win.megacortex

MegaCortex


Megacortex is a ransomware used in targeted attacks against corporations.
Once the ransomware is run, it tries to stop security-related services and then starts its own encryption process, adding a .aes128ctr or .megac0rtx extension to the encrypted files. It is usually delivered by downloaders and trojans; it has no propagation capabilities of its own.

References
2020-11-20 — ZDNet — Catalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-07-15 — FireEye — Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html}, language = {English}, urldate = {2020-07-16} } Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
DoppelPaymer LockerGoga Maze MegaCortex Nefilim Ransomware Snake Ransomware
2020-03-05 — Microsoft — Microsoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-01-29 — ANSSI — ANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2019-12-24 — Dev Kundaliya
@online{kundaliya:20191224:warning:6ffa2c8, author = {Dev Kundaliya}, title = {{Warning over LockerGoga and MegaCortex ransomware attacks targeting private industry in western countries}}, date = {2019-12-24}, url = {https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries}, language = {English}, urldate = {2020-01-06} } Warning over LockerGoga and MegaCortex ransomware attacks targeting private industry in western countries
MegaCortex
2019-12-23 — Bleeping Computer — Lawrence Abrams
@online{abrams:20191223:fbi:7c11cf8, author = {Lawrence Abrams}, title = {{FBI Issues Alert For LockerGoga and MegaCortex Ransomware}}, date = {2019-12-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/}, language = {English}, urldate = {2020-01-08} } FBI Issues Alert For LockerGoga and MegaCortex Ransomware
LockerGoga MegaCortex
2019-11-05 — Bleeping Computer — Lawrence Abrams
@online{abrams:20191105:new:14b4aaf, author = {Lawrence Abrams}, title = {{New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data}}, date = {2019-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/}, language = {English}, urldate = {2020-01-07} } New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data
MegaCortex
2019-08-05 — Threatpost — Tara Seals
@online{seals:20190805:megacortex:1cb0c38, author = {Tara Seals}, title = {{MegaCortex Ransomware Revamps for Mass Distribution}}, date = {2019-08-05}, organization = {Threatpost}, url = {https://threatpost.com/megacortex-ransomware-mass-distribution/146933/}, language = {English}, urldate = {2020-01-07} } MegaCortex Ransomware Revamps for Mass Distribution
MegaCortex
2019-07-19 — Bleeping Computer — Lawrence Abrams
@online{abrams:20190719:elusive:153c1b0, author = {Lawrence Abrams}, title = {{Elusive MegaCortex Ransomware Found - Here is What We Know}}, date = {2019-07-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/}, language = {English}, urldate = {2020-01-15} } Elusive MegaCortex Ransomware Found - Here is What We Know
MegaCortex
2019-05-07 — Trend Micro — Trendmicro
@online{trendmicro:20190507:megacortex:f7c061d, author = {Trendmicro}, title = {{MegaCortex Ransomware Spotted Attacking Enterprise Networks}}, date = {2019-05-07}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks}, language = {English}, urldate = {2020-01-08} } MegaCortex Ransomware Spotted Attacking Enterprise Networks
MegaCortex
2019-05-03 — Sophos — Andrew Brandt
@online{brandt:20190503:megacortex:fc2d16b, author = {Andrew Brandt}, title = {{“MegaCortex” ransomware wants to be The One}}, date = {2019-05-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/}, language = {English}, urldate = {2019-11-27} } “MegaCortex” ransomware wants to be The One
MegaCortex
2019 — Malwarebytes — Malwarebytes Labs
@online{labs:2019:ransommegacortex:5d35576, author = {Malwarebytes Labs}, title = {{Ransom.Megacortex}}, date = {2019}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/detections/ransom-megacortex/}, language = {English}, urldate = {2020-01-10} } Ransom.Megacortex
MegaCortex
Yara Rules
[TLP:WHITE] win_megacortex_auto (20201014 | autogenerated rule brought to you by yara-signator)
/* Detection rule for win.megacortex, autogenerated by yara-signator (see meta).
 * Each $sequence_N string is a run of raw x86 instruction bytes taken from the
 * disassembly of a reference sample; the decoding of every instruction is listed
 * in the comments under each string. A hit requires 7 of the 10 sequences plus
 * the filesize bound in the condition section. Treat a match as an indicator
 * that warrants further analysis rather than a final verdict: the DISCLAIMER
 * below explains why coverage across samples of the family may be limited.
 */
rule win_megacortex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each hex string is an opcode sequence. In the comment under it, "n" is the
        // number of instructions the sequence spans and "score" is the ranking value
        // the generator assigned (its scale is defined by yara-signator, not here).
        // The "??" bytes mask operands that vary between builds - presumably the
        // rel32 call targets and the immediates the tool_config refers to as
        // "callsandjumps;datarefs" - so only the opcode skeleton has to match.
        $sequence_0 = { 8d4598 2bc6 d1ea 8d4fff f7d9 1bc9 23c8 }
            // n = 7, score = 300
            //   8d4598               | lea                 eax, [ebp - 0x68]
            //   2bc6                 | sub                 eax, esi
            //   d1ea                 | shr                 edx, 1
            //   8d4fff               | lea                 ecx, [edi - 1]
            //   f7d9                 | neg                 ecx
            //   1bc9                 | sbb                 ecx, ecx
            //   23c8                 | and                 ecx, eax

