win.megacortex

MegaCortex


MegaCortex is a ransomware family used in targeted attacks against corporations.
Once run, it attempts to stop security-related services and then starts its encryption process, appending a .aes128ctr or .megac0rtx extension to the encrypted files. It is typically delivered by downloaders and trojans; it has no propagation capabilities of its own.

References
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2019-12-24Dev Kundaliya
@online{kundaliya:20191224:warning:6ffa2c8, author = {Dev Kundaliya}, title = {{Warning over LockerGoga and MegaCortex ransomware attacks targeting private industry in western countries}}, date = {2019-12-24}, url = {https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries}, language = {English}, urldate = {2020-01-06} } Warning over LockerGoga and MegaCortex ransomware attacks targeting private industry in western countries
MegaCortex
2019-12-23Bleeping ComputerLawrence Abrams
@online{abrams:20191223:fbi:7c11cf8, author = {Lawrence Abrams}, title = {{FBI Issues Alert For LockerGoga and MegaCortex Ransomware}}, date = {2019-12-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/}, language = {English}, urldate = {2020-01-08} } FBI Issues Alert For LockerGoga and MegaCortex Ransomware
LockerGoga MegaCortex
2019-11-05Bleeping ComputerLawrence Abrams
@online{abrams:20191105:new:14b4aaf, author = {Lawrence Abrams}, title = {{New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data}}, date = {2019-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/}, language = {English}, urldate = {2020-01-07} } New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data
MegaCortex
2019-08-05ThreatpostTara Seals
@online{seals:20190805:megacortex:1cb0c38, author = {Tara Seals}, title = {{MegaCortex Ransomware Revamps for Mass Distribution}}, date = {2019-08-05}, organization = {Threatpost}, url = {https://threatpost.com/megacortex-ransomware-mass-distribution/146933/}, language = {English}, urldate = {2020-01-07} } MegaCortex Ransomware Revamps for Mass Distribution
MegaCortex
2019-07-19Bleeping ComputerLawrence Abrams
@online{abrams:20190719:elusive:153c1b0, author = {Lawrence Abrams}, title = {{Elusive MegaCortex Ransomware Found - Here is What We Know}}, date = {2019-07-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/}, language = {English}, urldate = {2020-01-15} } Elusive MegaCortex Ransomware Found - Here is What We Know
MegaCortex
2019-05-07Trend MicroTrendmicro
@online{trendmicro:20190507:megacortex:f7c061d, author = {Trendmicro}, title = {{MegaCortex Ransomware Spotted Attacking Enterprise Networks}}, date = {2019-05-07}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks}, language = {English}, urldate = {2020-01-08} } MegaCortex Ransomware Spotted Attacking Enterprise Networks
MegaCortex
2019-05-03SophosAndrew Brandt
@online{brandt:20190503:megacortex:fc2d16b, author = {Andrew Brandt}, title = {{“MegaCortex” ransomware wants to be The One}}, date = {2019-05-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/}, language = {English}, urldate = {2019-11-27} } “MegaCortex” ransomware wants to be The One
MegaCortex
2019MalwarebytesMalwarebytes Labs
@online{labs:2019:ransommegacortex:5d35576, author = {Malwarebytes Labs}, title = {{Ransom.Megacortex}}, date = {2019}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/detections/ransom-megacortex/}, language = {English}, urldate = {2020-01-10} } Ransom.Megacortex
MegaCortex
Yara Rules
[TLP:WHITE] win_megacortex_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_megacortex_auto {
    // Code-based detection for MegaCortex: ten short x86 instruction
    // sequences lifted from the disassembly of unpacked samples / memory
    // dumps (see DISCLAIMER below). Provenance is in the meta block; note
    // that `date` and `malpedia_rule_date` are one day apart.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a hex pattern of consecutive instructions; the
        // annotated disassembly follows each one. The 4-byte operands of
        // e8 (call rel32), e9 (jmp rel32) and 68 (push imm32) are wildcarded
        // with '?' because they change with build/layout; every other byte
        // must match exactly. "n" is the instruction count per sequence;
        // "score" is the generator's ranking value (defined by yara-signator).
        $sequence_0 = { 53 e8???????? 8bf0 83c40c 85f6 740c be80bcffff }
            // n = 7, score = 400
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   740c                 | je                  0xe
            //   be80bcffff           | mov                 esi, 0xffffbc80

