
Commit

up
petikvx committed Dec 18, 2023
1 parent b6a3bfb commit 79d0d0f
Showing 2 changed files with 9 additions and 2 deletions.
11 changes: 9 additions & 2 deletions _posts/Malware Analyze/2023-12-31-dharma-ransomware-family.md
Expand Up @@ -50,14 +50,14 @@ Here is the table for better presentation; we will try to examine each of the po
| MALICIOUS | Deletes shadow copies | cmd.exe (PID: 2320), cmd.exe (PID: 7020), cmd.exe (PID: 5220) |
| MALICIOUS | [Creates a writable file in the system directory](#startup) | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
| MALICIOUS | Actions looks like stealing of personal data | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
| SUSPICIOUS | Starts CMD.EXE for commands execution | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876), 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
| SUSPICIOUS | [Starts CMD.EXE for commands execution](#delete-shadow) | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876), 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
| SUSPICIOUS | Reads the date of Windows installation | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876) |
| SUSPICIOUS | Application launched itself | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876) |
| SUSPICIOUS | Executes as Windows Service | VSSVC.exe (PID: 6600) |
| SUSPICIOUS | Process drops legitimate windows executable | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
| SUSPICIOUS | The process creates files with name similar to system file names | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
| INFO | Checks supported languages | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876), mode.com (PID: 6288), 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960), mode.com (PID: 6216), mode.com (PID: 5584) |
| INFO | Reads the computer name | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876), 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
| INFO | [Reads the computer name](#read-computer-name) | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876), 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
| INFO | Creates files or folders in the user directory | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876) |
| INFO | Creates files in the program directory | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
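Review bot: the `Starts CMD.EXE for commands execution` row now links to `#delete-shadow`, but the `Deletes shadow copies` row (cmd.exe PIDs 2320, 7020, 5220), which is the behaviour that section actually explains, is left without a link. Suggest linking `Deletes shadow copies` to `#delete-shadow` as well, and confirming that the `#startup` target used by `Creates a writable file in the system directory` exists in the post, since this commit only adds the `delete-shadow` and `read-computer-name` anchors.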

Expand Down Expand Up @@ -238,6 +238,8 @@ The malware replicates in the following folders:
![image](/images/dharma/dharma-07.png)
## Overview of Windows Command Operations
<a id="delete-shadow"></a>
![image](/images/dharma/dharma-08.png)
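Review bot: the `<a id="delete-shadow"></a>` anchor sits after the `## Overview of Windows Command Operations` heading, so the `#delete-shadow` link from the table lands on the line below the heading instead of on it. Suggest moving the anchor to the line before the heading (or linking to the heading's own generated id) so the jump shows the section title. Also confirm that `/images/dharma/dharma-08.png` already exists in the repository, since this commit only adds `dharma-10.png`.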
Expand All @@ -250,3 +252,8 @@ C:\\Windows\\system32\\cmd.exe" "mode con cp select=1251\nvssadmin delete shadow
2. `mode con cp select=1251`: This command configures the code page of the Windows console to be 1251. The code page is used to handle characters and character encoding in the console. Code page 1251 is typically associated with Cyrillic encoding used for languages like Russian.
3. `vssadmin delete shadows /all /quiet`: This command is used to delete all volume shadow copies created by the Volume Shadow Copy Service (VSS) on a Windows system. Volume shadow copies are typically used for system backups. The "/all" option indicates to delete all volume copies, and "/quiet" specifies to do it silently without prompting the user.
## Read Computer Name
<a id="read-computer-name"></a>
![image](/images/dharma/dharma-10.png)
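Review bot: the new `Read Computer Name` section consists only of a screenshot with the alt text `image` and no explanatory text, unlike the preceding section where each command is described. Suggest a sentence stating what the screenshot documents (for example, the call observed when the sample reads the computer name) and a descriptive alt text, and placing the `<a id="read-computer-name"></a>` anchor on the line before the `## Read Computer Name` heading so the table link lands on the heading.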
Binary file added images/dharma/dharma-10.png
