win.megacortex (Back to overview)

MegaCortex


MegaCortex is ransomware used in targeted attacks against corporations.
Once executed, it attempts to stop security-related services before starting its own encryption routine, which appends a .aes128ctr or .megac0rtx extension to each encrypted file; the FireEye analysis referenced below reports that its kill list also covers OT (operational technology) processes. Later variants have been reported to change Windows account passwords and to threaten publication of stolen data (Bleeping Computer, 2019-11-05). It is typically delivered by downloaders and trojans rather than spreading by itself: it has no propagation capability of its own.

References
2020-07-15FireEyeNathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html}, language = {English}, urldate = {2020-07-16} } Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
DoppelPaymer LockerGoga Maze MegaCortex Nefilim Ransomware Snake Ransomware
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2019-12-24Dev Kundaliya
@online{kundaliya:20191224:warning:6ffa2c8, author = {Dev Kundaliya}, title = {{Warning over LockerGoga and MegaCortex ransomware attacks targeting private industry in western countries}}, date = {2019-12-24}, url = {https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries}, language = {English}, urldate = {2020-01-06} } Warning over LockerGoga and MegaCortex ransomware attacks targeting private industry in western countries
MegaCortex
2019-12-23Bleeping ComputerLawrence Abrams
@online{abrams:20191223:fbi:7c11cf8, author = {Lawrence Abrams}, title = {{FBI Issues Alert For LockerGoga and MegaCortex Ransomware}}, date = {2019-12-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/}, language = {English}, urldate = {2020-01-08} } FBI Issues Alert For LockerGoga and MegaCortex Ransomware
LockerGoga MegaCortex
2019-11-05Bleeping ComputerLawrence Abrams
@online{abrams:20191105:new:14b4aaf, author = {Lawrence Abrams}, title = {{New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data}}, date = {2019-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/}, language = {English}, urldate = {2020-01-07} } New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data
MegaCortex
2019-08-05ThreatpostTara Seals
@online{seals:20190805:megacortex:1cb0c38, author = {Tara Seals}, title = {{MegaCortex Ransomware Revamps for Mass Distribution}}, date = {2019-08-05}, organization = {Threatpost}, url = {https://threatpost.com/megacortex-ransomware-mass-distribution/146933/}, language = {English}, urldate = {2020-01-07} } MegaCortex Ransomware Revamps for Mass Distribution
MegaCortex
2019-07-19Bleeping ComputerLawrence Abrams
@online{abrams:20190719:elusive:153c1b0, author = {Lawrence Abrams}, title = {{Elusive MegaCortex Ransomware Found - Here is What We Know}}, date = {2019-07-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/}, language = {English}, urldate = {2020-01-15} } Elusive MegaCortex Ransomware Found - Here is What We Know
MegaCortex
2019-05-07Trend MicroTrendmicro
@online{trendmicro:20190507:megacortex:f7c061d, author = {Trendmicro}, title = {{MegaCortex Ransomware Spotted Attacking Enterprise Networks}}, date = {2019-05-07}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks}, language = {English}, urldate = {2020-01-08} } MegaCortex Ransomware Spotted Attacking Enterprise Networks
MegaCortex
2019-05-03SophosAndrew Brandt
@online{brandt:20190503:megacortex:fc2d16b, author = {Andrew Brandt}, title = {{“MegaCortex” ransomware wants to be The One}}, date = {2019-05-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/}, language = {English}, urldate = {2019-11-27} } “MegaCortex” ransomware wants to be The One
MegaCortex
2019MalwarebytesMalwarebytes Labs
@online{labs:2019:ransommegacortex:5d35576, author = {Malwarebytes Labs}, title = {{Ransom.Megacortex}}, date = {2019}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/detections/ransom-megacortex/}, language = {English}, urldate = {2020-01-10} } Ransom.Megacortex
MegaCortex
Yara Rules
[TLP:WHITE] win_megacortex_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_megacortex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on how to read and deploy this rule:
     *  - Every $sequence_N below is a short fragment of 32-bit x86 code
     *    (the accompanying disassembly uses ebp/esp/ecx-relative addressing),
     *    i.e. the rule is meant for unpacked or memory-dumped code, not for
     *    the packed on-disk dropper.
     *  - The "????????" bytes wildcard 4-byte operands (call/jmp targets and
     *    absolute addresses) that legitimately differ between builds, so
     *    only the opcode skeleton of each fragment is matched.
     *  - The condition requires 7 of the 10 fragments, so one function that
     *    was recompiled differently does not by itself defeat a match, but
     *    a substantially rebuilt sample may still evade it.
     *  - There is deliberately no PE-header test (e.g. uint16(0) == 0x5a4d),
     *    which presumably keeps the rule usable on raw memory dumps; the
     *    filesize bound (1556480 bytes = 1520 KiB) limits scan cost and
     *    reduces incidental hits on very large files.
     *  - As the disclaimer states, the fragments come from a single
     *    documented sample set; treat a hit as a lead for triage, not as
     *    conclusive attribution.
     */

    strings:
        $sequence_0 = { a3???????? c3 8d8d30ffffff e9???????? 8d4dd8 e9???????? 8b542408 }
            // n = 7, score = 300
            //   a3????????           |                     
            //   c3                   | ret                 
            //   8d8d30ffffff         | lea                 ecx, [ebp - 0xd0]
            //   e9????????           |                     
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e9????????           |                     
            //   8b542408             | mov                 edx, dword ptr [esp + 8]

