Technical Analysis of MegaCortex Version 2 Ransomware
TECHNICAL ANALYSIS
Copyright © 2019 Accenture Security. All rights reserved. 2
SUMMARY
MegaCortex Version 2 is a recently updated ransomware developed in the C++ programming language. Actors weaponized the first version of MegaCortex to be self-protecting: it required a password in the command-line arguments to run correctly. This feature makes it difficult for security vendors to analyze the sample and prevents them from reverse engineering it unless the researchers captured the password during a live infection. The disadvantage of the first version was that actors had to run the ransomware manually or risk leaking the password, which prevented global distribution of the ransomware. The MegaCortex Version 2 author has updated the ransomware to remove these disadvantages and redesigned it to self-execute. In addition, the ransomware integrates all of the script features of the first version into the ransomware itself.
Audience Note
This report is intended to aid security professionals, including security operations center (SOC) staff. Security professionals can use this intelligence to better understand MegaCortex's behavior to identify indicators of compromise (IoCs). SOC analysts may use the IoCs in the Analysis section to hunt for the endpoints that MegaCortex affects. The provided information can also help inform ongoing intelligence analysis and forensic investigations, particularly for compromise discovery, damage assessment and attribution efforts. This report covers the technical details about MegaCortex and provides knowledge of MegaCortex's tactics, techniques and procedures (TTPs) to help better inform detection and response efforts to attacks using this threat.
ANALYSIS
Assessment
MegaCortex Version 2 Ransomware Overview
MegaCortex Version 2 is a recently updated ransomware developed in the C++ programming language. Actors weaponized the first version of MegaCortex to be self-protecting: it required a password in the command-line arguments to run correctly. This feature makes it difficult for security vendors to analyze the sample and prevents them from reverse engineering it unless the researchers captured the password during a live infection. The disadvantage of the first version was that actors had to run the ransomware manually or risk leaking the password, which prevented global distribution of the ransomware. The MegaCortex Version 2 author has updated the ransomware to remove these disadvantages and redesigned it to self-execute. In addition, the ransomware integrates all of the script features of the first version into the ransomware itself. Version 2:
• decrypts the main payload and executes it in memory;
• detects and terminates security tools;
• detects and stops various types of software such as backup software, database software and Web server software, so that files belonging to that software are not being updated while it runs;
• hardcodes the password into the ransomware so that the main payload is decrypted automatically; and
• integrates the loader, main module and worker into a single executable.
Exhibit 1 provides an overview of the ransomware.
Exhibit 1: MegaCortex Version 2 Overview
MegaCortex File Overview
iDefense analyzed a sample of the MegaCortex Version 2 ransomware with the following properties:
• MD5: 65939a4515a59da3697e4a454d6e8378
• SHA-1: 470a8189915b01bc4012d7e0bdccba8e97a6a2d6
• SHA-256: 86aeea7b383e35d4eec0219f031935648ddcf0b257196d3b60e44091ac4e99c2
• Size: 956,416 bytes
• File Type: PE32 executable (GUI) Intel 80386, for MS Windows
The executable is digitally signed with a valid signature from ABADAN PIZZA (see Exhibit 2).
Exhibit 2: Digital Signature
Command Option
In the first version, the ransomware requires a password to run successfully; the loader uses this password to decrypt the main module. In version 2, the ransomware can be executed with or without the password. When it executes without the password, it decrypts the payload with the hardcoded password. A password provided on the command line also tells the loader which module to load. Exhibit 3 shows the decompiled code of the hardcoded password and the selection of the module to load.
Exhibit 3: MegaCortex Version 2 Hardcoded Password
Loader
Similar to version 1, the version 2 loader is responsible for decrypting the main module and executing the ransomware. While the first version only decrypts the payload if the password is available in the command argument, the password in version 2 is hardcoded into the ransomware, as shown in Exhibit 3. In addition, the loader decides which module to execute in memory based on the command argument. If the ransomware process has no command argument, it decrypts and loads the controller module. When the ransomware is executed with a password, it decrypts and executes the worker's code. The controller creates the following command line to launch the worker:
"C:\Users\[user]\Desktop\mega.exe" E9Ql0G9gSiXqlyWa7sdT6LX2O//TIQq9msLQUuBsLcg=
MegaCortex Main Module File Overview
The MegaCortex decrypted module is a Microsoft Corp. Windows DLL file. The DLL file contains two exported functions, Start and ss2. The Start function is the controller; it is responsible for killing analysis software, terminating services, adding tasks to the inter-process communication (IPC) queue and starting the worker. The ss2 function is the worker; it is responsible for retrieving 10 tasks and encrypting files. The main payload has the following properties:
• MD5: 53dddbb304c79ae293f98e0b151c6b28
• SHA-1: 2632529b0fb7ed46461c406f733c047a6cd4c591
• SHA-256: 873aa376573288fcf56711b5689f9d2cf457b76bbc93d4e40ef9d7a27b7be466
• Size: 745,408 bytes
• File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Controller Module
The Controller module is responsible for searching files on the victim system and creating the worker process to start encryption. The ransomware uses an IPC queue to add tasks to the worker. The module performs the following actions:
• Detects and terminates anti-analysis software
• Detects and shuts down software
• Retrieves a list of drives
• Searches files in every directory of each drive and adds them to the queue
• Creates a worker process to encrypt files
• Drops !!!README!!!.txt and nxahoft_G9.log into the C:\ directory
• Deletes shadow files and unused data
• Drops a ransom message in the C:\ directory
Controller Module: Anti-Analysis and Services
Upon execution, the controller gathers all services and processes and compares them with a list of filenames. If a process's filename matches a filename from the list, the ransomware executes taskkill.exe to terminate the process. If a service matches, the ransomware executes net.exe stop to stop the service. This feature is an integration of the scripts used in version 1. Exhibit 4 shows the decompiled code of the anti-analysis routine.
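The taskkill.exe / net.exe stop behaviour above, together with the controller respawning itself with a single base64 argument (the command line quoted in the Loader section), gives a SOC analyst a concrete hunt pattern. The following is an added example, not code from the report or from iDefense: it runs simple detection logic over a few constructed process-creation records (pipe-separated time, parent image, image, command line). The kill-list names are a small subset of the lists printed below; the taskkill switches (/F /IM) and the net stop syntax are assumptions, since the report only names the two executables; the user path C:\Users\alice is constructed.

```python
"""Hunt for MegaCortex v2 controller behaviour in process-creation records."""
import base64
import binascii
import re
from collections import defaultdict

# Subset of the report's kill list (constructed subset for the example; the
# complete process and service lists are reproduced in the report).
KILL_LIST_PROCESSES = {
    "vmtoolsd.exe", "sqlservr.exe", "msmpeng.exe", "procexp.exe",
    "mbamservice.exe", "savservice.exe", "ccsvchst.exe",
}
KILL_LIST_SERVICES = {s.lower() for s in (
    "MSSQLSERVER", "VeeamBackupSvc", "Sophos Agent", "WinDefend", "McShield",
)}

# Constructed sample records: time|parent_image|image|command_line.
# The last mega.exe line uses the base64 argument quoted in the report.
SAMPLE_LOG = r"""
2019-08-01T10:00:01|C:\Users\alice\Desktop\mega.exe|C:\Windows\System32\taskkill.exe|taskkill.exe /F /IM vmtoolsd.exe
2019-08-01T10:00:01|C:\Users\alice\Desktop\mega.exe|C:\Windows\System32\taskkill.exe|taskkill.exe /F /IM msmpeng.exe
2019-08-01T10:00:02|C:\Users\alice\Desktop\mega.exe|C:\Windows\System32\net.exe|net.exe stop "Sophos Agent" /y
2019-08-01T10:00:02|C:\Users\alice\Desktop\mega.exe|C:\Windows\System32\net.exe|net.exe stop MSSQLSERVER /y
2019-08-01T10:00:03|C:\Users\alice\Desktop\mega.exe|C:\Users\alice\Desktop\mega.exe|"C:\Users\alice\Desktop\mega.exe" E9Ql0G9gSiXqlyWa7sdT6LX2O//TIQq9msLQUuBsLcg=
2019-08-01T10:05:00|C:\Windows\explorer.exe|C:\Windows\System32\taskkill.exe|taskkill.exe /IM notepad.exe
2019-08-01T10:06:00|C:\Windows\System32\services.exe|C:\Windows\System32\net.exe|net.exe stop wuauserv
""".strip()

TASKKILL_IM = re.compile(r"/IM\s+(\S+)", re.IGNORECASE)
NET_STOP = re.compile(r"\bstop\s+(?:\"([^\"]+)\"|(\S+))", re.IGNORECASE)
B64_32_BYTES = re.compile(r"^[A-Za-z0-9+/]{43}=$")  # 44 chars -> 32 bytes


def parse_record(line):
    ts, parent, image, cmdline = line.split("|", 3)
    return {"time": ts, "parent": parent, "image": image, "cmdline": cmdline}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def taskkill_target(cmdline):
    m = TASKKILL_IM.search(cmdline)
    return m.group(1).lower() if m else None


def net_stop_target(cmdline):
    m = NET_STOP.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def split_image_and_args(cmdline):
    """Separate the (possibly quoted) image from the rest of the command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s, "") if end == -1 else (s[1:end], s[end + 1:].strip())
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def looks_like_worker_spawn(rec):
    """Controller -> worker: same image as the parent, one argument that is
    base64 and decodes to 32 bytes (the shape of the command line in the report)."""
    if basename(rec["parent"]) != basename(rec["image"]):
        return False
    _, args = split_image_and_args(rec["cmdline"])
    if not B64_32_BYTES.match(args):
        return False
    try:
        return len(base64.b64decode(args, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def classify(rec):
    """Return a (kind, target) finding for one record, or None."""
    img = basename(rec["image"])
    if img == "taskkill.exe":
        target = taskkill_target(rec["cmdline"])
        if target in KILL_LIST_PROCESSES:
            return ("taskkill_kill_list", target)
    elif img == "net.exe":
        target = net_stop_target(rec["cmdline"])
        if target and target.lower() in KILL_LIST_SERVICES:
            return ("net_stop_kill_list", target)
    if looks_like_worker_spawn(rec):
        return ("worker_spawn", img)
    return None


def hunt(log_text):
    """Group findings by parent; a parent that both kills listed processes and
    stops listed services is flagged as controller-like."""
    by_parent = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line.strip())
            finding = classify(rec)
            if finding:
                by_parent[rec["parent"]].append(finding)
    return {
        parent: {
            "findings": findings,
            "controller_like": {"taskkill_kill_list", "net_stop_kill_list"}
            <= {kind for kind, _ in findings},
        }
        for parent, findings in by_parent.items()
    }


if __name__ == "__main__":
    for parent, verdict in hunt(SAMPLE_LOG).items():
        print(parent, verdict)
```

Single taskkill or net stop events are common in administration, so the verdict keys on the combination under one parent; the respawn-with-key check is kept as a separate finding because the exact argument format may differ between builds.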
Exhibit 4: Decompiled Anti-Analysis Software and Services Code
The following is a list of process names and service names for which the ransomware scans:
ccflic0.exe
ccflic4.exe
ccenter.exe
ravxp.exe
healthservice.exe
ilicensesvc.exe
nimbus.exe
prlicensemgr.exe
certificateprovider.exe
proficypublisherservice.exe
proficysts.exe
erlsrv.exe
vmtoolsd.exe
managementagenthost.exe
vgauthservice.exe
epmd.exe
hasplmv.exe
spooler.exe
hdb.exe
ntservices.exe
n.exe
monitoringhost.exe
win32sysinfo.exe
inet_gethost.exe
taskhostw.exe
proficy administrator.exe
ntevl.exe
prproficymgr.exe
prrds.exe
prrouter.exe
prconfigmgr.exe
prgateway.exe
premailengine.exe
pralarmmgr.exe
prftpengine.exe
prcalculationmgr.exe
rfwproxy.exe
rfwstub.exe
knownsvr.exe
ras.exe
rasupd.exe
upfile.exe
rstray.exe
ravalert.exe
rav.exe
ravmond.exe
ravmon.exe
ravservice.exe
ravstub.exe
ravtask.exe
ravtray.exe
ravupdate.exe
rnreport.exe
rsnetsvr.exe
scanfrm.exe
rfwmain.exe
rfwsrv.exe
winlog.exe
omslogmanager.exe
snhwsrv.exe
snicheckadm.exe
snichecksrv.exe
snicon.exe
snsrv.exe
smsx.exe
svcharge.exe
svdealer.exe
svframe.exe
prprintserver.exe
prdatabasemgr.exe
preventmgr.exe
prreader.exe
prwriter.exe
prsummarymgr.exe
prstubber.exe
prschedulemgr.exe
cdm.exe
musnotificationux.exe
npmdagent.exe
client64.exe
keysvc.exe
server_eventlog.exe
proficyserver.exe
server_runtime.exe
config_api_service.exe
fnplicensingservice.exe
workflowresttest.exe
proficyclient.exe
vmacthlp.exe
msdtssrvr.exe
sqlservr.exe
msmdsrv.exe
reportingservicesservice.exe
dsmcsvc.exe
winvnc4.exe
client.exe
collwrap.exe
bluestripecollector.exe
sqlbrowser.exe
dsmcad.exe
svtray.exe
sschk.exe
trjscan.exe
trupd.exe
ssecuritymanager.exe
dltray.exe
dlservice.exe
almon.exe
lmon.exe
savadminservice.exe
savservice.exe
sweepsrv.sys
swnetsup.exe
alsvc.exe
alupdate.exe
savmain.exe
sav32cli.exe
certificationmanagerservicent.exe
emlibupdateagentnt.exe
managementagentnt.exe
mgntsvc.exe
routernt.exe
schdsrvc.exe
scfmanager.exe
scfservice.exe
scftray.exe
op_viewer.exe
sgbhp.exe
pctsauxs.exe
pctsgui.exe
pctssvc.exe
pctstray.exe
nimcluster.exe
googleupdate.exe
smc.exe
bcrservice.exe
dbsrv9.exe
rtvscan.exe
bcreporter.exe
csadmin.exe
csdbsync.exe
csmon.exe
csauth.exe
cslog.exe
csradius.exe
cstacacs.exe
url_response.exe
vmware-converter-a.exe
vmware-converter.exe
avagent.exe
paxton.net2.clientservice.exe
paxton.net2.commsserverservice.exe
avscc.exe
prunsrv.exe
googlecrashhandler.exe
googlecrashhandler64.exe
vmwaretray.exe
nd2svc.exe
tnslsnr.exe
omtsreco.exe
oracle.exe
patrolagent.exe
scfagent_64.exe
patrolperf.exe
regmech.exe
sdtrayapp.exe
svcntaux.exe
swdsvc.exe
swnxt.exe
execstat.exe
seestat.exe
swserver.exe
slee81.exe
kpf4gui.exe
kpf4ss.exe
wrspysetup.exe
acctmgr.exe
alertsvc.exe
alunotify.exe
aluschedulersvc.exe
appsvc32.exe
ccap.exe
ccapp.exe
ccevtmgr.exe
ccproxy.exe
ccpxysvc.exe
ccsetmgr.exe
checkup.exe
cka.exe
comhost.exe
cpdclnt.exe
csinject.exe
csinsm32.exe
csinsmnt.exe
dbserv.exe
defwatch.exe
rscdsvc.exe
rscd.exe
pmgreader.exe
firefox.exe
chrome.exe
netsession_win.exe
pcsws.exe
pcscm.exe
cwbunnav.exe
rdrcef.exe
ndrvx.exe
ndrvs.exe
dr_serviceengine.exe
teamviewer_service.exe
sqlagent.exe
dwrcst.exe
ccm messaging.exe
zoolz.exe
agntsvc.exe
dbeng50.exe
dbsnmp.exe
encsvc.exe
excel.exe
firefoxconfig.exe
infopath.exe
isqlplussvc.exe
msaccess.exe
msftesql.exe
mspub.exe
mydesktopqos.exe
mydesktopservice.exe
mysqld.exe
defwatch
diskmon.exe
djsnetcn.exe
doscan.exe
dwhwizrd.exe
fwcfg.exe
ghost_2.exe
ghosttray.exe
icepack.exe
idsinst.exe
ispwdsvc.exe
issvc.exe
isuac.exe
luall.exe
lucallbackproxy.exe
lucoms~1.exe
lucoms.exe
mcui32.exe
navapsvc.exe
navapw32.exe
navectrl.exe
navelog.exe
navesp.exe
navshcom.exe
navw32.exe
navwnt.exe
ndetect.exe
ngctw32.exe
ngserver.exe
nisoptui.exe
nisserv.exe
nisum.exe
mysqld-nt.exe
mysqld-opt.exe
ocautoupds.exe
ocomm.exe
ocssd.exe
onenote.exe
outlook.exe
powerpnt.exe
sqbcoreservice.exe
sqlwriter.exe
steam.exe
synctime.exe
tbirdconfig.exe
thebat.exe
thebat64.exe
thunderbird.exe
visio.exe
winword.exe
wordpad.exe
xfssvccon.exe
tmlisten.exe
pccntmon.exe
cntaosmgr.exe
ntrtscan.exe
mbamtray.exe
qhactivedefense.exe
qhwatchdog.exe
qhsafetray.exe
avgsvc.exe
avgui.exe
v3lite.exe
v3main.exe
nmain.exe
npfmntor.exe
nprotect.exe
npscheck.exe
npssvc.exe
nscsrvce.exe
nsctop.exe
nsmdtr.exe
olfsnt40.exe
opscan.exe
poproxy.exe
pqibrowser.exe
pqv2isvc.exe
pxeservice.exe
qdcsfs.exe
qserver.exe
reportersvc.exe
rnav.exe
savfmsesp.exe
savroam.exe
savscan.exe
savui.exe
sbserv.exe
scanexplicit.exe
semsvc.exe
sesclu.exe
sevinst.exe
smsectrl.exe
smselog.exe
smsesjm.exe
smsesp.exe
smsesrv.exe
v3sp.exe
avastui.exe
avastsvc.exe
avguard.exe
avshadow.exe
avgnt.exe
avira.servicehost.exe
avira.systray.exe
bdagent.exe
bdredline.exe
bdss.exe
bullguardbhvscanner.exe
bullguardscanner.exe
bullguardtray.exe
bullguardupdate.exe
bullguard.exe
cmdagent.exe
cistray.exe
cis.exe
spideragent.exe
dwengine.exe
dwarkdaemon.exe
dwnetfilter.exe
a2service.exe
a2guard.exe.a2start.exe
egui.exe
ekrn.exe
fshoster32.exe
fshoster64.exe
fortisslvpndaemon.exe
fortiesnac.exe
fortiwf.exe
smsetask.exe
smseui.exe
sms.exe
sndmon.exe
sndsrvc.exe
spbbcsvc.exe
symlcsvc.exe
symproxysvc.exe
symsport.exe
symtray.exe
symwsc.exe
sysdoc32.exe
ucservice.exe
updtnv28.exe
urllstck.exe
usrprmpt.exe
v2iconsole.exe
vpc32.exe
vpdn_lu.exe
vprosvc.exe
wfxctl32.exe
wfxmod32.exe
wfxsnt40.exe
lucomserver.exe
savfmselog.exe
savfmsesjm.exe
savfmsectrl.exe
savfmsespamstatsmanager.exe
savfmsesrv.exe
savfmsetask.exe
savfmseui.exe
snac.exe
fortitray.exe
fchelper64.exe
fortiproxy.exe
fcappdb.exe
fcdblog.exe
avp.exe
avpui.exe
mbamservice.exe
mcsacore.exe
mcapexe.exe
mcshield.exe
mcsvhost.exe
nortonsecurity.exe
psuaservice.exe
psuamain.exe
psanhost.exe
sdrservice.exe
swc_service.exe
swi_service.exe
ssp.exe
ccsvchst.exe
smcgui.exe
coreserviceshell.exe
coreframeworkhost.exe
uiwatchdog.exe
uiseagnt.exe
paamsrv.exe
psh_svc.exe
aupdrun.exe
acaas.exe
acaegmgr.exe
acaif.exe
ssm.exe
reportsvc.exe
vptray.exe
procexp.exe
tdimon.exe
tfun.exe
tfgui.exe
tfservice.exe
tftray.exe
tiaspn~1.exe
traflnsp.exe
asupport.exe
isntsmtp.exe
nsmdemf.exe
nsmdmon.exe
nsmdreal.exe
nsmdsch.exe
ofcdog.exe
pccnt.exe
pccntupd.exe
pcctlcom.exe
pcscnsrv.exe
schupd.exe
tmntsrv.exe
tmpfw.exe
tmproxy.exe
tmas.exe
entitymain.exe
aphost.exe
lwdmserver.exe
mrf.exe
isntsysmonitor
acais.exe
ahnsd.exe
ahnsdsv.exe
autoup.exe
v3clnsrv.exe
v3medic.exe
v3svc.exe
aflogvw.exe
ahnrpt.exe
atwsctsk.exe
v3exec.exe
v3imscn.exe
monsvcnt.exe
monsysnt.exe
aexnsrcvsvc.exe
aexsvc.exe
atrshost.exe
ctdataload.exe
aexagentuihost.exe
aexnsagent.exe
aclntusr.exe
aexswdusr.exe
pxemtftp.exe
aclient.exe
securitycenter.exe
starta.exe
stopa.exe
anvir.exe
csrss_tc.exe
ashavast.exe
ashbug.exe
ashchest.exe
ofcpfwsvc.exe
dwwin.exe
patch.exe
pccclient.exe
pccguide.exe
pcclient.exe
pccpfw.exe
pcscan.exe
pntiomon.exe
pop3pack.exe
pop3trap.exe
scanmailoutlook.exe
smoutlookpack.exe
webtrapnt.exe
euqmonitor.exe
smex_activeupda
smex_master.exe
smex_remoteconf
smex_systemwatc
svcgenerichost
spntsvc.exe
stopp.exe
stwatchdog.exe
usbguard.exe
uploadrecord.exe
sbamsvc.exe
vrvmail.exe
vrvmon.exe
vrvnet.exe
vrv.exe
wrsa.exe
networkagent.exe
ashcmd.exe
ashdisp.exe
ashenhcd.exe
ashlogv.exe
ashmaisv.exe
ashpopwz.exe
ashquick.exe
ashserv.exe
ashsimp2.exe
ashsimpl.exe
ashskpcc.exe
ashskpck.exe
ashupd.exe
ashwebsv.exe
aswdisp.exe
aswregsvr.exe
aswserv.exe
aswupdsv.exe
aswwebsv.exe
avengine.exe
afwserv.exe
avastemupdate.exe
unsecapp.exe
avgamsvr.exe
avgas.exe
avgcc32.exe
avgcc.exe
avgctrl.exe
avgdiag.exe
avgemc.exe
avgfws8.exe
avgfwsrv.exe
websensecontrolservice.exe
mpcmdrun.exe
msascui.exe
msmpeng.exe
mspmspsv.exe
kb891711.exe
zavaux.exe
zavcore.exe
zillya.exe
zlclient.exe
vsmon.exe
forcefield.exe
iswmgr.exe
zapro.exe
zonealarm.exe
mantispm.exe
Acronis VSS Provider
Enterprise Client Service
Sophos Agent
Sophos AutoUpdate Service
Sophos Clean Service
Sophos Device Control Service
Sophos File Scanner Service
Sophos Health Service
Sophos MCS Agent
Sophos MCS Client
Sophos Message Router
Sophos Safestore Service
Sophos System Protection Service
Sophos Web Control Service
SQLsafe Backup Service
SQLsafe Filter Service
avginet.exe
avgmsvr.exe
avgrssvc.exe
avgscanx.exe
avgserv9.exe
avgserv.exe
avgupd.exe
avgupdln.exe
avgupsvc.exe
avgvv.exe
avgwb.dat
avgw.exe
avgwizfw.exe
guard.exe
avgcsrvx.exe
avgidsagent.exe
avgidsmonitor.exe
avgidsui.exe
avgidswatcher.exe
avgam.exe
avgnsx.exe
avgfws9.exe
avgrsx.exe
avgtray.exe
avgwdsvc.exe
sidebar.exe
avgchsvx.exe
avgcmgr.exe
avgemcx.exe
avgfws.exe
avgmfapx.exe
avgcefrend.exe
Symantec System Recovery
Veeam Backup Catalog Data Service
AcronisAgent
AcrSch2Svc
Antivirus
ARSM
BackupExecAgentAccelerator
BackupExecAgentBrowser
BackupExecDeviceMediaService
BackupExecJobEngine
BackupExecManagementService
BackupExecRPCService
BackupExecVSSProvider
bedbg
DCAgent
EPSecurityService
EPUpdateService
EraserSvc11710
EsgShKernel
FA_Scheduler
IISAdmin
IMAP4Svc
macmnsvc
masvc
MBAMService
MBEndpointAgent
McAfeeEngineService
McAfeeFramework
McAfeeFrameworkMcAfeeFramework
McShield
McTaskManager
mfemms
avgcsrva.exe
avgemca.exe
avgnsa.exe
avgrsa.exe
loggingserver.exe
toolbarupdater.exe
wtusystemsuport.exe
avgregcl.exe
avgsystx.exe
vprot.exe
avcenter.exe
avconfig.exe
avesvc.exe
avmailc.exe
avmcdlg.exe
avnotify.exe
avscan.exe
guardgui.exe
avadmin.exe
avfwsvc.exe
avwebgrd.exe
fwinst.exe
sysoptenginesvc.exe
bavtray.exe
bhipssvc.exe
bmrt.exe
seccenter.exe
gziface.exe
gzserv.exe
bdc.exe
bdlite.exe
bdmcon.exe
mfevtp
MMS
mozyprobackup
MsDtsServer
MsDtsServer100
MsDtsServer110
MSExchangeES
MSExchangeIS
MSExchangeMGMT
MSExchangeMTA
MSExchangeSA
MSExchangeSRS
MSOLAP$SQL_2008
MSOLAP$SYSTEM_BGC
MSOLAP$TPS
MSOLAP$TPSAMA
MSSQL$BKUPEXEC
MSSQL$ECWDB2
MSSQL$PRACTICEMGT
MSSQL$PRACTTICEBGC
MSSQL$PROFXENGAGEMENT
MSSQL$SBSMONITORING
MSSQL$SHAREPOINT
MSSQL$SQL_2008
MSSQL$SYSTEM_BGC
MSSQL$TPS
MSSQL$TPSAMA
MSSQL$VEEAMSQL2008R2
MSSQL$VEEAMSQL2012
MSSQLFDLauncher
MSSQLFDLauncher$PROFXENGAGEMENT
MSSQLFDLauncher$SBSMONITORING
bdsubmit.exe
deloeminfs.exe
livesrv.exe
setloadorder.exe
vsserv.exe
xcommsvr.exe
bka.exe
bkavsystemserver.exe
blupro.exe
blackd.exe
blackice.exe
proutil.exe
rapapp.exe
basfipm.exe
isafe.exe
cavrid.exe
vetmsg.exe
amswmagt
caf.exe
capmuamagt.exe
ccnfagent.exe
ccsmagtd.exe
cfftplugin.exe
cfnotsrvd.exe
cfsmsmd.exe
alert.exe
igateway.exe
inotask.exe
caantispyware.exe
caavcmdscan.exe
caav.exe
caavguiscan.exe
MSSQLFDLauncher$SHAREPOINT
MSSQLFDLauncher$SQL_2008
MSSQLFDLauncher$SYSTEM_BGC
MSSQLFDLauncher$TPS
MSSQLFDLauncher$TPSAMA
MSSQLSERVER
MSSQLServerADHelper100
MSSQLServerOLAPService
MySQL57
ntrtscan
OracleClientCache80
PDVFSService
POP3Svc
ReportServer
ReportServer$SQL_2008
ReportServer$SYSTEM_BGC
ReportServer$TPS
ReportServer$TPSAMA
RESvc
sacsvr
SamSs
SAVAdminService
SAVService
SDRSVC
SepMasterService
ShMonitor
Smcinst
SmcService
SMTPSvc
SNAC
SntpService
sophossps
cafw.exe
calogdump.exe
capfaem.exe
capfsem.exe
cappactiveprotection.exe
casecuritycenter.exe
caunst.exe
cavrep.exe
cctray.exe
ccupdate.exe
isafinst.exe
itmrt_supportdiagnostics.exe
itmrtsvc.exe
itmrt_trace.exe
ppclean.exe
umxagent.exe
umxcfg.exe
umxfwhlp.exe
umxpol.exe
unvet32.exe
capfasem.exe
ccprovsp.exe
ppctlpriv.exe
casc.exe
ccschedulersvc.exe
ccsystemreport.exe
inonmsrv.exe
inoweb.exe
auth8021x.exe
krbcc32s.exe
pep.exe
realmon.exe
SQLAgent$BKUPEXEC
SQLAgent$ECWDB2
SQLAgent$PRACTTICEBGC
SQLAgent$PRACTTICEMGT
SQLAgent$PROFXENGAGEMENT
SQLAgent$SBSMONITORING
SQLAgent$SHAREPOINT
SQLAgent$SQL_2008
SQLAgent$SYSTEM_BGC
SQLAgent$TPS
SQLAgent$TPSAMA
SQLAgent$VEEAMSQL2008R2
SQLAgent$VEEAMSQL2012
SQLBrowser
SQLSafeOLRService
SQLSERVERAGENT
SQLTELEMETRY
SQLTELEMETRY$ECWDB2
SQLWriter
SstpSvc
svcGenericHost
swi_filter
swi_service
swi_update_64
TmCCSF
tmlisten
TrueKey
TrueKeyScheduler
TrueKeyServiceHelper
UI0Detect
VeeamBackupSvc
VeeamBrokerSvc
repmgr64.exe
csacontrol.exe
leventmgr.exe
okclient.exe
clamscan.exe
clamtray.exe
clamwin.exe
ccemflsv.exe
cssauth.exe
cavscan.exe
clps.exe
clpsla.exe
clpsls.exe
cmdinstall.exe
cfpconfig.exe
cfp.exe
cfplogvw.exe
cfpsbmit.exe
cfpupdat.exe
crashrep.exe
cpf.exe
cfpconfg.exe
csfalconservice.exe
cylanceui.exe
cylancesvc.exe
cramtray.exe
crssvc.exe
amsvc.exe
frzstate2k.exe
drwagnui.exe
drweb32.exe
drweb32w.exe
VeeamCatalogSvc
VeeamCloudSvc
VeeamDeploymentService
VeeamDeploySvc
VeeamEnterpriseManagerSvc
VeeamMountSvc
VeeamNFSSvc
VeeamRESTSvc
VeeamTransportSvc
W3Svc
wbengine
WRSVC
VeeamHvIntegrationSvc
swi_update
SQLAgent$CXDB
SQLAgent$CITRIX_METAFRAME
SQL Backups
MSSQL$PROD
Zoolz 2 Service
MSSQLServerADHelper
SQLAgent$PROD
msftesql$PROD
NetMsmqActivator
EhttpSrv
ekrn
ESHASRV
MSSQL$SOPHOS
SQLAgent$SOPHOS
AVP
klnagent
MSSQL$SQLEXPRESS
SQLAgent$SQLEXPRESS
drweb386.exe
drwebcgp.exe
drwebdc.exe
drweb.exe
drwebmng.exe
drwebscd.exe
drwebupw.exe
drwebwcl.exe
drwebwin.exe
drwinst.exe
spiderml.exe
spidernt.exe
spiderui.exe
drwagntd.exe
drwupgrade.exe
drwebcom.exe
eeyeevnt.exe
retinaengine.exe
a2guard.exe
a2start.exe
administrator.exe
control_panel.exe
usergate.exe
esmagent.exe
era.exe
ppmcativedetection.exe
vettray.exe
cavtray.exe
inorpc.exe
inort.exe
ca.exe
caissdt.exe
kavfsslp
KAVFSGT
KAVFS
mfefire
avast! Antivirus
aswBcc
Avast Business Console Client Antivirus Service
mfewc
Telemetryserver
WdNisSvc
WinDefend
MCAFEETOMCATSRV530
MCAFEEEVENTPARSERSRV
MSSQLFDLauncher$ITRIS
MSSQL$EPOSERVER
MSSQL$ITRIS
SQLAgent$EPOSERVER
SQLAgent$ITRIS
SQLTELEMETRY$ITRIS
MsDtsServer130
SSISTELEMETRY130
MSSQLLaunchpad$ITRIS
BITS
BrokerInfrastructure
epag
EPIntegrationService
EPProtectedService
epredline
TmPfw
SentinelAgent
SentinelHelperService
LogProcessorService
etagent.exe
etloganalyzer.exe
etrssfeeds.exe
evtarmgr.exe
evtmgr.exe
etreporter.exe
etconsole3.exe
etwcontrolpanel.exe
useranalysis.exe
etcorrel.exe
evtprocessecfile.exe
etscheduler.exe
useractivity.exe
traptrackermgr.exe
ewidoctrl.exe
ewidoguard.exe
nslocollectorservice.exe
fmon.exe
fortifw.exe
update_task.exe
fpavserver.exe
fprottray.exe
fameh32.exe
fspex.exe
fsaa.exe
bwgo0000
fch32.exe
fih32.exe
fsaua.exe
fsav32.exe
fscuif.exe
fsdfwd.exe
SentinelStaticEngine
DB2
DB2GOVERNOR_DB2COPY1
DB2LICD_DB2COPY1
DB2MGMTSVC_DB2COPY1
DB2REMOTECMD_DB2COPY1
DB2DAS00
DB2-0
DB2INST2
IBMDataServerMgr
IBMDSServer41
MSSQL$CITRIX_METAFRAME
RumorServer
myAgtSvc
fsgk32.exe
fsgk32st.exe
fsguidll.exe
fsguiexe.exe
fshdll32.exe
fsm32.exe
fsma32.exe
fsmb32.exe
fsorsp.exe
fspc.exe
fsqh.exe
fssm32.exe
setupguimngr.exe
tnbutil.exe
fsavgui.exe
gdscan.exe
avkproxy.exe
avkservice.exe
avktray.exe
avkwctl.exe
gdfirewalltray.exe
gdfwsvc.exe
endpointsecurity.exe
esecservice.exe
gfireporterservice.exe
esecagntservice.exe
rcsvcmon.exe
dolphincharge.e
dolphincharge.exe
loggetor.exe
netalertclient.exe
printdevice.exe
pwdfilthelp.exe
pthosttr.exe
hpqwmiex.exe
ntcaagent.exe
ntcadaemon.exe
ntcaservice.exe
privacyiconclient.exe
rapuisvc.exe
vpatch.exe
tclproc.exe
isscsf.exe
issdaemon.exe
kvdetech.exe
kvmonxp_2.kxp
kvmonxp.kxp
kvolself.exe
kvsrvxp_1.exe
kvsrvxp.exe
kvxp.kxp
ppppwallrun.exe
avpcc.exe
avpexec.exe
avpm.exe
avpncc.exe
avps.exe
avpupd.exe
kav.exe
kavisarv.exe
kavmm.exe
kavss.exe
kavsvc.exe
kis.exe
klnagent.exe
klswd.exe
klwtblfs.exe
kwsprod.exe
up2date.exe
klserver.exe
oespamtest.exe
kavadapterexe.exe
kavlotsingleton.exe
kavfsgt.exe
kavfsrcn.exe
kavfs.exe
kavfswp.exe
kavshell.exe
klnacserver.exe
avpdtagt.exe
netcfg.exe
kavfsscs.exe
kavtray.exe
persfw.exe
avserver.exe
winroute.exe
wrctrl.exe
kabackreport.exe
kaccore.exe
kanmcmain.exe
kastray.exe
kislive.exe
kmailmon.exe
knupdatemain.exe
kswebshield.exe
kxeserv.exe
uplive.exe
kansgui.exe
kansvr.exe
kavstart.exe
kpfwsvc.exe
kwatch.exe
kav32.exe
kissvc.exe
kpfw32.exe
system.exe
wssfcmai.exe
aawservice.exe
ad-aware2007.exe
nlsvc.exe
engineserver.exe
eventparser.exe
log_qtine.exe
mfeann.exe
nailgpip.exe
rpcserv.exe
srvmon.exe
mcagent.exe
mfemactl.exe
macmnsvc.exe
masvc.exe
masalert.exe
msssrv.exe
massrv.exe
msscli.exe
mcshld9x.exe
mgavrtcl.exe
mcappins.exe
mfecanary.exe
macompatsvc.exe
mcvsrte.exe
mfefire.exe
dao_log.exe
firesvc.exe
firetray.exe
mfeesp.exe
naprdmgr.exe
cpd.exe
mfefw.exe
frameworkservic
cmgrdian.exe
mcshell.exe
mfehcs.exe
mcinfo.exe
hwapi.exe
mcafeedatabackup.exe
mcmscsvc.exe
mcnasvc.exe
mcods.exe
mcpromgr.exe
mcproxy.exe
mcuimgr.exe
mpfsrv.exe
mpsevh.exe
mps.exe
msksrver.exe
redirsvc.exe
saservice.exe
siteadv.exe
mfemms.exe
neotrace.exe
vshwin32.exe
mpfagent.exe
mpfconsole.exe
mpf.exe
mpfservice.exe
mpftray.exe
mscifapp.exe
mfevtps.exe
qclean.exe
mcregwiz.exe
rssensor.exe
safeservice.exe
ncdaemon.exe
mcdash.exe
mcdetect.exe
ssscheduler.exe
sahookmain.exe
mskdetct.exe
msksrvr.exe
mskagent.exe
stinger.exe
mcsysmon.exe
mctskshd.exe
mfetp.exe
myagttry.exe
mcupdmgr.exe
rulaunch.exe
mcvsshld.exe
tbmon.exe
alogserv.exe
mcmnhdlr.exe
mghtml.exe
edisk.exe
scan32.exe
frameworkservice.exe
mcconsol.exe
mcscript_inuse.exe
mctray.exe
mcupdate.exe
shstat.exe
udaterui.exe
updaterui.exe
mcepoc.exe
mcepocfg.exe
mcpalmcfg.exe
mcwcecfg.exe
mcwce.exe
frameworkservic.exe
vsmain.exe
oasclnt.exe
vsstat.exe
mcvsftsn.exe
avconsol.exe
avsynmgr.exe
vstskmgr.exe
webscanx.exe
mfewc.exe
mfewch.exe
giantantispywaremain.exe
giantantispywareupdater.exe
gcasservalert.exe
gcascleaner.exe
gcasinstallhelper.exe
McAfee SiteAdvisor Enterprise Service
Alerter
ERSvc
Eventlog
ImapiService
NetDDE
NtLmSsp
NtmsSvc
odserv
ose
SnowInventoryClient
TlntSvr
TSM
VMTools
VMware
WebClient
WinVNC4
BlueStripeCollector
gcasnotice.exe
gcasdtserv.exe
gcasserv.exe
gcasswupdater.exe
fcsms.exe
fcssas.exe
nissrv.exe
dpmra.exe
msseces.exe
wscntfy.exe
securitymanager.exe
aesecurityservice.exe
deteqt.agent.exe
omniagent.exe
nerosvc.exe
seanalyzertool.exe
spyemergency.exe
spyemergencysrv.exe
nlclient.exe
crdm.exe
nmagent.exe
ehttpsrv.exe
nod32.exe
nod32krn.exe
nod32kui.exe
nod32view.exe
cclaw.exe
elogsvc.exe
nip.exe
nipsvc.exe
njeeves.exe
npfmsg2.exe
Cissesrv
CpqRcmc3
gupdate
gupdatem
HealthService
NimbusWatcherService
ProLiantMonitor
SDD_Service
sysdown
System
GoogleChromeElevationService
bcrservice
ccEvtMgr
ccSetMgr
CSAdmin
CSAuth
CSDbSync
CSLog
CSMon
CSRadius
CSTacacs
Symantec
VGAuthService
SepMasterServiceMig
vmware-converter-agent
vmware-converter-server
vmware-converter-worker
avbackup
MSSQL$NET2
Net2ClientSvc
NetSvc
SQLAgent$NET2
npfmsg.exe
npfsvice.exe
nrmenctb.exe
nvcoas.exe
nvcsched.exe
nymse.exe
zanda.exe
zlh.exe
ixaptsvc.exe
ixavsvc.exe
ixfwsvc.exe
emlproui.exe
emlproxy.exe
mpsvc.exe
onlinent.exe
onlnsvc.exe
scanmsg.exe
scanwscs.exe
tsansrf.exe
tsatisy.exe
tscutynt.exe
tsmpnt.exe
upschd.exe
xfilter.exe
aps.exe
aus.exe
outpost.exe
adminserver.exe
avtask.exe
clshield.exe
console.exe
cpntsrv.exe
tpautoconnsvc
TPVCGateway
VMwareCAFCommAmqpListener
VMwareCAFManagementAgentHost
TPAutoConnSvc
AdobeARMservice
RSCDsvc
LRSDRVX
msvsmon90
IDriverT
MSMQ
padfsvr.exe
pasystemtray.exe
pavfnsvr.exe
pavkre.exe
pavprot.exe
pavreport.exe
pnmsrv.exe
psimsvc.exe
pavupg.exe
remupd.exe
iface.exe
pavfires.exe
pavmail.exe
pavprsrv.exe
pavsched.exe
pavsrv50.exe
pavsrv51.exe
pavsrv52.exe
prevsrv.exe
tpsrv.exe
pagent.exe
pagentwd.exe
psctris.exe
apvxdwin.exe
inicio.exe
pavbckpt.exe
pavjobs.exe
psctrls.exe
pshost.exe
psimreal.exe
pskmssvc.exe
srvload.exe
HealthService
NimbusWatcherService
ProLiantMonitor
SDD_Service
sysdown
System
GoogleChromeElevationService
bcrservice
ccEvtMgr
ccSetMgr
CSAdmin
CSAuth
CSDbSync
CSLog
CSMon
CSRadius
CSTacacs
Symantec
VGAuthService
SepMasterServiceMig
vmware-converter-agent
vmware-converter-server
vmware-converter-worker
avbackup
MSSQL$NET2
Net2ClientSvc
NetSvc
SQLAgent$NET2
tpautoconnsvc
TPVCGateway
VMwareCAFCommAmqpListener
VMwareCAFManagementAgentHost
webproxy.exe
avltmain.exe
firewallgui.exe
pviewer.exe
pview.exe
pmon.exe
qoeloader.exe
fws.exe
TPAutoConnSvc
AdobeARMservice
RSCDsvc
LRSDRVX
msvsmon90
IDriverT
MSMQ
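As an added detection example, not from the report: the script below flags process-creation command lines (for instance the CommandLine field of Windows Security event 4688 or Sysmon event 1) that try to kill, stop or disable names from the lists above, and raises confidence when one host targets several of them in a row. It assumes the names are targeted through taskkill (a string the report's YARA rule matches), net stop or sc; the KILL_LIST subset is copied from the lists above, while the event records, host names and function names are constructed for the example.

```python
"""Flag command lines that kill, stop or disable names from the MegaCortex v2 kill lists.
Added example; only the KILL_LIST entries come from the report, all events are constructed."""
import re

# Small subset of the process and service names listed in the report; paste in the full lists for real use.
KILL_LIST = {
    "nod32krn.exe", "msseces.exe", "ccEvtMgr", "Eventlog",
    "VMTools", "SQLAgent$NET2", "HealthService",
}

# A token is "at the start" if it is the first token or follows a path separator, space or quote.
_START = r'(?:^|[\\\s"])'
_TASKKILL_RE = re.compile(_START + r'taskkill(?:\.exe)?\b', re.I)
_IM_RE = re.compile(r'/im\s+(?:"([^"]+)"|(\S+))', re.I)           # every /IM <name> on the line
_NET_STOP_RE = re.compile(_START + r'net1?(?:\.exe)?"?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)
_SC_RE = re.compile(_START + r'sc(?:\.exe)?"?\s+(?:stop|config|delete)\s+(?:"([^"]+)"|(\S+))', re.I)


def targeted_names(cmdline):
    """Return the process/service names a command line tries to kill, stop or disable."""
    if _TASKKILL_RE.search(cmdline):
        return [quoted or bare for quoted, bare in _IM_RE.findall(cmdline)]
    for rx in (_NET_STOP_RE, _SC_RE):
        m = rx.search(cmdline)
        if m:
            return [m.group(1) or m.group(2)]
    return []


def detect(events, kill_list=KILL_LIST):
    """events: iterable of dicts with 'time', 'host', 'cmdline'.
    Returns one alert per event whose targets intersect the kill list."""
    wanted = {n.lower() for n in kill_list}
    alerts = []
    for ev in events:
        hits = [n for n in targeted_names(ev["cmdline"]) if n.lower() in wanted]
        if hits:
            alerts.append({"time": ev["time"], "host": ev["host"],
                           "targets": hits, "cmdline": ev["cmdline"]})
    return alerts


def burst_hosts(alerts, threshold=3):
    """Hosts that targeted at least `threshold` distinct kill-list names.
    A single stop of one listed service is routine admin work; a burst is not."""
    per_host = {}
    for a in alerts:
        per_host.setdefault(a["host"], set()).update(n.lower() for n in a["targets"])
    return {h for h, targets in per_host.items() if len(targets) >= threshold}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2019-07-29T10:01:02", "host": "WS01", "cmdline": "taskkill /IM nod32krn.exe /F"},
    {"time": "2019-07-29T10:01:03", "host": "WS01", "cmdline": "net stop ccEvtMgr /y"},
    {"time": "2019-07-29T10:01:04", "host": "WS01", "cmdline": 'sc config "Eventlog" start= disabled'},
    {"time": "2019-07-29T10:05:00", "host": "WS02", "cmdline": "net stop Spooler /y"},  # not listed
    {"time": "2019-07-29T10:07:10", "host": "WS03",
     "cmdline": 'C:\\Windows\\System32\\taskkill.exe /F /IM "msseces.exe"'},
    {"time": "2019-07-29T10:08:00", "host": "WS03", "cmdline": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a["time"], a["host"], a["targets"])
    print("burst hosts:", burst_hosts(found))
```

The per-event alerts are noisy on their own (administrators do stop listed services such as Eventlog or HealthService), so the burst count per host is the signal worth paging on; tune the threshold to your environment.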
Worker Module
The worker is responsible for retrieving files from the IPC queue and encrypting them. The ransomware uses an RSA public key, which is hardcoded into the malware, to encrypt files.
Ransom Notes
The ransomware drops the following ransom note onto the C drive.
If you are reading this text, it means, we've hacked your corporate network.
Now all your data is encrypted with very serious and powerful algorithms (AES256 and RSA-4,096).
These algorithms now in use in military intelligence, NSA and CIA .
No one can help you to restore your data without our special decipherer.
Don't even waste your time.
But there are good news for you.
We don't want to do any damage to your business.
We are working for profit.
The core of this criminal business is to give back your valuable data in the original form (for ransom of course).
In order to prove that we can restore all your data, we'll decrypt 3 of your files for free.
Please, attach 2-3 encrypted files to your first letter.
Each file must be less than 5 Mb, non-archived and your files should not contain valuable information
(databases, backups, large word files or excel sheets, etc.).
You will receive decrypted samples and our conditions how to get the decipherer.
For the fastest solution of the problem, please, write immediately in your first letter:
the name of your company,
the domain name of your corporate network and
the URL of your corporate website
It is important !
And please do not start your first letter to us with the words:
"It's a mistake !! Our company is just trimming and grooming little dogs. We don't have money at all."
"There is a big mistake on our site !
We are not leaders in our industry and all our competitors don't suck our huge dick.
We're just а small company, and we are dying because of hard competition."
"We are not the Super Mega International Corporation ltd., we are just a nursery etc."
We see it 5 times a day. This shit doesn't work at all !!!
Don't waste our and your time.
Remember ! We don't work for food.
You have to pay for decryption in Bitcoins (BTC).
If you think you pay $500 and you'll get the decryptor, you are 50 million light years away from reality :)
The ransom begins from 2-3 BTC up to 600 BTC.
If you don't have money don't even write to us.
We don't do charity !
One more time :
1.(In first letter) write the name of your company, the domain name of your corporate network and the URL of your corporate website
2. Attach 2-3 encrypted files (we'll show you some magic)
3. Use Google in order to find out how to buy bitcoins fast
As soon as we get bitcoins you'll get all your decrypted data back.
Contact emails:
or
Man is the master of everything and decides everything.
Conclusion
MegaCortex is a recently deployed ransomware that is making a few headlines due to its ability to infect various organizations. The developer designed this ransomware to be self-protective and anti-forensic, which makes capturing the main component difficult. However, these features are also the ransomware's major disadvantage, because they prevent it from being deployed globally and quickly. Version 2 is the latest version of MegaCortex, in which the author traded security for ease of use. With a hardcoded password and anti-analysis software, parties can deliver the ransomware without an actor supplying the password for it. Therefore, there could potentially be an increase in the number of MegaCortex files delivered through e-mail campaigns or dropped by a malware downloader.
MITIGATION
MITRE ATT&CK mapping (tactic: technique). Of the tactics in the matrix (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control), the following have techniques listed:
Execution: Command-Line Interface
Privilege Escalation: Access Token Manipulation
Defense Evasion: Access Token Manipulation
Defense Evasion: Disabling Security Tools
For threat hunting, iDefense recommends leveraging the YARA rule below:
rule MegaCortex_v2_DLL
{
    meta:
        description = "Detects MegaCortex DLL samples from version 2"
        hash = "53dddbb304c79ae293f98e0b151c6b28"
        author = "iDefense"
        date = "2019-07-29"
    strings:
        $ = "If you are reading this text, it means, we've hacked your corporate network" nocase wide ascii
        $ = "No one can help you to restore your data without our special decipherer" nocase wide ascii
        $ = "You will receive decrypted samples and our conditions how to get the decipherer" nocase wide ascii
        $ = "Man is the master of everything and decides everything" nocase wide ascii
        $ = "@mail.com" nocase wide ascii
        $ = ".log" nocase wide ascii
        $ = "MEGA-" nocase wide ascii
        $ = "elevate" nocase wide ascii
        $ = "fail:" nocase wide ascii
        $ = "scaning" nocase wide ascii
        $ = "taskkill" nocase wide ascii
        $ = "payload.dll" nocase wide ascii
    condition:
        all of them
}
iDefense also recommends searching for the following:
• System: Presence of the following artifacts:
  o On-disk artifacts:
    ▪ c:\nxahoft_G9.log
    ▪ c:\!!!_READ-ME_!!!.txt
    ▪ C:\x5gj5_gmG8.log
  o Any of the following file hashes:
    ▪ c965e59627b1fed12e8bb049480f55d9
    ▪ e69f84e15dec9e49eb56031962d26854
    ▪ 582a604682e44330a9ab549a94226545
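As an added example that is not part of the report, the following Python script hunts a directory tree for the indicators above: the on-disk artifact file names, the MD5 hashes, and the ransom-note phrases the YARA rule matches. The IoC values are copied from the report; the fixture that demo() builds, the extra hash it adds so the demo produces a hit, and the function names are constructed for the example.

```python
"""Hunt a directory tree for the MegaCortex v2 indicators listed in the report:
on-disk artifact file names, MD5 hashes and ransom-note phrases.
Added example; the IoC values are copied from the report, everything else is constructed."""
import hashlib
import os
import tempfile

# MD5 hashes and artifact file names from the report's IoC list.
IOC_MD5 = {
    "c965e59627b1fed12e8bb049480f55d9",
    "e69f84e15dec9e49eb56031962d26854",
    "582a604682e44330a9ab549a94226545",
}
IOC_FILENAMES = {"nxahoft_G9.log", "!!!_READ-ME_!!!.txt", "x5gj5_gmG8.log"}

# Ransom-note phrases taken from the report's YARA rule; matched case-insensitively.
NOTE_PHRASES = (
    "If you are reading this text, it means, we've hacked your corporate network",
    "No one can help you to restore your data without our special decipherer",
    "Man is the master of everything and decides everything",
)


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large files do not exhaust memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def note_phrases_in(path, max_bytes=1 << 20):
    """Ransom-note phrases present in the first max_bytes of a file (lossy utf-8 decode)."""
    with open(path, "rb") as f:
        text = f.read(max_bytes).decode("utf-8", errors="ignore").lower()
    return [p for p in NOTE_PHRASES if p.lower() in text]


def scan_tree(root, md5_set=IOC_MD5, names=IOC_FILENAMES):
    """Walk root and return (path, reason) findings; reason is
    'ioc-filename', 'ioc-md5:<hash>' or 'ransom-note-text'."""
    wanted_names = {n.lower() for n in names}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in wanted_names:
                findings.append((path, "ioc-filename"))
            try:
                digest = md5_of(path)
                phrases = note_phrases_in(path)
            except OSError:  # unreadable or vanished file: skip it, do not abort the hunt
                continue
            if digest in md5_set:
                findings.append((path, "ioc-md5:" + digest))
            if phrases:
                findings.append((path, "ransom-note-text"))
    return findings


def demo():
    """Build a constructed fixture in a temp dir and scan it.
    Returns (findings, digest of the constructed 'sample.bin' file)."""
    root = tempfile.mkdtemp(prefix="megacortex-hunt-")
    with open(os.path.join(root, "!!!_READ-ME_!!!.txt"), "w", encoding="utf-8") as f:
        f.write(NOTE_PHRASES[0] + "\n")  # constructed ransom-note lookalike
    with open(os.path.join(root, "report.docx"), "wb") as f:
        f.write(b"benign content")  # constructed benign file, must not be flagged
    sample = b"constructed sample, stands in for a real MegaCortex binary"
    with open(os.path.join(root, "sample.bin"), "wb") as f:
        f.write(sample)
    digest = hashlib.md5(sample).hexdigest()
    # In a real hunt md5_set is just IOC_MD5; the constructed digest is added so the demo hits.
    return scan_tree(root, md5_set=IOC_MD5 | {digest}), digest


if __name__ == "__main__":
    for path, reason in demo()[0]:
        print(reason, path)
```

For a real hunt, call scan_tree() on the system drive with the default indicator sets; the file-name check is cheap and the ransom-note phrase check catches renamed copies of the note, while the hash check only fires on the exact samples the report lists.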
LEGAL NOTICE AND DISCLAIMER: This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative.
Given the inherent nature of threat intelligence, the content contained in this alert is based on information gathered and understood at the time of its creation. It is subject to change. The information in this report is general in nature and does not take into account the specific needs of your IT ecosystem and network, which may vary and require unique action. You should independently assess your specific needs in deciding to use any of the tools mentioned.
As such, all information and content set out is provided on an “as-is” basis without representation or warranty and the reader is responsible for determining whether or not to follow any of the suggestions, recommendations or potential mitigations set out in this report, entirely at their own discretion. Accenture accepts no liability for any action or failure to act in response to the information contained or referenced in this alert.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or
unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries.
All trademarks are properties of their respective owners. All materials are intended for the original
recipient only. The reproduction and distribution of this material is forbidden without express written
permission from Accenture. The opinions, statements, and assessments in this report are solely those
of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the
views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence,
the content contained in this report is based on information gathered and understood at the time of
its creation. It is subject to change. Accenture provides the information on an “as-is” basis without
representation or warranty and accepts no liability for any action or failure to act taken in response
to the information contained or referenced in this report.
Copyright © 2019 Accenture
All rights reserved.
Accenture, its logo, and High Performance Delivered are trademarks