
[Web Feed] The analysed sample is a malware employed by the Threat Actor known as Ragnar...


Feed Supplier
Apr 29, 2021, 12:39:25 PM



The analysed sample is a malware employed by the Threat Actor known as Ragnarok. The ransomware is responsible for files’ encryption and it is typically executed, by the actors themselves, on the compromised machines. The name of the analysed executable is xs_high.exe, but others have been found used by the same ransomware family (such as xs_normal.exe and xs_remote.exe).

The configuration within the malware contains information regarding the encryption activities, from whitelisted countries to the contents of the ransom note. It is interesting to note that the same configuration has been used across different victims, suggesting that the actor’s activities are not specifically tailored to them.

The ransomware is a DLL named cry_demo.dll, which is packed inside the xs_high.exe executable. The unpacking process takes place with self-injection (also known as PE-overwrite), an injection technique that does not involve spawning new processes or threads. All the packed DLL code is contained in the .data section of the xs_high.exe executable and will get unpacked and decrypted by a custom loader before being executed.

Link 1
Malware Analysis: Ragnarok Ransomware – YLabs: https://labs.yarix.com/2021/04/malware-analysis-ragnarok-ransomware
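The post describes a loader that keeps the encrypted cry_demo.dll inside the .data section of xs_high.exe and decrypts it in place before executing it. The following is an added example, not code from the post or from the YLabs write-up: a dependency-free triage script that parses a PE section table and reports per-section Shannon entropy, because an encrypted payload stored in .data usually shows up as a section whose entropy sits close to 8 bits per byte while .text stays much lower. The 7.0 threshold, the minimal PE parser, and the constructed in-memory sample PE are all assumptions of this example, not facts taken from the analysis.

```python
import hashlib
import math
import struct
import sys

# Heuristic threshold (an assumption of this example, not from the write-up):
# Shannon entropy in bits per byte above which a section looks encrypted or
# compressed rather than like ordinary code or data.
HIGH_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table.

    Returns a list of (name, PointerToRawData, SizeOfRawData); only the fields
    needed to locate each section's raw bytes are read."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40                                   # one IMAGE_SECTION_HEADER
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def scan_sections(pe: bytes, threshold: float = HIGH_ENTROPY_THRESHOLD) -> dict:
    """Per-section entropy. Returns {name: (entropy_rounded, suspicious)}.

    A near-8.0 .data section next to a normal-looking .text is the kind of
    signal a triage script raises for a self-injecting loader that keeps its
    encrypted payload in .data and decrypts it at run time."""
    report = {}
    for name, raw_ptr, raw_size in parse_sections(pe):
        ent = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        report[name] = (round(ent, 2), ent >= threshold)
    return report


def build_sample_pe(text: bytes, data: bytes) -> bytes:
    """Constructed, non-runnable PE32 image with a .text and a .data section.

    The optional header is omitted (SizeOfOptionalHeader = 0), which is enough
    for the section parser above; this is a test fixture, not a real binary."""
    hdr_end = 0x40 + 4 + 20 + 2 * 40
    text_off = (hdr_end + 0x1FF) & ~0x1FF               # 512-byte file alignment
    data_off = text_off + ((len(text) + 0x1FF) & ~0x1FF)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)

    def section(name: bytes, raw: bytes, raw_ptr: int) -> bytes:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        return struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000,
                           len(raw), raw_ptr, 0, 0, 0, 0, 0)

    img = bytes(dos) + b"PE\0\0" + coff
    img += section(b".text", text, text_off) + section(b".data", data, data_off)
    img += b"\0" * (text_off - len(img)) + text
    img += b"\0" * (data_off - len(img)) + data
    return img


# Constructed fixtures: a repetitive "code" section and a pseudo-random "data"
# section standing in for an encrypted embedded DLL (deterministic, so the
# result is reproducible offline).
SAMPLE_TEXT = b"\x55\x8b\xec\x90" * 100
SAMPLE_DATA = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                       for i in range(128))
SAMPLE_PE = build_sample_pe(SAMPLE_TEXT, SAMPLE_DATA)


if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    for name, (ent, flag) in scan_sections(blob).items():
        print(f"{name:<8} entropy={ent:.2f} {'SUSPICIOUS' if flag else ''}")
```

Entropy alone is a triage signal, not a verdict: legitimate installers and resource-heavy binaries also carry high-entropy sections, so a hit is a reason to look at the section's characteristics and the code that references it, not a detection on its own.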
