win.defray

Defray

aka: Glushkov

Defray is targeted ransomware that first appeared in 2017, aimed mainly at the healthcare vertical.

The distribution of Defray has several notable characteristics. According to Proofpoint:

"Defray is currently being spread via Microsoft Word document attachments in email.
The campaigns are as small as several messages each.
The lures are custom crafted to appeal to the intended set of potential victims.
The recipients are individuals or distribution lists, e.g., group@ and websupport@.
Geographic targeting is in the UK and US.
Vertical targeting varies by campaign and is narrow and selective."

References
Abraham Camba, Bren Matthew Ebriega, Gilbert Sison (2020-11-20). Weaponizing Open Source Software for Targeted Attacks. Trend Micro. https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html (retrieved 2020-11-23). Families: LaZagne, Defray, PlugX.

Ryan Tracey, Drew Schmitt, CRYPSIS (2020-11-06). Next Up: "PyXie Lite". Palo Alto Networks Unit 42. https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ (retrieved 2020-11-09). Families: Defray, PyXie.

Lawrence Abrams (2020-09-23). Government software provider Tyler Technologies hit by ransomware. Bleeping Computer. https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/ (retrieved 2020-10-02). Families: Defray.

Joel DeCapua (2020-02-25). Feds Fighting Ransomware: How the FBI Investigates and How You Can Help. RSA Conference. https://www.youtube.com/watch?v=LUxOcpIRxmg (retrieved 2020-03-04). Families: FastCash, Cerber, Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Mamba, Phobos, Rapid Ransom, REvil, Ryuk, SamSam, Zeus.

Tamada Kiyotaka, Keita Yamazaki, You Nakatsuru (2020-01-17). Is It Wrong to Try to Find APT Techniques in Ransomware Attack? Secureworks (technical report). https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf (retrieved 2020-04-06). Families: Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Matrix Ransom, MedusaLocker, Phobos, REvil, Ryuk, SamSam, Scarab Ransomware.

SecureWorks (2020). GOLD DUPONT. Secureworks. https://www.secureworks.com/research/threat-profiles/gold-dupont (retrieved 2020-05-23). Families and actors: Cobalt Strike, Defray, PyXie, GOLD DUPONT.

Cylance Threat Research Team (2017-09-26). Defray Ransomware Hits Healthcare and Education. Threat Vector. https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html (retrieved 2020-01-07). Families: Defray.

Proofpoint Staff (2017-08-24). New Defray Ransomware Targets Education and Healthcare Verticals. Proofpoint. https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals (retrieved 2021-02-09). Families: Defray.

Proofpoint Staff (2017-08-24). Defray - New Ransomware Targeting Education and Healthcare Verticals. Proofpoint. https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals (retrieved 2020-01-10). Families: Defray.
Yara Rules
[TLP:WHITE] win_defray_auto (20211008 | Detects win.defray.)
rule win_defray_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.defray."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.defray"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 2b07 6a01 50 ff37 e8???????? 83c40c 8d0433 }
            // n = 7, score = 200
            //   2b07                 | sub                 eax, dword ptr [edi]
            //   6a01                 | push                1
            //   50                   | push                eax
            //   ff37                 | push                dword ptr [edi]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d0433               | lea                 eax, dword ptr [ebx + esi]

        $sequence_1 = { 8a06 3c7f 7435 8b5db4 84c0 7e2b 0fbec8 }
            // n = 7, score = 200
            //   8a06                 | mov                 al, byte ptr [esi]
            //   3c7f                 | cmp                 al, 0x7f
            //   7435                 | je                  0x37
            //   8b5db4               | mov                 ebx, dword ptr [ebp - 0x4c]
            //   84c0                 | test                al, al
            //   7e2b                 | jle                 0x2d
            //   0fbec8               | movsx               ecx, al

        $sequence_2 = { 894dec 3b04b5e0fb4800 7cb5 51 6bce0c 891cb5d8f94800 030d???????? }
            // n = 7, score = 200
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   3b04b5e0fb4800       | cmp                 eax, dword ptr [esi*4 + 0x48fbe0]
            //   7cb5                 | jl                  0xffffffb7
            //   51                   | push                ecx
            //   6bce0c               | imul                ecx, esi, 0xc
            //   891cb5d8f94800       | mov                 dword ptr [esi*4 + 0x48f9d8], ebx
            //   030d????????         |                     

        $sequence_3 = { 75f1 8dbdc8fdffff 83ef02 668b4702 83c702 663bc6 75f4 }
            // n = 7, score = 200
            //   75f1                 | jne                 0xfffffff3
            //   8dbdc8fdffff         | lea                 edi, dword ptr [ebp - 0x238]
            //   83ef02               | sub                 edi, 2
            //   668b4702             | mov                 ax, word ptr [edi + 2]
            //   83c702               | add                 edi, 2
            //   663bc6               | cmp                 ax, si
            //   75f4                 | jne                 0xfffffff6

        $sequence_4 = { a5 a5 a5 66a5 8dbdc8fdffff 83ef02 668b4702 }
            // n = 7, score = 200
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]
            //   8dbdc8fdffff         | lea                 edi, dword ptr [ebp - 0x238]
            //   83ef02               | sub                 edi, 2
            //   668b4702             | mov                 ax, word ptr [edi + 2]

        $sequence_5 = { 8b5518 3bc1 0f44d7 8b45fc 8910 e9???????? 8b5518 }
            // n = 7, score = 200
            //   8b5518               | mov                 edx, dword ptr [ebp + 0x18]
            //   3bc1                 | cmp                 eax, ecx
            //   0f44d7               | cmove               edx, edi
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8910                 | mov                 dword ptr [eax], edx
            //   e9????????           |                     
            //   8b5518               | mov                 edx, dword ptr [ebp + 0x18]

        $sequence_6 = { a5 a5 8dbd60efffff be???????? ab ab ab }
            // n = 7, score = 200
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   8dbd60efffff         | lea                 edi, dword ptr [ebp - 0x10a0]
            //   be????????           |                     
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_7 = { 8bc6 83e03f 6bc830 8b049568f34800 f644082801 740b 56 }
            // n = 7, score = 200
            //   8bc6                 | mov                 eax, esi
            //   83e03f               | and                 eax, 0x3f
            //   6bc830               | imul                ecx, eax, 0x30
            //   8b049568f34800       | mov                 eax, dword ptr [edx*4 + 0x48f368]
            //   f644082801           | test                byte ptr [eax + ecx + 0x28], 1
            //   740b                 | je                  0xd
            //   56                   | push                esi

        $sequence_8 = { 895704 89770c 897710 897714 8975fc e8???????? 8bd8 }
            // n = 7, score = 200
            //   895704               | mov                 dword ptr [edi + 4], edx
            //   89770c               | mov                 dword ptr [edi + 0xc], esi
            //   897710               | mov                 dword ptr [edi + 0x10], esi
            //   897714               | mov                 dword ptr [edi + 0x14], esi
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax

        $sequence_9 = { 8d4902 6685c0 75f1 8dbdc0fdffff 83ef02 668b4702 83c702 }
            // n = 7, score = 200
            //   8d4902               | lea                 ecx, dword ptr [ecx + 2]
            //   6685c0               | test                ax, ax
            //   75f1                 | jne                 0xfffffff3
            //   8dbdc0fdffff         | lea                 edi, dword ptr [ebp - 0x240]
            //   83ef02               | sub                 edi, 2
            //   668b4702             | mov                 ax, word ptr [edi + 2]
            //   83c702               | add                 edi, 2

    condition:
        7 of them and filesize < 1253376
}