SYMBOLCOMMON_NAMEaka. SYNONYMS
win.megacortex (Back to overview)

MegaCortex


Megacortex is a ransomware used in targeted attacks against corporations.
Once the ransomware is run it tries to stop security related services and after that it starts its own encryption process adding a .aes128ctr or .megac0rtx extension to the encrypted files. It is used to be carried from downloaders and trojans, it has no own propagation capabilities.

References
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2020-11-27PTSecurityDenis Goydenko, Alexey Vishnyakov
@online{goydenko:20201127:investigation:7d12cee, author = {Denis Goydenko and Alexey Vishnyakov}, title = {{Investigation with a twist: an accidental APT attack and averted data destruction}}, date = {2020-11-27}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/}, language = {English}, urldate = {2020-12-01} } Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-07-15FireEyeNathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html}, language = {English}, urldate = {2020-07-16} } Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-02-20McAfeeChristiaan Beek, Eamonn Ryan, Darren Fitzpatrick
@online{beek:20200220:csi:8525a7b, author = {Christiaan Beek and Eamonn Ryan and Darren Fitzpatrick}, title = {{CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II}}, date = {2020-02-20}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/}, language = {English}, urldate = {2021-05-13} } CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II
Cobalt Strike LockerGoga Maze MegaCortex
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2019-12-24Dev Kundaliya
@online{kundaliya:20191224:warning:6ffa2c8, author = {Dev Kundaliya}, title = {{Warning over LockerGoga and MegaCortex ransomware attacks targeting private industry in western countries}}, date = {2019-12-24}, url = {https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries}, language = {English}, urldate = {2020-01-06} } Warning over LockerGoga and MegaCortex ransomware attacks targeting private industry in western countries
MegaCortex
2019-12-23Bleeping ComputerLawrence Abrams
@online{abrams:20191223:fbi:7c11cf8, author = {Lawrence Abrams}, title = {{FBI Issues Alert For LockerGoga and MegaCortex Ransomware}}, date = {2019-12-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/}, language = {English}, urldate = {2020-01-08} } FBI Issues Alert For LockerGoga and MegaCortex Ransomware
LockerGoga MegaCortex
2019-11-05Bleeping ComputerLawrence Abrams
@online{abrams:20191105:new:14b4aaf, author = {Lawrence Abrams}, title = {{New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data}}, date = {2019-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/}, language = {English}, urldate = {2020-01-07} } New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data
MegaCortex
2019-08-05ThreatpostTara Seals
@online{seals:20190805:megacortex:1cb0c38, author = {Tara Seals}, title = {{MegaCortex Ransomware Revamps for Mass Distribution}}, date = {2019-08-05}, organization = {Threatpost}, url = {https://threatpost.com/megacortex-ransomware-mass-distribution/146933/}, language = {English}, urldate = {2020-01-07} } MegaCortex Ransomware Revamps for Mass Distribution
MegaCortex
2019-07-19Bleeping ComputerLawrence Abrams
@online{abrams:20190719:elusive:153c1b0, author = {Lawrence Abrams}, title = {{Elusive MegaCortex Ransomware Found - Here is What We Know}}, date = {2019-07-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/}, language = {English}, urldate = {2020-01-15} } Elusive MegaCortex Ransomware Found - Here is What We Know
MegaCortex
2019-05-07Trend MicroTrendmicro
@online{trendmicro:20190507:megacortex:f7c061d, author = {Trendmicro}, title = {{MegaCortex Ransomware Spotted Attacking Enterprise Networks}}, date = {2019-05-07}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks}, language = {English}, urldate = {2020-01-08} } MegaCortex Ransomware Spotted Attacking Enterprise Networks
MegaCortex
2019-05-03SophosAndrew Brandt
@online{brandt:20190503:megacortex:fc2d16b, author = {Andrew Brandt}, title = {{“MegaCortex” ransomware wants to be The One}}, date = {2019-05-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/}, language = {English}, urldate = {2019-11-27} } “MegaCortex” ransomware wants to be The One
MegaCortex
2019MalwarebytesMalwarebytes Labs
@online{labs:2019:ransommegacortex:5d35576, author = {Malwarebytes Labs}, title = {{Ransom.Megacortex}}, date = {2019}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/detections/ransom-megacortex/}, language = {English}, urldate = {2020-01-10} } Ransom.Megacortex
MegaCortex
Yara Rules
[TLP:WHITE] win_megacortex_auto (20210616 | Detects win.megacortex.)
rule win_megacortex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.megacortex."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8d460c c745fc00000000 50 e8???????? 83c40c f6450801 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8d460c               | lea                 eax, dword ptr [esi + 0xc]
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   f6450801             | test                byte ptr [ebp + 8], 1

