Last active: September 27, 2018 19:26
Information : RyukRansomware
This is #RyukRansomware (uploaded here a few times before as "Unknown ransomware"). It drops either an x86 or an x64 executable depending on the OS architecture and injects code into csrss.exe, explorer.exe or lsass.exe (depending on access rights). It has a lot of debug prints inside.

Summary:
[+] Coded in C++.
[+] BTC address: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
[+] EMAIL address: WayneEvenson@protonmail.com, WayneEvenson@tutanota.com
[+] Injects code into explorer.exe, "lsaas.exe" (yes, the author mistyped it xD) and csrss.exe (CreateRemoteThread is used).
[+] Note name: RyukReadMe
[+] Drops a file to %Public% and executes it.
[+] Autorun via HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = "svchos", pointing to the running executable.
[+] Very poorly coded: contains debug code, naive code injection, a mistyped process name, and a possible system crash if code is injected into csrss.exe, because it can exit with ExitProcess. Autorun doesn't work without administrative privileges.
IMG link:
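The two behaviours above that leave host telemetry, the Run value named "svchos" pointing at a dropped file in %Public% and CreateRemoteThread into explorer.exe/lsass.exe/csrss.exe, translate directly into a triage rule. The following is an added example, not code from the gist author: it scans Sysmon-style event records (Event ID 13 registry value set, Event ID 8 CreateRemoteThread, using Sysmon's real field names) and reports matches. The event records, the dropped file name and the SID are constructed for the example, and it assumes %Public% resolves to C:\Users\Public.

```python
"""Triage Sysmon-style events for the Ryuk persistence and injection
behaviour described in the note. All event data below is constructed
for this example; it is not real telemetry."""
import re
from pathlib import PureWindowsPath

# Autorun value the note reports: HKCU\...\Run = "svchos"
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
SUSPICIOUS_RUN_VALUE = "svchos"
# Assumption: %Public% is the default C:\Users\Public
PUBLIC_DIR_RE = re.compile(r"^C:\\Users\\Public\\", re.IGNORECASE)
WINDOWS_DIR_RE = re.compile(r"^C:\\Windows\\", re.IGNORECASE)
# Processes the note says the sample injects into
INJECTION_TARGETS = {"explorer.exe", "lsass.exe", "csrss.exe"}


def check_registry_set(ev):
    """Sysmon Event ID 13 (registry value set). Returns a finding or None."""
    m = RUN_VALUE_RE.search(ev.get("TargetObject", ""))
    if not m:
        return None  # not a Run-key value
    value_name = m.group(1)
    data = ev.get("Details", "")
    reasons = []
    if value_name.lower() == SUSPICIOUS_RUN_VALUE:
        reasons.append(f"Run value name '{value_name}' matches the Ryuk autorun name")
    if PUBLIC_DIR_RE.match(data):
        reasons.append("Run value points into %Public%")
    if not reasons:
        return None
    return f"autorun: {ev.get('Image')} set {value_name} -> {data} ({'; '.join(reasons)})"


def check_remote_thread(ev):
    """Sysmon Event ID 8 (CreateRemoteThread). Returns a finding or None."""
    src = ev.get("SourceImage", "")
    dst = ev.get("TargetImage", "")
    if PureWindowsPath(dst).name.lower() not in INJECTION_TARGETS:
        return None
    # A binary under C:\Windows opening lsass/csrss is routine OS activity;
    # a binary living outside it (e.g. the %Public% drop location) is not.
    if WINDOWS_DIR_RE.match(src):
        return None
    return f"injection: {src} created a remote thread in {dst}"


CHECKERS = {13: check_registry_set, 8: check_remote_thread}


def triage(events):
    """Run the matching checker for each event; return the list of findings."""
    findings = []
    for ev in events:
        checker = CHECKERS.get(ev.get("EventID"))
        if checker is None:
            continue
        hit = checker(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample events (file name and SID are placeholders).
SID = r"HKU\S-1-5-21-0000000000-0000000000-0000000000-1001"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\Public\dropped_sample.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\svchos",
     "Details": r"C:\Users\Public\dropped_sample.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\dropped_sample.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Of the five constructed events only the "svchos" Run value and the %Public% binary injecting into explorer.exe are reported; the OneDrive autorun, the csrss-to-lsass thread and the process-create event are passed over. The value-name match is deliberately kept separate from the %Public% path match so that a renamed value still fires on the drop location, and vice versa.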