Malware Analysis Project57 ransomware analysis

Online Malware Analysis Report
https://app.any.run/tasks/1f65ead8-e0e2-4c57-8009-34c2c1786e01

JM Safe

Level 39
Thread author
Verified
Top Poster
Apr 12, 2015
2,882
Ok guys, despite now it seems this ransomware is detected by more AVs on VirusTotal report the sample seems difficult to detect in the test against Bitdefender (posted by @Der.Reisende) here: Video - Bitdefender Antivirus Free [v1.0.14.76] vs Project57 ransomware

Project57 seems to no have internet connections (requests, DNS, etc.) With remote servers, that is strange for a ransomware, but it could connect lately and silently to a remote server when the victim pay the ransom to decrypt the encrypted files. It seems it calls WinRar process (maybe to zip possible dropped files to reduce AV detection?)

Project57 ransomware probably uses this Windows vulnerable process: SearchProtocolHost.exe to search in a faster and easier way the files to encrypt, because this permits to the sample to use more advanced algorithm to search files in folders. In the files used by the malware you can see under FileZilla (FTP software) the following string: ti_kozel[at]lashbania.tv, this is probably the email used for the ransomware. The same string (the email) is found also under this Google Chrome path: AppData/Local/Google/Chrome/User Data/Default/Extensions/ the same is for Opera, Skype, Windows Mail, OneNote. So guys I think now this ransomware is detected (mainly with signatures), because without a deep analysis it could seem harmless because of apparent absent internet connection and other aspects that don't highlight malicious and dangerous behaviours. But yes, it is malicious, pay attention to this ransomware!

SHA256: 2f79ccfe3a57fa2157d187925dabc38cb919383c17ff464613c06ea6730cadd4

MD5: D6DA2DBEF3FAF1987502FE81CDDD6976
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top