win.defray

Defray

aka: Glushkov

Defray is targeted ransomware that first appeared in 2017; its campaigns have been aimed mainly at the healthcare vertical.

The distribution of Defray has several notable characteristics. According to Proofpoint:

"Defray is currently being spread via Microsoft Word document attachments in email.
The campaigns are as small as several messages each.
The lures are custom crafted to appeal to the intended set of potential victims.
The recipients are individuals or distribution lists, e.g., group@ and websupport@.
Geographic targeting is in the UK and US.
Vertical targeting varies by campaign and is narrow and selective."

References
2020-11-20 | Trend Micro | Abraham Camba, Bren Matthew Ebriega, Gilbert Sison
Weaponizing Open Source Software for Targeted Attacks
@online{camba:20201120:weaponizing:e15699d, author = {Abraham Camba and Bren Matthew Ebriega and Gilbert Sison}, title = {{Weaponizing Open Source Software for Targeted Attacks}}, date = {2020-11-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html}, language = {English}, urldate = {2020-11-23} }
Tagged: LaZagne, Defray, PlugX

2020-11-06 | Palo Alto Networks Unit 42 | Ryan Tracey, Drew Schmitt, CRYPSIS
Next Up: “PyXie Lite”
@online{tracey:20201106:next:c911bb5, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Next Up: “PyXie Lite”}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/}, language = {English}, urldate = {2020-11-09} }
Tagged: Defray, PyXie

2020-09-23 | Bleeping Computer | Lawrence Abrams
Government software provider Tyler Technologies hit by ransomware
@online{abrams:20200923:government:bf7b212, author = {Lawrence Abrams}, title = {{Government software provider Tyler Technologies hit by ransomware}}, date = {2020-09-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/}, language = {English}, urldate = {2020-10-02} }
Tagged: Defray

2020-02-25 | RSA Conference | Joel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} }
Tagged: FastCash, Cerber, Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Mamba, Phobos, Rapid Ransom, REvil, Ryuk, SamSam, Zeus

2020-01-17 | Secureworks | Tamada Kiyotaka, Keita Yamazaki, You Nakatsuru
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} }
Tagged: Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Matrix Ransom, MedusaLocker, Phobos, REvil, Ryuk, SamSam, Scarab Ransomware

2020 | Secureworks | SecureWorks
GOLD DUPONT
@online{secureworks:2020:gold:8050e44, author = {SecureWorks}, title = {{GOLD DUPONT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-dupont}, language = {English}, urldate = {2020-05-23} }
Tagged: Cobalt Strike, Defray, PyXie, GOLD DUPONT

2017-09-26 | Threat Vector | Cylance Threat Research Team
Defray Ransomware Hits Healthcare and Education
@online{team:20170926:defray:8bab4ad, author = {Cylance Threat Research Team}, title = {{Defray Ransomware Hits Healthcare and Education}}, date = {2017-09-26}, organization = {Threat Vector}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html}, language = {English}, urldate = {2020-01-07} }
Tagged: Defray

2017-08-24 | Proofpoint | Proofpoint Staff
New Defray Ransomware Targets Education and Healthcare Verticals
@online{staff:20170824:new:51577f3, author = {Proofpoint Staff}, title = {{New Defray Ransomware Targets Education and Healthcare Verticals}}, date = {2017-08-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals}, language = {English}, urldate = {2021-02-09} }
Tagged: Defray

2017-08-24 | Proofpoint | Proofpoint Staff
Defray - New Ransomware Targeting Education and Healthcare Verticals
@online{staff:20170824:defray:1b0f056, author = {Proofpoint Staff}, title = {{Defray - New Ransomware Targeting Education and Healthcare Verticals}}, date = {2017-08-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals}, language = {English}, urldate = {2020-01-10} }
Tagged: Defray
Yara Rules
[TLP:WHITE] win_defray_auto (20221125 | Detects win.defray.)
rule win_defray_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.defray."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.defray"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 ff15???????? 8b35???????? 8bd8 899decfdffff 85db 747e }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b35????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   899decfdffff         | mov                 dword ptr [ebp - 0x214], ebx
            //   85db                 | test                ebx, ebx
            //   747e                 | je                  0x80

        $sequence_1 = { 5d c20400 56 8bf1 8b4614 83f808 720e }
            // n = 7, score = 200
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   83f808               | cmp                 eax, 8
            //   720e                 | jb                  0x10

        $sequence_2 = { 50 8d5598 8d4da8 e8???????? 83c410 85c0 0f85ce010000 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   8d5598               | lea                 edx, [ebp - 0x68]
            //   8d4da8               | lea                 ecx, [ebp - 0x58]
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   0f85ce010000         | jne                 0x1d4

        $sequence_3 = { 8945ec 83c404 895dd4 85db 0f8437010000 897dcc 85ff }
            // n = 7, score = 200
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   83c404               | add                 esp, 4
            //   895dd4               | mov                 dword ptr [ebp - 0x2c], ebx
            //   85db                 | test                ebx, ebx
            //   0f8437010000         | je                  0x13d
            //   897dcc               | mov                 dword ptr [ebp - 0x34], edi
            //   85ff                 | test                edi, edi

        $sequence_4 = { 8b11 3b514c 7525 3b5150 }
            // n = 4, score = 200
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   3b514c               | cmp                 edx, dword ptr [ecx + 0x4c]
            //   7525                 | jne                 0x27
            //   3b5150               | cmp                 edx, dword ptr [ecx + 0x50]

        $sequence_5 = { 7cd6 8b4510 8b7d08 85c0 0f8567010000 8b470c 8b08 }
            // n = 7, score = 200
            //   7cd6                 | jl                  0xffffffd8
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   85c0                 | test                eax, eax
            //   0f8567010000         | jne                 0x16d
            //   8b470c               | mov                 eax, dword ptr [edi + 0xc]
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_6 = { e8???????? 83c40c 8d4de4 e8???????? 47 81c330020000 3b3d???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]
            //   e8????????           |                     
            //   47                   | inc                 edi
            //   81c330020000         | add                 ebx, 0x230
            //   3b3d????????         |                     

        $sequence_7 = { 6a02 59 e8???????? 59 59 6afe }
            // n = 6, score = 200
            //   6a02                 | push                2
            //   59                   | pop                 ecx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   6afe                 | push                -2

        $sequence_8 = { 56 8b7508 57 6a00 8975e8 8945e0 ff15???????? }
            // n = 7, score = 200
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   6a00                 | push                0
            //   8975e8               | mov                 dword ptr [ebp - 0x18], esi
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   ff15????????         |                     

        $sequence_9 = { c745e8ece64600 8945f0 8945ec c745e4e4e64600 50 8945fc 8d45e4 }
            // n = 7, score = 200
            //   c745e8ece64600       | mov                 dword ptr [ebp - 0x18], 0x46e6ec
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   c745e4e4e64600       | mov                 dword ptr [ebp - 0x1c], 0x46e6e4
            //   50                   | push                eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8d45e4               | lea                 eax, [ebp - 0x1c]

    condition:
        7 of them and filesize < 1253376
}
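The rule above fires when any 7 of its 10 byte sequences are present and the file is under 1253376 bytes; the `??` bytes are wildcards that let call/jump displacements and absolute addresses differ between builds. To make that matching behaviour concrete, the following is an added example, not Malpedia's or yara-signator's code: a minimal pure-Python evaluator for the hex-string subset this rule uses (hex pairs plus one-byte `??` wildcards) that reproduces the rule's condition. It scans a constructed buffer, not a Defray sample, and is meant for understanding and unit-testing the rule, not as a replacement for YARA.

```python
import re

# Byte patterns copied verbatim from the win_defray_auto rule; `??` is a one-byte
# wildcard. YARA also supports nibble wildcards, jumps and alternations, which this
# minimal matcher deliberately does not implement.
SEQUENCES = {
    "sequence_0": "50 ff15???????? 8b35???????? 8bd8 899decfdffff 85db 747e",
    "sequence_1": "5d c20400 56 8bf1 8b4614 83f808 720e",
    "sequence_2": "50 8d5598 8d4da8 e8???????? 83c410 85c0 0f85ce010000",
    "sequence_3": "8945ec 83c404 895dd4 85db 0f8437010000 897dcc 85ff",
    "sequence_4": "8b11 3b514c 7525 3b5150",
    "sequence_5": "7cd6 8b4510 8b7d08 85c0 0f8567010000 8b470c 8b08",
    "sequence_6": "e8???????? 83c40c 8d4de4 e8???????? 47 81c330020000 3b3d????????",
    "sequence_7": "6a02 59 e8???????? 59 59 6afe",
    "sequence_8": "56 8b7508 57 6a00 8975e8 8945e0 ff15????????",
    "sequence_9": "c745e8ece64600 8945f0 8945ec c745e4e4e64600 50 8945fc 8d45e4",
}
REQUIRED_MATCHES = 7      # condition: "7 of them"
MAX_FILESIZE = 1253376    # condition: "filesize < 1253376"


def hex_pattern_to_regex(pattern):
    """Compile a YARA hex string of hex pairs and ?? wildcards into a bytes regex."""
    hexstr = pattern.replace(" ", "")
    if len(hexstr) % 2:
        raise ValueError("hex pattern must consist of whole bytes")
    parts = []
    for i in range(0, len(hexstr), 2):
        pair = hexstr[i:i + 2]
        parts.append(b"." if pair == "??" else b"\\x%02x" % int(pair, 16))
    # DOTALL so a wildcard also matches a 0x0a byte.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in SEQUENCES.items()}


def matched_sequences(data):
    """Map each sequence name to the list of offsets where it occurs in data."""
    return {name: [m.start() for m in rx.finditer(data)]
            for name, rx in COMPILED.items()}


def evaluate_rule(data):
    """Reproduce the rule condition: 7 of them and filesize < 1253376."""
    hits = matched_sequences(data)
    distinct = sum(1 for offsets in hits.values() if offsets)
    return distinct >= REQUIRED_MATCHES and len(data) < MAX_FILESIZE


def instantiate(pattern, filler=0x00):
    """Constructed test data: fill every ?? with `filler` to get concrete bytes."""
    return bytes.fromhex(pattern.replace("??", "%02x" % filler).replace(" ", ""))


def build_sample(indices):
    """Constructed buffer holding the chosen sequences, NOP-padded (not a real sample)."""
    chunks = [instantiate(SEQUENCES["sequence_%d" % i]) for i in indices]
    return (b"\x90" * 16).join(chunks) + b"\x90" * 16


if __name__ == "__main__":
    sample = build_sample(range(7))
    for name, offsets in matched_sequences(sample).items():
        print("%-10s %s" % (name, offsets or "-"))
    print("rule fires with 7 sequences:", evaluate_rule(sample))
    print("rule fires with 6 sequences:", evaluate_rule(build_sample(range(6))))
```

Because the condition counts distinct sequences rather than total hits, a buffer containing only six of the patterns does not fire no matter how often each repeats, and a buffer above the filesize bound never fires even with all ten present; both checks mirror what YARA itself evaluates for this rule.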