Deep Analysis - Russian Delphi Ransomware | Threat: CRITICAL
File Identity
| SHA256 | 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab |
|---|---|
| File extension | .Ransomware (MalwareBazaar tag) |
| Size | 379,392 bytes (PE32 GUI x86, Delphi) |
| Entropy | 7.104 (packed) |
| Timestamp | TOO OLD (pre-2000) = timestamp manipulation |
Plaintext Russian C2 Addresses
C2 IOC: unencrypted Russian C2 URLs found!
http://shopping-na-divane.ru/system/logs/tool/inst.php
http://shoptorgvlg.ru/system/logs/tool/inst.php

-- shopping-na-divane.ru: Russian for "shopping on the couch" = social-engineering camouflage
-- shoptorgvlg.ru: "shop" + "torg" (Russian for trade) + VLG (Volgograd?)
-- /system/logs/tool/inst.php: classic infostealer/ransomware C2 path
-- inst.php: "install" = installation registration or payload delivery endpoint
-- ||| + repeated numbers: identifier separator (bot ID format)
Developer Email IOC
Johnmen.24@aol.com

-- Developer or operator email address: Johnmen.24 (AOL mail)
-- ".24" = birth year 2024 or 1924? Probably 2024 = young developer
-- AOL: historical/legacy email provider (for anonymity?)
{ENCRYPTSTART} / {ENCRYPTENDED}: Encryption Markers
{ENCRYPTSTART}
}{ENCRYPTENDED}
{ENCRYPTENDED}

-- File encryption start/end markers
-- RSA: FGIntRSA = Delphi RSA library (key encryption)
-- InternetOpenUrlA + InternetOpenA: HTTP C2 connection
-- ShellExecuteA / ShellExecuteExA: payload execution
IOC
| SHA256 | 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab |
|---|---|
| C2 #1 | http://shopping-na-divane.ru/system/logs/tool/inst.php |
| C2 #2 | http://shoptorgvlg.ru/system/logs/tool/inst.php |
| Email IOC | Johnmen.24@aol.com |
| Encryption | {ENCRYPTSTART}/{ENCRYPTENDED} + FGIntRSA (RSA) |
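As an added triage helper, not part of the original report, the following Python scans a raw file buffer for the static indicators listed above (the {ENCRYPTSTART}/{ENCRYPTENDED} markers, the inst.php C2 path, the operator email, the FGIntRSA/WinINet/ShellExecute names) and reads the COFF TimeDateStamp to flag the pre-2000 timestamp manipulation. The sample buffer is constructed inline (a minimal MZ/PE header plus the reported strings), not the real binary.

```python
import re
import struct
from datetime import datetime, timezone

# String indicators taken from the analysis above.
MARKERS = [b"{ENCRYPTSTART}", b"{ENCRYPTENDED}"]
C2_PATH = b"/system/logs/tool/inst.php"
API_NAMES = [b"FGIntRSA", b"InternetOpenUrlA", b"InternetOpenA",
             b"ShellExecuteA", b"ShellExecuteExA"]
EMAIL_RE = re.compile(rb"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+\.[A-Za-z0-9.-]+")


def pe_timestamp(data):
    """COFF TimeDateStamp of a PE image, or None if the buffer is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def triage(data):
    """Collect the report's static indicators from a raw file buffer."""
    ts = pe_timestamp(data)
    return {
        "markers": [m.decode() for m in MARKERS if m in data],
        "c2_path": C2_PATH in data,
        "emails": sorted({e.decode() for e in EMAIL_RE.findall(data)}),
        "apis": [a.decode() for a in API_NAMES if a in data],
        # A pre-2000 build stamp is the timestamp manipulation noted above.
        "timestamp_suspicious": ts is not None
        and datetime.fromtimestamp(ts, tz=timezone.utc).year < 2000,
    }


def build_sample():
    """Constructed stand-in, not the real sample: MZ stub, PE/COFF header with
    TimeDateStamp 0 (1970), then the strings reported on this page."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    strings = b"\0".join([
        b"http://shopping-na-divane.ru/system/logs/tool/inst.php",
        b"Johnmen.24@aol.com", b"{ENCRYPTSTART}", b"{ENCRYPTENDED}",
        b"FGIntRSA", b"InternetOpenUrlA", b"ShellExecuteA",
    ])
    return bytes(hdr) + coff + strings


if __name__ == "__main__":
    print(triage(build_sample()))
```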
RussianDelphiRansomware — Malware Profile
Delphi-compiled ransomware targeting Russian-speaking cybercrime. C2: shopping-na-divane.ru and shoptorgvlg.ru (/system/logs/tool/inst.php). Developer/operator email: Johnmen.24@aol.com. Uses FGIntRSA (Delphi RSA library) for key encryption. File encryption markers: {ENCRYPTSTART}/{ENCRYPTENDED}. Pre-2000 timestamp manipulation.
Malware Type
Ransomware
Programming Language
Delphi
C2 Protocol
HTTP
Target Systems
Global
Capabilities & Behavior
File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)
IOC List (6 indicators)
IOC — RussianDelphiRansomware
# SHA256
0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab
# DOMAIN
shopping-na-divane.ru
# DOMAIN
shoptorgvlg.ru
# EMAIL
Johnmen.24@aol.com
# URL
http://shopping-na-divane.ru/system/logs/tool/inst.php
# URL
http://shoptorgvlg.ru/system/logs/tool/inst.php
| Type | Value | Note |
|---|---|---|
| sha256 | 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab | |
| domain | shopping-na-divane.ru | |
| domain | shoptorgvlg.ru | |
| email | Johnmen.24@aol.com | |
| url | http://shopping-na-divane.ru/system/logs/tool/inst.php | |
| url | http://shoptorgvlg.ru/system/logs/tool/inst.php | |