{
	"id": "6f0ad2f0-6abc-40f1-aebe-71b0ffadc062",
	"created_at": "2026-04-06T00:14:02.327491Z",
	"updated_at": "2026-04-10T03:28:28.121724Z",
	"deleted_at": null,
	"sha1_hash": "da21a9ac65a768da0b1015a64c333054fbde3f1e",
	"title": "CUBA Ransomware Campaign Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3074061,
	"plain_text": "CUBA Ransomware Campaign Analysis\r\nBy Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease\r\nPublished: 2022-09-08 · Archived: 2026-04-02 10:51:52 UTC\r\nKey Takeaways\r\nThe Elastic Security Team is tracking an organized and financially-motivated ransomware and extortion group\r\ncalled Cuba Ransomware\r\nCuba Ransomware targets small and medium-sized retailers, exfiltrating sensitive information, and then deploying\r\nransomware\r\nCuba Ransomware uses a “name and shame” approach by releasing exfiltrated data as an additional method to\r\nextort ransomware cryptocurrency payments\r\nWe are releasing a YARA signature and providing hunting queries that detect this ransomware family\r\nFor information on the CUBA ransomware campaign and associated malware analysis, check out our blog posts\r\ndetailing this:\r\nCUBA Malware Analysis\r\nBUGHATCH Malware Analysis\r\nPreamble\r\nThe Elastic Security Team is tracking a threat group that is leveraging the Cuba Ransomware, combined with data\r\nexfiltration and extortion, to target North American and European retailers and manufacturers for cryptocurrency payments.\r\nThe threat group has followed an effective, but repetitive cluster of TTPs for initial access, lateral movement, exfiltration,\r\nransomware deployment, and extortion.\r\nInitial Access\r\nThe incidents that we have observed included hosts that were infected with a litany of initial access opportunities. These\r\nincluded everything from potentially unwanted programs (PUP) to remotely executable vulnerabilities. 
Because of this, we\r\ncannot verify what the initial access vehicle was, but there are two theories:\r\nAn access broker\r\nA remotely exploitable vulnerability\r\nWhile there are many ways to gain access into a targeted network, we’ll explore the most likely hypotheses for how the\r\nCUBA threat group gained access.\r\nAccess Broker\r\nAs an introduction, an access broker is a threat group who, as they move through the kill chain, has their “actions on\r\nobjective” as collecting and maintaining remote access into a targeted network so that access can be sold to other threat\r\ngroups who have other goals.\r\nhttps://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis\r\nPage 1 of 19\n\nThis is a common tactic for ransomware campaigns where the goal is to rapidly encrypt and extort victims into paying to\r\nrecover data. When using ransomware kits (ransomware-as-a-service), the threat actors are often focused on moving\r\nrapidly across many victims and not on the reconnaissance required to identify and exploit victims to deploy their\r\nransomware.\r\nRansomware-as-a-service includes a lot of overhead such as negotiating with victims, troubleshooting unlock procedures,\r\nand managing the crypto infrastructure. 
It is often easier to purchase previously exploited systems that allow the\r\nransomware campaign owners to be “shell wranglers” instead of needing to gain and maintain access to a large number of\r\nenvironments.\r\nThe theory that an initial access broker may have been used began percolating because we observed access attempts using\r\nan Exchange vulnerability in multiple contested networks; however, all networks did not receive the CUBA ransomware.\r\nAdditionally, we observed initial access attempts in January but did not observe CUBA ransomware until March which\r\nwould align with an access broker gaining and maintaining persistence while shopping for a buyer.\r\nIn the environments where the CUBA ransomware was not deployed, the incident response was rapid, however incomplete,\r\nand access was regained. Once the persistence was observed, the adversary was successfully evicted and CUBA was never\r\ndeployed.\r\nRemotely Exploitable Vulnerability\r\nWe observed the execution of the ProxyLogon exploit. Previous research has observed this threat group leveraging\r\nProxyLogon and ProxyShell vulnerabilities to gain initial access.\r\nc:\\windows\\system32\\inetsrv\\w3wp.exe, -ap, MSExchangeOWAAppPool, -v, v4.0, -c, C:\\Program Files\\Microsoft\\Exchange Serve\r\nIn each case REF9019 activity was traced back to Windows servers running Microsoft’s Exchange Server. 