        $sequence_1 = { 1bd2 23fa 8d550c 03f9 8d4dec 2bd1 897de8 }
            // n = 7, score = 300
            //   1bd2                 | sbb                 edx, edx
            //   23fa                 | and                 edi, edx
            //   8d550c               | lea                 edx, [ebp + 0xc]
            //   03f9                 | add                 edi, ecx
            //   8d4dec               | lea                 ecx, [ebp - 0x14]
            //   2bd1                 | sub                 edx, ecx
            //   897de8               | mov                 dword ptr [ebp - 0x18], edi

        $sequence_2 = { 2408 0f44ca 8bc1 83c810 80e304 0f44c1 89473c }
            // n = 7, score = 300
            //   2408                 | and                 al, 8
            //   0f44ca               | cmove               ecx, edx
            //   8bc1                 | mov                 eax, ecx
            //   83c810               | or                  eax, 0x10
            //   80e304               | and                 bl, 4
            //   0f44c1               | cmove               eax, ecx
            //   89473c               | mov                 dword ptr [edi + 0x3c], eax

        $sequence_3 = { 23d1 8d4d0c 03c2 2bce 8945f0 8b450c 6a00 }
            // n = 7, score = 300
            //   23d1                 | and                 edx, ecx
            //   8d4d0c               | lea                 ecx, [ebp + 0xc]
            //   03c2                 | add                 eax, edx
            //   2bce                 | sub                 ecx, esi
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   6a00                 | push                0

        $sequence_4 = { ff750c e8???????? 8d4d10 e8???????? 8b4508 8b4df4 64890d00000000 }
            // n = 7, score = 300
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   e8????????           |                     (call; target bytes wildcarded)
            //   8d4d10               | lea                 ecx, [ebp + 0x10]
            //   e8????????           |                     (call; target bytes wildcarded)
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx

        $sequence_5 = { 8b08 57 8d3c01 49 f7d9 1bc9 23f9 }
            // n = 7, score = 300
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   57                   | push                edi
            //   8d3c01               | lea                 edi, [ecx + eax]
            //   49                   | dec                 ecx
            //   f7d9                 | neg                 ecx
            //   1bc9                 | sbb                 ecx, ecx
            //   23f9                 | and                 edi, ecx

        $sequence_6 = { c740140f000000 c60000 83ec28 8bc4 8965a0 c700???????? }
            // n = 6, score = 300
            //   c740140f000000       | mov                 dword ptr [eax + 0x14], 0xf
            //   c60000               | mov                 byte ptr [eax], 0
            //   83ec28               | sub                 esp, 0x28
            //   8bc4                 | mov                 eax, esp
            //   8965a0               | mov                 dword ptr [ebp - 0x60], esp
            //   c700????????         |                     (mov dword ptr [eax], imm32; immediate wildcarded)

        $sequence_7 = { e8???????? 83c408 83c718 3b7d9c 0f85c8fcffff 8d4d90 }
            // n = 6, score = 300
            //   e8????????           |                     (call; target bytes wildcarded)
            //   83c408               | add                 esp, 8
            //   83c718               | add                 edi, 0x18
            //   3b7d9c               | cmp                 edi, dword ptr [ebp - 0x64]
            //   0f85c8fcffff         | jne                 0xfffffcce
            //   8d4d90               | lea                 ecx, [ebp - 0x70]

        $sequence_8 = { 8bf0 83c40c 85f6 0f85b0000000 6a01 ff750c 8d45e8 }
            // n = 7, score = 300
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   0f85b0000000         | jne                 0xb6
            //   6a01                 | push                1
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8d45e8               | lea                 eax, [ebp - 0x18]

        $sequence_9 = { 8b17 83781410 8b7810 7202 8b00 3b7df8 755c }
            // n = 7, score = 300
            //   8b17                 | mov                 edx, dword ptr [edi]
            //   83781410             | cmp                 dword ptr [eax + 0x14], 0x10
            //   8b7810               | mov                 edi, dword ptr [eax + 0x10]
            //   7202                 | jb                  4
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   3b7df8               | cmp                 edi, dword ptr [ebp - 8]
            //   755c                 | jne                 0x5e

    condition:
        // At least 7 of the 10 sequences above must be present, and the input must be
        // smaller than 1556480 bytes (1520 KiB); larger files are never matched by
        // this rule regardless of their content.
        7 of them and filesize < 1556480
}