win.defray

Defray

aka: Glushkov

Defray is targeted ransomware that first appeared in 2017 and has been used mainly against the healthcare vertical.

The distribution of Defray has several notable characteristics. According to Proofpoint:

"Defray is currently being spread via Microsoft Word document attachments in email.
The campaigns are as small as several messages each.
The lures are custom crafted to appeal to the intended set of potential victims.
The recipients are individuals or distribution lists, e.g., group@ and websupport@.
Geographic targeting is in the UK and US.
Vertical targeting varies by campaign and is narrow and selective."

References

2020-11-20 | Trend Micro | Abraham Camba, Bren Matthew Ebriega, Gilbert Sison
Weaponizing Open Source Software for Targeted Attacks
https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html
Families: LaZagne, Defray, PlugX

2020-11-06 | Palo Alto Networks Unit 42 | Ryan Tracey, Drew Schmitt, CRYPSIS
Next Up: "PyXie Lite"
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
Families: Defray, PyXie

2020-09-23 | Bleeping Computer | Lawrence Abrams
Government software provider Tyler Technologies hit by ransomware
https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/
Families: Defray

2020-02-25 | RSA Conference | Joel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
https://www.youtube.com/watch?v=LUxOcpIRxmg
Families: FastCash, Cerber, Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Mamba, Phobos Ransomware, Rapid Ransom, REvil, Ryuk, SamSam, Zeus

2020-01-17 | Secureworks (JSAC 2020 technical report) | Tamada Kiyotaka, Keita Yamazaki, You Nakatsuru
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
Families: Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Matrix Ransom, MedusaLocker, Phobos Ransomware, REvil, Ryuk, SamSam, Scarab Ransomware

2020 | Secureworks | SecureWorks
GOLD DUPONT
https://www.secureworks.com/research/threat-profiles/gold-dupont
Families: Cobalt Strike, Defray, PyXie

2017-09-26 | Threat Vector | Cylance Threat Research Team
Defray Ransomware Hits Healthcare and Education
https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html
Families: Defray

2017-08-24 | Proofpoint | Proofpoint Staff
New Defray Ransomware Targets Education and Healthcare Verticals
https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals
Families: Defray

2017-08-24 | Proofpoint | Proofpoint Staff
Defray - New Ransomware Targeting Education and Healthcare Verticals
https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals
Families: Defray
Yara Rules
[TLP:WHITE] win_defray_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_defray_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.defray"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        $sequence_0 = { 68???????? 6afe eb36 53 8d856cffffff 50 6a20 }
            // n = 7, score = 200
            //   68????????           |                     
            //   6afe                 | push                -2
            //   eb36                 | jmp                 0x38
            //   53                   | push                ebx
            //   8d856cffffff         | lea                 eax, [ebp - 0x94]
            //   50                   | push                eax
            //   6a20                 | push                0x20

        $sequence_1 = { 0f849a000000 53 8d4da4 e8???????? c645f301 8b4508 }
            // n = 6, score = 200
            //   0f849a000000         | je                  0xa0
            //   53                   | push                ebx
            //   8d4da4               | lea                 ecx, [ebp - 0x5c]
            //   e8????????           |                     
            //   c645f301             | mov                 byte ptr [ebp - 0xd], 1
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_2 = { a5 a5 a5 e8???????? 6a05 59 }
            // n = 6, score = 200
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   e8????????           |                     
            //   6a05                 | push                5
            //   59                   | pop                 ecx

        $sequence_3 = { 8dbdd4f6ffff a5 a5 a5 8dbde0f6ffff }
            // n = 5, score = 200
            //   8dbdd4f6ffff         | lea                 edi, [ebp - 0x92c]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   8dbde0f6ffff         | lea                 edi, [ebp - 0x920]

        $sequence_4 = { 8b7510 8b7d0c 84c0 7520 8b5328 85d2 }
            // n = 6, score = 200
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   84c0                 | test                al, al
            //   7520                 | jne                 0x22
            //   8b5328               | mov                 edx, dword ptr [ebx + 0x28]
            //   85d2                 | test                edx, edx

        $sequence_5 = { 6a05 83caff 59 e8???????? 59 59 8d85a4f0ffff }
            // n = 7, score = 200
            //   6a05                 | push                5
            //   83caff               | or                  edx, 0xffffffff
            //   59                   | pop                 ecx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   8d85a4f0ffff         | lea                 eax, [ebp - 0xf5c]

        $sequence_6 = { 03c2 394508 7305 33c0 40 eb02 33c0 }
            // n = 7, score = 200
            //   03c2                 | add                 eax, edx
            //   394508               | cmp                 dword ptr [ebp + 8], eax
            //   7305                 | jae                 7
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax

        $sequence_7 = { 8bb790000000 83fe94 7515 8bc6 5f 5e }
            // n = 6, score = 200
            //   8bb790000000         | mov                 esi, dword ptr [edi + 0x90]
            //   83fe94               | cmp                 esi, -0x6c
            //   7515                 | jne                 0x17
            //   8bc6                 | mov                 eax, esi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_8 = { e8???????? c20800 55 8bec 8b450c 2b4508 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   c20800               | ret                 8
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   2b4508               | sub                 eax, dword ptr [ebp + 8]

        $sequence_9 = { 53 e8???????? 694dfc30020000 83c40c 8bf0 8bd7 2b55fc }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   e8????????           |                     
            //   694dfc30020000       | imul                ecx, dword ptr [ebp - 4], 0x230
            //   83c40c               | add                 esp, 0xc
            //   8bf0                 | mov                 esi, eax
            //   8bd7                 | mov                 edx, edi
            //   2b55fc               | sub                 edx, dword ptr [ebp - 4]

    condition:
        7 of them and filesize < 1253376
}
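To make the matching semantics of the rule above concrete, here is an added Python example (not part of the Malpedia page or of yara-signator) that compiles the rule's ten hex sequences into byte regexes, treating each "??" as a one-byte wildcard, and evaluates the condition "7 of them and filesize < 1253376" against a constructed buffer; the sample bytes are made up for the test and are not a Defray sample.

```python
import re

# Hex-string patterns copied from win_defray_auto; "??" is a one-byte wildcard.
DEFRAY_SEQUENCES = {
    "sequence_0": "68???????? 6afe eb36 53 8d856cffffff 50 6a20",
    "sequence_1": "0f849a000000 53 8d4da4 e8???????? c645f301 8b4508",
    "sequence_2": "a5 a5 a5 e8???????? 6a05 59",
    "sequence_3": "8dbdd4f6ffff a5 a5 a5 8dbde0f6ffff",
    "sequence_4": "8b7510 8b7d0c 84c0 7520 8b5328 85d2",
    "sequence_5": "6a05 83caff 59 e8???????? 59 59 8d85a4f0ffff",
    "sequence_6": "03c2 394508 7305 33c0 40 eb02 33c0",
    "sequence_7": "8bb790000000 83fe94 7515 8bc6 5f 5e",
    "sequence_8": "e8???????? c20800 55 8bec 8b450c 2b4508",
    "sequence_9": "53 e8???????? 694dfc30020000 83c40c 8bf0 8bd7 2b55fc",
}
MIN_MATCHES = 7          # condition: "7 of them"
MAX_FILESIZE = 1253376   # condition: "filesize < 1253376"

def hex_pattern_to_regex(pattern):
    """Compile a YARA hex string into a bytes regex; '??' becomes '.' (any byte)."""
    hexdigits = pattern.replace(" ", "")
    if len(hexdigits) % 2:
        raise ValueError("odd-length hex pattern: " + pattern)
    parts = []
    for i in range(0, len(hexdigits), 2):
        pair = hexdigits[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '.' also matches 0x0a

COMPILED = {name: hex_pattern_to_regex(p) for name, p in DEFRAY_SEQUENCES.items()}

def matching_sequences(data):
    """Names of the sequences that occur anywhere in data."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))

def rule_matches(data):
    """Evaluate the rule condition: at least 7 sequences present and size below the cap."""
    return len(data) < MAX_FILESIZE and len(matching_sequences(data)) >= MIN_MATCHES

def sample_buffer(names):
    """Constructed test input (not a real sample): the chosen sequences with every
    wildcard byte filled with 0x90, separated by 0xcc padding."""
    pad = b"\xcc" * 8
    chunks = [bytes.fromhex(DEFRAY_SEQUENCES[n].replace(" ", "").replace("??", "90"))
              for n in names]
    return pad + pad.join(chunks) + pad
```

For scanning real files use the yara-python package with the rule as published; this block only reproduces the wildcard and counting semantics so the condition can be reasoned about.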