IOC Brain Cipher Ransomware v.3.1 25 June 2024


BADAN SIBER DAN SANDI NEGARA

Jalan Harsono R.M. Nomor 70, Ragunan, Pasar Minggu, Jakarta Selatan 12550
Telephone (021) 7805814, Fax (021) 78844104
Website : https://bssn.go.id, E-mail : [email protected]

INDICATOR OF COMPROMISE BRAIN CIPHER RANSOMWARE


RELEASE : 25 JUNE 2024

No   Type     Indicator of Compromise (hash)              File          Path

1.   SHA1     c60a0b99729eb6d95c2d9f8b76b9714411a3a751    Win_old.exe   C:\User\itadmin\music\
2.   MD5      9c5698924d4d1881efaf88651a304cb3            Win_old.exe   C:\User\itadmin\music\
3.   SHA1     935c0b39837319fda571aa800b67d997b79c3198    Win.exe       Any Path
4.   MD5      448f1796fe8de02194b21c0715e0a5f6            Win.exe       Any Path

No   Type     Indicator of Compromise

1.   SHA256   07612eed1e0341bcff08870f8a47df488318cee57bd1fb64709c0a5dc8635340
2.   SHA256   0ed5729655b3f09c29878e1cc10de55e0cbfae7ac344f574d471827c256cf086
3.   SHA256   1ddacee1d25936970279557169037a335b362f86c3797ded625d68077bd0145c
4.   SHA256   6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417
5.   SHA256   917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
6.   SHA256   eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12
7.   SHA1     6c1b646e002e45688d750e5feb47fc3d6f514b77
8.   SHA1     870865aad7c7cccafbca0c1f50f7eecaedbd4bf1
9.   SHA1     968c4ae64dcb71c9eeffd812ef38a69d5548b3bb
10.  MD5      9cb96848386327410ca588b6cd5f6401
11.  MD5      deb2e0756d331362d57ad9fe408c4ff3
12.  MD5      eebb7935dfe2a521bd5253c7e4660fb4
13.  IPv4     104.71.214.69
14.  IPv4     104.86.182.43
15.  IPv4     104.86.182.51
16.  IPv4     104.86.182.8
17.  IPv4     104.86.182.82
18.  IPv4     104.96.203.51
19.  IPv4     13.107.4.50
20.  IPv4     13.107.4.52
21.  IPv4     131.253.33.203
22.  IPv4     184.25.191.235
23.  IPv4     20.99.133.109
24.  IPv4     20.99.186.246
25.  IPv4     204.79.197.203
26.  IPv4     23.205.104.12
27.  IPv4     23.205.104.4
28.  IPv4     23.205.104.41
29.  IPv4     23.205.104.42
30.  IPv4     23.205.104.43
31.  IPv4     23.205.104.47
32.  IPv4     23.205.104.53
33.  IPv4     23.205.104.8
34.  IPv4     23.205.104.9
35.  IPv4     23.216.81.152
36.  IPv4     89.35.237.180
37.  IPv4     199.232.214.172
38.  IPv4     224.0.0.252
39.  URL      http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion
40.  Email    [email protected]

This document/information may be distributed freely (Disclosure is not limited) TLP : WHITE
YARA Rule for Brain Cipher Ransomware IoCs

rule braincipher_ransom {
    meta:
        description = "Detection rule for braincipher ransomware behavior and known indicators"
        author = "SEE"
        date = "2024-06-25"
        reference = "Based on user-provided IOCs and behavioral analysis"

    strings:
        // Behavioral indicators (shellcode patterns, common malware strings)
        $behavior1 = { 33 D2 4D ?? ?? 01 8B C7 FF C7 F7 F6 42 0F B? ?? ?? 41 3? 4? FF 3B FB }
        $behavior2 = { 48 8? ?? E8 ?? ?? 00 00 FF D3 4C }
        $behavior3 = "auth_timestamp:" ascii
        $behavior4 = "auth_signature:" ascii
        $behavior5 = "&act=check" ascii

        // SHA256 hashes
        // Caveat: a binary never contains its own hash, so these hex strings can only
        // match reports, IOC lists or tool output, never the ransomware samples themselves.
        // Compare computed file hashes against the table above for sample identification.
        $sha256_1 = "07612eed1e0341bcff08870f8a47df488318cee57bd1fb64709c0a5dc8635340"
        $sha256_2 = "0ed5729655b3f09c29878e1cc10de55e0cbfae7ac344f574d471827c256cf086"
        $sha256_3 = "1ddacee1d25936970279557169037a335b362f86c3797ded625d68077bd0145c"
        $sha256_4 = "6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417"
        $sha256_5 = "917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2"
        $sha256_6 = "eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12"

        // SHA1 hashes (same caveat as above)
        $sha1_1 = "c60a0b99729eb6d95c2d9f8b76b9714411a3a751"
        $sha1_2 = "935c0b39837319fda571aa800b67d997b79c3198"
        $sha1_3 = "6c1b646e002e45688d750e5feb47fc3d6f514b77"
        $sha1_4 = "870865aad7c7cccafbca0c1f50f7eecaedbd4bf1"
        $sha1_5 = "968c4ae64dcb71c9eeffd812ef38a69d5548b3bb"

        // MD5 hashes (same caveat as above)
        $md5_1 = "9c5698924d4d1881efaf88651a304cb3"
        $md5_2 = "448f1796fe8de02194b21c0715e0a5f6"
        $md5_3 = "9cb96848386327410ca588b6cd5f6401"
        $md5_4 = "deb2e0756d331362d57ad9fe408c4ff3"
        $md5_5 = "eebb7935dfe2a521bd5253c7e4660fb4"

        // IP addresses
        // Caveat: a plain-text IP inside a PE is weak evidence on its own, and
        // 224.0.0.252 is the LLMNR multicast address, so corroborate any hit on
        // these strings with the behavioral indicators or a file-hash match.
        $ip1 = "104.71.214.69"
        $ip2 = "104.86.182.43"
        $ip3 = "104.86.182.51"
        $ip4 = "104.86.182.8"
        $ip5 = "104.86.182.82"
        $ip6 = "104.96.203.51"
        $ip7 = "13.107.4.50"
        $ip8 = "13.107.4.52"
        $ip9 = "131.253.33.203"
        $ip10 = "184.25.191.235"
        $ip11 = "20.99.133.109"
        $ip12 = "20.99.186.246"
        $ip13 = "204.79.197.203"
        $ip14 = "23.205.104.12"
        $ip15 = "23.205.104.4"
        $ip16 = "23.205.104.41"
        $ip17 = "23.205.104.42"
        $ip18 = "23.205.104.43"
        $ip19 = "23.205.104.47"
        $ip20 = "23.205.104.53"
        $ip21 = "23.205.104.8"
        $ip22 = "23.205.104.9"
        $ip23 = "23.216.81.152"
        $ip24 = "89.35.237.180"
        $ip25 = "199.232.214.172"
        $ip26 = "224.0.0.252"

        // URL
        $url = "http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion"

        // Email
        $email = "[email protected]"

    condition:
        // Only scan PE files: MZ header and a valid "PE\0\0" signature at e_lfanew
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3c)) == 0x00004550 and
        (
            any of ($behavior*) or
            any of ($sha256*) or
            any of ($sha1*) or
            any of ($md5*) or
            any of ($ip*) or
            $url or
            $email
        )
}
