VRad

#Cryakl_ransom_210918

Sep 24th, 2018

#IOC #OptiData #VR #210918 #Cryakl #Ransomware #SCR #ZIP

(!) Cryakl
Identified by sample_extension: email-<email>.ver-CL <version>.id-<random>-<random>.doubleoffset
This ransomware may be decryptable under certain circumstances.

email_headers
--------------
Received: from konto-design.ru (konto-design.ru [95.213.203.178])
by mailsrv.victim.com (8.15.2/8.15.2) with ESMTP id w8LGeCtv003880
for <user1@vip.victim.com>; Fri, 21 Sep 2018 19:40:13 +0300 (EEST)
(envelope-from send@konto-design.ru)
Reply-To: =?windows-1251?B?w+vu8Oj/?= <bounce@konto-design.ru>
From: =?windows-1251?B?w+vu8Oj/?= <send@konto-design.ru>
To: <user1@vip.victim.com>
Subject: Сверка дублирую. вчера не тот файл вислали  [Russian, roughly: "Re-sending the reconciliation. Yesterday the wrong file was sent"]
Date: Fri, 21 Sep 2018 19:40:06 +0300

files
--------------
SHA-256 5e82435a7f1a04d29a96bb56c3c1febe1124f556425b029a2c45f144e142c651
File name st140620.tmp
File size 156.25 KB

SHA-256 bbcdfd57739dab2c4d1ea6e3e209a4b829f200e7bbc9cc78b616e9b358880ebe
File name чек повторной оплаты выписка из банка.scr  [Russian: "receipt of repeat payment bank statement.scr"] (EXE) packer PECompact 2.xx --> BitSum Technologies
File size 170 KB

activity
-------------

proc
--------------
"C:\Users\operator\Desktop\1.scr" /S
"C:\Users\operator\Desktop\1.scr"
"C:\tmp\ADHLRUXBEH.exe"
"C:\tmp\ADHLRUXBEH.exe"

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 24.09.2018 12:02
2889404871 c:\tmp\adhlruxbeh.exe 20.09.2018 16:42

netwrk
--------------
5.101.152.212 dyrovpa9.beget{.} tech GET /inst.php?vers=CL%201.5.1.0&id=2889404871-43520714514599267111949&sender= HTTP/1.1 Mozilla/5.0 (Windows NT 6.3; WOW64)
164.132.235.17 www.vabel{.} fr GET /wp-content/uploads/2018/08/stat/inst.php?vers=CL%201.5.1.0&id=2889404871-43520714514599267111949&sender= HTTP/1.1 Mozilla/5.0 (Windows NT 6.3; WOW64)

encrypted
--------------
email-vally@x-mail.pro.ver-CL 1.5.1.0.id-2889404871-43520714514599267111949.fname-name_of_initial_doc.pdf

ransom_note
--------------
Your files was encrypted! Write us:
vally@x-mail.pro
vally@x-mail.pro
vally@x-mail.pro

decryptor
--------------
https://id-ransomware.malwarehunterteam.com/identify.php?case=439a00e2de51c43e19560eff059316bb94d96d1d
https://www.experts-exchange.com/articles/31579/Decrypting-Cryakl-1-4-0-0-1-4-1-0-FAIRYTAIL-Ransomware.html
https://www.youtube.com/watch?v=oNqcWQ3WL20
# # #
https://www.virustotal.com/#/file/5e82435a7f1a04d29a96bb56c3c1febe1124f556425b029a2c45f144e142c651/details
https://www.virustotal.com/#/file/bbcdfd57739dab2c4d1ea6e3e209a4b829f200e7bbc9cc78b616e9b358880ebe/details
https://analyze.intezer.com/#/analyses/0c0a08ea-4f82-4540-a000-55c6b1f1a83b
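Added triage helper (not part of the original paste, and not Cryakl's own code): it parses the encrypted-file naming pattern shown above (email-<email>.ver-CL <version>.id-<n>-<n>.fname-<original> or .doubleoffset) and scans web-proxy log lines for the inst.php?vers=CL beacon listed under netwrk, so the victim id from the file name can be matched against the beacon id and the Run value name. The regex and the log format are assumptions built from the samples on this page; the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed from the sample name on the page: marker appended to every encrypted file.
# ".doubleoffset" is accepted as the alternative tail named in the identification line.
CRYAKL_NAME = re.compile(
    r"^email-(?P<email>.+?)\.ver-CL (?P<version>[\d.]+?)\.id-(?P<id>\d+-\d+)"
    r"(?:\.fname-(?P<orig>.+)|\.doubleoffset)$"
)


def parse_cryakl_name(filename):
    """Return {email, version, id, orig} for a Cryakl-renamed file, else None."""
    m = CRYAKL_NAME.match(filename)
    if not m:
        return None
    return m.groupdict()  # 'orig' is None for the .doubleoffset form


def victim_id_prefix(victim_id):
    """First numeric part of the id; on this page it equals the HKCU Run value name."""
    return victim_id.split("-", 1)[0]


# Constructed proxy log lines (squid-like: ts client method url status); not real data.
SAMPLE_PROXY_LOG = [
    "1537805000.123 10.0.0.5 GET http://dyrovpa9.beget.tech/inst.php?vers=CL%201.5.1.0&id=2889404871-43520714514599267111949&sender= 200",
    "1537805001.456 10.0.0.7 GET http://www.example.com/index.html 200",
    "1537805002.789 10.0.0.5 GET http://www.vabel.fr/wp-content/uploads/2018/08/stat/inst.php?vers=CL%201.5.1.0&id=2889404871-43520714514599267111949&sender= 200",
    "1537805003.000 10.0.0.9 GET http://www.example.com/inst.php?vers=other 404",
]


def find_beacons(log_lines):
    """Flag GET requests to .../inst.php whose vers parameter starts with 'CL '."""
    hits = []
    for line in log_lines:
        for token in line.split():
            if "inst.php" not in token:
                continue
            parts = urlsplit(token)
            if not parts.path.endswith("/inst.php"):
                continue
            qs = parse_qs(parts.query, keep_blank_values=True)
            vers = qs.get("vers", [""])[0]          # %20 is decoded to a space here
            if not vers.startswith("CL "):
                continue
            hits.append({
                "host": parts.hostname,
                "version": vers[3:],
                "id": qs.get("id", [""])[0],
            })
    return hits


def same_victim(file_info, beacon):
    """True when an encrypted file name and a beacon carry the same victim id."""
    return file_info is not None and file_info["id"] == beacon["id"]


if __name__ == "__main__":
    info = parse_cryakl_name(
        "email-vally@x-mail.pro.ver-CL 1.5.1.0.id-2889404871-43520714514599267111949.fname-name_of_initial_doc.pdf"
    )
    print(info)
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print(hit, "matches file id:", same_victim(info, hit))
```

Running it on a file listing plus proxy logs gives the contact address and CL version to look up against the decryptor links below, and ties the host that beaconed to the Run key value name (2889404871) created on that host.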