win.defray

Defray

aka: Glushkov

Defray is targeted ransomware that appeared in 2017, aimed mainly at the healthcare vertical.

The distribution of Defray has several notable characteristics. According to Proofpoint:

"- Defray is currently being spread via Microsoft Word document attachments in email
- The campaigns are as small as several messages each
- The lures are custom crafted to appeal to the intended set of potential victims
- The recipients are individuals or distribution lists, e.g., group@ and websupport@
- Geographic targeting is in the UK and US
- Vertical targeting varies by campaign and is narrow and selective"

References

2020-11-20, Trend Micro, Abraham Camba, Bren Matthew Ebriega, Gilbert Sison: "Weaponizing Open Source Software for Targeted Attacks". https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html (accessed 2020-11-23). Tagged families: LaZagne, Defray, PlugX.

2020-11-06, Palo Alto Networks Unit 42, Ryan Tracey, Drew Schmitt, CRYPSIS: "Next Up: “PyXie Lite”". https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ (accessed 2020-11-09). Tagged families: Defray, PyXie.

2020-09-23, Bleeping Computer, Lawrence Abrams: "Government software provider Tyler Technologies hit by ransomware". https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/ (accessed 2020-10-02). Tagged families: Defray.

2020-02-25, RSA Conference, Joel DeCapua: "Feds Fighting Ransomware: How the FBI Investigates and How You Can Help". https://www.youtube.com/watch?v=LUxOcpIRxmg (accessed 2020-03-04). Tagged families: FastCash, Cerber, Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Mamba, Phobos, Rapid Ransom, REvil, Ryuk, SamSam, Zeus.

2020-01-17, Secureworks (technical report), Tamada Kiyotaka, Keita Yamazaki, You Nakatsuru: "Is It Wrong to Try to Find APT Techniques in Ransomware Attack?". https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf (accessed 2020-04-06). Tagged families: Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Matrix Ransom, MedusaLocker, Phobos, REvil, Ryuk, SamSam, Scarab Ransomware.

2020, Secureworks, SecureWorks: "GOLD DUPONT". https://www.secureworks.com/research/threat-profiles/gold-dupont (accessed 2020-05-23). Tagged families: Cobalt Strike, Defray, PyXie, GOLD DUPONT.

2017-09-26, Threat Vector, Cylance Threat Research Team: "Defray Ransomware Hits Healthcare and Education". https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html (accessed 2020-01-07). Tagged families: Defray.

2017-08-24, Proofpoint, Proofpoint Staff: "New Defray Ransomware Targets Education and Healthcare Verticals". https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals (accessed 2021-02-09). Tagged families: Defray.

2017-08-24, Proofpoint, Proofpoint Staff: "Defray - New Ransomware Targeting Education and Healthcare Verticals". https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals (accessed 2020-01-10). Tagged families: Defray.
Yara Rules
[TLP:WHITE] win_defray_auto (20230715 | Detects win.defray.)
rule win_defray_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.defray."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.defray"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 03c8 8bc1 83d200 8345fc04 25ffffff0f 46 0facd11c }
            // n = 7, score = 200
            //   03c8                 | add                 ecx, eax
            //   8bc1                 | mov                 eax, ecx
            //   83d200               | adc                 edx, 0
            //   8345fc04             | add                 dword ptr [ebp - 4], 4
            //   25ffffff0f           | and                 eax, 0xfffffff
            //   46                   | inc                 esi
            //   0facd11c             | shrd                ecx, edx, 0x1c

        $sequence_1 = { 3938 0f857ffeffff 8b4dfc 8bfe 897d0c 3b7d10 75cb }
            // n = 7, score = 200
            //   3938                 | cmp                 dword ptr [eax], edi
            //   0f857ffeffff         | jne                 0xfffffe85
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8bfe                 | mov                 edi, esi
            //   897d0c               | mov                 dword ptr [ebp + 0xc], edi
            //   3b7d10               | cmp                 edi, dword ptr [ebp + 0x10]
            //   75cb                 | jne                 0xffffffcd

        $sequence_2 = { eb01 5b bf006a1800 57 e8???????? 8bf0 }
            // n = 6, score = 200
            //   eb01                 | jmp                 3
            //   5b                   | pop                 ebx
            //   bf006a1800           | mov                 edi, 0x186a00
            //   57                   | push                edi
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_3 = { 742b 0fb611 0fb6c0 eb17 81fa00010000 7313 8a8740b54800 }
            // n = 7, score = 200
            //   742b                 | je                  0x2d
            //   0fb611               | movzx               edx, byte ptr [ecx]
            //   0fb6c0               | movzx               eax, al
            //   eb17                 | jmp                 0x19
            //   81fa00010000         | cmp                 edx, 0x100
            //   7313                 | jae                 0x15
            //   8a8740b54800         | mov                 al, byte ptr [edi + 0x48b540]

        $sequence_4 = { 56 57 33c0 8dbc2470020000 ab 33db 53 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   33c0                 | xor                 eax, eax
            //   8dbc2470020000       | lea                 edi, [esp + 0x270]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   33db                 | xor                 ebx, ebx
            //   53                   | push                ebx

        $sequence_5 = { 8d85d8feffff c785dcfeffff06000000 33c9 89bde0feffff 50 }
            // n = 5, score = 200
            //   8d85d8feffff         | lea                 eax, [ebp - 0x128]
            //   c785dcfeffff06000000     | mov    dword ptr [ebp - 0x124], 6
            //   33c9                 | xor                 ecx, ecx
            //   89bde0feffff         | mov                 dword ptr [ebp - 0x120], edi
            //   50                   | push                eax

        $sequence_6 = { 59 85c0 755b 8bb57ccfffff 8d8580cfffff 50 56 }
            // n = 7, score = 200
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   755b                 | jne                 0x5d
            //   8bb57ccfffff         | mov                 esi, dword ptr [ebp - 0x3084]
            //   8d8580cfffff         | lea                 eax, [ebp - 0x3080]
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_7 = { 53 f3a5 50 e8???????? 83c40c 8dbd68f9ffff be???????? }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8dbd68f9ffff         | lea                 edi, [ebp - 0x698]
            //   be????????           |                     

        $sequence_8 = { 8bec 81ece4000000 a1???????? 33c5 8945fc 8b4508 85c0 }
            // n = 7, score = 200
            //   8bec                 | mov                 ebp, esp
            //   81ece4000000         | sub                 esp, 0xe4
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   85c0                 | test                eax, eax

        $sequence_9 = { be53ffffff eb05 be40ffffff 8bcf c7878c00000000000000 e8???????? }
            // n = 6, score = 200
            //   be53ffffff           | mov                 esi, 0xffffff53
            //   eb05                 | jmp                 7
            //   be40ffffff           | mov                 esi, 0xffffff40
            //   8bcf                 | mov                 ecx, edi
            //   c7878c00000000000000     | mov    dword ptr [edi + 0x8c], 0
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1253376
}