T4-24-01-S-E-M
Ransomware (CryptoWire)
The ransomware is written in the AutoIt 3 scripting language. Its source was published on GitHub and has since been removed. When executed, the malware encrypts only files in subdirectories under the user's home directory. It is also notable that the decryption key is embedded in the program itself, which makes the key easy to recover, and each encrypted file is renamed by appending the extension .encrypted.
The sample is characterized by the following:
1. the decryption key is embedded in the file
2. it uses the AES-256 cipher algorithm
3. it encrypts only files in subdirectories of the user's home directory
|          | OS                | IP        | Software | Log collection time | Program runtime |
|----------|-------------------|-----------|----------|---------------------|-----------------|
| Attacker | -                 | -         | -        | 133 sec             | 200 sec         |
| Victim   | Windows 10 (21H1) | 10.0.2.15 | -        |                     |                 |
Installing:
    python3 -m pip install -r requirements.txt
Using:
    python3 run.py
MITRE ATT&CK Framework
Attack Tactic
Reconnaissance
Resource Development
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Logs
./log/2024_01_T4_{time}.evtx # YYmmdd_HHMMSS
References
[1] Ahnlab ASEC, "CryptoWire with Decryption Key Included"
[2] VirusTotal, sample bcf4ad8687af0d79971e5f73ab152b7732bf3540726f71654da87f36e54cff6f
[3] GitHub, "CryptoWire Open Source"
Copyright (C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.