        $sequence_1 = { 32c0 eb02 b001 8b5d18 8d55f0 84c0 8d7d0c }
            // n = 7, score = 300
            //   32c0                 | xor                 al, al
            //   eb02                 | jmp                 4
            //   b001                 | mov                 al, 1
            //   8b5d18               | mov                 ebx, dword ptr [ebp + 0x18]
            //   8d55f0               | lea                 edx, [ebp - 0x10]
            //   84c0                 | test                al, al
            //   8d7d0c               | lea                 edi, [ebp + 0xc]

        $sequence_2 = { 8b00 894104 3bc7 740f 8b4dec 034a0c 8b4104 }
            // n = 7, score = 300
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   894104               | mov                 dword ptr [ecx + 4], eax
            //   3bc7                 | cmp                 eax, edi
            //   740f                 | je                  0x11
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   034a0c               | add                 ecx, dword ptr [edx + 0xc]
            //   8b4104               | mov                 eax, dword ptr [ecx + 4]

        $sequence_3 = { f7f3 85d2 0f8599010000 8b450c 8d5624 8b36 8b4e04 }
            // n = 7, score = 300
            //   f7f3                 | div                 ebx
            //   85d2                 | test                edx, edx
            //   0f8599010000         | jne                 0x19f
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8d5624               | lea                 edx, [esi + 0x24]
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]

        $sequence_4 = { 03ca 014dec ff7518 8d4dd4 8bc7 2bc1 85ff }
            // n = 7, score = 300
            //   03ca                 | add                 ecx, edx
            //   014dec               | add                 dword ptr [ebp - 0x14], ecx
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   8bc7                 | mov                 eax, edi
            //   2bc1                 | sub                 eax, ecx
            //   85ff                 | test                edi, edi

        $sequence_5 = { 5d c3 e8???????? 68???????? 50 8d4dc4 e8???????? }
            // n = 7, score = 300
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   e8????????           |                     
            //   68????????           |                     
            //   50                   | push                eax
            //   8d4dc4               | lea                 ecx, [ebp - 0x3c]
            //   e8????????           |                     

        $sequence_6 = { 8b8da0faffff 42 8bc1 81fa00100000 7214 8b49fc }
            // n = 6, score = 300
            //   8b8da0faffff         | mov                 ecx, dword ptr [ebp - 0x560]
            //   42                   | inc                 edx
            //   8bc1                 | mov                 eax, ecx
            //   81fa00100000         | cmp                 edx, 0x1000
            //   7214                 | jb                  0x16
            //   8b49fc               | mov                 ecx, dword ptr [ecx - 4]

        $sequence_7 = { ff75c4 50 57 e8???????? 8b4dc4 8d0476 8d0cc1 }
            // n = 7, score = 300
            //   ff75c4               | push                dword ptr [ebp - 0x3c]
            //   50                   | push                eax
            //   57                   | push                edi
            //   e8????????           |                     
            //   8b4dc4               | mov                 ecx, dword ptr [ebp - 0x3c]
            //   8d0476               | lea                 eax, [esi + esi*2]
            //   8d0cc1               | lea                 ecx, [ecx + eax*8]

        $sequence_8 = { 23f2 8d51ff 8d1c06 8d75f0 895df4 8d4510 2bc6 }
            // n = 7, score = 300
            //   23f2                 | and                 esi, edx
            //   8d51ff               | lea                 edx, [ecx - 1]
            //   8d1c06               | lea                 ebx, [esi + eax]
            //   8d75f0               | lea                 esi, [ebp - 0x10]
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx
            //   8d4510               | lea                 eax, [ebp + 0x10]
            //   2bc6                 | sub                 eax, esi

        $sequence_9 = { e8???????? 8d45b8 50 8d4e30 e8???????? 8b45d0 8d4d80 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   8d45b8               | lea                 eax, [ebp - 0x48]
            //   50                   | push                eax
            //   8d4e30               | lea                 ecx, [esi + 0x30]
            //   e8????????           |                     
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   8d4d80               | lea                 ecx, [ebp - 0x80]

    condition:
        // 7 of the 10 code fragments must be present; the size cap (1520 KiB)
        // bounds scan cost and excludes very large files from matching.
        7 of them and filesize < 1556480
}