win.megacortex

MegaCortex


MegaCortex is ransomware used in targeted attacks against corporations.
Once run, it tries to stop security-related services and then starts its own encryption process, appending a .aes128ctr or .megac0rtx extension to each encrypted file. It is usually delivered by downloaders and trojans; it has no propagation capabilities of its own.

References
2021-02-02 | CRONUP | Germán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} }
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2020-11-27 | PTSecurity | Denis Goydenko, Alexey Vishnyakov
@online{goydenko:20201127:investigation:7d12cee, author = {Denis Goydenko and Alexey Vishnyakov}, title = {{Investigation with a twist: an accidental APT attack and averted data destruction}}, date = {2020-11-27}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/}, language = {English}, urldate = {2020-12-01} }
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz LuckyMouse
2020-11-20 | ZDNet | Catalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} }
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-07-15 | FireEye | Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html}, language = {English}, urldate = {2020-07-16} }
DoppelPaymer LockerGoga Maze MegaCortex Nefilim Ransomware Snake Ransomware
2020-03-05 | Microsoft | Microsoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} }
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-01-29 | ANSSI | ANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} }
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2019-12-24 | Dev Kundaliya
@online{kundaliya:20191224:warning:6ffa2c8, author = {Dev Kundaliya}, title = {{Warning over LockerGoga and MegaCortex ransomware attacks targeting private industry in western countries}}, date = {2019-12-24}, url = {https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries}, language = {English}, urldate = {2020-01-06} }
MegaCortex
2019-12-23 | Bleeping Computer | Lawrence Abrams
@online{abrams:20191223:fbi:7c11cf8, author = {Lawrence Abrams}, title = {{FBI Issues Alert For LockerGoga and MegaCortex Ransomware}}, date = {2019-12-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/}, language = {English}, urldate = {2020-01-08} }
LockerGoga MegaCortex
2019-11-05 | Bleeping Computer | Lawrence Abrams
@online{abrams:20191105:new:14b4aaf, author = {Lawrence Abrams}, title = {{New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data}}, date = {2019-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/}, language = {English}, urldate = {2020-01-07} }
MegaCortex
2019-08-05 | Threatpost | Tara Seals
@online{seals:20190805:megacortex:1cb0c38, author = {Tara Seals}, title = {{MegaCortex Ransomware Revamps for Mass Distribution}}, date = {2019-08-05}, organization = {Threatpost}, url = {https://threatpost.com/megacortex-ransomware-mass-distribution/146933/}, language = {English}, urldate = {2020-01-07} }
MegaCortex
2019-07-19 | Bleeping Computer | Lawrence Abrams
@online{abrams:20190719:elusive:153c1b0, author = {Lawrence Abrams}, title = {{Elusive MegaCortex Ransomware Found - Here is What We Know}}, date = {2019-07-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/}, language = {English}, urldate = {2020-01-15} }
MegaCortex
2019-05-07 | Trend Micro | Trendmicro
@online{trendmicro:20190507:megacortex:f7c061d, author = {Trendmicro}, title = {{MegaCortex Ransomware Spotted Attacking Enterprise Networks}}, date = {2019-05-07}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks}, language = {English}, urldate = {2020-01-08} }
MegaCortex
2019-05-03 | Sophos | Andrew Brandt
@online{brandt:20190503:megacortex:fc2d16b, author = {Andrew Brandt}, title = {{“MegaCortex” ransomware wants to be The One}}, date = {2019-05-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/}, language = {English}, urldate = {2019-11-27} }
MegaCortex
2019 | Malwarebytes | Malwarebytes Labs
@online{labs:2019:ransommegacortex:5d35576, author = {Malwarebytes Labs}, title = {{Ransom.Megacortex}}, date = {2019}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/detections/ransom-megacortex/}, language = {English}, urldate = {2020-01-10} }
MegaCortex
Yara Rules
[TLP:WHITE] win_megacortex_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_megacortex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d4d18 03c6 c745e401000000 894708 8d45d7 3bde 760f }
            // n = 7, score = 400
            //   8d4d18               | lea                 ecx, [ebp + 0x18]
            //   03c6                 | add                 eax, esi
            //   c745e401000000       | mov                 dword ptr [ebp - 0x1c], 1
            //   894708               | mov                 dword ptr [edi + 8], eax
            //   8d45d7               | lea                 eax, [ebp - 0x29]
            //   3bde                 | cmp                 ebx, esi
            //   760f                 | jbe                 0x11

