016. Djvuu is likely delivered through phishing e-mail campaigns such as Emotet, as e-mail attachments or malicious links. When the dropped file is executed, the following files are written to this folder:

C:\Users\<logged_in_user>\AppData\Local\Temp\_ir_sf_temp_1

IRIMG1.jpg – background image that appears to be benign

IRIMG2.jpg – background image that appears to be benign

irsetup.exe – IOC included at the end of this document

Lua5.1.dll – Lua language interpreter that appears to be benign

irsetup.exe is packed with UPX, a commonly used packer. Once the selected files have been encrypted on disk, a window appears in the foreground requesting login credentials for The Pirate Bay.

This page is requested via a bit.ly address. A VPS, as well as an account with The Pirate Bay, is required in order to proceed, although it is unconfirmed at this stage whether there is any official ransom note or method to pay the ransom after proceeding.

This post serves to inform our customers about detection and protection capabilities within the Carbon Black suite of products against Djvuu ransomware.

Indicators of Compromise (IOCs)

Indicator                                                          Type    Context
ec6572e9f926eba338a797f8b9c9cc86757194a21f211968a9ddf7292861a284   SHA256  Dropper
b94f48d5b3bfdb9efe07baaa308e81b7                                   MD5     Dropper
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9   SHA256  irsetup.exe
dec931e86140139380ea0df57cd132b6                                   MD5     irsetup.exe
93205d5c2bc29df0a842c0dcaaf4aa83b211f5e2bc2a62fc9abb77dfdf56b8f6   SHA256  timy.exe
7576b8677975261fbb1e799d0231ec01                                   MD5     timy.exe
72dc8e03ce5e50e4819f9c865b382a54ef9b7796e3f3fd7f8c70dd8b1b65e675   SHA256  dsetup.exe
b69660b8a37fafa6d0b4e440d54c55d2                                   MD5     dsetup.exe
eef6d90fcf9171fc7082955b59ce11622b1aacb21db85c5cf048a8630eb02dee   SHA256  locgunderson.exe
87d08cde433ec5658e953cd1f23f5e0b                                   MD5     locgunderson.exe
958d41aaf09f73024159d02047aa9df1da7e7961ca3bb4d18239fd86cac9c438   SHA256  codecfixit.exe
9a26d46ea779d1e030a2edb1ad922380                                   MD5     codecfixit.exe
f621d94346ee49a9a01a646592a507515411daafc2b94210aa7627206bc6a23c   SHA256  xvid.exe
c4359c286db44be708a92dc64ab74151                                   MD5     xvid.exe
e84fda0acf8caa36700b08e685865a4d813422cbd58255c84a0489dfa8699a77   SHA256  stunggh.exe
6d945a0448f4a57cc5a19fcf3e2e9237                                   MD5     stunggh.exe
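The hashes above and the drop folder described in the summary can be turned directly into a triage check. The script below is an added example, not Carbon Black's code: it hashes every file under a directory tree, matches MD5 and SHA256 values against the IOC list, and separately flags the `Temp\_ir_sf_temp_<n>` folder when it contains the dropped file names, so a host is still flagged if a repacked sample changes the hashes. The `demo()` function builds a constructed directory with a stand-in `irsetup.exe` (not the real sample) to show the path-based match.

```python
"""Triage helper for the Djvuu IOCs in this notification.

Added example, not the vendor's code. Hash values are the ones published
above (lowercased); the directory tree built by demo() is constructed.
"""
import hashlib
import os
import re
import tempfile

# IOC hashes from the notification, keyed by hash, value = context column.
IOCS = {
    "ec6572e9f926eba338a797f8b9c9cc86757194a21f211968a9ddf7292861a284": "Dropper",
    "b94f48d5b3bfdb9efe07baaa308e81b7": "Dropper",
    "5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9": "irsetup.exe",
    "dec931e86140139380ea0df57cd132b6": "irsetup.exe",
    "93205d5c2bc29df0a842c0dcaaf4aa83b211f5e2bc2a62fc9abb77dfdf56b8f6": "timy.exe",
    "7576b8677975261fbb1e799d0231ec01": "timy.exe",
    "72dc8e03ce5e50e4819f9c865b382a54ef9b7796e3f3fd7f8c70dd8b1b65e675": "dsetup.exe",
    "b69660b8a37fafa6d0b4e440d54c55d2": "dsetup.exe",
    "eef6d90fcf9171fc7082955b59ce11622b1aacb21db85c5cf048a8630eb02dee": "locgunderson.exe",
    "87d08cde433ec5658e953cd1f23f5e0b": "locgunderson.exe",
    "958d41aaf09f73024159d02047aa9df1da7e7961ca3bb4d18239fd86cac9c438": "codecfixit.exe",
    "9a26d46ea779d1e030a2edb1ad922380": "codecfixit.exe",
    "f621d94346ee49a9a01a646592a507515411daafc2b94210aa7627206bc6a23c": "xvid.exe",
    "c4359c286db44be708a92dc64ab74151": "xvid.exe",
    "e84fda0acf8caa36700b08e685865a4d813422cbd58255c84a0489dfa8699a77": "stunggh.exe",
    "6d945a0448f4a57cc5a19fcf3e2e9237": "stunggh.exe",
}

# Drop folder from the summary: ...\AppData\Local\Temp\_ir_sf_temp_<n>
# Accepts either separator so the check also works on mounted images.
DROP_DIR_RE = re.compile(
    r"[\\/]AppData[\\/]Local[\\/]Temp[\\/]_ir_sf_temp_\d+$", re.IGNORECASE)
# File names the summary says are written into that folder.
DROPPED_NAMES = {"irimg1.jpg", "irimg2.jpg", "irsetup.exe", "lua5.1.dll"}


def hash_type(h):
    """Infer the hash algorithm from hex length (32 = MD5, 64 = SHA256)."""
    return {32: "MD5", 64: "SHA256"}.get(len(h))


def lookup_hash(h):
    """Return (type, context) for a known IOC hash, or None; case-insensitive."""
    h = h.strip().lower()
    ctx = IOCS.get(h)
    return (hash_type(h), ctx) if ctx else None


def file_hashes(path):
    """Compute MD5 and SHA256 of a file in one pass, chunked for large files."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def is_drop_dir(path):
    """True if path ends in the _ir_sf_temp_<n> folder under Temp."""
    return DROP_DIR_RE.search(path.rstrip("\\/")) is not None


def scan_dir(root):
    """Walk root and return (path, reason) findings from hash and path checks."""
    findings = []
    for dirpath, _, names in os.walk(root):
        dir_hit = is_drop_dir(dirpath)
        for name in names:
            p = os.path.join(dirpath, name)
            md5, sha = file_hashes(p)
            for h in (md5, sha):
                if h in IOCS:
                    findings.append((p, "hash match: " + IOCS[h]))
                    break
            else:
                # No hash hit: still flag known drop names in the drop folder.
                if dir_hit and name.lower() in DROPPED_NAMES:
                    findings.append((p, "drop folder contains " + name))
    return findings


def demo():
    """Build a constructed tree (stand-in files, not real samples) and scan it."""
    base = tempfile.mkdtemp()
    drop = os.path.join(base, "AppData", "Local", "Temp", "_ir_sf_temp_1")
    os.makedirs(drop)
    with open(os.path.join(drop, "irsetup.exe"), "wb") as f:
        f.write(b"constructed stand-in, not the real sample")
    with open(os.path.join(base, "notes.txt"), "wb") as f:
        f.write(b"benign file outside the drop folder")
    return scan_dir(base)


if __name__ == "__main__":
    for path, reason in demo():
        print(reason, "->", path)
```

Point `scan_dir()` at a user profile (or a mounted disk image) to run it for real; a hash match identifies one of the listed samples exactly, while a drop-folder match is a weaker signal worth confirming with the hashes in the table.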

If you are a Carbon Black customer and looking for more information on how CB products defend against this attack, click here. 

The post TAU Threat Intelligence Notification: Djvuu Ransomware appeared first on Carbon Black.

About Carbon Black, Inc.
Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.
