{
	"id": "ce66308f-8956-4551-9685-0565be2e3c15",
	"created_at": "2026-04-06T00:13:45.955191Z",
	"updated_at": "2026-04-10T03:21:53.127184Z",
	"deleted_at": null,
	"sha1_hash": "2847874247ea27a682856fc2549823b510fd53f7",
	"title": "Unreleased RaaS analysis- CashRansomware - TEHTRIS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 178094,
	"plain_text": "Unreleased RaaS analysis- CashRansomware - TEHTRIS\r\nBy Katuiscia Benloukil\r\nPublished: 2024-05-31 · Archived: 2026-04-05 19:02:43 UTC\r\nIntroduction\r\nOur experts intercepted a pre‑release sample of a new Ransomware‑as‑a‑Service (RaaS) variant called “CashRansomware”, which is still in active development. The RaaS is highly anticipated: it is already advertised on Cashout, a store for malicious software, and branded on the Telegram channel the group runs for Mint Stealer, another product sold on the Cashout store. We obtained this early access to the malware through threat intelligence and network monitoring, which lets us analyse its capabilities and design choices before threat actors start using it.\r\nIn this technical analysis we dissect the sample’s architecture, attack vectors and payload delivery mechanisms, following the life cycle of a ransomware attack from initial infiltration to execution and propagation. By comparing it with other ransomware families and case studies, we aim to identify the common patterns and the unique characteristics that define modern ransomware threats.\r\nRansomware-as-a-Service: one of the current biggest threats\r\nThe fall of some of the biggest ransomware families has led to a multiplication of small actors, which is not good news, as it multiplies the potential threats. Ransomware has become one of the most damaging cyber threats in the digital landscape. This malicious software, designed to encrypt a victim’s data or lock access to their system until a ransom is paid, is a major challenge for individuals, businesses and government agencies worldwide. 
The rapid evolution of ransomware tactics and the increasing sophistication of attacks create an urgent need for comprehensive technical analysis to understand, mitigate and ultimately neutralize these threats.\r\nRansomware-as-a-Service (RaaS) is a cybercrime model that allows individuals with little or no technical expertise to launch ransomware attacks. It operates much like a legitimate Software‑as‑a‑Service (SaaS) platform, providing a ready‑to‑use ransomware toolkit and support infrastructure in exchange for a share of the profits. RaaS platforms typically offer user‑friendly interfaces, customization options and even customer service, making it easier for cybercriminals to deploy sophisticated ransomware campaigns. This model has made it significantly easier to become a cybercriminal and has led to an increase in the frequency and scale of ransomware attacks worldwide.\r\nCashRansomware: full analysis by our experts\r\nOur experts found a CashRansom.exe sample that was under investigation on the TEHTRIS Threat Intelligence feed.\r\nhttps://tehtris.com/en/blog/unreleased-raas-analysis-cashransomware/\r\nPage 1 of 42\n\nThe sample is written in C# and suffers from weak obfuscation and inadequate cryptographic practices. The weak obfuscation made it easier for our researchers to dissect the code and understand its behaviour, and the flawed cryptography creates weaknesses that both undermine the ransomware’s effectiveness and enable decryption and mitigation by our teams. We return to these cryptographic flaws and their implications later in this analysis. The software is still in its development phase, so weak protection and stealth are not surprising. 
The fact that this sample also leaked to open-source datasets raises concerns about the group’s OPSEC.\r\nThis analysis is also an opportunity to recall the crucial steps to take when an infection occurs: cut the internet connection to stop communication with the attackers, back up the encrypted files and dump the memory of the ransomware process with a tool such as ProcDump, then suspend the process with a tool such as Process Hacker to prevent further encryption and deletion. Suspending rather than killing the process matters: it keeps the key material resident in memory for the dump.\r\nSamples\r\nThe analysed sample is identified by the hashes below. The other samples listed later are very similar.\r\nFile Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections\r\nDateTimestamp: 2024‑05‑12 03:48:15\r\nSize: 2.8 MB\r\nMD5: 69cc2e20ea7a51666b8c14be90441073\r\nSHA256: 958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24\r\nSHA512: de565813d0ddfe491c367e78b2a11891a73859a04efd83d8f35a4a6f6a028a29c873750dc863d1dfca9c40f9b4778cb1882bf8c07b9609f8463db22ac912922a\r\nFigure 1: Hashes of “CashRansom.exe”\r\nCode details\r\nThe sample targets .NET Framework 4.7.2 and is intended for 64-bit systems. The PE header is PE32/i386, which is consistent with an AnyCPU .NET assembly that the runtime executes as a 64-bit process on x64. It needs no dependencies beyond the framework, runs only on Windows, and supports versions from Vista to Windows 10. 
The debug information is stripped from this binary.\r\nTechniques\r\nThe ransomware uses several MITRE ATT\u0026CK techniques to carry out its malicious activities.\r\nFigure 2: MITRE tactics distribution\r\nContext\r\nThe pre‑release sample of CashRansomware intercepted by our experts turned out to still be in active development.\r\nEven though it is not released yet, it is already announced on Cashout, the store for malicious software.\r\nFigure 2: Cashout products\r\nIt is also already branded on the Telegram channel of the group dedicated to Mint Stealer, another of their malicious products. There seems to be no release date yet:\r\nFigure 3: Ad for the release\r\nDuring our investigation into CashRansomware we went through various underground websites and Telegram channels to map the group’s malicious activities. This involved monitoring discussions, exchanges and transactions among cybercriminals, which allowed us to piece together the operational structure and tactics used by the developers and their affiliates. Analysing these communications gave us insight into the distribution methods, target selection criteria and the overall strategy behind CashRansomware’s development and deployment, so that we can anticipate and counter this emerging threat more effectively. The following information is available in STIX format in the appendices.\r\nFigure 4: STIX schema\r\nThe other malicious products are out of scope for this article. 
While there are no ads for this software yet, we can expect well‑designed marketing efforts like those the same author has run before. Such campaigns are likely to use polished techniques to entice users and spread the ransomware more effectively.\r\nFigure 5: Mint Stealer branding\r\nAn extensive OSINT investigation revealed that the lead malware developer, known by the nickname “Artem”, is a native speaker of both Russian and French. Artem is believed to live in the Provence‑Alpes‑Côte d’Azur (PACA) region of France. The details of the OSINT analysis are not disclosed in this article.\r\nFigure 6: Artem\r\nTelegram channels are used to provide customer support.\r\nDefense\r\nObfuscation\r\nThe data flow and control flow of the sample are obfuscated with Eziriz .NET Reactor. By obscuring the logical structure and execution paths of the code, this tool makes it harder for security researchers to understand and reverse‑engineer the ransomware.\r\nThe screenshot below shows an evaluation copy of Eziriz .NET Reactor. The demo licence is valid for only 14 days from 2024‑05‑11, which is consistent with the sample’s compilation timestamp of 2024‑05‑12.\r\nFigure 7: Software Protection\r\nDetection\r\nCashRansomware is programmed to avoid infecting systems located in Russia and other Commonwealth of Independent States (CIS) countries. This selective targeting is implemented through geolocation checks and system language settings, so that the malware only activates outside those countries. 
This tactic not only reduces the risk of local law enforcement scrutiny but also points to a link with cybercriminal groups operating in those regions, which commonly use such checks to avoid prosecution by their own governments. It is also consistent with the CashRansomware infrastructure being hosted in Russia and wanting to avoid domain seizure, which already happened to a previous domain of the group.\r\nFigure 8: Country filter\r\nThe malware uses timing checks to detect a sandbox (Figure 9 labels this “time stomping”, a term that usually refers to altering file timestamps to hinder forensics): it looks for system clock discrepancies of the kind introduced when a sandbox accelerates sleeps or skips timers. This lets it delay its malicious actions until it is confident it is not being observed in a controlled environment.\r\nFigure 9: Time Stomping Detection\r\nThe malware includes a very simple anti‑debugging function.\r\nFigure 10: Anti debug\r\nIt also detects Sandboxie and the ANY.RUN sandbox with the following tricks. Sandboxie is detected by checking whether its DLL is loaded in the process:\r\nGetModuleHandle(“SbieDll.dll”)\r\nANY.RUN is detected by checking whether this environment variable is set:\r\n%anyrun%\r\nThe malware also has anti‑VM features: it queries WMI with\r\nSelect * from Win32_ComputerSystem\r\nand checks whether the Manufacturer property contains “microsoft corporation” or “vmware” (the original text spells it “Manifacturer”; the WMI property is Manufacturer). Note that “Microsoft Corporation” is also the manufacturer reported by Hyper‑V guests, Azure VMs included, so this check makes the sample skip some real virtualised targets as well as sandboxes.\r\nStealth\r\nThe sample is not stealthy, which can be attributed to its conspicuous file extension and process name, a likely sign of its early development stage. 
The distinctive “cashransomware” file extension and process name raise red flags for security software and knowledgeable users, which can lead to faster detection and mitigation. This lack of stealth suggests that CashRansomware is still being refined by its developers, with better evasion and obfuscation expected in future iterations. The file extension is, however, configurable in the builder.\r\nExecution\r\nInitial execution\r\nThe sample is a .NET PE executable intended to be executed manually. It autonomously encrypts files on the infected system and then displays a pop‑up window demanding a cryptocurrency payment for decryption. The ransomware immediately locks the data and gives the victim instructions on how to buy and transfer the required cryptocurrency to regain access to the files.\r\nFigure 11: Ransom pop up window\r\nIn addition to encrypting files and displaying a ransom note, CashRansomware changes the desktop wallpaper to reinforce its presence and its demand. The new wallpaper is a visible sign of the infection and typically carries instructions on how to pay the ransom.\r\nFigure 12: Wallpaper\r\nEnsuring privileges\r\nThe sample checks whether it is running with administrative rights, which it needs to modify system files, disable security measures and fully encrypt the victim’s data.\r\nIf the sample is not launched as administrator, the following command is run through cmd.exe and PowerShell. As printed it achieves nothing, and the intent behind it is not obvious. 
Note the typo in “recure”.\r\ncmd.exe /c start computerdefaults.exe \u0026\u0026 powershell.exe Remove-Item Path HKCU:\\Software\\Classes\\ms-settings\\shell -Recure\r\nTwo things stand out. First, the PowerShell call cannot succeed as written: Path is missing its leading dash and -Recure is not a Remove-Item parameter (-Recurse is), so the command fails on parameter binding and nothing is deleted. Second, HKCU\\Software\\Classes\\ms-settings\\shell is the key hijacked by the well‑known computerdefaults.exe / fodhelper.exe UAC bypass, which writes a command under that key, launches the auto‑elevating binary and then removes the key. The sample performs the launch and the cleanup but not the write, so this looks like an unfinished or stripped‑down UAC bypass rather than a deliberate no‑op.\r\nLateral movement\r\nEvery device connected to the compromised computer is systematically explored by enumerating drive letters. This lets the malware find and target additional storage such as external hard drives, USB drives and mapped network shares, maximising the scope of its encryption beyond the local system. Strictly speaking this is drive enumeration (encrypting what is already mounted) rather than lateral movement in the ATT\u0026CK sense of executing code on other hosts.\r\nPersistence\r\nTh software copies itself to the user’s Start Menu Programs Startup folder, so it runs again at every logon and keeps showing the payment instructions:\r\nC:/Users/admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/\r\nConfiguration\r\nA demonstration of the payload builder leaked on Vimeo gives insight into the configuration and operational parameters of CashRansomware. An authentication window precedes the builder window, which supports the conclusion that this malware is sold as a Ransomware‑as‑a‑Service.\r\nFigure 13: Cash builder Frontend\r\nIn the video, the malware developer exposed the builder console among other features.\r\nFigure 14: Cash builder Frontend\r\nFigure 15: Cash builder Builder\r\nSensitive data\r\nDestruction\r\nThe sample is able to delete system restore points, a recovery‑inhibition step rather than evasion or persistence. 
By removing these restore points, which users often rely on to revert the system to a state prior to the infection, CashRansomware makes it harder for the victim to recover files without paying the ransom.\r\nAfter encryption, the sample removes the original file with a plain FileInfo.Delete() rather than a secure wipe. In practice this often does not matter, because the many file writes that follow tend to overwrite the old file’s clusters, but it is still sloppy: secure deletion or in‑place encryption would have wiped the original completely at the same cost. Forensically, it means fragments of original files may still be carvable from unallocated space shortly after an infection.\r\nCommand and control\r\nIdentification\r\nThe sample communicates with its command and control (C2) through the Telegram Bot API. Using a popular messaging service lets the malware blend into ordinary HTTPS traffic to api.telegram.org, which many security controls do not scrutinise, and saves the operators from running their own infrastructure. Through Telegram, CashRansomware reports new victims, transmits encryption keys and supports ransom negotiation, minimising the risk of detection by controls that do not inspect messaging traffic. 
This use of a popular messaging platform illustrates how cybercriminals adapt their tactics to evade detection and maintain operational secrecy.\r\nAs the ransomware reports each new victim over Telegram, the bot token can be extracted from the sample and used to talk to the Bot API directly. The command below is reproduced as printed in the original: the token appears truncated and the Bot API method name is missing from the URL.\r\ncurl -s --socks5-hostname 127.0.0.1:9050 -A \"\" https://api.telegram.org/bot5990276952:AAHb30fvIHOh_d1GRVKrpfW4\r\nThe channel is not secured well enough and leaks data about the author, who uses a personal Telegram account instead of one dedicated to the exchanges between victims and operators. The response below is a Chat object (note the type, bio and business_location fields), i.e. what the getChat method returns for a chat ID, here the operator’s private chat, rather than the bot’s own getMe profile:\r\n{\r\n \"ok\": true,\r\n \"result\": {\r\n \"id\": 968071618,\r\n \"first_name\": \"Artem\",\r\n \"last_name\": \"Ey\",\r\n \"username\": \"ArtemDotIcu\",\r\n \"type\": \"private\",\r\n \"active_usernames\": [\r\n \"ArtemDotIcu\"\r\n ],\r\n \"bio\": \"Cash-Hosting.PW CEO - Cashout.pw Founder | RAT, Bypassing Defender Crypter, Stealer\",\r\n \"business_location\": {\r\n \"address\": \"In a place where feds can't come\"\r\n },\r\n \"photo\": {\r\n \"small_file_id\": \"AQADBAADy6cxG8KZszkACAIAA8KZszkABKQxOquj8qFhNQQ\",\r\n \"small_file_unique_id\": \"AQADy6cxG8KZszkAAQ\",\r\n \"big_file_id\": \"AQADBAADy6cxG8KZszkACAMAA8KZszkABKQxOquj8qFhNQQ\",\r\n \"big_file_unique_id\": \"AQADy6cxG8KZszkB\"\r\n },\r\n \"emoji_status_custom_emoji_id\": \"4983570692374004583\",\r\n \"max_reaction_count\": 11,\r\n \"accent_color_id\": 3\r\n }\r\n}\r\nHere is the Telegram profile of the developer:\r\nFigure 16: Telegram profile\r\nCommands\r\nCashRansomware communicates with its C2 primarily through a beacon containing key information about the infected system and the generated decryption keys. 
This beacon includes the user’s system information, unique identifiers for the infected machine and the encryption keys needed to decrypt the files. Centralising this information lets the attackers control the decryption process, monitor the status of infected systems, manage ransom demands and hand over decryption keys once payment is made. A screenshot is attached to the message.\r\nFigure 17: New Victim Notification Message\r\nIf no network connection is available, CashRansomware falls back to storing the encrypted decryption key in the registry (under SOFTWARE\\Wow64Inject, see the IOCs), so that the key remains recoverable by the attackers once the ransom is paid, even if the infected system could not reach the C2. As detailed below, this registry copy is protected with a static symmetric key, not an asymmetric algorithm.\r\nCryptography\r\nKeys\r\nThe encryption key and IV are generated with RNGCryptoServiceProvider, which is marked obsolete since .NET 6 but is still a cryptographically secure generator.\r\nThe file encryption keys are then encrypted with a static key encryption key (KEK). Using a symmetric KEK embedded in the binary for local storage is a serious weakness: anyone with a copy of the sample can recover the KEK and decrypt any stored file key. 
Instead, the file keys should be wrapped with an asymmetric key whose private half never reaches the victim machine.\r\nFigure 18: Key encryption routine\r\nBecause an RSA mechanism exists in the code and because the URL https://pastebin.com/raw/azDDWzUg points to the following public key, it can be assumed that proper key wrapping will be performed in the next versions. The PEM as printed here is cut off after the first line and a half:\r\n-----BEGIN PUBLIC KEY-----\r\nMIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgGFPnrvYFsHG3+NAFcVf4czqpdFX\r\nOf/eQyyFTUxwm4qjPJGLpm/agh5U3gUS6E5t9QHHSpN6hf3\r\n-----END PUBLIC KEY-----\r\nThe RSA key is short. openssl reports it as 1023 bits: the modulus is 128 bytes long but its leading byte 0x61 has the top bit clear, so the nominal 1024-bit key loses a bit. Keys of this size have been disallowed by NIST since 2013 and fall well below the 2048-bit minimum in current guidance, although no public factorisation of a 1024-bit RSA modulus has been demonstrated; the immediate practical weakness remains the static symmetric KEK rather than this key.\r\nopenssl rsa -pubin -in /dev/shm/a.asc -noout -text\r\nPublic-Key: (1023 bit)\r\nModulus:\r\n 61:4f:9e:bb:d8:16:c1:c6:df:e3:40:15:c5:5f:e1:\r\n cc:ea:a5:d1:57:39:ff:de:43:2c:85:4d:4c:70:9b:\r\n 8a:a3:3c:91:8b:a6:6f:da:82:1e:54:de:05:12:e8:\r\n 4e:6d:f5:01:c7:4a:93:7a:85:fd:e0:f2:a2:0c:81:\r\n b9:43:b5:34:a5:b5:4e:2b:99:61:1f:dc:2f:09:a0:\r\n 72:bd:7d:2b:09:7a:8d:89:69:d3:92:a0:98:fc:60:\r\n 14:cf:16:33:93:37:3e:ff:3e:44:b4:17:e4:a7:ff:\r\n cb:68:ff:26:f3:b7:cb:54:45:e4:fd:e4:5c:62:e0:\r\n 95:a4:27:2c:50:a5:c5:a7\r\nExponent: 65537 (0x10001)\r\nThe ransomware includes a “trial decrypt” feature that decrypts a single file, which means the decryption key (and IV) must be present in the process’s memory while that operation runs. Using memory forensics it is possible to extract the key from RAM at that moment. We have developed a tool that decrypts files encrypted by the ransomware: it first locates and extracts the key material from the process’s memory while the ransomware performs the single-file decryption. 
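\r\nTo make the 1023-bit figure concrete, here is an added example (not code from the original article or from TEHTRIS) that takes the modulus bytes from the openssl dump above, computes the real key size, and re-encodes the SubjectPublicKeyInfo to check that it reproduces the first line of the Pastebin PEM. The DER encoder is a minimal one written for this example and only handles the lengths that occur here.

```python
import base64

# Modulus transcribed from the openssl output above (128 bytes, first byte 0x61).
MODULUS_HEX = (
    '614f9ebbd816c1c6dfe34015c55fe1'
    'cceaa5d15739ffde432c854d4c709b'
    '8aa33c918ba66fda821e54de0512e8'
    '4e6df501c74a937a85fde0f2a20c81'
    'b943b534a5b54e2b99611fdc2f09a0'
    '72bd7d2b097a8d8969d392a098fc60'
    '14cf163393373eff3e44b417e4a7ff'
    'cb68ff26f3b7cb5445e4fde45c62e0'
    '95a4272c50a5c5a7'
)
PUBLIC_EXPONENT = 65537

# First base64 line of the Pastebin key as printed in the article.
PEM_FIRST_LINE = 'MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgGFPnrvYFsHG3+NAFcVf4czqpdFX'


def rsa_key_report(modulus_hex: str = MODULUS_HEX, e: int = PUBLIC_EXPONENT) -> dict:
    '''Size and sanity facts about an RSA public key given its modulus as hex.'''
    n = int(modulus_hex, 16)
    nominal = len(modulus_hex) * 4          # bits implied by the byte length
    return {
        'nominal_bits': nominal,
        'effective_bits': n.bit_length(),   # what openssl prints as Public-Key: (N bit)
        'top_bit_clear': n.bit_length() < nominal,
        'modulus_odd': n % 2 == 1,          # an even modulus would be trivially broken
        'below_2048': n.bit_length() < 2048,
        'standard_exponent': e == 65537,
    }


# --- minimal DER/SPKI encoder, enough for this key (lengths below 256) --------

def _der(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    assert len(body) < 0x100, 'only one-byte long-form lengths are needed here'
    return bytes([tag, 0x81, len(body)]) + body


def _der_int(v: int) -> bytes:
    # (bit_length + 8) // 8 adds a leading 0x00 only when the top bit is set,
    # so this 1023-bit modulus stays 128 bytes while a full 1024-bit one would be 129.
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, 'big'))


def spki_base64(modulus_hex: str = MODULUS_HEX, e: int = PUBLIC_EXPONENT) -> str:
    '''base64 body of a SubjectPublicKeyInfo for an rsaEncryption key.'''
    rsa_encryption_oid = bytes.fromhex('06092a864886f70d010101')
    alg_id = _der(0x30, rsa_encryption_oid + bytes.fromhex('0500'))   # NULL params
    rsa_pub = _der(0x30, _der_int(int(modulus_hex, 16)) + _der_int(e))
    bit_string = _der(0x03, bytes(1) + rsa_pub)   # leading byte: zero unused bits
    return base64.b64encode(_der(0x30, alg_id + bit_string)).decode('ascii')


def matches_pastebin_key(modulus_hex: str = MODULUS_HEX) -> bool:
    '''True if the re-encoded key reproduces the first PEM line from the article.'''
    return spki_base64(modulus_hex).startswith(PEM_FIRST_LINE)


if __name__ == '__main__':
    print(rsa_key_report())
    print('re-encoded SPKI matches the Pastebin PEM:', matches_pastebin_key())
```

The report shows why openssl says 1023 rather than 1024: the size is the bit length of the modulus, not the byte length of the buffer. The re-encoding check is a cheap way to confirm that a hex dump and a PEM found in two places really describe the same key before building a decryptor around it.\r\n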
The source code of that tool, decrypt.cpp, is reproduced in the appendix.\r\nFigure 19: Decryption process using TEHTRIS’ tool\r\nAfter a ransomware infection, backing up the encrypted files and the system memory is essential, because design flaws in the malware may allow file recovery. Ransomware is often developed in a hurry, which leads to weaknesses in the encryption scheme, improper key management or bugs in the encryption process itself. Preserving the encrypted files keeps the data in its original state, so that different decryption strategies or updated decryption tools can be applied as they become available. Capturing the system memory at the same time preserves crucial information, such as the decryption key and the ransomware’s operational data, which can be analysed to find ways to reverse the encryption. Together, the two backups maximise the chances of recovery and reduce the risk of permanent data loss.\r\nAlgorithms\r\nThe files are encrypted with AES‑256 in CBC mode. 
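\r\nBecause both the AES-256 key and the CBC IV have to be lifted from process memory, here is an added example (not code from the article and not TEHTRIS’ decrypt.cpp) that re-implements the memory-carving heuristic the tool relies on in Python: pick the private read-write region that mentions the encryption extension (UTF-16LE, as .NET stores strings) more than once, then scan it for NUL-delimited runs of 32 and 16 bytes whose Shannon entropy exceeds 3.5 bits per byte, the threshold the tool uses. The region list and the dump are constructed inline; a real run would feed it pages read with ReadProcessMemory or carved from a ProcDump .dmp. Treating a single NUL byte on each side as the delimiter is a simplification of what decrypt.cpp does (it skips one extra byte), and the placement of the IV and key in the sample dump is an assumption made for the example.

```python
import math

EXTENSION = '.CashRansomware'   # default extension; configurable in the builder
ENTROPY_THRESHOLD = 3.5         # bits per byte, same cut-off as decrypt.cpp
KEY_LEN, IV_LEN = 32, 16        # AES-256 key and CBC IV sizes


def shannon_entropy(buf: bytes) -> float:
    '''Bits of entropy per byte of buf (0.0 for an empty or constant buffer).'''
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def select_region(regions):
    '''Return the first region mentioning the extension (UTF-16LE) more than
    once: the region holding the ransomware's file bookkeeping is where the
    key and IV also live while a trial decrypt runs. None if nothing matches.'''
    needle = EXTENSION.encode('utf-16-le')
    for region in regions:
        if region.count(needle) > 1:
            return region
    return None


def carve_key_and_iv(data: bytes):
    '''Return (keys, ivs): NUL-delimited 32- and 16-byte runs of high entropy.
    Assumption (simplified from decrypt.cpp): a candidate starts right after a
    NUL byte and is followed by one. Low-entropy runs (ASCII filler, zero
    padding, UTF-16 text) are rejected, which keeps the candidate set small.'''
    keys, ivs = set(), set()
    for i in range(1, len(data) - KEY_LEN):
        if data[i - 1] != 0:
            continue
        key = data[i:i + KEY_LEN]
        if data[i + KEY_LEN] == 0 and shannon_entropy(key) > ENTROPY_THRESHOLD:
            keys.add(key)
        iv = data[i:i + IV_LEN]
        if data[i + IV_LEN] == 0 and shannon_entropy(iv) > ENTROPY_THRESHOLD:
            ivs.add(iv)
    return keys, ivs


# --- constructed sample dump (not a real capture) ------------------------------

SAMPLE_IV = bytes(range(0x10, 0x20))    # 16 distinct bytes: entropy 4.0
SAMPLE_KEY = bytes(range(0xA0, 0xC0))   # 32 distinct bytes: entropy 5.0


def build_sample_dump() -> bytes:
    '''A fake private RW page: filler, two UTF-16LE paths carrying the extension,
    a NUL-delimited but low-entropy decoy, then the IV and the key, NUL-delimited.'''
    nul = bytes(1)
    paths = ('C:/Users/victim/Documents/report.docx', 'C:/Users/victim/Pictures/holiday.jpg')
    names = b''.join((p + EXTENSION).encode('utf-16-le') + nul + nul for p in paths)
    decoy = b'A' * KEY_LEN
    return (b'padding-' * 4 + nul + names + nul + decoy + nul
            + SAMPLE_IV + nul + SAMPLE_KEY + nul + b'trailer' + nul)


def recover_from_dump(regions):
    '''End-to-end: choose the region, carve it, return (keys, ivs) or None.'''
    region = select_region(regions)
    if region is None:
        return None
    return carve_key_and_iv(region)


if __name__ == '__main__':
    keys, ivs = recover_from_dump([b'unrelated page', build_sample_dump()])
    print('key candidates:', [k.hex() for k in keys])
    print('IV candidates:', [v.hex() for v in ivs])
```

On a real dump the candidate sets are small but rarely singletons, which is why decrypt.cpp validates each (key, IV) pair by decrypting the first block of a known encrypted file and checking the plaintext; the entropy filter only prunes, it does not decide.\r\n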
The IV is part of the decryption secret and is not stored in the encrypted file, which is unusual but does not lower the overall security of the scheme. It does mean that a decryptor needs both the key and the IV, not just the key.\r\nFigure 20: Encryption Routine\r\nIOCs\r\nFiles and registry\r\n1 HKEY_CURRENT_USER\\\\SOFTWARE\\\\Wow64Inject\\\\([A-F\\d]{2} ){32}\r\n2 HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Tracing\\\\.*_RASAPI32\\\\EnableFileTracing\r\n3 HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Tracing\\\\.*_RASAPI32\\\\EnableConsoleTracing\r\n4 HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Tracing\\\\.*_RASAPI32\\\\FileTracingMask\r\n5 HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Tracing\\\\.*_RASAPI32\\\\ConsoleTracingMask\r\n6 HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Tracing\\\\.*_RASAPI32\\\\MaxFileSize\r\n7 HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Tracing\\\\.*_RASAPI32\\\\FileDirectory\r\n8 .*\\.CashRansomware\r\nThe Wow64Inject key (entry 1) is where the wrapped file key is stored as 32 space‑separated hex bytes. The Tracing\\\\*_RASAPI32 values (entries 2 to 7) are created by Windows for any process that loads rasapi32.dll, so they only identify the sample through the process name embedded in the key path and are weak indicators on their own.\r\nArtifacts\r\nMutex: MVI6MT0qPLmQhQ6j\r\nSimilar samples\r\nThe following SHA256 hashes are similar samples:\r\n1 958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24\r\n2 b8f506741843e2c76fb207b41d205530236f4a263a9a5902146cd71a13fdfd23\r\n3 5525d297a346b80912c4f5ec0ac4875e9d49f96d01e52c10df5c064bd803bd79\r\n4 e387c084d5c3b62413743e912ee10776564e7c55ba1dc801990b312b88b61efe\r\n5 39096e9a521ea1c001083d8c82317c8e6dbdd5d705d9a92beb15db102fb87263\r\n6 e1696968ad55e7e03a8334711d90350c4145fb4f60de5fb4a2f5f19187183c05\r\n7 6332e43af93cf00c5bd536e189b30d5a44c0568fb3fdef5e9b020146420d8b15\r\n8 dd7d6dc03dea59e2f48ef92849ec0d03aa6cf4c5e1e6758eba184be311e6fb1f\r\n9 003311f504eec2d0203de5e5e9d8c4213a981a3f6db85141a6d1e84a58e2b6b9\r\n10 91edb2ed65ae31113c3c2f3ba63bcac5d24d48ef3d5765018799863e4717b845\r\n11 b7f5f19864639b32f24e806091bf0a0a7483df73c97eac41fe5eb1d3321cea39\r\n12 
c67332d690304dfd5d43fc35dbdf0a832a803ff5f73f6187e3d94ace7433fffd\r\n13 132ef1a933f9d26fb0bb46b0a970dbfe05ad8fe0859ece8eb973b5584a580cc3\r\n14 8040b684f12ac819ba9ecb407f202f01182d25186552093379ad33c86f3a4273\r\nDetection\r\nYara\r\nimport \"dotnet\"\r\nrule CashRansomware {\r\n meta:\r\n author = \"PEZIER Pierre-Henri. Copyright TEHTRIS 2024\"\r\n strings:\r\n $str_01 = \"cashransom.exe\" ascii wide nocase\r\n $str_02 = \"cashransomware\" ascii wide nocase\r\n $func_01 = \"get_icons8_code_file_100\"\r\n $func_02 = \"get_icons8_document_120\"\r\n $func_03 = \"get_icons8_inquiry_100\"\r\n $func_04 = \"get_icons8_lock_500\"\r\n $func_06 = \"get_icons8_unlocking_a_secure_web_login_for_admin_96\"\r\n $func_07 = \"get_icons8_upload_90\"\r\n $func_08 = \"get_KadavroSupp\"\r\n $func_09 = \"get_key\"\r\n $func_10 = \"get_logo_jester_done\"\r\n $func_11 = \"get_monero\"\r\n $func_12 = \"get_monero_icon_512x512_kqg9n5mp\"\r\n $func_13 = \"get_Monero_Logo_svg\"\r\n $func_14 = \"get_money_bag_coins_bitcoin_isolated_white_background_106234394_removebg_preview\"\r\n $func_15 = \"get_Pinvoke\"\r\n $func_16 = \"get_SuppID\"\r\n $func_17 = \"get_SuppToken\"\r\n $func_18 = \"get_telegram\"\r\n $msg_01 = \"Your files are heavily encrypted, and none can be decrypted without the decryption key.\"\r\n $msg_02 = \"To obtain the decryption key, you need to make a payment to the specified amount to the XMR /\r\n $msg_03 = \"Once you've made the payment, you should contact the attackers via email or Telegram to recei\r\n $msg_04 = \"After receiving the decryption key, you need to input it into the decryption panel in Cash.\"\r\n $msg_05 = \"Once you hit the decryption button, your files will be decrypted.\"\r\n $msg_06 = \"The \\\"trial decrypt file\\\" function allows you to decrypt one of the\"\r\n $msg_07 = \"encrypted files to verify the legitimacy\"\r\n $msg_08 = \"After decrypting one of your files, be sure to save it 
because\"\n $msg_09 = \"files you manage to decrypt will be encrypted again.\"\n $msg_10 = \"However, there won't be another \\\"trial decrypt\\\"\"\n $msg_11 = \"attempt available, so keep that in mind!\"\n $msg_12 = \"https://pastebin.com/raw/azDDWzUg\"\n $msg_13 = \"\u003eregret to inform you that your files have been compromised by the insidious\"\n $msg_14 = \"encryption algorithm, your files have been ensnared with unbreakable tags and a deadly combin\n $msg_15 = \"meticulously chosen by the ransomware's constructors to ensure maximum devastation.\"\n $msg_16 = \"To further fortify its grip on your data, \"\n condition:\n dotnet.is_dotnet\n and (\n all of ($str*)\n or 5 of ($func*)\n or any of ($msg*)\n )\n}\nsnort\nWarning: the Telegram API enforces TLS, so this rule only fires if a TLS-intercepting proxy terminates the session and feeds the decrypted HTTP to the sensor. It also matches the victim-notification POST, so it flags an infection that has already started rather than preventing one.\nalert http any any -\u003e any any (sid:110000001; msg:\"Cash ransomware\"; metadata:author PEZIER Pierre-Henri. 
Copyright TEHTRIS 2024; content:\"POST\"; content:\"CASH RANSOMWARE\"; classtype:bad-unknown; rev:1;)\nsigma\nThe following Sigma rule detects encrypted files by their extension. It only covers the default extension, so it misses builds configured with another one in the builder:\ntitle: CashRansomware file encryption\r\nid: 1a4f7892-4766-4e2b-ac60-edaa00fcc31f\r\ndescription: Detects default CashRansomware file extension\r\nauthor: TEHTRIS - Pezier Pierre-Henri\r\ndate: 2024/05/17\r\ntags:\r\n - detection.threat_hunting\r\nlogsource:\r\n category: file_access\r\n product: windows\r\ndetection:\r\n encrypted_file:\r\n FileName|endswith: '.CashRansomware'\r\n condition: encrypted_file\r\nfalsepositives:\r\n - Unknown\r\nlevel: critical\r\nThe following rule detects the local backup of the encrypted key in the registry (32 hex-encoded bytes written under SOFTWARE\\Wow64Inject):\r\ntitle: CashRansomware registry activity\r\nid: d0756305-56fe-4a5d-a06b-8cc447f11e66\r\ndescription: Detects CashRansomware malicious activity based on registry access\r\nauthor: TEHTRIS - Pezier Pierre-Henri\r\ndate: 2024/05/17\r\ntags:\r\n - detection.threat_hunting\r\nlogsource:\r\n category: registry_event\r\n product: windows\r\ndetection:\r\n selection:\r\n TargetObject|endswith: 'SOFTWARE\\Wow64Inject\\SysWow64'\r\n Details|re: '(?ims)(([a-f\\d]{2}\\s?){8}(\\r\\n)?){4}'\r\n condition: selection\r\nfalsepositives:\r\n - Unknown\r\nlevel: critical\r\nAppendix\r\ndecrypt.cpp\r\nThe following code recovers the AES key and IV from the memory of the running ransomware process and uses them to decrypt the encrypted files. It therefore only works while the ransomware process is still alive, which is why the process should be suspended rather than killed during incident response.\r\n#include \u003cwindows.h\u003e\r\n#include \u003cfstream\u003e\r\n#include \u003ciostream\u003e\r\n#include \u003calgorithm\u003e\r\n#include \u003cstring\u003e\r\n#include \u003ccctype\u003e\r\n#include \u003ccassert\u003e\r\n#include \u003ccmath\u003e\r\n#include \u003cregex\u003e\r\n#include \u003cset\u003e\r\n#include 
\u003cthread\u003e\r\n#include \u003cexperimental/filesystem\u003e\r\n#include \"AES.hpp\" // github: http://github.com/mrdcvlsc/AES\r\n// build using: cl.exe decrypt.cpp /std:c++latest /EHsc\r\n#define ENTROPY_THRESHOLD 3.5\r\n#pragma comment(lib, \"user32.lib\")\r\nwchar_t extension[] = L\".CashRansomware\"; // The file extension (patch it if the builder was configured with another one)\r\n/*\r\n* Find the ransomware window based on its window title. Returns the window handle if it exists, NULL if not.\r\n* Patch the substring below if the title differs; a window-spy tool (the AutoIt Window Info tool, for instance) helps identify it.\r\n*/\r\nHWND find_window(void)\r\n{\r\nchar window_text[1024] = {0};\r\nchar window_class[1024] = {0};\r\nHWND curr_win = GetTopWindow(NULL);\r\ndo {\r\nRealGetWindowClass(curr_win, window_class, sizeof(window_class));\r\nGetWindowText(curr_win, window_text, sizeof(window_text));\r\nif(strstr(window_text, \"ansomware\")) {\r\nreturn curr_win;\r\n}\r\ncurr_win = GetNextWindow(curr_win, GW_HWNDNEXT); // walk the z-order downwards\r\n} while(curr_win);\r\nreturn NULL;\r\n}\r\n/*\r\n* Egg hunting to extract keys from memory. Having the right extension is critical. 
Patch if needed.\r\n*/\r\nstd::string find_candidate_mem_page(HWND window_id) {\r\nDWORD pid = 0;\r\nSYSTEM_INFO si;\r\nMEMORY_BASIC_INFORMATION mbi;\r\nGetWindowThreadProcessId(window_id, \u0026pid);\r\nHANDLE process_handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);\r\nif(process_handle == NULL) {\r\nreturn \"\";\r\n}\r\nGetSystemInfo(\u0026si);\r\nuint8_t *ptr = (uint8_t *)si.lpMinimumApplicationAddress;\r\nwhile(ptr \u003c (uint8_t *)si.lpMaximumApplicationAddress) {\r\nif(!VirtualQueryEx(process_handle, ptr, \u0026mbi, sizeof(mbi))) {\r\nptr += si.dwPageSize;\r\ncontinue;\r\n}\r\n// Only private, committed, read-write regions: that is where the managed heap, and with it the key material, lives\r\nif(mbi.Protect == PAGE_READWRITE \u0026\u0026 mbi.Type == MEM_PRIVATE \u0026\u0026 mbi.State == MEM_COMMIT) {\r\nuint8_t *data = (uint8_t *)malloc(mbi.RegionSize);\r\nif(!data) {\r\nCloseHandle(process_handle);\r\nreturn \"\";\r\n}\r\nSIZE_T read;\r\nif(ReadProcessMemory(process_handle, ptr, data, mbi.RegionSize, \u0026read)) {\r\nstd::string data_str((char *)data, read);\r\nstd::string tofind((char *)extension, sizeof(extension)); // includes the UTF-16 terminator, so only an extension at the end of a string matches\r\nsize_t pos = 0, ext_count = 0;\r\nwhile((pos = data_str.find(tofind, pos)) \u003c data_str.length()) {\r\next_count += 1;\r\npos += tofind.length();\r\n}\r\n// A region naming more than one encrypted file is the ransomware's bookkeeping: keep it\r\nif(ext_count \u003e 1) {\r\nCloseHandle(process_handle);\r\nfree(data);\r\nreturn data_str;\r\n}\r\n}\r\nfree(data);\r\n}\r\nptr += mbi.RegionSize;\r\n}\r\nCloseHandle(process_handle);\r\nreturn \"\";\r\n}\r\n/*\r\n * Shannon entropy of a std::string\r\n */\r\nfloat shannon_entropy(const std::string \u0026 s)\r\n{\r\n int counts[256] = {};\r\n for (unsigned char c: s)\r\n {\r\n counts[c]++;\r\n }\r\n float entropy = 0;\r\n float length = (float)s.size();\r\n for (int count: counts)\r\n {\r\n if (count == 0)\r\n continue;\r\n float p = (float)count / length;\r\n entropy -= p * std::log2f(p);\r\n }\r\n return entropy;\r\n}\r\n/*\r\n * 
Retrieve potential key and IV based on string entropy to improve performance\r\n */\r\nbool get_key_and_iv(std::set\u003cstd::string\u003e *IVs, std::set\u003cstd::string\u003e *keys, std::string \u0026data)\r\n{\r\nint progress = -1;\r\nstd::cout \u003c\u003c \"progress (%): \";\r\nfor(size_t i=1; i\u003cdata.length() - 33/*0x91358*/; i++) {\r\nint curr_progress = (100 * i) / data.length();\r\nif(curr_progress \u003e progress) {\r\nstd::cout \u003c\u003c curr_progress \u003c\u003c \" \";\r\nprogress = curr_progress;\r\n}\r\nif((int)data.at(i - 1) == 0) {\r\nstd::string candidate_iv = data.substr(i, 16);\r\nstd::string candidate_key = data.substr(i, 32);\r\nif((int)data.at(i + 33) == 0 \u0026\u0026 shannon_entropy(candidate_key) \u003e ENTROPY_THRESHOLD) {\r\nkeys-\u003einsert(candidate_key);\r\n}\r\nif((int)data.at(i + 17) == 0 \u0026\u0026 shannon_entropy(candidate_iv) \u003e ENTROPY_THRESHOLD) {\r\nIVs-\u003einsert(candidate_iv);\r\n}\r\n}\r\n}\r\nstd::cout \u003c\u003c std::endl;\r\nreturn IVs-\u003esize() \u003e 0 \u0026\u0026 keys-\u003esize() \u003e 0;\r\n}\r\n/*\r\n * Extract every file encrypted by the ransomware. 
They are wide encoded and end with the encryption extension\r\n */\r\nstd::set\u003cstd::wstring\u003e extract_file_names(std::string \u0026data)\r\n{\r\nstd::set\u003cstd::wstring\u003e retval;\r\nsize_t min_string_len = (sizeof(extension) + 1) * sizeof(wchar_t);\r\nfor(size_t i=0; i\u003cdata.length() - min_string_len; i++) {\r\nif(data.c_str()[i] != '\\x00') {\r\nsize_t j;\r\nfor(j=1; i+j \u003c data.length() \u0026\u0026 data.c_str()[i + j] == '\\x00' \u0026\u0026 data.c_str()[i + j -\r\nif(j \u003e min_string_len) {\r\nstd::wstring ws(\r\n(wchar_t *)\u0026data.c_str()[i]\r\n);\r\nif(ws.length() == 2 \u0026\u0026 ws.c_str()[i]) {\r\nbreak;\r\n}\r\ni += ws.length() * 2;\r\nif(ws.length() \u003e sizeof(extension) / sizeof(wchar_t) \u0026\u0026 ws.substr(ws.length\r\nretval.insert(ws);\r\n}\r\n}\r\n}\r\n}\r\nreturn retval;\r\n}\r\n/*\r\n * Decrypt the first chunk of encrypted payload and xor it with the IV\r\n */\r\nstd::string decrypt(std::string \u0026IV, std::string \u0026key, std::string \u0026chunk)\r\n{\r\nunsigned char block[16];\r\nchunk.copy((char *)block, 16);\r\nCipher::Aes\u003c256\u003e aes((unsigned char *)key.c_str());\r\naes.decrypt_block((unsigned char *)block);\r\nfor(size_t i=0; i\u003c16; i++) {\r\nblock[i] ^= IV.at(i);\r\n}\r\nreturn std::string((char *)block, 16);\r\n}\r\n/*\r\n * Entropy based key validation. 
We try to decrypt using every couple IV/KEY found and accept if entropy of deci\r\n * Return False if no key has been found\r\n */\r\nbool bruteforce_keys(std::wstring \u0026encrypted_file_path, std::set\u003cstd::string\u003e \u0026IVs, std::set\u003cstd::string\u003e \u0026keys,\r\n{\r\nstd::ifstream input_file(encrypted_file_path, std::ios::binary);\r\nif(!input_file.is_open()) {\r\nreturn FALSE;\r\n}\r\nunsigned char block[16];\r\ninput_file.read((char *)block, sizeof(block));\r\ninput_file.close();\r\nstd::string encrypted_chunk((char *)block, sizeof(block));\r\nstd::cout \u003c\u003c \"progress (%): \";\r\nint progress = -1;\r\nsize_t counter = 0;\r\nfor(std::string key: keys) {\r\nint curr_progress = (100 * counter) / keys.size();\r\nif(curr_progress \u003e progress) {\r\nstd::cout \u003c\u003c curr_progress \u003c\u003c \" \";\r\nprogress = curr_progress;\r\n}\r\ncounter += 1;\r\nfor(std::string IV: IVs) {\r\nstd::string cleartext = decrypt(IV, key, encrypted_chunk);\r\nif(shannon_entropy(cleartext) \u003c 2.5) { // Arbitrary threshold to determine that we fo\r\n*out_iv += IV;\r\n*out_key += key;\r\nstd::cout \u003c\u003c std::endl;\r\nreturn TRUE;\r\n}\r\n}\r\n}\r\nstd::cout \u003c\u003c std::endl;\r\nreturn FALSE;\r\n}\r\n/*\r\n * Decrypt a file. 
The destination file will be the stem concatenated with the \".decrypted\" extension\r\n * Returns the file name if decryption is successful, empty path if not\r\n */\r\nstd::experimental::filesystem::path decrypt_file(std::wstring \u0026encrypted_file_path, std::string \u0026key, std::strin\r\n{\r\nstd::experimental::filesystem::path path(encrypted_file_path);\r\nstd::experimental::filesystem::path destination = path.parent_path() / path.stem();\r\ndestination += \".decrypted\";\r\nif(std::experimental::filesystem::exists(destination)) {\r\nstd::cout \u003c\u003c \"[+] File: \" \u003c\u003c destination \u003c\u003c \" already exists\" \u003c\u003c std::endl;\r\nreturn \"\";\r\n}\r\nstd::ofstream out_file(destination, std::ios::binary);\r\nif(!out_file.is_open()) {\r\nreturn \"\";\r\n}\r\nstd::ifstream in_file(encrypted_file_path, std::ios::binary);\r\nif(!in_file.is_open()) {\r\nout_file.close();\r\nreturn \"\";\r\n}\r\nCipher::Aes\u003c256\u003e aes((unsigned char *)key.c_str());\r\nunsigned char diffuser[16];\r\niv.copy((char *)diffuser, 16);\r\nwhile(!in_file.eof()) {\r\nunsigned char block[16], deciphered[16];\r\nin_file.read((char *)block,16);\r\nif(in_file.gcount() == 0) { // eof() is only set after a failed read: stop here instead of decrypting the stale block again\r\nbreak;\r\n}\r\nmemcpy(deciphered, block, 16);\r\naes.decrypt_block(deciphered);\r\nfor(size_t i=0; i\u003c16; i++) { // quick CBC implem\r\ndeciphered[i] ^= diffuser[i];\r\n}\r\nout_file.write((char *)deciphered, 16);\r\nmemcpy(diffuser, block, 16);\r\n}\r\nin_file.close();\r\nout_file.close();\r\nreturn destination;\r\n}\r\nint main(void)\r\n{\r\nstd::cout \u003c\u003c \"CashRansomware decryptor. Copyright TEHTRIS 2024\" \u003c\u003c std::endl;\r\nHWND window = find_window();\r\nif(window) {\r\nstd::cout \u003c\u003c \"[+] Found ransomware process window\" \u003c\u003c std::endl;\r\n} else {\r\nstd::cerr \u003c\u003c \"[-] Cannot find cash ransomware windows. Is the ransomware running? 
If window cl\r\nreturn 1;\r\n}\r\nstd::string data = find_candidate_mem_page(window);\r\nif(data.length() \u003e 0) {\r\nstd::cout \u003c\u003c \"[+] Found candidate memory page.\" \u003c\u003c std::endl;\r\n} else {\r\nstd::cerr \u003c\u003c \"[-] Could not find any valid memory page. If file extention changed, please comm\r\nreturn 1;\r\n}\r\nstd::set\u003cstd::wstring\u003e encrypted_file_list = extract_file_names(data);\r\nif(encrypted_file_list.size() \u003e 0) {\r\nstd::cout \u003c\u003c \"[+] found: \" \u003c\u003c encrypted_file_list.size() \u003c\u003c \" encrypted file(s)\" \u003c\u003c std::endl;\r\n} else {\r\nstd::cerr \u003c\u003c \"[-] No encrypted file found. If file extention changed, please commit in the sou\r\nreturn 1;\r\n}\r\nstd::set\u003cstd::string\u003e IVs, keys;\r\nstd::cout \u003c\u003c \"[+] Looking for candidate keys and ivs. This can take a long time\" \u003c\u003c std::endl;\r\nif(get_key_and_iv(\u0026IVs, \u0026keys, data)) {\r\nstd::cout \u003c\u003c \"[+] Found: \" \u003c\u003c std::dec \u003c\u003c keys.size() \u003c\u003c \" candidate keys and \" \u003c\u003c IVs.size()\r\n} else {\r\nstd::cerr \u003c\u003c \"[-] Could not extract valid keys and IVs\" \u003c\u003c std::endl;\r\nreturn 1;\r\n}\r\nstd::string real_iv, key;\r\nfor(std::wstring encrypted_file_path: encrypted_file_list) {\r\nstd::wcout \u003c\u003c L\"[+] Bruteforcing key on file: \" \u003c\u003c encrypted_file_path \u003c\u003c std::endl;\r\n if(bruteforce_keys(encrypted_file_path, IVs, keys, \u0026real_iv, \u0026key)) {\r\n std::cout \u003c\u003c \"[+] Found couple KEY, IV\" \u003c\u003c std::endl;\r\n break;\r\n } else {\r\n std::cerr \u003c\u003c \"[-] Failed to extract couple KEY, IV. 
Continuing with next file\" \u003c\u003c std\r\n }\r\n}\r\nif(real_iv.length() == 0 || key.length() == 0) {\r\nstd::cerr \u003c\u003c \"[-] Failed to extract couple KEY, IV.\" \u003c\u003c std::endl;\r\nreturn 1;\r\n}\r\nfor(std::wstring encrypted_file_path: encrypted_file_list) {\r\nstd::experimental::filesystem::path decrypted_file = decrypt_file(encrypted_file_path, key, re\r\nif(std::experimental::filesystem::exists(decrypted_file)) {\r\nstd::cout \u003c\u003c \"[+] File \" \u003c\u003c decrypted_file \u003c\u003c \" successfully decrypted\" \u003c\u003c std::endl;\r\n} else {\r\nstd::wcerr \u003c\u003c L\"[-] Failed to decrypt file: \" \u003c\u003c encrypted_file_path \u003c\u003c std::endl;\r\n}\r\n}\r\nsystem(\"pause\"); // Do not close console\r\n}\r\nStix2.1 json source\r\n{\r\n \"type\": \"bundle\",\r\n \"id\": \"bundle--b9d25a93-f002-4fef-b115-38f9f7205516\",\r\n \"objects\": [\r\n {\r\n \"type\": \"threat-actor\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"threat-actor--af63e750-a86a-4f61-afff-d90c14291b0f\",\r\n \"created_by_ref\": \"identity--8f89679b-f5f9-4773-8980-dc409c74b548\",\r\n \"threat_actor_types\": [ \"crime-syndicate\"],\r\n \"name\": \"Cash LLC\",\r\n \"description\": \"Cash out and Cash Hosting malware as a service entity\",\r\n \"aliases\": [\"cash out\", \"cash hosting\"],\r\n \"goals\": [\"Steal Money\"],\r\n \"sophistication\": \"advanced\",\r\n \"resource_level\": \"team\",\r\n \"primary_motivation\": \"organizational-gain\"\r\n },\r\n {\r\n \"type\": \"identity\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"identity--023d105b-752e-4e3c-941c-7d3f3cb15e9e\",\r\n \"name\": \"Artem Ey\",\r\n \"identity_class\": \"individual\"\r\n },\r\n {\r\n \"type\": \"relationship\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"relationship--8a2c59b2-990e-4f05-b2d9-25b0da6bc064\",\r\n \"relationship_type\": \"attributed-to\",\r\n \"source_ref\": 
\"threat-actor--af63e750-a86a-4f61-afff-d90c14291b0f\",\r\n \"target_ref\": \"identity--023d105b-752e-4e3c-941c-7d3f3cb15e9e\"\r\n },\r\n {\r\n \"type\":\"infrastructure\",\r\n \"spec_version\": \"2.1\",\r\n \"id\":\"infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d\",\r\n \"name\":\"Cash out malware store\",\r\n \"infrastructure_types\": [\"hosting-malware\"]\r\n },\r\n {\r\n \"type\":\"infrastructure\",\r\n \"spec_version\": \"2.1\",\r\n \"id\":\"infrastructure--b285b5b0-d757-418f-ba5b-4df23a4fe8e7\",\r\n \"name\":\"Cash hosting\",\r\n \"infrastructure_types\": [\"hosting-target-lists\"]\r\n },\r\n {\r\n \"type\": \"relationship\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"relationship--621277c3-198e-4c9a-b91b-ed54eacd33de\",\r\n \"relationship_type\": \"hosts\",\r\n \"source_ref\": \"threat-actor--af63e750-a86a-4f61-afff-d90c14291b0f\",\r\n \"target_ref\": \"infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d\"\r\n },\r\n {\r\n \"type\": \"relationship\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"relationship--2765d8df-a6d5-4d2a-b042-20d7450a0396\",\r\n \"relationship_type\": \"hosts\",\r\n \"source_ref\": \"threat-actor--af63e750-a86a-4f61-afff-d90c14291b0f\",\r\n \"target_ref\": \"infrastructure--b285b5b0-d757-418f-ba5b-4df23a4fe8e7\"\r\n },\r\n {\r\n \"type\": \"domain-name\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"domain-name--faf0609d-2a3d-4706-925a-a6f7699e385a\",\r\n \"value\": \"cashout.pw\"\r\n },\r\n {\r\n \"type\": \"domain-name\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"domain-name--1e42e57c-269a-4446-8557-95c4f807a91b\",\r\n \"value\": \"cash-hosting.pw\"\r\n },\r\n {\r\n \"type\": \"relationship\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"relationship--280c98d0-3ac8-4eb0-b333-3b3e0309f9cc\",\r\n \"relationship_type\": \"consists-of\",\r\n
 \"source_ref\": \"infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d\",\r\n \"target_ref\": \"domain-name--faf0609d-2a3d-4706-925a-a6f7699e385a\"\r\n },\r\n {\r\n \"type\": \"relationship\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"relationship--b4d5e3fa-cab0-426c-84b8-f6bd02e96feb\",\r\n \"relationship_type\": \"consists-of\",\r\n \"source_ref\": \"infrastructure--b285b5b0-d757-418f-ba5b-4df23a4fe8e7\",\r\n \"target_ref\": \"domain-name--1e42e57c-269a-4446-8557-95c4f807a91b\"\r\n },\r\n {\r\n \"type\": \"malware\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"malware--b793b2ed-9c02-46ef-8e8a-039ecc983a1b\",\r\n \"name\": \"CashRansomware\",\r\n \"description\": \"A not release yet ransomware\",\r\n \"malware_types\": [\"ransomware\"],\r\n \"is_family\": false\r\n },\r\n {\r\n \"type\": \"malware\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"malware--d511b55c-35b2-425d-b04d-e2e417421198\",\r\n \"name\": \"Mint Stealer\",\r\n \"description\": \"A dotnet stealers\",\r\n \"malware_types\": [\"spyware\"],\r\n \"is_family\": false\r\n },\r\n {\r\n \"type\": \"malware\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"malware--d877eb07-94c1-429b-bf99-d5719148b1e0\",\r\n \"name\": \"Cash Rat\",\r\n \"description\": \"A csharp RAT\",\r\n \"malware_types\": [\"remote-access-trojan\"],\r\n \"is_family\": false\r\n },\r\n {\r\n \"type\": \"malware\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"malware--f35e38e0-681b-481f-9ca8-86eda1c128c8\",\r\n \"name\": \"Cash Crypter\",\r\n \"description\": \"A PE crypter\",\r\n \"malware_types\": [\"unknown\"],\r\n \"is_family\": false\r\n },\r\n {\r\n \"type\": \"relationship\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"relationship--e7b46831-cb79-4528-b8c5-3a31eb373757\",\r\n \"relationship_type\": \"hosts\",\r\n \"source_ref\": \"infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d\",\r\n \"target_ref\": 
\"malware--b793b2ed-9c02-46ef-8e8a-039ecc983a1b\"\r\n },\r\n {\r\n \"type\": \"relationship\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"relationship--0c133ffa-fd72-46f3-865e-e9e8d6222766\",\r\n \"relationship_type\": \"hosts\",\r\n \"source_ref\": \"infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d\",\r\n \"target_ref\": \"malware--d511b55c-35b2-425d-b04d-e2e417421198\"\r\n },\r\n {\r\n \"type\": \"relationship\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"relationship--8cd09dc7-a106-4aa9-8589-7b81fe2ba972\",\r\n \"relationship_type\": \"hosts\",\r\n \"source_ref\": \"infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d\",\r\n \"target_ref\": \"malware--d877eb07-94c1-429b-bf99-d5719148b1e0\"\r\n },\r\n {\r\n \"type\": \"relationship\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"relationship--048581fc-c12e-4f7f-ae90-2ff7a2a3e39f\",\r\n \"relationship_type\": \"hosts\",\r\n \"source_ref\": \"infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d\",\r\n \"target_ref\": \"malware--f35e38e0-681b-481f-9ca8-86eda1c128c8\"\r\n },\r\n {\r\n \"type\": \"location\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"location--a7c4f414-3fab-4940-86d0-f4370ce2c7e50\",\r\n \"country\": \"RU\",\r\n \"city\": \"moscow\"\r\n },\r\n {\r\n \"type\": \"relationship\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"relationship--d9a4c1f2-e9ff-48cf-bdc4-5a27f2a077ef\",\r\n \"relationship_type\": \"located-at\",\r\n \"source_ref\": \"infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d\",\r\n \"target_ref\": \"location--a7c4f414-3fab-4940-86d0-f4370ce2c7e50\"\r\n },\r\n {\r\n \"type\": \"relationship\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"relationship--6b530293-0275-4862-98dc-69d452da8542\",\r\n \"relationship_type\": \"located-at\",\r\n \"source_ref\": \"infrastructure--b285b5b0-d757-418f-ba5b-4df23a4fe8e7\",\r\n \"target_ref\": \"location--a7c4f414-3fab-4940-86d0-f4370ce2c7e50\"\r\n },\r\n 
{\r\n \"type\": \"location\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"location--c5c1eacf-cd9f-44ed-9515-9aa0401e7067\",\r\n \"country\": \"FR\",\r\n \"region\": \"PACA\"\r\n },\r\n {\r\n \"type\": \"relationship\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"relationship--ce8bff7b-3aa3-4475-8a01-6bdc4e967a2b\",\r\n \"relationship_type\": \"located-at\",\r\n \"source_ref\": \"identity--023d105b-752e-4e3c-941c-7d3f3cb15e9e\",\r\n \"target_ref\": \"location--c5c1eacf-cd9f-44ed-9515-9aa0401e7067\"\r\n },\r\n {\r\n \"type\": \"campaign\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"campaign--7cdc2b62-3f35-43eb-ae6d-11145036876d\",\r\n \"name\": \"CashRansom Development\",\r\n \"description\": \"Active development of CashRansom\"\r\n },\r\n {\r\n \"type\": \"relationship\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"relationship--c5f677d4-55ee-43ad-90b5-d19552731625\",\r\n \"relationship_type\": \"uses\",\r\n \"source_ref\": \"campaign--7cdc2b62-3f35-43eb-ae6d-11145036876d\",\r\n \"target_ref\": \"malware--b793b2ed-9c02-46ef-8e8a-039ecc983a1b\"\r\n },\r\n {\r\n \"type\": \"file\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"file--75f6adba-3c71-4815-9763-3aef55b9f174\",\r\n \"hashes\": {\r\n \"SHA-256\": \"e1696968ad55e7e03a8334711d90350c4145fb4f60de5fb4a2f5f19187183c05\"\r\n },\r\n \"name\": \"CashRansom.exe\"\r\n },\r\n {\r\n \"type\": \"file\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"file--36c8fdaa-6b8f-4112-acb4-1095d75beee8\",\r\n \"hashes\": {\r\n \"SHA-256\": \"39096e9a521ea1c001083d8c82317c8e6dbdd5d705d9a92beb15db102fb87263\"\r\n },\r\n \"name\": \"CashRansom.exe\"\r\n },\r\n {\r\n \"type\": \"file\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"file--034a9dbf-083e-464a-a055-509a4c9a330b\",\r\n \"hashes\": {\r\n \"SHA-256\": \"958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24\"\r\n },\r\n \"name\": \"CashRansom.exe\"\r\n },\r\n {\r\n \"type\": 
\"file\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"file--6ca2758f-2586-40b9-b712-fcd22a70873e\",\r\n \"hashes\": {\r\n \"SHA-256\": \"b8f506741843e2c76fb207b41d205530236f4a263a9a5902146cd71a13fdfd23\"\r\n },\r\n \"name\": \"CashRansom.exe\"\r\n },\r\n {\r\n \"type\": \"file\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"file--f084f3da-b64a-468c-8733-2230751ef02a\",\r\n \"hashes\": {\r\n \"SHA-256\": \"003311f504eec2d0203de5e5e9d8c4213a981a3f6db85141a6d1e84a58e2b6b9\"\r\n },\r\n \"name\": \"CashRansom.exe\"\r\n },\r\n {\r\n \"type\": \"file\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"file--85975011-d8f3-43b0-982a-30f2286a3dfb\",\r\n \"hashes\": {\r\n \"SHA-256\": \"c67332d690304dfd5d43fc35dbdf0a832a803ff5f73f6187e3d94ace7433fffd\"\r\n },\r\n \"name\": \"CashRansom.exe\"\r\n },\r\n {\r\n \"type\": \"file\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"file--fe389703-22f3-4950-93ae-07f5d0d76775\",\r\n \"hashes\": {\r\n \"SHA-256\": \"6332e43af93cf00c5bd536e189b30d5a44c0568fb3fdef5e9b020146420d8b15\"\r\n },\r\n \"name\": \"CashRansom.exe\"\r\n },\r\n {\r\n \"type\": \"file\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"file--485a2105-4905-48dc-bfc3-f7bc4bfa87e0\",\r\n \"hashes\": {\r\n \"SHA-256\": \"5525d297a346b80912c4f5ec0ac4875e9d49f96d01e52c10df5c064bd803bd79\"\r\n },\r\n \"name\": \"CashRansom.exe\"\r\n },\r\n {\r\n \"type\": \"file\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"file--c9e4aa04-9366-48a3-a086-3bc5f0eff111\",\r\n \"hashes\": {\r\n \"SHA-256\": \"8040b684f12ac819ba9ecb407f202f01182d25186552093379ad33c86f3a4273\"\r\n },\r\n \"name\": \"CashRansom.exe\"\r\n },\r\n {\r\n \"type\": \"file\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"file--c61fd93b-06c6-4e9b-b6da-fb4bd9f7f24a\",\r\n \"hashes\": {\r\n \"SHA-256\": \"b7f5f19864639b32f24e806091bf0a0a7483df73c97eac41fe5eb1d3321cea39\"\r\n },\r\n \"name\": \"CashRansom.exe\"\r\n },\r\n {\r\n \"type\": 
\"file\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"file--406008db-228c-45b8-adaf-bc3d9a8592f1\",\r\n \"hashes\": {\r\n \"SHA-256\": \"dd7d6dc03dea59e2f48ef92849ec0d03aa6cf4c5e1e6758eba184be311e6fb1f\"\r\n },\r\n \"name\": \"CashRansom.exe\"\r\n },\r\n {\r\n \"type\": \"file\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"file--8ceda5a1-a4a4-402d-8a6f-9f7c2df4c733\",\r\n \"hashes\": {\r\n \"SHA-256\": \"91edb2ed65ae31113c3c2f3ba63bcac5d24d48ef3d5765018799863e4717b845\"\r\n },\r\n \"name\": \"CashRansom.exe\"\r\n },\r\n {\r\n \"type\": \"file\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"file--7b12438f-63cc-4c44-8618-61f18aea1955\",\r\n \"hashes\": {\r\n \"SHA-256\": \"132ef1a933f9d26fb0bb46b0a970dbfe05ad8fe0859ece8eb973b5584a580cc3\"\r\n },\r\n \"name\": \"CashRansom.exe\"\r\n },\r\n {\r\n \"type\": \"file\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"file--defa04d0-7f9b-4901-b029-7b094bdc45e9\",\r\n \"hashes\": {\r\n \"SHA-256\": \"e387c084d5c3b62413743e912ee10776564e7c55ba1dc801990b312b88b61efe\"\r\n },\r\n \"name\": \"CashRansom.exe\"\r\n },\r\n {\r\n \"type\": \"observed-data\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"observed-data--fa04cdeb-623c-46f3-afa1-bc76b219aaba\",\r\n \"first_observed\": \"2024-05-10T00:00:00Z\",\r\n \"last_observed\": \"2024-05-10T00:00:00Z\",\r\n \"number_observed\": 1,\r\n \"object_refs\": [\"campaign--7cdc2b62-3f35-43eb-ae6d-11145036876d\", \"file--75f6adba-3c71-4815-9763-3\r\n }\r\n ]\r\n}\r\nSource: https://tehtris.com/en/blog/unreleased-raas-analysis-cashransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://tehtris.com/en/blog/unreleased-raas-analysis-cashransomware/"
	],
	"report_names": [
		"unreleased-raas-analysis-cashransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434425,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2847874247ea27a682856fc2549823b510fd53f7.pdf",
		"text": "https://archive.orkl.eu/2847874247ea27a682856fc2549823b510fd53f7.txt",
		"img": "https://archive.orkl.eu/2847874247ea27a682856fc2549823b510fd53f7.jpg"
	}
}