        $sequence_1 = { 8d75d4 8d4d10 2bce f7da 1bd2 23d1 }
            // n = 6, score = 400
            //   8d75d4               | lea                 esi, dword ptr [ebp - 0x2c]
            //   8d4d10               | lea                 ecx, dword ptr [ebp + 0x10]
            //   2bce                 | sub                 ecx, esi
            //   f7da                 | neg                 edx
            //   1bd2                 | sbb                 edx, edx
            //   23d1                 | and                 edx, ecx

        $sequence_2 = { 2bfe 1b5df8 8b4130 2930 8b4120 0130 eb24 }
            // n = 7, score = 400
            //   2bfe                 | sub                 edi, esi
            //   1b5df8               | sbb                 ebx, dword ptr [ebp - 8]
            //   8b4130               | mov                 eax, dword ptr [ecx + 0x30]
            //   2930                 | sub                 dword ptr [eax], esi
            //   8b4120               | mov                 eax, dword ptr [ecx + 0x20]
            //   0130                 | add                 dword ptr [eax], esi
            //   eb24                 | jmp                 0x26

        $sequence_3 = { 2bd9 33d2 8bf7 83f801 8d7df8 0f44f2 03f0 }
            // n = 7, score = 400
            //   2bd9                 | sub                 ebx, ecx
            //   33d2                 | xor                 edx, edx
            //   8bf7                 | mov                 esi, edi
            //   83f801               | cmp                 eax, 1
            //   8d7df8               | lea                 edi, dword ptr [ebp - 8]
            //   0f44f2               | cmove               esi, edx
            //   03f0                 | add                 esi, eax

        $sequence_4 = { f7da 1bd2 891e 23d0 8b0a 2bd6 83e1fd }
            // n = 7, score = 400
            //   f7da                 | neg                 edx
            //   1bd2                 | sbb                 edx, edx
            //   891e                 | mov                 dword ptr [esi], ebx
            //   23d0                 | and                 edx, eax
            //   8b0a                 | mov                 ecx, dword ptr [edx]
            //   2bd6                 | sub                 edx, esi
            //   83e1fd               | and                 ecx, 0xfffffffd

        $sequence_5 = { 03fe 894d08 8d5eff f7db 1bdb 23df 8d7d0c }
            // n = 7, score = 400
            //   03fe                 | add                 edi, esi
            //   894d08               | mov                 dword ptr [ebp + 8], ecx
            //   8d5eff               | lea                 ebx, dword ptr [esi - 1]
            //   f7db                 | neg                 ebx
            //   1bdb                 | sbb                 ebx, ebx
            //   23df                 | and                 ebx, edi
            //   8d7d0c               | lea                 edi, dword ptr [ebp + 0xc]

        $sequence_6 = { e8???????? ff7510 ff750c 57 e8???????? 83c418 85c0 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   85c0                 | test                eax, eax

        $sequence_7 = { f7f3 8bca 894d08 85c9 750e 395608 7509 }
            // n = 7, score = 400
            //   f7f3                 | div                 ebx
            //   8bca                 | mov                 ecx, edx
            //   894d08               | mov                 dword ptr [ebp + 8], ecx
            //   85c9                 | test                ecx, ecx
            //   750e                 | jne                 0x10
            //   395608               | cmp                 dword ptr [esi + 8], edx
            //   7509                 | jne                 0xb

        $sequence_8 = { f7d9 1bc9 23c8 8d4508 03c2 4a 8b4904 }
            // n = 7, score = 400
            //   f7d9                 | neg                 ecx
            //   1bc9                 | sbb                 ecx, ecx
            //   23c8                 | and                 ecx, eax
            //   8d4508               | lea                 eax, dword ptr [ebp + 8]
            //   03c2                 | add                 eax, edx
            //   4a                   | dec                 edx
            //   8b4904               | mov                 ecx, dword ptr [ecx + 4]

        $sequence_9 = { f00fc101 7516 8b07 8bcf ff10 8bc3 f00fc14708 }
            // n = 7, score = 400
            //   f00fc101             | lock xadd           dword ptr [ecx], eax
            //   7516                 | jne                 0x18
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8bcf                 | mov                 ecx, edi
            //   ff10                 | call                dword ptr [eax]
            //   8bc3                 | mov                 eax, ebx
            //   f00fc14708           | lock xadd           dword ptr [edi + 8], eax

    condition:
        7 of them and filesize < 1556480
}
Download all Yara Rules