Although we do\r\nnot have information on the patch levels of those machines at the time of the execution or the exact vulnerabilities\r\nexploited, there is corroborating evidence regarding the exploitation of publicly accessible Exchange servers at this time\r\ngenerally, as well as specific reporting tied to the CUBA threat actor exploiting them.\r\nThis information combined with the lack of activity preceding this event, as well as the order of tactics after, indicates that\r\nin both cases exploitation of publicly accessible Exchange servers initiated the compromise.\r\nWhile analyzing certain alerts throughout these events, we used data present in the\r\nprocess.Ext.memory_region.bytes_compressed field, and the technique we described in our Cobalt Strike series,\r\nto extract the memory-resident binaries and shellcode.\r\nEstablish Foothold\r\nafk.ttf\r\nThis exploitation attempt preceded one primary infection by about 6 weeks. It appears a tactics shift occurred in the\r\nintervening period.\r\nThe file afk.ttf has been identified as a variant of “ZenPak” by some vendors on VirusTotal. ZenPak is categorized as a\r\ngeneric Trojan which has been associated with the Bazar malware family. The BazarBackdoor has a long history and was\r\nrecently sighted in ransomware-as-a-service campaigns.\r\nInitially, afk.ttf was identified through a malicious_file alert when it was created by the IIS worker process (w3wp.exe)\r\nhandling the Exchange Service.\r\nThe afk.ttf file is a 64-bit Windows DLL that has a single export, bkfkals. Next, afk.ttf is loaded by rundll32.exe (spawned\r\nby w3wp.exe) which unpacks shellcode in memory and executes it. 
The unpacked shellcode is a Meterpreter payload from\r\nthe offensive security framework, Metasploit.\r\nFollowing this, afk.ttf uses an injection technique that allows the injected code to run before the entry point of the main\r\nthread of the process. This is known as Early Bird injection and is used in this situation to inject the shellcode in a\r\nsuspended process for nslookup 8.8.8.8. Once the shellcode was deobfuscated for execution, the Elastic Agent identified\r\nand prevented the Metasploit payload.\r\nUsing the process.Ext.memory_region.bytes_compressed field we were able to recover the memory snapshot from these\r\ntwo alerts and verified that the shellcode was Meterpreter, which is part of the Metasploit framework. Additionally, we\r\nwere able to extract the C2 IP (159.203.70[.]39) and URI (/Time/cb6zubbpio...truncated...).\r\nUltimately this foothold was either never established, or abandoned because there is no further activity from this endpoint\r\nuntil it is re-exploited about 6 weeks later.\r\nadd2.exe\r\nThe primary execution chain of both infections started with a malicious_file alert that fired upon the creation and execution\r\nof add2.exe by the IIS worker process handling the Exchange service. This was the same technique observed previously\r\nwith the afk.ttf attempt. 
