216.73.217.80

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:33 · Modified 20/12/2025 20:08

Essential information

Value / Name
deadbolt_cgi_ransomnote
Confidence
100/100
Revoked
Yes
Valid from
06/06/2022 16:34
Valid until
09/09/2023 16:34
Pattern type
yara
Published
20/12/2025 19:33
Modified
20/12/2025 20:08
Author / Source
AlienVault

Description

deadbolt_cgi_ransomnote Looks for configuration fields in the JSON parsing code

Pattern

rule deadbolt_cgi_ransomnote : ransomware {
    meta:
        description = "Looks for CGI shell scripts created by DeadBolt"
        author = "Trend Micro Research"
        date = "2022-03-25"
        hash = "4f0063bbe2e6ac096cb694a986f4369156596f0d0f63cbb5127e540feca33f68"
        hash = "81f8d58931c4ecf7f0d1b02ed3f9ad0a57a0c88fb959c3c18c147b209d352ff1"
        hash = "3058863a5a169054933f49d8fe890aa80e134f0febc912f80fc0f94578ae1bcb"
        hash = "e0580f6642e93f9c476e7324d17d2f99a6989e62e67ae140f7c294056c55ad27"

    strings:
        $= "ACTION=$(get_value \"$DATA\" \"action\")"
        $= "invalid key len"
        $= "correct master key"
        $= "'{\"status\":\"finished\"}'"
        $= "base64 -d 2>/dev/null"

    condition:
        uint32be(0) != 0x7F454C46 // We are not interested on ELF files here
        and all of them
}

Labels / Tags

Labels: asustor deadbolt qnap ransomware

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.