Shade Ransomware Analysis
ZooKeeper.pdf
In the spring of 2019 there was a US uptick of this ransomware, which dates from 2014 and is normally found in Russia.

Windows Defender would not even allow the zip file to be downloaded without disabling some of its features. The first indicator observed was the sample trying to discover its external IP address. Shade also deletes volume shadow copies while spawning a large number of processes. It queries kernel debugger information along with process information. For environment fingerprinting it queries CPU information, reads the active computer name and reads the cryptography machine GUID (HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid). Shade creates new processes and drops executable files. It sends HTTP traffic on the usual outbound ports, but without the headers a real browser would send.
It uses a user agent string found in common browsers, even though no browser was launched.
Found user agent(s): Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0
It can register a top-level exception handler for anti-debugging, and it also installs hooks. It drops files that were marked as "clean" by scanners. Shade opens the Kernel Security Device Driver (KsecDD) of Windows.
Initial findings of interest from the pcaps after the initial execution of the file:
Some of the IOCs found were outbound connections on the uncommon ports 9001 and 9101 (9001 is the default Tor ORPort, which is worth keeping in mind when reviewing the captures).
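As an added example (not part of the original notes or of any tool used in the analysis), the script below turns the indicators above into simple triage checks: a browser user agent sent by a non-browser process, HTTP requests with no headers, connections to ports 9001/9101, and shadow copy deletion in process command lines. The record field names, the browser process list and the shadow copy deletion command patterns are assumptions, and the sample records are constructed, not captured traffic.

```python
import re

# Destination ports the notes list as uncommon outbound indicators.
UNCOMMON_PORTS = {9001, 9101}

# Processes that may legitimately send a Firefox user agent (assumption).
BROWSER_PROCESSES = {"firefox.exe"}

# Command lines that delete volume shadow copies (assumption about how the
# "deletes volume snapshots" behaviour shows up in process events).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)


def flag_network(records):
    """Return (record index, reason) pairs for suspicious HTTP/connection records.

    Each record is a dict with 'process', 'dport' and 'headers' (assumed schema).
    """
    findings = []
    for i, r in enumerate(records):
        headers = r.get("headers", {})
        ua = headers.get("User-Agent", "")
        if r["dport"] in UNCOMMON_PORTS:
            findings.append((i, f"uncommon outbound port {r['dport']}"))
        if "Firefox" in ua and r["process"].lower() not in BROWSER_PROCESSES:
            findings.append((i, f"browser user agent sent by {r['process']}"))
        if r["dport"] in (80, 8080) and not headers:
            findings.append((i, "HTTP request with no headers"))
    return findings


def flag_processes(events):
    """Return (pid, reason) pairs for process events that delete shadow copies."""
    findings = []
    for e in events:
        if SHADOW_DELETE.search(e["cmdline"]):
            findings.append((e["pid"], "volume shadow copy deletion"))
    return findings


# Constructed sample data for demonstration; 'dropped.exe' is a placeholder name.
SHADE_UA = "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"

SAMPLE_NETWORK = [
    {"process": "firefox.exe", "dport": 443, "headers": {"User-Agent": SHADE_UA}},
    {"process": "dropped.exe", "dport": 80, "headers": {"User-Agent": SHADE_UA}},
    {"process": "dropped.exe", "dport": 9001, "headers": {}},
    {"process": "dropped.exe", "dport": 80, "headers": {}},
]

SAMPLE_EVENTS = [
    {"pid": 100, "cmdline": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"pid": 101, "cmdline": "vssadmin.exe list shadows"},
    {"pid": 102, "cmdline": "wmic shadowcopy delete"},
]

if __name__ == "__main__":
    for idx, reason in flag_network(SAMPLE_NETWORK):
        print(f"network record {idx}: {reason}")
    for pid, reason in flag_processes(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The first sample record is a real browser sending the same user agent and is not flagged; the user agent on its own is not an indicator, the mismatch between the string and the sending process is.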