Interestingly, these executions happened within about 15 minutes of each other on victims in\r\ndifferent countries and different industry verticals.\r\nThe Elastic Malware Analysis and Reverse Engineering (MARE) team was able to find this file in VirusTotal and pull it\r\ndown for binary analysis.\r\nBOOL sub_4013B0()\r\n{\r\n int v1;\r\n int v2;\r\n WCHAR REMOTE_DESKTOP_USERS_groups_list[256];\r\n WCHAR ADMINS_groups_list[256];\r\n char password[44];\r\n wchar_t username[9];\r\n v2 = enum_local_groups(DOMAIN_ALIAS_RID_ADMINS, ADMINS_groups_list);\r\n v1 = enum_local_groups(DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS, REMOTE_DESKTOP_USERS_groups_list);\r\n if ( v2 || v1 )\r\n {\r\n wcscpy(username, L\"Mysql\");\r\n qmemcpy(password, L\"KJaoifhLOaiwdhadx1@!\", 0x2Au);\r\n if ( Add_user((int)username, (int)password) )\r\n {\r\n if ( v2 )\r\n add_user_groups(ADMINS_groups_list, (int)username);\r\n if ( v1 )\r\n add_user_groups(REMOTE_DESKTOP_USERS_groups_list, (int)username);\r\n hide_accountName(username); // SpecialAccounts\\UserList regkey\r\n }\r\n }\r\n return enable_RDP();\r\n}\r\nMARE determined that this executable performs several functions:\r\nEnumerates local administrator and RDP groups.\r\n WCHAR REMOTE_DESKTOP_USERS_groups_list[256];\r\n WCHAR ADMINS_groups_list[256];\r\n char password[44];\r\n wchar_t username[9];\r\n v2 = enum_local_groups(DOMAIN_ALIAS_RID_ADMINS, ADMINS_groups_list);\r\n v1 = enum_local_groups(DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS, REMOTE_DESKTOP_USERS_groups_list);\r\n if ( v2 || v1 )\r\nCreates a new user Mysql, sets the password to KJaoifhLOaiwdhadx1@!, and sets no expiration date (0x2Au).\r\n wcscpy(username, L\"Mysql\");\r\n qmemcpy(password, L\"KJaoifhLOaiwdhadx1@!\", 0x2Au);\r\n if ( Add_user((int)username, (int)password) )\r\nAdds this user to the previously enumerated local administrative and RDP 
groups.\r\n if ( v2 )\r\n add_user_groups(ADMINS_groups_list, (int)username);\r\n if ( v1 )\r\n add_user_groups(REMOTE_DESKTOP_USERS_groups_list, (int)username);\r\nSets the SpecialAccounts\\UserList regkey for this user to hide the user from login screens and the control panel.\r\n hide_accountName(username); // SpecialAccounts\\UserList regkey\r\nEnables RDP by setting the fDenyTSConnections value to false in the Registry.\r\n return enable_RDP();\r\nIn total, add2.exe establishes local persistence via a hidden user and opening of a remote access service. This enables the\r\nREF9019 actor to connect back to this machine in case of discovery, patching of the vulnerability, or an incomplete\r\neviction.\r\nAdditionally, VirusTotal indicated on the graph page that this file has been hosted at http://208.76.253[.]84.\r\nOf particular note, within the strings of add2.exe, we identified a unique program database file (PDB) named AddUser.pdb.\r\nPDB files are used to map elements of source code to the compiled program.\r\nSearching in VirusTotal for the HEX value of F:\\Source\\WorkNew17\\ (content:\r\n{463a5c536f757263655c576f726b4e65773137}), we identified another file named ad.exe which shared the same folder\r\nstructure, and included another PDB file, CmdDLL.pdb.\r\nVirusTotal shows on the graph page that this file has been hosted at http://108.170.31[.]115/add.dll. 
While we did not\r\nobserve add.dll, we believe they are related and have included the name, hash, and IP in our Observables table as the IP\r\naddress (108.170.31[.]115) was also reported distributing ra.exe (see the NetSupport section below).\r\nUsing this same search criteria, we were able to locate three other files with the same PDB debugging artifacts.\r\nRemote Access Tools\r\nAfter establishing a beachhead, REF9019 dropped tooling to manage the post-exploitation phase of the attacks. Notably, not all\r\ntools were present in each attack. It’s unclear if the decision to use one tool over another was merely driven by\r\npreference of individual operators, or if there was an operational factor that contributed to the decision.\r\nSystemBC\r\nSystemBC is a socks5 backdoor with the ability to communicate over TOR.\r\nIt was identified via malware_signature alerts that ran after SystemBC was injected into a svchost.exe process.\r\nPost processing of the compressed_bytes of the shellcode_thread alert exposed network indicators our sample utilized,\r\nincluding its command and control server (104.217.8[.]100:5050).\r\nCheck out AhnLab’s ASEC blog for detailed coverage of SystemBC’s features.\r\nLet’s look at the data for the SystemBC binary that was collected from the process.Ext.memory_region.bytes_compressed\r\nfield.\r\nIf we run this through the strings command, it becomes a bit more readable. 