        $sequence_1 = { ffb514ffffff c7401407000000 668908 8bc8 e8???????? 83430418 eb0f }
            // n = 7, score = 400
            //   ffb514ffffff         | push                dword ptr [ebp - 0xec]
            //   c7401407000000       | mov                 dword ptr [eax + 0x14], 7
            //   668908               | mov                 word ptr [eax], cx
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   83430418             | add                 dword ptr [ebx + 4], 0x18
            //   eb0f                 | jmp                 0x11

        $sequence_2 = { ffb57cfeffff c645fc01 50 57 8d45cc 56 50 }
            // n = 7, score = 400
            //   ffb57cfeffff         | push                dword ptr [ebp - 0x184]
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   50                   | push                eax
            //   57                   | push                edi
            //   8d45cc               | lea                 eax, [ebp - 0x34]
            //   56                   | push                esi
            //   50                   | push                eax

        $sequence_3 = { 57 e8???????? 83c404 8d8d48fcffff e8???????? 8d8d60fdffff e8???????? }
            // n = 7, score = 400
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8d8d48fcffff         | lea                 ecx, [ebp - 0x3b8]
            //   e8????????           |                     
            //   8d8d60fdffff         | lea                 ecx, [ebp - 0x2a0]
            //   e8????????           |                     

        $sequence_4 = { 50 ffd2 c745ac00000000 8b7704 81c6c8000000 c645fc07 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   ffd2                 | call                edx
            //   c745ac00000000       | mov                 dword ptr [ebp - 0x54], 0
            //   8b7704               | mov                 esi, dword ptr [edi + 4]
            //   81c6c8000000         | add                 esi, 0xc8
            //   c645fc07             | mov                 byte ptr [ebp - 4], 7

        $sequence_5 = { 894b08 8bc8 8955d0 83c410 8d55b4 2bca 85c0 }
            // n = 7, score = 400
            //   894b08               | mov                 dword ptr [ebx + 8], ecx
            //   8bc8                 | mov                 ecx, eax
            //   8955d0               | mov                 dword ptr [ebp - 0x30], edx
            //   83c410               | add                 esp, 0x10
            //   8d55b4               | lea                 edx, [ebp - 0x4c]
            //   2bca                 | sub                 ecx, edx
            //   85c0                 | test                eax, eax

        $sequence_6 = { eb08 8d040a 3bf0 0f42f0 8d4601 8bcf 50 }
            // n = 7, score = 400
            //   eb08                 | jmp                 0xa
            //   8d040a               | lea                 eax, [edx + ecx]
            //   3bf0                 | cmp                 esi, eax
            //   0f42f0               | cmovb               esi, eax
            //   8d4601               | lea                 eax, [esi + 1]
            //   8bcf                 | mov                 ecx, edi
            //   50                   | push                eax

        $sequence_7 = { 7464 57 0f1f440000 8b4e1c 8b3e 83f908 722e }
            // n = 7, score = 400
            //   7464                 | je                  0x66
            //   57                   | push                edi
            //   0f1f440000           | nop                 dword ptr [eax + eax]
            //   8b4e1c               | mov                 ecx, dword ptr [esi + 0x1c]
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   83f908               | cmp                 ecx, 8
            //   722e                 | jb                  0x30

        $sequence_8 = { f7d8 895dfc 1bc0 23c1 8b10 2bc6 83e2fd }
            // n = 7, score = 400
            //   f7d8                 | neg                 eax
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   1bc0                 | sbb                 eax, eax
            //   23c1                 | and                 eax, ecx
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   2bc6                 | sub                 eax, esi
            //   83e2fd               | and                 edx, 0xfffffffd

        $sequence_9 = { 85c0 751c 8be5 5d c20800 8d4df0 e8???????? }
            // n = 7, score = 400
            //   85c0                 | test                eax, eax
            //   751c                 | jne                 0x1e
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20800               | ret                 8
            //   8d4df0               | lea                 ecx, [ebp - 0x10]
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1556480
}