win.defray

Defray

aka: Glushkov

Defray is ransomware that first appeared in 2017. It is used in targeted attacks, mainly against the healthcare vertical.

The distribution of Defray has several notable characteristics. According to Proofpoint:

"Defray is currently being spread via Microsoft Word document attachments in email
The campaigns are as small as several messages each
The lures are custom crafted to appeal to the intended set of potential victims
The recipients are individuals or distribution lists, e.g., group@ and websupport@
Geographic targeting is in the UK and US
Vertical targeting varies by campaign and is narrow and selective"

References
2020-11-20, Trend Micro (Abraham Camba, Bren Matthew Ebriega, Gilbert Sison): Weaponizing Open Source Software for Targeted Attacks. https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html (retrieved 2020-11-23). Tagged: LaZagne, Defray, PlugX.

2020-11-06, Palo Alto Networks Unit 42 (Ryan Tracey, Drew Schmitt, CRYPSIS): Next Up: “PyXie Lite”. https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ (retrieved 2020-11-09). Tagged: Defray, PyXie.

2020-09-23, Bleeping Computer (Lawrence Abrams): Government software provider Tyler Technologies hit by ransomware. https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/ (retrieved 2020-10-02). Tagged: Defray.

2020-02-25, RSA Conference (Joel DeCapua): Feds Fighting Ransomware: How the FBI Investigates and How You Can Help. https://www.youtube.com/watch?v=LUxOcpIRxmg (retrieved 2020-03-04). Tagged: FastCash, Cerber, Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Mamba, Phobos, Rapid Ransom, REvil, Ryuk, SamSam, Zeus.

2020-01-17, Secureworks (Tamada Kiyotaka, Keita Yamazaki, You Nakatsuru): Is It Wrong to Try to Find APT Techniques in Ransomware Attack? (technical report). https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf (retrieved 2020-04-06). Tagged: Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Matrix Ransom, MedusaLocker, Phobos, REvil, Ryuk, SamSam, Scarab Ransomware.

2020, Secureworks (SecureWorks): GOLD DUPONT. https://www.secureworks.com/research/threat-profiles/gold-dupont (retrieved 2020-05-23). Tagged: Cobalt Strike, Defray, PyXie, GOLD DUPONT.

2017-09-26, Threat Vector (Cylance Threat Research Team): Defray Ransomware Hits Healthcare and Education. https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html (retrieved 2020-01-07). Tagged: Defray.

2017-08-24, Proofpoint (Proofpoint Staff): New Defray Ransomware Targets Education and Healthcare Verticals. https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals (retrieved 2021-02-09). Tagged: Defray.

2017-08-24, Proofpoint (Proofpoint Staff): Defray - New Ransomware Targeting Education and Healthcare Verticals. https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals (retrieved 2020-01-10). Tagged: Defray.
Yara Rules
[TLP:WHITE] win_defray_auto (20230125 | Detects win.defray.)
rule win_defray_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.defray."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.defray"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d4de8 e8???????? 83f8ff 742e 0f1f440000 8d45e8 }
            // n = 6, score = 200
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   e8????????           |                     
            //   83f8ff               | cmp                 eax, -1
            //   742e                 | je                  0x30
            //   0f1f440000           | nop                 dword ptr [eax + eax]
            //   8d45e8               | lea                 eax, [ebp - 0x18]

        $sequence_1 = { 99 f7fb 894dfc 8bd0 3bf2 0f8693000000 b955555515 }
            // n = 7, score = 200
            //   99                   | cdq                 
            //   f7fb                 | idiv                ebx
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8bd0                 | mov                 edx, eax
            //   3bf2                 | cmp                 esi, edx
            //   0f8693000000         | jbe                 0x99
            //   b955555515           | mov                 ecx, 0x15555555

        $sequence_2 = { 6afd 5f 56 ff15???????? 8bc7 eb13 56 }
            // n = 7, score = 200
            //   6afd                 | push                -3
            //   5f                   | pop                 edi
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8bc7                 | mov                 eax, edi
            //   eb13                 | jmp                 0x15
            //   56                   | push                esi

        $sequence_3 = { 0f8567010000 81fe00020000 7e0c b8fcffffff 5f 5e 5b }
            // n = 7, score = 200
            //   0f8567010000         | jne                 0x16d
            //   81fe00020000         | cmp                 esi, 0x200
            //   7e0c                 | jle                 0xe
            //   b8fcffffff           | mov                 eax, 0xfffffffc
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_4 = { 8dbda0f5ffff be???????? ab ab ab ab ab }
            // n = 7, score = 200
            //   8dbda0f5ffff         | lea                 edi, [ebp - 0xa60]
            //   be????????           |                     
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_5 = { 8b430c 89410c 8d4f08 8b4310 8907 8a4314 884704 }
            // n = 7, score = 200
            //   8b430c               | mov                 eax, dword ptr [ebx + 0xc]
            //   89410c               | mov                 dword ptr [ecx + 0xc], eax
            //   8d4f08               | lea                 ecx, [edi + 8]
            //   8b4310               | mov                 eax, dword ptr [ebx + 0x10]
            //   8907                 | mov                 dword ptr [edi], eax
            //   8a4314               | mov                 al, byte ptr [ebx + 0x14]
            //   884704               | mov                 byte ptr [edi + 4], al

        $sequence_6 = { 6a01 50 e8???????? 8bce 8945fc 2bcb }
            // n = 6, score = 200
            //   6a01                 | push                1
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   2bcb                 | sub                 ecx, ebx

        $sequence_7 = { 731c 83fe08 7d0a 8a8074e64600 8807 47 }
            // n = 6, score = 200
            //   731c                 | jae                 0x1e
            //   83fe08               | cmp                 esi, 8
            //   7d0a                 | jge                 0xc
            //   8a8074e64600         | mov                 al, byte ptr [eax + 0x46e674]
            //   8807                 | mov                 byte ptr [edi], al
            //   47                   | inc                 edi

        $sequence_8 = { c70424???????? e8???????? 8d8500feffff 50 }
            // n = 4, score = 200
            //   c70424????????       |                     
            //   e8????????           |                     
            //   8d8500feffff         | lea                 eax, [ebp - 0x200]
            //   50                   | push                eax

        $sequence_9 = { 50 56 ff15???????? 85c0 7579 ff15???????? 50 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7579                 | jne                 0x7b
            //   ff15????????         |                     
            //   50                   | push                eax

    condition:
        7 of them and filesize < 1253376
}
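As an added example (not part of the Malpedia page or the yara-signator project), the following Python re-implements the matching logic of the rule above in miniature: each $sequence_N hex string becomes a byte regex in which "??" is a one-byte wildcard, and the condition "7 of them and filesize < 1253376" is evaluated over a constructed buffer. This makes the rule's tolerance for missing sequences and its size bound visible without a YARA installation; the sample buffers are constructed here, not real Defray files.

```python
import re

# Hex strings copied from the win_defray_auto rule above; "??" is a one-byte wildcard.
DEFRAY_SEQUENCES = {
    "sequence_0": "8d4de8 e8???????? 83f8ff 742e 0f1f440000 8d45e8",
    "sequence_1": "99 f7fb 894dfc 8bd0 3bf2 0f8693000000 b955555515",
    "sequence_2": "6afd 5f 56 ff15???????? 8bc7 eb13 56",
    "sequence_3": "0f8567010000 81fe00020000 7e0c b8fcffffff 5f 5e 5b",
    "sequence_4": "8dbda0f5ffff be???????? ab ab ab ab ab",
    "sequence_5": "8b430c 89410c 8d4f08 8b4310 8907 8a4314 884704",
    "sequence_6": "6a01 50 e8???????? 8bce 8945fc 2bcb",
    "sequence_7": "731c 83fe08 7d0a 8a8074e64600 8807 47",
    "sequence_8": "c70424???????? e8???????? 8d8500feffff 50",
    "sequence_9": "50 56 ff15???????? 85c0 7579 ff15???????? 50",
}
MAX_FILESIZE = 1253376   # the rule's "filesize < 1253376" bound
MIN_HITS = 7             # the rule's "7 of them"

def _tokens(hex_string):
    """Split a YARA hex string into two-character byte tokens ("8d", "??", ...)."""
    compact = hex_string.replace(" ", "")
    return [compact[i:i + 2] for i in range(0, len(compact), 2)]

def compile_hex_pattern(hex_string):
    """Translate a YARA hex string into a bytes regex; "??" becomes a single-byte wildcard."""
    parts = [b"." if tok == "??" else b"\\x" + tok.encode() for tok in _tokens(hex_string)]
    return re.compile(b"".join(parts), re.DOTALL)

def matched_sequences(data):
    """Names of the rule's hex strings that occur somewhere in data."""
    return [name for name, hs in DEFRAY_SEQUENCES.items()
            if compile_hex_pattern(hs).search(data)]

def rule_matches(data):
    """Evaluate the rule's condition: at least 7 strings present and size below the bound."""
    return len(matched_sequences(data)) >= MIN_HITS and len(data) < MAX_FILESIZE

def build_sample(names, fill=0x90, pad=b"\x00" * 32):
    """Construct a test buffer holding the named sequences, wildcards filled with `fill`."""
    chunks = [bytes(fill if tok == "??" else int(tok, 16) for tok in _tokens(DEFRAY_SEQUENCES[n]))
              for n in names]
    return pad + pad.join(chunks) + pad

if __name__ == "__main__":
    names = list(DEFRAY_SEQUENCES)
    print(rule_matches(build_sample(names[:7])), rule_matches(build_sample(names[:6])))
```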