As mentioned above, the work done by the\r\nteam at ASEC does a tremendous job of describing the SystemBC remote access tool, so we’ll focus on the atomic\r\nindicators that we observed.\r\n…truncated…\r\nBEGINDATA\r\nHOST1:104.217.8[.]100\r\nHOST2:104.217.8[.]100\r\nPORT1:5050\r\n…truncated…\r\n193.23.244[.]244\r\n86.59.21[.]38\r\n199.58.81[.]140\r\n204.13.164[.]118\r\n194.109.206[.]212\r\n131.188.40[.]189\r\n154.35.175[.]225\r\n171.25.193[.]9\r\n128.31.0[.]34\r\n128.31.0[.]39\r\n/tor/status-vote/current/consensus\r\n/tor/server/fp/\r\n…truncated…\r\nThe values of HOST1 and HOST2 are well-documented infrastructure for the SystemBC tool. The list of 10 IP addresses consists of\r\nTor directory authorities. One IP address is selected from the list to get the consensus data for the Tor network. Then it will\r\nstart Tor communications based on the settings it received (as previously reported by ASEC).\r\nWhile we were not able to identify if Tor traffic was executed, this could have been a clandestine way to exfiltrate sensitive\r\ndata.\r\nGoToAssist\r\nGoToAssist is a remote desktop support application with some legitimate usage, but also known for its use in tech support\r\nscams. In this incident, it was used to download a malicious DLL to the newly created user’s downloads directory\r\n(C:\\Users\\Mysql\\Downloads\\94-79.dll). We were unable to collect this file and have not observed it later in the incident,\r\nhowever previous reporting has indicated use in CUBA campaigns of DLLs with similar naming conventions.\r\nNetSupport\r\nNetSupport Manager is another client-server remote desktop management application. In this incident, NetSupport was\r\nnamed ra.exe and was written and executed from the C:\\programdata\\ directory by the previously exploited IIS worker\r\nprocess (w3wp.exe). 
ra.exe has been distributed by a previously identified IP address (see add2.exe section above).\r\nOur sample is the NetSupportManager RAT as indicated on VirusTotal and corroborates prior reporting of its usage with\r\nthe CUBA Ransomware group.\r\nCobalt Strike\r\nCobalt Strike was used in these intrusions; we confirmed this while reviewing the value of the\r\nTarget.process.thread.Ext.start_address_bytes field (a few (typically 32) raw opcode bytes at the thread start address, hex-encoded). Upon doing this, we observed bytes commonly observed in Cobalt Strike payloads.\r\nWhen analyzing the process data that we extracted from memory we can see that dhl.jpg (from mvnetworking[.]com) and\r\ntemp.png (from bluetechsupply[.]com) are being used for command and control. This is corroborated by previous research.\r\nLooking at the domains in Shodan ([1][2]), we can see that they are both categorized as Cobalt Strike beacon C2\r\ninfrastructure.\r\nBoth sites are hosted by a cloud provider, Hivelocity, Inc. We have requested the domains be taken down.\r\nBUGHATCH\r\nBUGHATCH is the name given to a Cuba Ransomware associated downloader by Mandiant in their blog on UNC2596. We\r\ndetail the observed execution chain and indicators below.\r\nBUGHATCH was launched via PowerShell script stagers in both cases. One execution was following the dropping of a\r\nmalicious DLL to the Mysql user’s downloads folder (C:\\Users\\Mysql\\Downloads\\14931s.dll). The download URI for the next\r\nstage was found in the Target.process.Ext.memory_region.strings ( http://64.235.39[.]82/Agent32.bin ).\r\nIn the above example, we observed agsyst82.ps1 downloading Agent32.bin from 64.235.39[.]82, but were unable to collect\r\nthe PowerShell script. 
