{ "Event": { "analysis": "0", "date": "2020-06-12", "extends_uuid": "", "info": "Dharma Ransomware Event", "publish_timestamp": "1592742388", "published": true, "threat_level_id": "3", "timestamp": "1592742357", "uuid": "5ee3822c-6828-418c-b619-62de950d210f", "Orgc": { "name": "The DFIR Report", "uuid": "5e9e5d86-5b94-4ff6-b07e-4e3e950d210f" }, "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Dharma\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"Dharma Ransomware\"", "relationship_type": "" }, { "colour": "#000000", "local": false, "name": "Ransomware", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"", "relationship_type": "" } ], "Attribute": [ { "category": "Network activity", "comment": "rdp actor login source", "deleted": false, "disable_correlation": false, "timestamp": "1591968666", "to_ids": true, "type": "ip-src", "uuid": "5ee3839a-07e0-4533-8ed9-fe83950d210f", "value": "217.138.202.116" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1591973283", "to_ids": false, "type": "yara", "uuid": "5ee395a3-54c0-4f88-a035-433e950d210f", "value": "/*\r\n YARA Rule Set\r\n Author: DFIR Report\r\n Date: 2020-06-12\r\n Identifier: dharma-06-12-20\r\n Reference: https://thedfirreport.com/\r\n*/\r\n\r\n/* Rule Set ----------------------------------------------------------------- */\r\n\r\nimport \"pe\"\r\n\r\nrule vssadmin_Shadow_bat {\r\n meta:\r\n description = \"dharma-06-12-20 - file Shadow.bat\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-12\"\r\n hash1 = \"da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878\"\r\n strings:\r\n $s1 = \"vssadmin delete shadows /all\" fullword ascii\r\n condition:\r\n uint16(0) == 0x7376 and filesize < 1KB and\r\n all of them\r\n}\r\n\r\nrule Network_Scanner_post_exploit_enumeration {\r\n meta:\r\n description = \"dharma-06-12-20 - file NS.exe\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-12\"\r\n hash1 = \"f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446\"\r\n strings:\r\n $s1 = \"CreateMutex error: %d\" fullword ascii\r\n $s2 = \"--Error mount \\\\\\\\%s\\\\%s Code: %d\" fullword wide\r\n $s3 = \"-Found share \\\\\\\\%s\\\\%s\" fullword wide\r\n $s4 = \"--Share \\\\\\\\%s\\\\%s successfully mounted\" fullword wide\r\n $s5 = \"host %s is up\" fullword ascii\r\n $s6 = \"Get ip: %s and mask: %s\" fullword wide\r\n $s7 = \"GetAdaptersInfo failed with error: %d\" fullword wide\r\n $s8 = \"# Network scan and mount include chek for unmounted local volumes. #\" fullword wide\r\n $s9 = \"####################################################################\" fullword wide /* reversed goodware string '####################################################################' */\r\n $s10 = \"Share %s successfully mounted\" fullword wide\r\n $s11 = \"Error mount %s %d\" fullword wide\r\n $s12 = \"Failed to create thread.\" fullword ascii\r\n $s13 = \" start scan for shares. \" fullword wide\r\n $s14 = \"# '98' was add for standalone usage! #\" fullword wide\r\n $s15 = \"Error, wrong value.\" fullword wide\r\n $s16 = \"QueryDosDeviceW failed with error code %d\" fullword wide\r\n $s17 = \"FindFirstVolumeW failed with error code %d\" fullword wide\r\n $s18 = \"FindNextVolumeW failed with error code %d\" fullword wide\r\n $s19 = \"SetVolumeMountPointW failed with error code %d\" fullword wide\r\n $s20 = \"| + scan local volumes for unmounted drives. |\" fullword wide\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 400KB and\r\n ( pe.imphash() == \"0b0d8152ea7241cce613146b80a998fd\" or 8 of them )\r\n}\r\n\r\nrule Dharma_ransomware_1pgp {\r\n meta:\r\n description = \"dharma-06-12-20 - file 1pgp.exe\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-12\"\r\n hash1 = \"2f2e75affe9217c7211043936678fb1777e2db4a8f1986b8805ddb1e84e9e99b\"\r\n strings:\r\n $x1 = \"C:\\\\crysis\\\\Release\\\\PDB\\\\payload.pdb\" fullword ascii\r\n $s2 = \"sssssbsss\" fullword ascii\r\n $s3 = \"sssssbs\" fullword ascii\r\n $s4 = \"9c%Q%f\" fullword ascii\r\n $s5 = \"jNYZO\\\\\" fullword ascii\r\n $s6 = \"RSDS%~m\" fullword ascii\r\n $s7 = \"xy ?*5\" fullword ascii\r\n $s8 = \"Eve\" ascii\r\n $s9 = \"; settings stored in %APPDATA%\\\\Everything\\\\Everything.ini\" fullword ascii\r\n $s10 = \"Host the pipe server with the security descriptor.\" fullword ascii\r\n $s11 = \"http://www.voidtools.com/support/everything/\" fullword ascii\r\n $s12 = \"username:password@host:port\" fullword ascii\r\n $s13 = \"