BlackRuby Ransomware

VTI SCORE: 100/100

Target:

win7_32_sp1 | exe

Classification:

Dropper, Downloader, Ransomware

daea4b5ea119786d996f33895996396892fa0bdbb8f9e9fcc184a89d0d0cb85e (SHA256)

Defender.exe

Windows Exe (x86-32)

Created at 2018-02-08 14:58:00

Notifications (1/1)

The operating system was rebooted during the analysis.

Severity	Category	Operation	Classification
5/5	File System	Encrypts content of user files	Ransomware
Encrypts the content of multiple user files. This is an indicator for ransomware. ... VTI Actions Go to Function Call
3/5	Browser	Reads data related to browser cookies	-
Reads Cookies for "Mozilla Firefox". ... VTI Actions Go to Function Call
3/5	Browser	Reads data related to saved browser credentials	-
Reads the master key for "Mozilla Firefox". ... VTI Actions Go to Function Call
Reads saved credentials for "Mozilla Firefox". ... VTI Actions Go to Function Call
2/5	Browser	Reads data related to browsing history	-
Reads browsing history and related data, such as bookmarks, for "Mozilla Firefox". ... VTI Actions Go to Function Call
1/5	Process	Creates system object	-
Creates mutex with name "TheBlackRuby". ... VTI Actions Go to Function Call
Creates mutex with name "Global\.net clr networking". ... VTI Actions Go to Function Call
1/5	Network	Performs DNS request	-
Resolves host name "freegeoip.net". ... VTI Actions Go to Function Call
1/5	Persistence	Installs system startup script or application	-
Adds "C:\Windows\system32\BlackRuby\WindowsUI.exe" to Windows startup via registry. ... VTI Actions Go to Function Call
1/5	File System	Modifies operating system directory	-
Creates file "C:\Windows\system32\BlackRuby\WindowsUI.exe" in the OS directory. ... VTI Actions Go to Function Call
Creates file "C:\Windows\system32\BlackRuby\Svchost.exe" in the OS directory. ... VTI Actions Go to Function Call
1/5	Process	Creates process with hidden window	-
The process "Svchost.exe" starts with hidden window. ... VTI Actions Go to Function Call
1/5	Network	Downloads data	Downloader
URL "freegeoip.net/json/". ... VTI Actions Go to Function Call
1/5	Network	Connects to HTTP server	-
URL "freegeoip.net/json/". ... VTI Actions Go to Function Call
1/5	PE	Drops PE file	Dropper
Drops file "c:\windows\system32\blackruby\svchost.exe". ... VTI Actions Go to File Details Go to Function Call
1/5	PE	Executes dropped PE file	-
Executes dropped file "c:\windows\system32\blackruby\svchost.exe". ... VTI Actions Go to File Details

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Notifications (1/1)

Before

After