However, while performing open-source research, we identified a PowerShell script on ANY.RUN\r\nthat performed network connections to the same IP and URL ( http://64.235.39[.]82/Agent32.bin ). The script is named\r\nkomar.ps1 in ANY.RUN’s analysis. We are associating these two PowerShell scripts and network activity together.\r\nThe other PowerShell script was called by a malicious file, cps.exe. This PowerShell script is called komar2.ps1 and\r\ndownloads Agent32.bin from 38.108.119[.]121.\r\nkomar2.ps1 next attempts to inject itself into svchost.exe from C:\\Windows\\Sysnative\\svchost.exe.\r\nFor context, the C:\\Windows\\Sysnative path is a legitimate Windows directory and used to allow 32-bit\r\napplications to access the System32 folder on a 64-bit version of Windows. This path has also been observed as a\r\nSpawnTo parameter in Cobalt Strike process injection configurations.\r\nThis new injected process again executes komar2.ps1 and includes a new PDB entry of\r\nF:\\Source\\Mosquito\\Agent\\x64\\Release\\Agent.pdb. As we discussed above, “komar” means “mosquito” in Polish and is a\r\ngood indicator as a way to identify other related entities; we see “Mosquito” in the path of the PDB. While a weak\r\nassociation by itself, the PDB in this sample is located in F:\\Source, which is the same location that we’d observed with\r\nF:\\Source\\WorkNew## above for add2.exe. By themselves, they are not a solid reference point between the two samples,\r\nbut when compared together, they can be categorized as “interesting”.\r\nBased on analysis of the Agent32.bin file, we believe that this is the BUGHATCH malware. BUGHATCH has been\r\nobserved being used as a downloader in CUBA ransomware incidents. 
This aligns with how we observed Agent32.bin.\r\nBUGHATCH has been covered in the UNC2596 blog by the team at Mandiant.\r\nCredential Harvesting, Internal Reconnaissance, and Lateral Movement\r\nCredential harvesting was observed through process injection into the GoToAssistUnattendedUi.exe binaries. These appear\r\nto be the legitimate files for the Go To Assist suite. The credential harvesting was accomplished by using Meterpreter and\r\nMimikatz.\r\nMeterpreter\r\nAs we observed in the initial infection several months prior, Meterpreter was observed being used to collect the SAM\r\ndatabase using the hashdump module. As previously, this was observed in the Target.process.Ext.memory_region.strings\r\nfields.\r\nMimikatz\r\nSimilarly to the Meterpreter tool markings, we also observed Mimikatz. Mimikatz is an offensive security tool used to\r\ncollect and inject passwords from compromised systems. It uses the SEKURLSA::LogonPasswords module to list all\r\navailable provider credentials, and this was observed in the Target.process.Ext.memory_region.strings fields.\r\nZerologon Exploit\r\nNext the threat actors attempted to use a file called zero.exe, which is used to exploit the Zerologon vulnerability to\r\nescalate privileges. This file is referenced in previous reporting and is executed on a vulnerable domain controller to dump\r\nthe NTLM hash for the Administrator. This is a common tactic for lateral movement and to deploy additional implants into\r\nthe environment, such as Cobalt Strike.\r\nPsExec\r\nPsExec is a legitimate utility, part of the SysInternals suite of tools, used to interactively launch processes on remote\r\nsystems. 
