SYMBOLCOMMON_NAMEaka. SYNONYMS
win.megacortex (Back to overview)

MegaCortex

Megacortex is a ransomware used in targeted attacks against corporations.
Once the ransomware is run it tries to stop security related services and after that it starts its own encryption process adding a .aes128ctr or .megac0rtx extension to the encrypted files. It is used to be carried from downloaders and trojans, it has no own propagation capabilities.

References
2023-01-05Bleeping ComputerBill Toulas
@online{toulas:20230105:bitdefender:dc76b2a, author = {Bill Toulas}, title = {{Bitdefender releases free MegaCortex ransomware decryptor}}, date = {2023-01-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-megacortex-ransomware-decryptor/}, language = {English}, urldate = {2023-01-06} } Bitdefender releases free MegaCortex ransomware decryptor
MegaCortex
2021-10-29Національна поліція УкраїниНаціональна поліція України
@online{:20211029:cyberpolice:fc43b20, author = {Національна поліція України}, title = {{Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies}}, date = {2021-10-29}, organization = {Національна поліція України}, url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/}, language = {Ukrainian}, urldate = {2021-11-02} } Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2021-10-29EuropolEuropol
@online{europol:20211029:12:5c0fd59, author = {Europol}, title = {{12 targeted for involvement in ransomware attacks against critical infrastructure}}, date = {2021-10-29}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure}, language = {English}, urldate = {2021-11-02} } 12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2020-11-27PTSecurityDenis Goydenko, Alexey Vishnyakov
@online{goydenko:20201127:investigation:7d12cee, author = {Denis Goydenko and Alexey Vishnyakov}, title = {{Investigation with a twist: an accidental APT attack and averted data destruction}}, date = {2020-11-27}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/}, language = {English}, urldate = {2020-12-01} } Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-07-15MandiantNathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot}, language = {English}, urldate = {2022-07-28} } Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-02-20McAfeeChristiaan Beek, Eamonn Ryan, Darren Fitzpatrick
@online{beek:20200220:csi:8525a7b, author = {Christiaan Beek and Eamonn Ryan and Darren Fitzpatrick}, title = {{CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II}}, date = {2020-02-20}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/}, language = {English}, urldate = {2021-05-13} } CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II
Cobalt Strike LockerGoga Maze MegaCortex
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2019-12-24Dev Kundaliya
@online{kundaliya:20191224:warning:6ffa2c8, author = {Dev Kundaliya}, title = {{Warning over LockerGoga and MegaCortex ransomware attacks targeting private industry in western countries}}, date = {2019-12-24}, url = {https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries}, language = {English}, urldate = {2020-01-06} } Warning over LockerGoga and MegaCortex ransomware attacks targeting private industry in western countries
MegaCortex
2019-12-23Bleeping ComputerLawrence Abrams
@online{abrams:20191223:fbi:7c11cf8, author = {Lawrence Abrams}, title = {{FBI Issues Alert For LockerGoga and MegaCortex Ransomware}}, date = {2019-12-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/}, language = {English}, urldate = {2020-01-08} } FBI Issues Alert For LockerGoga and MegaCortex Ransomware
LockerGoga MegaCortex
2019-11-05Bleeping ComputerLawrence Abrams
@online{abrams:20191105:new:14b4aaf, author = {Lawrence Abrams}, title = {{New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data}}, date = {2019-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/}, language = {English}, urldate = {2020-01-07} } New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data
MegaCortex
2019-08-05ThreatpostTara Seals
@online{seals:20190805:megacortex:1cb0c38, author = {Tara Seals}, title = {{MegaCortex Ransomware Revamps for Mass Distribution}}, date = {2019-08-05}, organization = {Threatpost}, url = {https://threatpost.com/megacortex-ransomware-mass-distribution/146933/}, language = {English}, urldate = {2020-01-07} } MegaCortex Ransomware Revamps for Mass Distribution
MegaCortex
2019-07-19Bleeping ComputerLawrence Abrams
@online{abrams:20190719:elusive:153c1b0, author = {Lawrence Abrams}, title = {{Elusive MegaCortex Ransomware Found - Here is What We Know}}, date = {2019-07-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/}, language = {English}, urldate = {2020-01-15} } Elusive MegaCortex Ransomware Found - Here is What We Know
MegaCortex
2019-05-10SophosLabs UncutAndrew Brandt
@online{brandt:20190510:megacortex:6b7c935, author = {Andrew Brandt}, title = {{MegaCortex, deconstructed: mysteries mount as analysis continues}}, date = {2019-05-10}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2019/05/10/megacortex-deconstructed-mysteries-mount-as-analysis-continues/}, language = {English}, urldate = {2022-03-18} } MegaCortex, deconstructed: mysteries mount as analysis continues
MegaCortex
2019-05-07Trend MicroTrendmicro
@online{trendmicro:20190507:megacortex:f7c061d, author = {Trendmicro}, title = {{MegaCortex Ransomware Spotted Attacking Enterprise Networks}}, date = {2019-05-07}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks}, language = {English}, urldate = {2020-01-08} } MegaCortex Ransomware Spotted Attacking Enterprise Networks
MegaCortex
2019-05-03SophosAndrew Brandt
@online{brandt:20190503:megacortex:fc2d16b, author = {Andrew Brandt}, title = {{“MegaCortex” ransomware wants to be The One}}, date = {2019-05-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/}, language = {English}, urldate = {2019-11-27} } “MegaCortex” ransomware wants to be The One
MegaCortex
2019MalwarebytesMalwarebytes Labs
@online{labs:2019:ransommegacortex:5d35576, author = {Malwarebytes Labs}, title = {{Ransom.Megacortex}}, date = {2019}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/detections/ransom-megacortex/}, language = {English}, urldate = {2020-01-10} } Ransom.Megacortex
MegaCortex
Yara Rules
[TLP:WHITE] win_megacortex_auto (20230125 | Detects win.megacortex.)
rule win_megacortex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.megacortex."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4520 53 89858cfbffff 8b4524 56 8b7508 8985b4fbffff }
            // n = 7, score = 400
            //   8b4520               | mov                 eax, dword ptr [ebp + 0x20]
            //   53                   | push                ebx
            //   89858cfbffff         | mov                 dword ptr [ebp - 0x474], eax
            //   8b4524               | mov                 eax, dword ptr [ebp + 0x24]
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8985b4fbffff         | mov                 dword ptr [ebp - 0x44c], eax

