{
	"id": "9c4ef834-233f-4318-9d24-135bd0948089",
	"created_at": "2026-04-06T00:18:32.236046Z",
	"updated_at": "2026-04-10T03:21:16.569032Z",
	"deleted_at": null,
	"sha1_hash": "ac657876fed909185c9e64e186b935efacb83b8b",
	"title": "Tfw ransomware is only your side hustle...",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 610418,
	"plain_text": "Tfw ransomware is only your side hustle...\r\nBy f0wL\r\nPublished: 2019-07-31 · Archived: 2026-04-05 19:13:04 UTC\r\nWed 31 July 2019 in Ransomware\r\nand you constantly have to apply for jobs. A partial analysis of the \"GermanWiper\" Ransomware\r\nToday someone posted about a Ransomware attack on the local chat platform Jodel (don't judge please, as you know the sketchy corners of the web get you the best samples :D) which instantly piqued my interest. What I got was this email and the two attached files.\r\nThe two attached files Applicant Name - Lebenslauf Aktuell.doc.lnk and Applicant Name - Arbeitszeugnisse Aktuell.doc.lnk are made to look like Microsoft Office Documents but are actually just Windows File Shortcuts and can easily be parsed with the LNK Parser @ Google Code. The output looks like this:\r\nhttps://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html\r\nPage 1 of 9\r\nThe person who provided me with this data was kind enough to also include the ransom note, which is, unlike most ransomware strains out there in the wild wild cyber west, not a txt file but rather an HTML file. It includes links to bitcoin exchanges, a hardcoded wallet address and asks for 0.15038835 BTC as a ransom. Just like the E-Mail it is written in spotless German but without Umlauts (ä,ö,ü). A cleaned sample can be found here\r\nCommunication with the attacker's server at 173.33.106.120 (hosted at OVH) is done via a php script at the bottom of the ransom note. Since the server was not reachable at the time of analysis I could not take a closer look at either the script or the dropped .hta file that is run via the powershell command in the .lnks.\r\nThe most worrying thing about this sample is the \"encryption\" though. Every file touched by GermanWiper is overwritten with zeros. A list of file extensions used by the wiper can be found on pastebin. Because of this behaviour the malware was dubbed \"GermanWiper\" by Michael Gillespie (@Demonslay335). The BleepingComputer Forum post discussing this strain can be found here.\r\nA not-so-Happy Ending: Encrypted files will not be recoverable and if you are a victim please spend your money somewhere else and not on the ransom.\r\nUpdate: A look at the dropped executable\r\nGermanWiper available @ https://malshare.com/sample.php?action=detail\u0026hash=36ccd442755d482900b57188ae3a89a7\r\nsha256 41364427dee49bf544dcff61a6899b3b7e59852435e4107931e294079a42de7c\r\nAs a first step I like to run my samples through \"Detect it easy\" to get a first look at what to expect. Not a huge discovery, but it is interesting nonetheless that the executable was likely compiled with Visual Studio 2010.\r\nLet's check the entropy of the sample to see if it is packed. Heavy obfuscation is a rare sight for ransomware, but running your executable through a packer or crypter of some sort might avoid detection through already existing signatures, and ransom campaigns often ship more than one version of their executable.\r\nA quick test to see how much effort the attackers have put into it is to try to unpack it with upx, but no such luck in this case:\r\nI'm not quite sure why, but the attackers set an Amazon Logo as a file icon for the malware. Maybe to lure the victim into clicking on it?\r\nWith this sample we also get to see a new domain for a control server at expandingdelegation[.]top (8.208.13.24) in the ransom note, so this sample might already be part of a second wave since it was still dropping the executable today (02.08.2019).\r\nA couple of noteworthy events after running the sample in a virtual machine: The Ransomware runs vssadmin.exe to delete system restore points and shadow copies. Furthermore this command will disable recovery options at system startup, but not without first asking the victim for their approval (how nice of them).\r\nThe seemingly arbitrary process description of the GermanWiper process might be a handy string to keep in mind for identification of samples in the future.\r\nTo display the ransom note after system startup it creates two entries in the start menu...\r\n...and an entry to open the html Ransom-File in the msconfig autostart.\r\nIOCs\r\nFiles\r\nwiper.exe --SHA1--\u003e 8cd96603cdd2637cf5469aba8ed2b149c35ef699\r\nArbeitszeugnisse - Lebenslauf - Doris Sammer.zip --SHA1--\u003e 058ad51c8eb86545a5424c0b021235da3bbce1c8\r\nDoris Sammer - Arbeitszeugnisse Aktuell.doc.lnk --SHA1--\u003e 2d8f89693d14b9ea7a056bced983dfc88fe76105\r\nDoris Sammer - Lebenslauf Aktuell.doc.lnk --SHA1--\u003e 77d5224fc02999b04ab79054aad23b0f6213b7eb\r\nMalspam Domains\r\napplicant.name[at]rasendmail.com\r\napplicant.name[at]stadtmailer.com\r\napplicant.name[at]nrwmail.com\r\napplicant.name[at]mailplatz.com\r\nDropper URLs/IPs\r\n173.33.106[.]120\r\nmoneymaker[.]software\r\nexpandingdelegation[.]top\r\nSkipped Folders and Filenames\r\nautorun.inf\r\nboot.ini\r\nbootfont.bin\r\nbootsect.bak\r\ndesktop.ini\r\niconcache.db\r\nntldr\r\nntuser.dat\r\nntuser.dat.log\r\nntuser.ini\r\nbootmgr\r\nbootnxt\r\nthumbs.db\r\nWindows\r\nrecycle.bin\r\nmozilla\r\ngoogle\r\nboot\r\napplication data\r\nappData\r\nprogram files\r\nprogram files (x86)\r\nprogramme\r\nprogramme (x86)\r\nprogramdata\r\nperflogs\r\nintel\r\nmsocache\r\nSystem Volume Information\r\nThanks again to @Demonslay335, @James_inthe_box and all the other researchers who contributed to the analysis of this threat. This article has also been mentioned in this excellent ZDNet Article, which is quite an honor, thanks :D\r\nSource: https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html"
	],
	"report_names": [
		"tfw-ransomware-is-only-your-side-hustle.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434712,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac657876fed909185c9e64e186b935efacb83b8b.pdf",
		"text": "https://archive.orkl.eu/ac657876fed909185c9e64e186b935efacb83b8b.txt",
		"img": "https://archive.orkl.eu/ac657876fed909185c9e64e186b935efacb83b8b.jpg"
	}
}