PsExec is a common tool for remote administration, both benign and malicious.\r\nWhile we cannot validate how specifically PsExec was used because there was not an SMB parser on the infected hosts, we\r\ncan see that PsExec was used to move files between the infected hosts. We cannot confirm that this was not normal\r\nadministration by the local IT staff, but the only activity observed was between infected hosts and was within the time\r\nwindow of other confirmed malicious activity.\r\nUsing LOLBAS\r\nLiving off the land binaries, scripts, and libraries (LOLBAS) is a commonly leveraged method to use native and benign\r\ntools for malicious purposes. This reduces the number of attacker tools that need to be moved into the environment and makes the activity appear\r\nmore like legitimate processes running in a targeted environment.\r\nIn one intrusion we observed PsExec being used to remotely copy files (see the PsExec section), however in another\r\nenvironment, we observed similar activity using cmd.exe to move files from one host to another. We were\r\nunable to collect the files that were being moved for analysis, but they were a DLL and a Batch file named d478.dll and\r\nd478.bat, and the atomic indicators are stored in the Observations table.\r\nData Exfiltration\r\nThe CUBA group belongs to a variant of ransomware operators in that they use extortion as a mechanism to coerce\r\npayments from their victims.\r\nIn these situations, once initial access and a foothold is achieved, threat actors will identify potentially sensitive data and\r\nexfiltrate it off of the environment to use for threats of “name and shame”.\r\nThe CUBA group runs a website on the dark web where they release data from victims that do not pay. 
CUBA releases\r\nsome data for free, and for other, more lucrative data, offers a payment option.\r\nThere are multiple ways that the victim data could have been exfiltrated for extortion; BUGHATCH,\r\nMeterpreter, and Cobalt Strike all have data movement capabilities.\r\nDefense Evasion and Actions on the Objective\r\nDefenderControl.exe\r\nTo prevent the detection of their malware, the threat actors used Defender Control as a way to disable Microsoft Defender,\r\nthe native antivirus built into all Windows systems since Vista.\r\nTo ensure that Defender Control continued to run, the threat actor used svchost.exe to create a scheduled task.\r\nCUBA Ransomware\r\nWe detail the observed execution chain and indicators above, but please see Elastic MARE’s detailed reverse engineering\r\nof this sample here.\r\nDiamond Model\r\nElastic Security utilizes the Diamond Model to describe high-level relationships between the adversaries, capabilities,\r\ninfrastructure, and victims of intrusions. While the Diamond Model is most commonly used with single intrusions, and\r\nleveraging Activity Threading (section 8) as a way to create relationships between incidents, an adversary-centered (section\r\n7.1.4) approach allows for a single, although cluttered, diamond.\r\nObserved Adversary Tactics and Techniques\r\nTactics\r\nUsing the MITRE ATT\u0026CK® framework, tactics represent the why of a technique or sub technique. 
It is the adversary’s\r\ntactical goal: the reason for performing an action.\r\nInitial access\r\nPersistence\r\nPrivilege escalation\r\nDefense evasion\r\nCredential access\r\nDiscovery\r\nLateral movement\r\nCommand \u0026 Control\r\nExfiltration\r\nImpact\r\nIt should be noted that we did not observe the Collection tactic, but based on the evidence of Exfiltration and Impact, this\r\nwould have been completed.\r\nTechniques / Sub Techniques\r\nTechniques and Sub techniques represent how an adversary achieves a tactical goal by performing an action.\r\nAs noted throughout this research, this covered multiple victims over a large period of time. The CUBA intrusion set has\r\nbeen reported using different techniques and sub techniques, but these are our specific observations.\r\nObserved techniques/sub techniques.\r\nExploit Public-Facing Application\r\nCommand and Scripting Interpreter - PowerShell, Windows Command Shell\r\nScheduled Task/Job - Scheduled Task\r\nBoot or Logon Autostart Execution - Registry Run Keys/Startup Folder\r\nCreate Account - Local Account\r\nOS Credential Dumping - LSA Secrets\r\nData Encrypted for Impact\r\nHide Artifact - Hidden Window\r\nMasquerading - Match Legitimate Name or Location\r\nObfuscated Files or Information\r\nReflective Code Loading\r\nDetection\r\nYARA\r\nElastic Security has created YARA rules to identify this BUGHATCH and CUBA ransomware activity.\r\nrule Windows_Trojan_Bughatch {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2022-05-09\"\r\n last_modified = \"2022-05-09\"\r\n os = \"Windows\"\r\n arch = \"x86\"\r\n category_type = \"Trojan\"\r\n family = \"Bughatch\"\r\n threat_name = \"Windows.Trojan.Bughatch\"\r\n reference_sample = \"b495456a2239f3ba48e43ef295d6c00066473d6a7991051e1705a48746e8051f\"\r\n strings:\r\n $a1 = { 8B 45 ?? 33 D2 B9 A7 00 00 00 F7 F1 85 D2 75 ?? 