        $sequence_1 = { 8d4d08 8b4518 0f434d08 6a00 8d3441 8b4db4 8d4508 }
            // n = 7, score = 400
            //   8d4d08               | lea                 ecx, [ebp + 8]
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   0f434d08             | cmovae              ecx, dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   8d3441               | lea                 esi, [ecx + eax*2]
            //   8b4db4               | mov                 ecx, dword ptr [ebp - 0x4c]
            //   8d4508               | lea                 eax, [ebp + 8]

        $sequence_2 = { 03c2 8945fc 8bc6 50 8d45f4 50 e8???????? }
            // n = 7, score = 400
            //   03c2                 | add                 eax, edx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8bc6                 | mov                 eax, esi
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_3 = { 7405 8b7df0 8938 8d45f8 03c2 8d7bff f7df }
            // n = 7, score = 400
            //   7405                 | je                  7
            //   8b7df0               | mov                 edi, dword ptr [ebp - 0x10]
            //   8938                 | mov                 dword ptr [eax], edi
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   03c2                 | add                 eax, edx
            //   8d7bff               | lea                 edi, [ebx - 1]
            //   f7df                 | neg                 edi

        $sequence_4 = { f7da 1bd2 23d0 3bd1 0f8598000000 8a4604 8ac8 }
            // n = 7, score = 400
            //   f7da                 | neg                 edx
            //   1bd2                 | sbb                 edx, edx
            //   23d0                 | and                 edx, eax
            //   3bd1                 | cmp                 edx, ecx
            //   0f8598000000         | jne                 0x9e
            //   8a4604               | mov                 al, byte ptr [esi + 4]
            //   8ac8                 | mov                 cl, al

        $sequence_5 = { 8bf3 2bf0 b801000000 0f1f4000 85db 8bce 0f44c8 }
            // n = 7, score = 400
            //   8bf3                 | mov                 esi, ebx
            //   2bf0                 | sub                 esi, eax
            //   b801000000           | mov                 eax, 1
            //   0f1f4000             | nop                 dword ptr [eax]
            //   85db                 | test                ebx, ebx
            //   8bce                 | mov                 ecx, esi
            //   0f44c8               | cmove               ecx, eax

        $sequence_6 = { e9???????? 83fb22 750a 68???????? e9???????? 83fb21 750a }
            // n = 7, score = 400
            //   e9????????           |                     
            //   83fb22               | cmp                 ebx, 0x22
            //   750a                 | jne                 0xc
            //   68????????           |                     
            //   e9????????           |                     
            //   83fb21               | cmp                 ebx, 0x21
            //   750a                 | jne                 0xc

        $sequence_7 = { e9???????? 83fb08 750a 68???????? e9???????? 83fb0a 750a }
            // n = 7, score = 400
            //   e9????????           |                     
            //   83fb08               | cmp                 ebx, 8
            //   750a                 | jne                 0xc
            //   68????????           |                     
            //   e9????????           |                     
            //   83fb0a               | cmp                 ebx, 0xa
            //   750a                 | jne                 0xc

        $sequence_8 = { f7f1 8b4518 2b550c 035510 8910 b001 5d }
            // n = 7, score = 400
            //   f7f1                 | div                 ecx
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   2b550c               | sub                 edx, dword ptr [ebp + 0xc]
            //   035510               | add                 edx, dword ptr [ebp + 0x10]
            //   8910                 | mov                 dword ptr [eax], edx
            //   b001                 | mov                 al, 1
            //   5d                   | pop                 ebp

        $sequence_9 = { f7da 1bd2 23ca 03ce 3bcb 7414 8bd7 }
            // n = 7, score = 400
            //   f7da                 | neg                 edx
            //   1bd2                 | sbb                 edx, edx
            //   23ca                 | and                 ecx, edx
            //   03ce                 | add                 ecx, esi
            //   3bcb                 | cmp                 ecx, ebx
            //   7414                 | je                  0x16
            //   8bd7                 | mov                 edx, edi

    condition:
        // At least 7 of the 10 sequences must be present, so a build that
        // alters a few of these fragments can still match while random hits
        // on one or two short patterns do not fire the rule.
        // The size bound (1556480 bytes = 1520 KiB) restricts matching to
        // files; `filesize` is undefined when YARA scans process memory, so
        // this condition never matches there -- remove or relax the bound for
        // memory scans, and re-check it when scanning repacked samples.
        7 of them and filesize < 1556480
}