IOC Brain Cipher Ransomware v.3.1, 25 June 2024
Jalan Harsono R.M. Nomor 70, Ragunan, Pasar Minggu, Jakarta Selatan 12550
Telephone (021) 7805814, Fax (021) 78844104
Website: https://bssn.go.id, E-mail: [email protected]
No | Indicator of Compromise | Hash | File Name | Path
1 | c60a0b99729eb6d95c2d9f8b76b9714411a3a751 | SHA1 | Win_old.exe | C:\User\itadmin\music\
2 | 9c5698924d4d1881efaf88651a304cb3 | MD5 | Win_old.exe | C:\User\itadmin\music\
3 | 935c0b39837319fda571aa800b67d997b79c3198 | SHA1 | Win.exe | Any Path
4 | 448f1796fe8de02194b21c0715e0a5f6 | MD5 | Win.exe | Any Path
This document/information may be freely distributed (Disclosure is not limited) TLP : WHITE
Page 1 of 5
No | Indicator of Compromise | Hash
39 | http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion | url
YARA Rule: Brain Cipher Ransomware IoCs

import "hash"

rule braincipher_ransom {
    meta:
        description = "Detection rule for braincipher ransomware behavior and known indicators"
        author = "SEE"
        date = "2024-06-25"
        reference = "Based on user-provided IOCs and behavioral analysis"
    strings:
        // Behavioral indicators (shellcode patterns, common malware strings)
        $behavior1 = { 33 D2 4D ?? ?? 01 8B C7 FF C7 F7 F6 42 0F B? ?? ?? 41 3? 4? FF 3B FB }
        $behavior2 = { 48 8? ?? E8 ?? ?? 00 00 FF D3 4C }
        $behavior3 = "auth_timestamp:" ascii
        $behavior4 = "auth_signature:" ascii
        $behavior5 = "&act=check" ascii
        // IP addresses, matched as embedded text (224.0.0.252 is the LLMNR
        // multicast address, so an IP-only hit is a weak signal on its own)
        $ip1 = "104.71.214.69"
        $ip2 = "104.86.182.43"
        $ip3 = "104.86.182.51"
        $ip4 = "104.86.182.8"
        $ip5 = "104.86.182.82"
        $ip6 = "104.96.203.51"
        $ip7 = "13.107.4.50"
        $ip8 = "13.107.4.52"
        $ip9 = "131.253.33.203"
        $ip10 = "184.25.191.235"
        $ip11 = "20.99.133.109"
        $ip12 = "20.99.186.246"
        $ip13 = "204.79.197.203"
        $ip14 = "23.205.104.12"
        $ip15 = "23.205.104.4"
        $ip16 = "23.205.104.41"
        $ip17 = "23.205.104.42"
        $ip18 = "23.205.104.43"
        $ip19 = "23.205.104.47"
        $ip20 = "23.205.104.53"
        $ip21 = "23.205.104.8"
        $ip22 = "23.205.104.9"
        $ip23 = "23.216.81.152"
        $ip24 = "89.35.237.180"
        $ip25 = "199.232.214.172"
        $ip26 = "224.0.0.252"
        // URL
        $url = "http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion"
        // Email (address as shown in the source document)
        $email = "[email protected]"
    condition:
        // PE files only: MZ header and PE signature at e_lfanew
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3c)) == 0x00004550 and
        (
            any of ($behavior*) or
            any of ($ip*) or
            $url or
            $email or
            // Known file hashes are compared with the hash module. As plain text
            // strings they would only match the hash text itself appearing inside
            // a scanned file, never the file the hash identifies.
            hash.sha256(0, filesize) == "07612eed1e0341bcff08870f8a47df488318cee57bd1fb64709c0a5dc8635340" or
            hash.sha256(0, filesize) == "0ed5729655b3f09c29878e1cc10de55e0cbfae7ac344f574d471827c256cf086" or
            hash.sha256(0, filesize) == "1ddacee1d25936970279557169037a335b362f86c3797ded625d68077bd0145c" or
            hash.sha256(0, filesize) == "6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417" or
            hash.sha256(0, filesize) == "917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2" or
            hash.sha256(0, filesize) == "eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12" or
            hash.sha1(0, filesize) == "c60a0b99729eb6d95c2d9f8b76b9714411a3a751" or
            hash.sha1(0, filesize) == "935c0b39837319fda571aa800b67d997b79c3198" or
            hash.sha1(0, filesize) == "6c1b646e002e45688d750e5feb47fc3d6f514b77" or
            hash.sha1(0, filesize) == "870865aad7c7cccafbca0c1f50f7eecaedbd4bf1" or
            hash.sha1(0, filesize) == "968c4ae64dcb71c9eeffd812ef38a69d5548b3bb" or
            hash.md5(0, filesize) == "9c5698924d4d1881efaf88651a304cb3" or
            hash.md5(0, filesize) == "448f1796fe8de02194b21c0715e0a5f6" or
            hash.md5(0, filesize) == "9cb96848386327410ca588b6cd5f6401" or
            hash.md5(0, filesize) == "deb2e0756d331362d57ad9fe408c4ff3" or
            hash.md5(0, filesize) == "eebb7935dfe2a521bd5253c7e4660fb4"
        )
}