B8 01 00 00 00 EB 33 C0 }\r\n $a2 = { 8B 45 ?? 0F B7 48 04 81 F9 64 86 00 00 75 3B 8B 55 ?? 0F B7 42 16 25 00 20 00 00 ?? ?? B8 06 00 00 00 EB\r\n $b1 = { 69 4D 10 FD 43 03 00 81 C1 C3 9E 26 00 89 4D 10 8B 55 FC 8B 45 F8 0F B7 0C 50 8B 55 10 C1 EA 10 81 E2 FF\r\n $c1 = \"-windowstyle hidden -executionpolicy bypass -file\"\r\n $c2 = \"C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell.exe\"\r\n $c3 = \"ReflectiveLoader\"\r\n $c4 = \"\\\\Sysnative\\\\\"\r\n $c5 = \"TEMP%u.CMD\"\r\n $c6 = \"TEMP%u.PS1\"\r\n $c7 = \"\\\\TEMP%d.%s\"\r\n $c8 = \"NtSetContextThread\"\r\n $c9 = \"NtResumeThread\"\r\n condition:\r\n ($a1 or $a2 or $b1) or 6 of ($c*)\r\n}\r\nrule Windows_Ransomware_Cuba {\r\n meta:\r\n os = \"Windows\"\r\n arch = \"x86\"\r\n category_type = \"Ransomware\"\r\n family = \"Cuba\"\r\n threat_name = \"Windows.Ransomware.Cuba\"\r\n reference_sample = \"33352a38454cfc247bc7465bf177f5f97d7fd0bd220103d4422c8ec45b4d3d0e\"\r\n strings:\r\n $a1 = { 45 EC 8B F9 8B 45 14 89 45 F0 8D 45 E4 50 8D 45 F8 66 0F 13 }\r\n $a2 = { 8B 06 81 38 46 49 44 45 75 ?? 81 78 04 4C 2E 43 41 74 }\r\n $b1 = \"We also inform that your databases, ftp server and file server were downloaded by us to our servers.\" as\r\n $b2 = \"Good day. All your files are encrypted. 
For decryption contact us.\" ascii fullword\r\n $b3 = \".cuba\" wide fullword\r\n condition:\r\n any of ($a*) or all of ($b*)\r\n}\r\nDefensive Recommendations\r\nEnable Elastic Security Memory and Ransomware protections\r\nReview and ensure that you have deployed the latest Microsoft Security Updates\r\nMaintain backups of your critical systems to aid in quick recovery\r\nAttack surface reduction\r\nNetwork segmentation\r\nObservations\r\nAtomic indicators observed in our investigation.\r\nSource: https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis"
	],
	"report_names": [
		"cuba-ransomware-campaign-analysis"
	],
	"threat_actors": [
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434442,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da21a9ac65a768da0b1015a64c333054fbde3f1e.pdf",
		"text": "https://archive.orkl.eu/da21a9ac65a768da0b1015a64c333054fbde3f1e.txt",
		"img": "https://archive.orkl.eu/da21a9ac65a768da0b1015a64c333054fbde3f1e.jpg"
	}
}