win.defray

Defray

aka: Glushkov

Defray is targeted ransomware that first appeared in 2017, aimed mainly at the healthcare vertical (education was also targeted, per the Proofpoint and Cylance reports listed below).

The distribution of Defray has several notable characteristics. According to Proofpoint:

"Defray is currently being spread via Microsoft Word document attachments in email
The campaigns are as small as several messages each
The lures are custom crafted to appeal to the intended set of potential victims
The recipients are individuals or distribution lists, e.g., group@ and websupport@
Geographic targeting is in the UK and US
Vertical targeting varies by campaign and is narrow and selective"

References
2020-11-20 | Trend Micro | Abraham Camba, Bren Matthew Ebriega, Gilbert Sison
@online{camba:20201120:weaponizing:e15699d, author = {Abraham Camba and Bren Matthew Ebriega and Gilbert Sison}, title = {{Weaponizing Open Source Software for Targeted Attacks}}, date = {2020-11-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html}, language = {English}, urldate = {2020-11-23} }
Related families: LaZagne, Defray, PlugX

2020-11-06 | Palo Alto Networks Unit 42 | Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:next:c911bb5, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Next Up: “PyXie Lite”}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/}, language = {English}, urldate = {2020-11-09} }
Related families: Defray, PyXie

2020-09-23 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200923:government:bf7b212, author = {Lawrence Abrams}, title = {{Government software provider Tyler Technologies hit by ransomware}}, date = {2020-09-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/}, language = {English}, urldate = {2020-10-02} }
Related families: Defray

2020-02-25 | RSA Conference | Joel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} }
Related families: FastCash, Cerber, Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Mamba, Phobos, Rapid Ransom, REvil, Ryuk, SamSam, Zeus

2020-01-17 | Secureworks | Tamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} }
Related families: Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Matrix Ransom, MedusaLocker, Phobos, REvil, Ryuk, SamSam, Scarab Ransomware

2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:8050e44, author = {SecureWorks}, title = {{GOLD DUPONT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-dupont}, language = {English}, urldate = {2020-05-23} }
Related families and actors: Cobalt Strike, Defray, PyXie, GOLD DUPONT

2017-09-26 | Threat Vector | Cylance Threat Research Team
@online{team:20170926:defray:8bab4ad, author = {Cylance Threat Research Team}, title = {{Defray Ransomware Hits Healthcare and Education}}, date = {2017-09-26}, organization = {Threat Vector}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html}, language = {English}, urldate = {2020-01-07} }
Related families: Defray

2017-08-24 | Proofpoint | Proofpoint Staff
@online{staff:20170824:new:51577f3, author = {Proofpoint Staff}, title = {{New Defray Ransomware Targets Education and Healthcare Verticals}}, date = {2017-08-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals}, language = {English}, urldate = {2021-02-09} }
Related families: Defray

2017-08-24 | Proofpoint | Proofpoint Staff
@online{staff:20170824:defray:1b0f056, author = {Proofpoint Staff}, title = {{Defray - New Ransomware Targeting Education and Healthcare Verticals}}, date = {2017-08-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals}, language = {English}, urldate = {2020-01-10} }
Related families: Defray
Yara Rules
[TLP:WHITE] win_defray_auto (20220516 | Detects win.defray.)
rule win_defray_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.defray."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.defray"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b9???????? 8d850cf7ffff 668b10 663b11 751e 6685d2 7415 }
            // n = 7, score = 200
            //   b9????????           |                     
            //   8d850cf7ffff         | lea                 eax, [ebp - 0x8f4]
            //   668b10               | mov                 dx, word ptr [eax]
            //   663b11               | cmp                 dx, word ptr [ecx]
            //   751e                 | jne                 0x20
            //   6685d2               | test                dx, dx
            //   7415                 | je                  0x17

        $sequence_1 = { 83e03f c1f906 6bf030 03348d68f34800 837e18ff 740c 837e18fe }
            // n = 7, score = 200
            //   83e03f               | and                 eax, 0x3f
            //   c1f906               | sar                 ecx, 6
            //   6bf030               | imul                esi, eax, 0x30
            //   03348d68f34800       | add                 esi, dword ptr [ecx*4 + 0x48f368]
            //   837e18ff             | cmp                 dword ptr [esi + 0x18], -1
            //   740c                 | je                  0xe
            //   837e18fe             | cmp                 dword ptr [esi + 0x18], -2

        $sequence_2 = { e8???????? 8b7508 8365d400 8365fc00 837d2400 740f 6a02 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8365d400             | and                 dword ptr [ebp - 0x2c], 0
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   837d2400             | cmp                 dword ptr [ebp + 0x24], 0
            //   740f                 | je                  0x11
            //   6a02                 | push                2

        $sequence_3 = { e8???????? 83a668f3480000 59 83c604 81fe00020000 72dd b001 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83a668f3480000       | and                 dword ptr [esi + 0x48f368], 0
            //   59                   | pop                 ecx
            //   83c604               | add                 esi, 4
            //   81fe00020000         | cmp                 esi, 0x200
            //   72dd                 | jb                  0xffffffdf
            //   b001                 | mov                 al, 1

        $sequence_4 = { 55 8bec 81ecfc0a0000 a1???????? 33c5 8945fc 53 }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ecfc0a0000         | sub                 esp, 0xafc
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   53                   | push                ebx

        $sequence_5 = { 0fb701 6689040a 8d4902 6685c0 75f1 8dbdc8fdffff 83ef02 }
            // n = 7, score = 200
            //   0fb701               | movzx               eax, word ptr [ecx]
            //   6689040a             | mov                 word ptr [edx + ecx], ax
            //   8d4902               | lea                 ecx, [ecx + 2]
            //   6685c0               | test                ax, ax
            //   75f1                 | jne                 0xfffffff3
            //   8dbdc8fdffff         | lea                 edi, [ebp - 0x238]
            //   83ef02               | sub                 edi, 2

        $sequence_6 = { 8bfa 8bf1 85ff 7411 56 e8???????? }
            // n = 6, score = 200
            //   8bfa                 | mov                 edi, edx
            //   8bf1                 | mov                 esi, ecx
            //   85ff                 | test                edi, edi
            //   7411                 | je                  0x13
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_7 = { d1f8 50 52 e8???????? 8bc6 5e 8be5 }
            // n = 7, score = 200
            //   d1f8                 | sar                 eax, 1
            //   50                   | push                eax
            //   52                   | push                edx
            //   e8????????           |                     
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   8be5                 | mov                 esp, ebp

        $sequence_8 = { 0f42df 6a01 683c020000 53 e8???????? 694dfc3c020000 83c40c }
            // n = 7, score = 200
            //   0f42df               | cmovb               ebx, edi
            //   6a01                 | push                1
            //   683c020000           | push                0x23c
            //   53                   | push                ebx
            //   e8????????           |                     
            //   694dfc3c020000       | imul                ecx, dword ptr [ebp - 4], 0x23c
            //   83c40c               | add                 esp, 0xc

        $sequence_9 = { c20400 68???????? e8???????? cc 55 8bec 83ec28 }
            // n = 7, score = 200
            //   c20400               | ret                 4
            //   68????????           |                     
            //   e8????????           |                     
            //   cc                   | int3                
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec28               | sub                 esp, 0x28

    condition:
        7 of them and filesize < 1253376
}
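Two things about the rule above are easy to misjudge in practice. First, the `????` bytes in sequences such as `e8????????` are YARA wildcards: they leave call/jump displacements and absolute addresses unconstrained so the sequence survives relocation and recompilation, while the surrounding opcode bytes still have to match exactly. Second, the condition is `7 of them and filesize < 1253376`, so an unpacked image or memory region written to disk that is larger than that bound will not match no matter how many sequences it contains. The Python below makes both points concrete without needing the yara library: it translates the rule's own hex strings into byte regexes and evaluates the 7-of-10 and filesize checks. This is an added example, not Malpedia's or yara-signator's code; the buffers it scans are constructed from the rule's sequences and are not Defray samples.

```python
import re

# Hex strings copied from the win_defray_auto rule on this page. "??" marks a
# YARA wildcard byte (call/jmp displacements and absolute addresses that shift
# between builds, so the rule deliberately leaves them unconstrained).
DEFRAY_SEQUENCES = {
    "sequence_0": "b9???????? 8d850cf7ffff 668b10 663b11 751e 6685d2 7415",
    "sequence_1": "83e03f c1f906 6bf030 03348d68f34800 837e18ff 740c 837e18fe",
    "sequence_2": "e8???????? 8b7508 8365d400 8365fc00 837d2400 740f 6a02",
    "sequence_3": "e8???????? 83a668f3480000 59 83c604 81fe00020000 72dd b001",
    "sequence_4": "55 8bec 81ecfc0a0000 a1???????? 33c5 8945fc 53",
    "sequence_5": "0fb701 6689040a 8d4902 6685c0 75f1 8dbdc8fdffff 83ef02",
    "sequence_6": "8bfa 8bf1 85ff 7411 56 e8????????",
    "sequence_7": "d1f8 50 52 e8???????? 8bc6 5e 8be5",
    "sequence_8": "0f42df 6a01 683c020000 53 e8???????? 694dfc3c020000 83c40c",
    "sequence_9": "c20400 68???????? e8???????? cc 55 8bec 83ec28",
}
MIN_SEQUENCES = 7          # "7 of them"
MAX_FILESIZE = 1253376     # "filesize < 1253376"


def _byte_tokens(hex_string):
    """Split a YARA hex string into two-character byte tokens ("b9", "??", ...)."""
    tokens = []
    for word in hex_string.split():
        if len(word) % 2:
            raise ValueError(f"odd-length hex token: {word!r}")
        tokens.extend(word[i:i + 2] for i in range(0, len(word), 2))
    return tokens


def hex_string_to_regex(hex_string):
    """Translate a YARA hex string into a compiled bytes regex.

    Fixed bytes become \\xNN escapes; "??" becomes "." which, together with
    DOTALL, matches any byte value including 0x0a.
    """
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16)
             for tok in _byte_tokens(hex_string)]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_string_to_regex(hs) for name, hs in DEFRAY_SEQUENCES.items()}


def matched_sequences(data):
    """Names of the rule's sequences found anywhere in the buffer."""
    return [name for name, pattern in COMPILED.items() if pattern.search(data)]


def win_defray_auto(data):
    """Evaluate the rule condition: 7 of them and filesize < 1253376."""
    hits = matched_sequences(data)
    return len(hits) >= MIN_SEQUENCES and len(data) < MAX_FILESIZE


def render_sequence(hex_string, wildcard_fill=0x00):
    """Concrete bytes for a sequence, with every wildcard set to one value."""
    return bytes(wildcard_fill if tok == "??" else int(tok, 16)
                 for tok in _byte_tokens(hex_string))


def build_constructed_sample(sequence_names, pad_to=0):
    """Constructed test buffer (not a real Defray sample): the chosen sequences
    separated by NOP sleds, optionally zero-padded to `pad_to` bytes."""
    body = b"\x90" * 16
    for name in sequence_names:
        body += render_sequence(DEFRAY_SEQUENCES[name]) + b"\x90" * 16
    return body.ljust(pad_to, b"\x00")


if __name__ == "__main__":
    names = list(DEFRAY_SEQUENCES)
    print("all 10 sequences, small buffer:", win_defray_auto(build_constructed_sample(names)))
    print("only 6 sequences:", win_defray_auto(build_constructed_sample(names[:6])))
    big = build_constructed_sample(names, pad_to=MAX_FILESIZE)
    print("all 10 sequences, filesize at the bound:", win_defray_auto(big))
```

The third case is the one to remember when you point this rule at process dumps: the content is right, the size check fails. This re-implementation covers only the plain hex-string subset the rule uses (fixed bytes and `??` wildcards, no jumps, alternatives or string modifiers); for real scanning use the rule itself with yara or yara-python, which is what Malpedia distributes it for.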