
Rewterz Threat Alert – DJVU Ransomware – Active IOCs

December 2, 2021

Severity

Medium

Analysis Summary

DJVU was one of the most active and widespread ransomware families of 2019. Although it had existed for about a year, it was first used aggressively in campaigns that year. Continuously changing its extensions and payloads has helped it evade detection, and its encryption techniques also continue to improve. In earlier versions, where the key was not generated by its command and control servers, files were easier to recover; in current versions, decryption is more difficult. The malware has been delivered through cracked programs, keygens, activators, fake setup programs, and fake Windows updates. To avoid infecting victims in specific countries, DJVU does not rely on local information such as keyboard layouts and timezone settings, but instead uses the information returned by a request to https[:]//api.2ip.ua/geo.json. Persistence is achieved through a scheduled task. The MAC address of the Ethernet card is used as the basis of a unique identifier for the system. This identifier is sent to DJVU’s command and control server, which then returns an RSA-2048 public key to be used in the encryption. Additional malware is then downloaded and installed, including an information stealer called Vidar.

Impact

  • Information Theft
  • File Encryption

Indicators of Compromise

MD5

  • e9ec76189fe83753f401cc78d2673afc
  • a45cc1fd03563cec86abff39fcc59a29

SHA-256

  • 67397180bfba3033654bccc927eb8e79dc9c5554b847d22fa30f09df8b9aeb8e
  • ec892345779df7156691fcc7eb37deb89bb8d6d6fd925841fa1764ea93bef58f
  • 28ee1c34cd8d9f84a37db4381c590e1e74de19d9eb98e6c6c1688109e89dc200
  • 8bf487d079d75f80b88340543b6ecf8f31b25943e023fc301d09ceb147457ee7
  • 1de105a90124c9f70de3da1ca93ea48efb99132f9b898781a196a66ddd1affb8
  • 5caf23866228aed0d7c2c10950cc4d714e89a7d8fb063e77797961d26a2154d0
  • 3421bf965b4875b345bbfdcaa002a3c1791bb49192121773cfa0398a324dbbe0
  • 4db7331fd6faa3170b21d6952ec0b34108cdef920d7268b799c70d18afd80237
  • b86c8b8eec782a8a08eebcadb4cc84ee9eda2ce75f0741001d7841c748702b08
  • 28161354e5511cc684115ac350c29e83fea32f156fafa407e181a2766eb1ee0f
  • ff190583f183978af532616dc3a7bc3a23dd8633a1297e89d8d3c99633a48ae6
  • 3cd9f6d03444984e92f47045fe3b31b29d69ae4fb3e850b7a1ee8175373cb8e4

SHA-1

  • 7ed02dcbd56e3d79ef0fdd07bc87c85cec85abd8
  • d67fc87b8ad1d882bc740d3799b1089bbb7fc2c1

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.