Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity: High
The file RAND_NAME.exe is an updated version (V.2) of the MegaCortex ransomware. Like version 1 (V.1), this new version (V.2) of MegaCortex is compiled with Microsoft Visual C++ and uses the mbedcrypto library for its file encryption routines. RAND_NAME.exe is digitally signed with a valid signature from ABADAN PIZZA LTD and acts as a loader for a module named payload.dll, which is embedded in encrypted form within its body. The DLL module has two export functions, “start” and “ss2”, which the MegaCortex loader uses to carry out its ransomware functionality.
Analysis
RAND_NAME.exe Loader Functionality
Similar to version 1, this new version of MegaCortex (V.2) is also compiled using Microsoft Visual C++ and uses mbedcrypto to carry out its file encryption algorithms. The MegaCortex loader binary RAND_NAME.exe is also observed to be digitally signed with a valid signature from ABADAN PIZZA LTD.
The MegaCortex binary RAND_NAME.exe acts as a loader to an embedded module named payload.dll, whose name is derived from its export table. The module payload.dll is found encrypted and embedded within the body of RAND_NAME.exe.
The code in payload.dll’s “start” export first checks whether the process is running with administrator privilege; if not, it invokes ShellExecuteExA with the “runas” verb to obtain the required privileges. Next, it disables file system redirection for the current thread and adjusts the current process’s token privileges to enable SeDebugPrivilege in preparation for DLL injection.
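The SeDebugPrivilege enablement described above is one of the few steps in this sequence that leaves a host-side audit trail: when privilege auditing is on, Windows records it as Security Event ID 4703 (“A user right was adjusted”) with an “Enabled Privileges” field. The following is an added detection example written for this advisory, not Rewterz code or part of the MegaCortex analysis; the pipe-delimited record layout, the sample events and the allow-list of legitimate debuggers are all constructed or hypothetical and would be replaced by a defender’s own SIEM schema and baseline.

```python
"""Flag processes that enable SeDebugPrivilege (Windows Security Event ID 4703).

Added detection example for this advisory; not Rewterz code. Event ID 4703 and
its "Enabled Privileges" field are real, but the one-line record format below,
the sample events and the allow-list are constructed for the demo.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Event ID for "A user right was adjusted" in the Windows Security log.
DEBUG_EVENT_ID = "4703"

# Hypothetical allow-list of images that are expected to enable SeDebugPrivilege
# on this estate (debuggers, lsass). A real deployment tunes this from a baseline.
ALLOWED_DEBUGGERS = {
    r"c:\program files\debugger\windbg.exe",
    r"c:\windows\system32\lsass.exe",
}

# Constructed sample: event id | timestamp | process image | enabled privileges.
# The RAND_NAME.exe entries model the loader behaviour described in the advisory.
SAMPLE_EVENTS = """\
4703|2019-07-12T09:14:03|C:\\Windows\\System32\\svchost.exe|SeAssignPrimaryTokenPrivilege
4703|2019-07-12T09:15:41|C:\\Program Files\\Debugger\\windbg.exe|SeDebugPrivilege
4703|2019-07-12T09:16:02|C:\\Users\\Public\\RAND_NAME.exe|SeDebugPrivilege
4703|2019-07-12T09:16:05|C:\\Users\\Public\\RAND_NAME.exe|SeDebugPrivilege,SeBackupPrivilege
4672|2019-07-12T09:17:00|C:\\Windows\\System32\\lsass.exe|SeDebugPrivilege
malformed line that the parser must skip
"""


@dataclass(frozen=True)
class PrivilegeEvent:
    event_id: str
    timestamp: str
    process: str
    enabled: Tuple[str, ...]


def parse_event(line: str) -> Optional[PrivilegeEvent]:
    """Parse one pipe-delimited record; return None for anything malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 4:
        return None
    event_id, timestamp, process, privs = parts
    enabled = tuple(p.strip() for p in privs.split(",") if p.strip())
    return PrivilegeEvent(event_id, timestamp, process, enabled)


def is_suspicious(ev: PrivilegeEvent) -> bool:
    """True when a 4703 event enables SeDebugPrivilege for a non-allow-listed image."""
    if ev.event_id != DEBUG_EVENT_ID:
        return False
    if "SeDebugPrivilege" not in ev.enabled:
        return False
    # Image paths are compared case-insensitively, as NTFS paths are.
    return ev.process.lower() not in ALLOWED_DEBUGGERS


def detect_debug_privilege(log_text: str) -> List[PrivilegeEvent]:
    """Return every suspicious SeDebugPrivilege enablement found in the log text."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is not None and is_suspicious(ev):
            findings.append(ev)
    return findings


def offending_processes(log_text: str) -> List[str]:
    """Distinct image paths that tripped the rule, in first-seen order."""
    seen: List[str] = []
    for ev in detect_debug_privilege(log_text):
        if ev.process not in seen:
            seen.append(ev.process)
    return seen


if __name__ == "__main__":
    for ev in detect_debug_privilege(SAMPLE_EVENTS):
        print(f"{ev.timestamp} {ev.process} enabled {', '.join(ev.enabled)}")
```

Run against the constructed sample, the rule ignores the svchost.exe event (no SeDebugPrivilege), the allow-listed windbg.exe, the non-4703 lsass.exe record and the malformed line, and reports only the two RAND_NAME.exe events. On a real estate the same logic would sit behind a short allow-list built from a baseline of legitimate debuggers and security agents, and an alert on a freshly signed, previously unseen binary enabling SeDebugPrivilege is a useful early signal for this loader stage.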
payload.dll’s “ss2” export is only called when the loader binary (RAND_NAME.exe) is executed with the correct base64 key, as described above for the “start” export. The “ss2” export begins by querying the number of available processors; the number of worker threads created to carry out file encryption depends on that count.
File encryption