Sunday, November 12, 2017

COBRA - Crysis / Dharma Ransomware

COBRA CRYSIS - NEW VARIANT OF RANSOMWARE

New variant of the Crysis / Dharma ransomware that adds the .cobra extension to the encrypted files

Recently, security researcher Jakub Kroustek discovered a new ransomware sample that appears to be a new variant of the ransomware Crysis that appends the .cobra extension to the file name of the encrypted file.

It is not known exactly how this variant is distributed, but in the past Crysis is normally propagated by piracy in remote desktop services and manually installs the ransomware.
When this variant of Cobra ransomware is installed, a computer will be scanned for data files and encryption of them. When you encrypt a file, an extension will be added in the .id- [id]. [E-mail] .cobra format .id- [id]. [E-mail] .cobra .id- [id]. [E-mail] .cobra . For example, a file called pepe.jpg was encrypted and the name was changed to pepe.jpg.id-BCBEF350.[Cranbery@colorendgrace.com].cobra .

 
It should be noted that this ransomware will encrypt assigned network drives and unassigned network shares. Therefore, it is important to make sure that the actions of your network are blocked so that only those who really need access have permission.
When this variant encodes a computer, it will also remove all plumes from volume snapshots on the machine so that they can not be used to recover encrypted files. It is removed by running the vssadmin delete shadows /all /quiet .
 
This ransomware will also create two different rescue notes on the infected machine. One of them is the file info.hta , which was launched by an automatic execution when a user initiates a session on the computer.


The other note is called encrypted files !!. Txt and can be found on the desktop.
Both rescue notes contain instructions to contact cranbery@colorendgrace.com in order to obtain payment instructions.
 
Finally, the ransomware will be configured to start automatically when it connects to Windows. This allows you to encrypt new files that are created since the last time executed.

It is not possible to decipher the new variant of Crysis Cobra

Unfortunately, at this time it is not possible to decrypt the files encrypted by the .cobra Crysis ransomware for free. The only way to recover the encrypted files is through a backup, or if you are unbelievably lucky, through volume snapshots. Although Crysis does not attempt to remove volume snapshots, in rare cases, ransomware infections do not do so for any reason.

How to protect yourself from the Crysis ransomware

In order to protect yourself from Crysis, or from any ransomware, it is important that you use good computer habits and security software. First and foremost, you should always have a reliable and proven backup of data that can be restored in the event of an emergency, such as an attack on the ransomware. You must also have security software that contains behavioral detections such as squared Anti-Malware, Malwarebytes, or HitmanPro

IOC :

COBRA SHA256: de6376e23536b3039afe6b0645da4fc180969b1dc3cc038b1c6bd5941d88c4d8
 

Cobra Associated Emails:

cranbery@colorendgrace.com
 
 Ref Link :

https://www.hybrid-analysis.com/sample/45fb6d93d7bbfdde3d56ddad3861d85e94551c86bd1409c709ad5895d5f7e4ae?environmentId=100

https://virustotal.com/ru/file/de6376e23536b3039afe6b0645da4fc180969b1dc3cc038b1c6bd5941d88c4d8/analysis/
 

Tuesday, November 7, 2017

QRadar Community Edition - Free

QRadar Community Edition:

 Download and use the QRadar Community Edition for free.!!!!


Install on your laptop, run it at home, try out apps, build apps, or just have some fun !

 



Download Link :

https://www-01.ibm.com/marketing/iwm/iwm/web/preLogin.do?source=swg-qradarcom

Videos / Other Resources :

https://ibm.ent.box.com/s/ich0yyiw54y0ek6s9a66xvtjku8e42rc

Saturday, November 4, 2017

Janusec - WebCruiser Ultimate Web Penetration Testing Tool

WebCruiser:-
                   Web Vulnerability Scanner for Windows, Mac OS, and iOS (iPhone/iPad) , HTTP Replay/Repeater for iPhone and iPad, SQL Injection, XSS. Also an effective and powerful web penetration testing tool that will aid you in auditing your website! It can support scanning website as well as POC (Proof of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, Local File Inclusion, Remote File Inclusion, Redirect, Obsolete Backup etc.



The most typical feature of WebCruiser comparing with other Web Vulnerability Scanners is that WebCruiser Web Vulnerability Scanner focuses on high risk vulnerabilities, and WebCruiser can scan a designated vulnerability type, or a designated URL, or a designated page separately, while the others usually will not.


WebCruiser v3.4.0 is available, new feature: support scanning absolete backup files which may cause potential information leakage.

User Guide : http://www.janusec.com/download/WebCruiserUserGuide.pdf

http://www.janusec.com/download/WebCruiser.zip