  • T4-24-01-S-E-M
  • Ransomware (CryptoWire)

    The ransomware is written in the AutoIt 3 scripting language. Its source code was open-sourced on GitHub, though the source files have since been removed. When executed, the malware encrypts only files in subdirectories beneath the user's home directory. It is also notable for carrying the decryption key inside the program itself, which makes the key easy to recover, and it appends the .encrypted extension to every file it encrypts.
    The sample is characterized by:

    1. the decryption key is embedded in the file
    2. it uses the AES-256 cipher
    3. it encrypts only files under subdirectories of the user's home directory
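    The file-impact behaviour described above (rename to .encrypted, scoped to subdirectories of the user's home) is the part a defender can alert on. The following is an added example, not part of this dataset or the CryptoWire code: a sliding-window detector over constructed, Sysmon-like rename records (timestamp, old path, new path), which assumes the extension is appended to the original file name; the victim profile name and paths are constructed.

```python
"""Flag a burst of renames to the .encrypted extension under a user's home
subdirectories, the file-impact pattern this page describes for CryptoWire."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".encrypted"  # extension the sample appends (from the page)


def is_under_home_subdir(path, home):
    """True if path lies inside a subdirectory of home, not in the home root
    itself, matching the sample's described encryption scope."""
    try:
        rel = PureWindowsPath(path.lower()).relative_to(PureWindowsPath(home.lower()))
    except ValueError:  # path is not beneath home at all
        return False
    return len(rel.parts) > 1  # at least one directory component, then the file


def detect_encrypt_burst(events, home, threshold=5, window=timedelta(seconds=60)):
    """events: (timestamp, old_path, new_path) rename records (constructed shape,
    not the dataset's .evtx format). Reports the largest number of qualifying
    renames inside one sliding window and whether it reached the threshold."""
    hits = sorted(t for t, _old, new in events
                  if new.lower().endswith(ENCRYPTED_EXT)
                  and is_under_home_subdir(new, home))
    best = best_start = start = 0
    for end in range(len(hits)):
        while hits[end] - hits[start] > window:  # slide the window forward
            start += 1
        if end - start + 1 > best:
            best, best_start = end - start + 1, start
    if best >= threshold:
        return {"alert": True, "count": best,
                "first": hits[best_start], "last": hits[best_start + best - 1]}
    return {"alert": False, "count": best, "first": None, "last": None}


def sample_events():
    """Constructed sample rename events for a hypothetical victim profile."""
    t0 = datetime(2024, 1, 15, 10, 0, 0)
    home = r"C:\Users\victim"
    victims = [(0, r"\Documents\report.docx"), (3, r"\Documents\budget.xlsx"),
               (5, r"\Pictures\holiday.jpg"), (9, r"\Desktop\notes.txt"),
               (12, r"\Documents\thesis\chapter1.pdf"), (14, r"\Music\song.mp3")]
    events = [(t0 + timedelta(seconds=s), home + p, home + p + ENCRYPTED_EXT)
              for s, p in victims]
    # A benign rename and a file in the home root: neither should count
    events.append((t0 + timedelta(seconds=20), home + r"\Documents\draft.txt",
                   home + r"\Documents\final.txt"))
    events.append((t0 + timedelta(seconds=21), home + r"\ntuser.dat",
                   home + r"\ntuser.dat" + ENCRYPTED_EXT))
    return home, events
```

    Running `detect_encrypt_burst(*reversed(sample_events()))` on the constructed events yields an alert with six qualifying renames inside the 60-second window; the benign rename and the home-root file are ignored.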

  • Role     | OS                | IP        | Software | Log collection time | Program runtime
    Attacker | -                 | -         | -        | 133 sec             | 200 sec
    Victim   | Windows 10 (21H1) | 10.0.2.15 | -        |                     |

  • Installation
  • python3 -m pip install -r requirements.txt

  • Usage
  • python3 run.py

  • MITRE ATT&CK Framework
  • Attack Tactic
    Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion,
    Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

  • Logs
  • ./log/2024_01_T4_{time}.evtx # YYmmdd_HHMMSS


  • References
  • [1] AhnLab ASEC: CryptoWire with Decryption Key Included
    [2] VirusTotal: bcf4ad8687af0d79971e5f73ab152b7732bf3540726f71654da87f36e54cff6f
    [3] GitHub: CryptoWire Open Source
  • Copyright (C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.