        $sequence_1 = { 8d4b04 1bd2 2bc7 23d0 8d45e8 03d6 }
            // n = 6, score = 400
            //   8d4b04               | lea                 ecx, [ebx + 4]
            //   1bd2                 | sbb                 edx, edx
            //   2bc7                 | sub                 eax, edi
            //   23d0                 | and                 edx, eax
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   03d6                 | add                 edx, esi

        $sequence_2 = { 83e0fe 8d75fc 03c8 8d45fc 2bc7 5f 8d51ff }
            // n = 7, score = 400
            //   83e0fe               | and                 eax, 0xfffffffe
            //   8d75fc               | lea                 esi, [ebp - 4]
            //   03c8                 | add                 ecx, eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   2bc7                 | sub                 eax, edi
            //   5f                   | pop                 edi
            //   8d51ff               | lea                 edx, [ecx - 1]

        $sequence_3 = { 6bc758 51 51 2bf0 56 53 e8???????? }
            // n = 7, score = 400
            //   6bc758               | imul                eax, edi, 0x58
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   2bf0                 | sub                 esi, eax
            //   56                   | push                esi
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_4 = { e8???????? 83c404 eb02 33f6 897704 6a01 56 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   eb02                 | jmp                 4
            //   33f6                 | xor                 esi, esi
            //   897704               | mov                 dword ptr [edi + 4], esi
            //   6a01                 | push                1
            //   56                   | push                esi

        $sequence_5 = { 51 0f4385e09cffff 8d8d989cffff 50 6a00 e8???????? eb21 }
            // n = 7, score = 400
            //   51                   | push                ecx
            //   0f4385e09cffff       | cmovae              eax, dword ptr [ebp - 0x6320]
            //   8d8d989cffff         | lea                 ecx, [ebp - 0x6368]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   e8????????           |                     
            //   eb21                 | jmp                 0x23

        $sequence_6 = { 33c0 8be5 5d c3 b8abaaaaaa f7e1 33c0 }
            // n = 7, score = 400
            //   33c0                 | xor                 eax, eax
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   b8abaaaaaa           | mov                 eax, 0xaaaaaaab
            //   f7e1                 | mul                 ecx
            //   33c0                 | xor                 eax, eax

        $sequence_7 = { 1bc9 23ca 8d55ec 8bd9 2bda 85c9 b901000000 }
            // n = 7, score = 400
            //   1bc9                 | sbb                 ecx, ecx
            //   23ca                 | and                 ecx, edx
            //   8d55ec               | lea                 edx, [ebp - 0x14]
            //   8bd9                 | mov                 ebx, ecx
            //   2bda                 | sub                 ebx, edx
            //   85c9                 | test                ecx, ecx
            //   b901000000           | mov                 ecx, 1

        $sequence_8 = { 8b4d08 8bd0 83c404 c702???????? 0f1001 0f114208 f30f7e4110 }
            // n = 7, score = 400
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8bd0                 | mov                 edx, eax
            //   83c404               | add                 esp, 4
            //   c702????????         |                     
            //   0f1001               | movups              xmm0, xmmword ptr [ecx]
            //   0f114208             | movups              xmmword ptr [edx + 8], xmm0
            //   f30f7e4110           | movq                xmm0, qword ptr [ecx + 0x10]

        $sequence_9 = { e8???????? ff75ec 8d4d20 e8???????? 8b36 3bf7 0f8578ffffff }
            // n = 7, score = 400
            //   e8????????           |                     
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   8d4d20               | lea                 ecx, [ebp + 0x20]
            //   e8????????           |                     
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   3bf7                 | cmp                 esi, edi
            //   0f8578ffffff         | jne                 0xffffff7e

    condition:
        7 of them and filesize < 1556480
}
Download all Yara Rules